Age | Commit message | Author | |
---|---|---|---|
2017-02-12 | Forward-port ChangeLog entries written for release branch [exim-4.90devstart] | Phil Pennock | |
2017-02-12 | 4.89 JH/17 -> 4.90 JH/01 | Phil Pennock | |
2017-02-11 | Fix missing Changelog entries for recent work | Phil Pennock | |
2017-02-10 | TLS: rework error logging to pass more string back to caller for logging | Jeremy Harris | |
This permits a library-sourced error to be associated with an address being delivered, collapsing pairs of log lines | |||
2017-02-08 | Memory management: drop variables identified as going out-of-scope | Jeremy Harris | |
Fixes crash in transport re-using bad $sender_ip_address from callout | |||
2017-02-02 | FreeBSD: Perl no longer in /usr/bin from Ports | Phil Pennock | |
FreeBSD Ports by policy no longer allows symlinks in /usr/bin for things like Perl, so we have to look in /usr/local/bin for it instead. | |||
2017-01-31 | Handle Proxy Protocol v2 safely as well. | Phil Pennock | |
We had test suite failures (test suite success!) because Proxy Protocol v2 (PPv2) wasn't being detected; by only reading 12 octets, the >= 16 check was failing. But in fact I had previously only fixed reading "only enough" for PPv1. Handling both PPv1 and PPv2 is complicated because the minimum valid length for PPv1 is 15 octets but for PPv2 the size to read is in the 15th and 16th octets. So refactored a little and we now use a total of 3 reads for the PPv2 case (assuming no fragmentation, etc; we'll actually keep reading now instead of aborting) to get the entire PPv2 header of exactly the right size, so that TLS handshake immediately following the PP header is not also swallowed. Fixes: 2018 Tested: manually, TLS and non-TLS, PPv1 and PPv2, all ways. Release: should be cherry-picked into 4.89RC series | |||
2017-01-30 | Document that fixed 2018 | Phil Pennock | |
Fixes: 2018 | |||
2017-01-30 | Restrict address-parsing to a maximum of five layers of nested angle-brackets, under main-option strip_excess_angle_brackets | Jeremy Harris | |
2017-01-29 | Update change log | Jeremy Harris | |
2017-01-22 | DKIM: permit verify of sig blocks that sign other sig blocks. Bug 2014 | Jeremy Harris | |
2017-01-21 | Fix DKIM verify when used with CHUNKING. Bug 2016 | Jeremy Harris | |
2017-01-21 | Testcases for pipelined callout | Jeremy Harris | |
2017-01-21 | Fix DKIM verify operation in -bh test mode. Bug 2017 | Jeremy Harris | |
2017-01-18 | Bug-fix no_require_dnssec parsing & spelling fixes | Josh Soref | |
Patches from Josh Soref fixing spelling fixed two bugs: * Parsing `no_require_dnssec` configuration option * Setting `_HAVE_TRANSPORT_APPEND_MAILDIR` macro (for config parsing) [ PP pulled these two out into a separate commit to update the ChangeLog accordingly. ] | |||
2017-01-18 | 214 spelling fixes | Josh Soref | |
2017-01-03 | CHUNKING: fix non-pipelined synch checks. Bug 2004 | Jeremy Harris | |
2017-01-02 | PROXY: fix v2 protocol decode. Bugs 2003, 1747 | Jeremy Harris | |
2016-12-31 | Merge remote-tracking branch 'github/pr/50' | Phil Pennock | |
GitHub user @YmrDtnJu "Björn" provided a patch to fix that we called ldap_start_tls_s on ldapi:// connections. This is obviously a correct change, since above we've avoided initializing the TLS state if using ldapi. Added documentation noting this behaviour. | |||
2016-12-29 | Pipe transport: expand the path option | Jeremy Harris | |
2016-12-26 | I18N: support IDNA2008. Bug 1911 | Jeremy Harris | |
2016-12-25 | Docs: Clean for next release | Jeremy Harris | |
2016-12-18 | Fix DKIM information leakage | Jeremy Harris | |
2016-12-04 | OpenSSL: default to tls_eccurve = auto | Heiko Schlittermann (HS12-RIPE) | |
For OpenSSL < 1.0.2: fallback to prime256v1, for newer libraries rely on auto-selection. | |||
2016-11-28 | Doc: Minor corrections/additions | Heiko Schlittermann (HS12-RIPE) | |
