summaryrefslogtreecommitdiff
path: root/doc
AgeCommit message (Collapse)Author
2012-06-03DSCP: inbound via control = dscp/<value>Phil Pennock
2012-06-02Docs: pipes in redirect, need for quote cautionPhil Pennock
2012-06-02DSCP: take numeric values too.Phil Pennock
Also fix doc claim that value is unexpanded. Also strip affix whitespace before numeric conversion and fixed string comparison.
2012-06-02DSCP: document; hex print; -bI:dscpPhil Pennock
2012-06-01DNSSEC babystep: dns_use_dnssec & $sender_host_dnssecPhil Pennock
2012-06-01ACKNOWLEDGEMENTS update, covering a few yearsPhil Pennock
2012-06-01tls_dh_min_bits smtp transport optionPhil Pennock
Could not find an API for use with OpenSSL, so GnuTLS only
2012-06-01Make -n combine with -bP to inhibit namesPhil Pennock
2012-06-01Add -bI:help and -bI:sievePhil Pennock
2012-05-31Doc: drop .new/.wen, update previousversion.Phil Pennock
Also, drop fix one place which claimed TLS SNI support was OpenSSL only.
2012-05-30Revert "Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512."exim-4_80Phil Pennock
This reverts commit 83f4c7515f3eb06dc070e78edd2694c1d088e5fd. This was not a new check! The call to gnutls_dh_set_prime_bits() was made with DH_BITS in Exim 4.77, so the only difference is that now an administrator can choose at compile time to change the lower bound. So keeping this at 1024 is not a regression and if we can't talk to them now, we couldn't before, and we shouldn't lower security by default. The reverted commit was only acceptable IF it was still better than what we had in Exim 4.77.
2012-05-30Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512.Phil Pennock
Wolfgang Breyha saw a real-world site using 768 bits.
2012-05-28Merge openssl_disable_ssl2 branchexim-4_80_RC7Phil Pennock
2012-05-27Doc: fix glitchexim-4_80_RC6Phil Pennock
2012-05-27Doc: SECTgnutlsparam referencing tls_dhparamPhil Pennock
2012-05-27For DH, use standard primes from RFCsPhil Pennock
2012-05-27Deal with GnuTLS DH generation overshootPhil Pennock
2012-05-26FAQ for GnuTLSPhil Pennock
2012-05-25Doc: Provide context for bare numbers from CHAP/SECT.Phil Pennock
2012-05-25Cyrus SASL auth: SSF retrieval was incorrect.Phil Pennock
Exim thought protection layer was required, which is not implemented. Patch from Wolfgang Breyha. Fixes bug 1254
2012-05-24Added some more .gitignore entriesNigel Metheringham
Ignore more build side effects
2012-05-23_ISOC99_SOURCE -> _GNU_SOURCEexim-4_80_RC5Phil Pennock
_ISOC99_SOURCE broke build on Linux (Ubuntu 11.10) because it broke <resolv.h>, <arpa/nameser.h>, etc. Their u_char and u_int usage relies upon BSD source being enabled too. So use _GNU_SOURCE.
2012-05-23Define _ISOC99_SOURCE in exim.hPhil Pennock
Done before os.h is pulled in so an OS can override it.
2012-05-23Doc: move -bmalware into alphabetic placePhil Pennock
2012-05-23Doc: s/DNS/domains/ in new textPhil Pennock
2012-05-23Doc: document when dnslookup will declinePhil Pennock
2012-05-23Doc: tls_require_ciphers examplesPhil Pennock
Note how to test strings, provide examples which distinguish port 25 from other ports. Carefully used short examples, but allows two different strings per implementation and demonstrates how the strings are very different.
2012-05-22OCSP description: minor nitsPhil Pennock
2012-05-21.end -> .wenexim-4_80_RC4Phil Pennock
2012-05-21Add tls_dh_max_bits to OptionLists.txtPhil Pennock
2012-05-21features.h; tls_validate_require_cipher: log flag & testsexim-4_80_RC3Phil Pennock
Pull in <features.h> on Linux. Switch readconf log from D_all (bug) to D_tls (though D_any would have worked). Modified runtest to handle clamped DH bits and tls_validate_require_cipher added debug logging.
2012-05-20Update docs for latest state of TLS affairs.Phil Pennock
gnutls-params bits count no longer necessarily what GnuTLS says to use. The OpenSSL-vs-GnuTLS text needed some updating. Catches a ChangeLog addition made during the previous commit, so not picked up by it.
