summaryrefslogtreecommitdiff
path: root/doc
AgeCommit message (Collapse)Author
2013-04-07Merge branch 'ocsp_staple_rollup'Jeremy Harris
* ocsp_staple_rollup: tidying OCSP-stapling enhancement and testing.
2013-04-03Fix -p doc mention of Perl -pd conflict.Phil Pennock
Reported by Heiko Schlichting. fixes 1345
2013-04-01Clean & integrate force_command.Phil Pennock
Work by J. Nick Koston, for cPanel, Inc.
2013-04-01Add the force_command option to the pipe transportJ. Nick Koston
Normally when a router redirects an address directly to a pipe command the command option on the transport is ignored. If force_command is set, the command option will expanded and used. This is especially useful for forcing a wrapper or additional argument to be added to the command.
2013-03-25OCSP-stapling enhancement and testing.Jeremy Harris
Server: Honor environment variable as well as running_in_test_harness in permitting bogus staplings Update server tests Add "-ocsp" option to client-ssl. Server side: add verification of stapled status. First cut server-mode ocsp testing. Fix some uninitialized ocsp-related data. Client (new): Verify stapling using only the chain that verified the server cert, not any acceptable chain. Add check for multiple responses in a stapling, which is not handled Refuse verification on expired and revoking staplings. Handle OCSP client refusal on lack of stapling from server. More fixing in client OCSP: use the server cert signing chain to verify the OCSP info. Add transport hosts_require_ocsp option. Log stapling responses. Start on tests for client-side. Testing support: Add CRL generation code and documentation update Initial CA & certificate set for testing. BUGFIX: Once a single OCSP response has been extracted the validation routine return code is no longer about the structure, but the actual returned OCSP status.
2013-03-23Rename dns_use_dnssec to dns_dnssec_ok.Phil Pennock
This per Tony's suggestion; this makes it clearer that we are merely setting resolver flags, not performing validation ourselves. Well, clearer to those who understand DNSSEC. For everyone else, they'll still be dependent upon a forthcoming new chapter to the Specification.
2013-03-13OpenSSL fix empty tls_verify_certificates.Phil Pennock
New behaviour matches GnuTLS handling, and is documented. Previously, a tls_verify_certificates expansion forced failure was the only portable way to avoid setting this option. Now, an empty string is equivalent.
2013-03-11configure.default handle IPv6 localhost better.Phil Pennock
Base patch by Alain Williams. Tweaked, to avoid putting an IPv6-dependency into the default uncommented form, and some rewording. Bugzilla 880. GitHub PR #1.
2013-03-11Document the last change in ChangeLogPhil Pennock
2013-02-19Bug 1339: DCC update (Wolfgang Breyha)Jeremy Harris
2013-02-15Add a few temp doc items to ignoreTodd Lyons
2013-01-26PRDR support, if compiled with EXPERIMENTAL_PRDRJeremy Harris
2013-01-14Update eximstats to watch out for senders sending 'HELO [IpAddr]'Steve Campbell
2013-01-14Fix GNU Hurd interface IPv6 address detection.Phil Pennock
Define SIOCGIFCONF_GIVES_ADDR in OS/os.h-GNU Fixes 1331.
2013-01-07Typo & nit fixes.Phil Pennock
JH has made more changes than he realised. New second JH/11 to JH/13.
2013-01-06Restrict lifetime of $router_name and $transport_name. Bug 308.Jeremy Harris
The router name is explicitly nulled after the router exits; the transport name is set only in the subprocess it runs in.
2012-12-25Add $router_name and $transport_name variables. Bug 308.Jeremy Harris
2012-12-23Typo fixes (experimental-spec)Phil Pennock
2012-12-20GnuTLS-FAQ: typo fixes & glitch re standard primesPhil Pennock
Mostly typos. Was one instance of "which a future release of Exim will probably support" which should already have been "which Exim now supports". Doh. Fixed too.