2016-11-25 | Update ChangeLog | Jeremy Harris | |
2016-11-08 | Ensure socket is nonblocking before draining. Bug 1914 | Jeremy Harris | |
2016-11-02 | Fix OCSP proof verification for direct-signed proofs. Bug 1909 | Jeremy Harris | |
2016-10-23 | Update README.UPDATING; fix typos in ChangeLog/NewStuff | Phil Pennock | |
2016-10-23 | Fix bug with aborted server TLS connection, under GnuTLS | Jeremy Harris | |
Longstanding, but exposed by 60d10ce | |||
2016-10-18 | Unbreak build: crypto hdrs not in system includes | Phil Pennock | |
If using pkg-config to get the paths for various packages and the crypto library headers are not in the system headers, then the hash work broke the Exim build by requiring the CFLAGS manipulation for _all_ builds, not just the TLS libraries. Shows up on MacOS where there's a system OpenSSL but not system OpenSSL headers (because only SecureTransport is supported) and using brew-installed OpenSSL. I've also coded the fix for GnuTLS on the same basis, but that's untested. Fixes bug 1906 | |||
2016-10-08 | DH parameters update, new values & default [exim-4_88_RC2] | Phil Pennock | |
* Add three new Exim-specific DH parameter constants; state provenance, but no way for others to verify; this is a signed commit, which is about as much as we can do for the truly paranoid: provide an audit trail. * Add the RFC 7919 DH primes + No TLS feature negotiation, per 7919, but the DH primes can be used if folks so choose * Fixed broken format string in util/gen_pkcs3.c * Tried to make gen_pkcs3.c support q values. + Turns out, q doesn't affect the PEM and that's not a mistake in my initialisation; I've checked with a cryptographer, we're losing some server-side optimizations but not any security properties for our scenario. Fixes: 1895 | |||
2016-10-08 | Fix callouts connection fallback from TLS to cleartext. Bug 1897 | Jeremy Harris | |
2016-10-02 | Logging: connection_reject log selector should apply also to the connect acl | Jeremy Harris | |
2016-09-28 | Default to filesystem space/inode checking enabled | Jeremy Harris | |
2016-09-22 | Defend against symlink attack by another process running as exim | Jeremy Harris | |
Reported-by: http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ | |||
2016-09-22 | Routing: avoid doing the one_time replacement operation when a redirect leaves the address unchanged | Jeremy Harris | |
When done, in combination with a defer the retry would see the address as delivered, hence losing mail. | |||
2016-09-18 | ACL: merge the tables used for condition/modifier decode | Jeremy Harris | |
2016-09-18 | ACL: bsearch for controls | Jeremy Harris | |
2016-09-11 | Log EHLO response on getting conn-close response for HELO. Bug 1832 | Jeremy Harris | |
2016-08-18 | Delivery: fix transmission down an already-open connection, when one of the group of addresses is unsuitable for it. Bug 1874 | Jeremy Harris | |
Broken-by: 3070ceeeed05, fa41615da702. | |||
2016-08-17 | Delivery: same-host checking for transport runs should include port from address given by routing | Jeremy Harris | |
2016-08-14 | DMARC: send forensic reports for reject & quarantine results, and "none" policy. Bug 1846 | Tony Meyer | |
2016-08-11 | ACL: Ensure that acl_smtp_notquit is called for a conndrop between data-go-ahead and data-ack. Bug 1872 | Jasen Betts | |
2016-08-08 | Radius: Fix authentication for Radius libraries that return REJECT_RC. Bug 1850 | Leonhard Knauff | |
2016-08-06 | Routing: in a dnslookup, fix fail_defer_domains to defer on missing MX record. Bug 1867 | Jeremy Harris | |
2016-08-04 | Merge branch 'fakereject' | Jeremy Harris | |
2016-08-04 | Logging: visibility of fakereject | Jeremy Harris | |
2016-08-03 | DANE: treat a TLSA response having only non-TLSA records the same as a no-match response | Jeremy Harris | |
2016-07-31 | Fix $body_linecount for empty lines | Jeremy Harris | |