| Age | Commit message (Collapse) | Author |
|---|
|
If the dovecot protocol response doesn't include the MECH message for
the SMTP AUTH protocol the client has requested, that's not a protocol
failure, don't log it as such. Instead, explicitly log that it didn't
advertise the mechanism we're looking for. This lets administrators fix
either their Exim or their Dovecot configurations.
Also: make the Dovecot handling more resistant to bad data from the auth
server; handle too many fields with debug-log message to explain what's
going on, permit lines of 8192 length per spec and detect if the line is
too long, so that we can fail auth instead of becoming unsynchronised.
Stop using the CUID from the server as the AUTH id counter. They're
different, by my reading of the spec.
TESTED: works against Dovecot 2.1.10.
Thanks to Brady Catherman for reporting the problem with diagnosis.
|
|
|
|
New log_selector, smtp_mailauth, to enable.
|
|
|
|
|
|
Avoiding confusion of 4.80.1 vs 4.81, we went with skipping to 4.82 instead.
|
|
Merge commit '4263f395efd136dece52d765dfcff3c96f17506e'
Amendment to ChangeLog to handle changes.
|
|
|
|
|
|
CVE-2012-5671
malloc/heap overflow, with a 60kB window of overwrite.
Requires DNS under control of person sending email, leaves plenty of
evidence, but is very likely exploitable on OSes that have not been
well hardened.
|
|
Use a last octet which will highlight the hex nature in the example.
> ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127}
f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
|
|
DKIM, then MIME, then DATA.
(Also CHID12 -> CHAPdkim)
|
|
|
|
|
|
added in ACLs. Bug 199.
|
|
NB: this means a bare "X-ACL-Warn:" header is harder to add.
|
|
State a more general policy of PGP signing, mention trust paths, cite
the main public keyserver pool, provide a link to a trustpath display
between Nigel's key and Phil's.
Provide Phil's current PGP keyid (noting will change in 2013).
Bounce via a redirector, on Phil's security site, because:
(1) xfpt barfs on &url(..) where the URL contains an ampersand
(2) No ampersands means less debugging across various platforms
(3) The redirector is https: with a public cert, where www.exim.org
does not have a cert (with that name, at this time).
All keys cited in 0xLong form (16 hex characters).
Nits:
(1) URL is given with https:// on one line, the rest on the next
(2) using alt text does not give the URL in the .txt format, despite
the docs, because we build .txt from w3m -dump, so the HTML form is
used.
(3) Ideally, we'll get around to having https://www.exim.org/ exist and
be usable for this redirect.
Side-effects:
(1) My name is in The Spec for the first time. :)
|
|
|
|
Update src comment to be clearer about why it's safe for "state of this transport" to affect other deliveries.
Mention change in externally observable state in README.UPDATING.
Reference bugzilla entry in ChangeLog.
Update Paul's credit in ACKNOWLEDGMENTS.
|
|
bug 1262 and patch from Paul Fisher. Testcase 0288 exercises.
|
|
|
|
Some whitespace changes; 4.73 item 8: bool_lax{} is an expansion condition, not e. operator.
Fix a comma to a period.
|
|
|
|
Submitted by Regid.
|
|
Fixed spec docbook file to pass validation when building spec.txt.
Adjust Makefile to not delete html, but not version controlled
index.html.
|
|
|
|
|
|
Used patch from Magnus Holmgren dated 2007-02-20.
Added documentation.
Added tests to detect proper operation.
|
|
|
|
|
|
Thanks to Jay Rouman for highlighting that there can be rollover.
I have chosen *not* to reduce the duration, but to leave it and instead
provoke thought on the part of those deploying systems, if this bites them.
|
|
|
|
|
|
|
|
|
|
|
|
Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
We just add CFLAGS_DYNAMIC too and some comments.
Non-POSIX syntax, but fairly portable; GNU make gained it in 1998,
we believe even very old systems should handle it fine.
|
|
GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will
autoload modules, which interoperates badly with GNOME keyring
integration, configured via paths in environment variables, and Exim
invoked by the user (eg, mailq) will then try to load the modules, fail
and spew warnings from the module for a library loaded by a library.
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
documents that to prevent this, explicitly init PKCS11 before calling
gnutls_global_init(). So we do so, unless the admin sets the new
option.
Reported by Andreas Metzler, who confirmed that the added calls fixed
the problem for him.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