2012-05-20Added tls_dh_max_bits & check tls_require_ciphers early.Phil Pennock
Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS was suggesting 2432 bits as normal. Added new global option tls_dh_max_bits to clamp all DH values (client or server); unexpanded integer. Default value to 2236. Apply to both GnuTLS and OpenSSL (which requires tls_dh_params for this). Tired of debugging "SMTP fails TLS" error messages in mailing-lists caused by OpenSSL library/include clashes, and of finding out I typo'd in tls_require_ciphers only at the STARTTLS handshake. During readconf, fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers is set, then validate it. The validation child will panic if it can't initialise or if tls_require_ciphers can't be parsed, else it exits 0. If the child exits anything other than 0, the main Exim process will exit.
2012-05-20tls_require_ciphers must be assigned to state copyPhil Pennock
2012-05-19PRINTF_FUNCTION -> ALMOST_PRINTF.Phil Pennock
WANT_DEEPER_PRINTF_CHECKS guards ALMOST_PRINTF being PRINTF_FUNCTION. Fix some actual issues exposed when I cut down on the spam.
2012-05-19PCRE_PRERELEASE fix, againPhil Pennock
2012-05-18Fix three issues highlighted by clang analyser.Phil Pennock
Only crash-plausible issue would require the Cambridge-specific iplookup router and a misconfiguration. Report from Marcin Mirosław
2012-05-18Document DCC in experimental-spec.txtPhil Pennock
Base text from Wolfgang Breyha. I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.
2012-05-18Fix dcc_header content corruption.Phil Pennock
(stack memory referenced, read-only, out of scope). Patch from Wolfgang Breyha, report from Stuart Northfield.
2012-05-18SPF multiple strings join on "".Phil Pennock
Patch from Janne Snabb.
2012-05-17Insert new JH/02 entry for the ACL clean-upPhil Pennock
2012-05-18Documentation update for bug 1172.root
2012-05-17Copyright year updates.Phil Pennock
Updated all files modified in 2012 which contained a copyright year already, unless the range was specified as open-ended. vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
2012-05-174.78 -> 4.80Phil Pennock
2012-05-17Guards for older releases of GnuTLS.Phil Pennock
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time. In older versions, the vaguely_random_number() function just immediately calls the fallback, so it's the same as before this change (just one extra indirection in the code-path). Define a constant of 1024 for dh-bits for use in those old releases where GnuTLS won't tell us how many we should use. Change the on-disk filename for generated D-H params again, replacing the -normal with -<bitcount>, so that it's 1024 or whatever, and as the value changes, Exim will automatically start using the new value.
2012-05-17dnsdb SPF support, from Janne SnabbPhil Pennock
2012-05-16Merge branch 'experimental_ocsp'Phil Pennock
2012-05-16Overhaul of GnuTLS code.Phil Pennock
GnuTLS code re-done, using cut&paste for preservation where appropriate. Stop using deprecated APIs. Stop hard-coding lists of ciphers. Use gnutls_priority_init() instead. Turns tls_require_ciphers into a string in the GnuTLS case, not just OpenSSL case. Deprecate three gnutls_require_* options; now ignored but not errors. (No warnings yet). Added TLS SNI support. Made the channel binding integration theoretically actually work. I had it guarded by an #ifdef but the value used was an enum instead. Oops. Fixed. New code much more amenable to future work permitting TLS in callouts. DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's suddenly a lot more bits, so the saved filename was changed too. (GNUTLS_SEC_PARAM_NORMAL). DH param setup only done for servers now, since clients don't need/use it. GnuTLS a lot more robust to library negotiation using stuff we don't support, error-ing out quickly for other authentication systems (PGP, etc). Renamed pseudo_random_number() to vaguely_random_number() which makes the nature clearer. GnuTLS now provides a vaguely_random_number() implementation, to match OpenSSL. Pull in <inttypes.h> to make the recent arithmetic changes compile on MacOS. Nuke test 2011 which related to the gnutls_require_* options now non-functional.
2012-05-13Use defines in config.h for type & scanf-patterns for eval. Update docs.Jeremy Harris
2012-05-13Fixed headers_only on smtp transports.Phil Pennock
Was not sending trailing dot. Added test case to catch this. fixes bug 1246.