2012-12-11Document scripts/lookups-Makefile for new lookups.Phil Pennock
Missing step for adding a new lookup noticed by Paul Gamble.
2012-12-09OCSP/SNI: set correct callback.Phil Pennock
Caught by Jeremy; was wrong in (my) original commit, the dual-TLS work had just renamed the variables and theoretically made it more visible. I still missed it. The server_sni context initialisation was setting the OCSP status callback context parameter back on the original server_ctx instead of the new server_sni context. I guess OCSP and SNI aren't being used together in Exim much yet.
2012-12-07Note build fixes in ChangeLogTony Finch
2012-12-06Added DCC entry to Changelog as GF/01 (2nd attempt)Graeme Fowler
2012-12-06Revert "Added DCC entry to Changelog as GF/01"Graeme Fowler
This reverts commit fee685ddb4cb1a995556b5cc35df907ae7a8ad62.
2012-12-06Added DCC entry to Changelog as GF/01Graeme Fowler
2012-12-06Fix my earlier "fix" for intermittently deliverable recipients.Tony Finch
Only do the ultimate address timeout check if there is an address retry record and there is not a domain retry record; this implies that previous attempts to handle the address had the retry_use_local_parts option turned on. We use this as an approximation for the destination being like a local delivery, as in LMTP.
2012-12-06Correct gecos expansion when From: is a prefix of the username.Tony Finch
Test 0254 submits a message to Exim with the header Resent-From: f When I ran the test suite under the user fanf2, Exim expanded the header to contain my full name, whereas it should have added a Resent-Sender: header. It erroneously treats any prefix of the username as equal to the username. This change corrects that bug.
2012-11-30Add retry timeout fix to ChangeLogTony Finch
2012-11-26Use new .copyyear macroPhil Pennock
2012-11-25Revert copyright years to manual-update. Bug 1318.Jeremy Harris
2012-11-24Insert version number and date into documentation at build time. Bug 1318.Jeremy Harris
Write a temp file with macro definitions from the makefile, and include it from the doc sources. Pass the version to make from the perl script. It is still needed to manually update the previous-version number and changebar indicators (.new/.wen) manually.
2012-11-19Dovecot: robustness; better msg on missing mech.Phil Pennock
If the dovecot protocol response doesn't include the MECH message for the SMTP AUTH protocol the client has requested, that's not a protocol failure, don't log it as such. Instead, explicitly log that it didn't advertise the mechanism we're looking for. This lets administrators fix either their Exim or their Dovecot configurations. Also: make the Dovecot handling more resistant to bad data from the auth server; handle too many fields with debug-log message to explain what's going on, permit lines of 8192 length per spec and detect if the line is too long, so that we can fail auth instead of becoming unsynchronised. Stop using the CUID from the server as the AUTH id counter. They're different, by my reading of the spec. TESTED: works against Dovecot 2.1.10. Thanks to Brady Catherman for reporting the problem with diagnosis.
2012-11-07ChangeLog update for NTLM/server_set_idPhil Pennock
2012-11-06Add optional authenticated_sender info to A= elements of log lines; bug 1314.Jeremy Harris
New log_selector, smtp_mailauth, to enable.
2012-11-05Docs fixupJeremy Harris
2012-11-04Add A= to delivery log lines, and a client_set_id option to authenticators.Jeremy Harris
2012-10-264.81 to 4.82Phil Pennock
Avoiding confusion of 4.80.1 vs 4.81, we went with skipping to 4.82 instead.
2012-10-26Merge 4.80.1 security fix in.Phil Pennock
Merge commit '4263f395efd136dece52d765dfcff3c96f17506e' Amendment to ChangeLog to handle changes.
2012-10-25Merge branch 'master' of git://git.exim.org/eximJeremy Harris
2012-10-25Save/restore $acl_arg1 ... across acl calls, making them local variables.Jeremy Harris
2012-10-24SECURITY: DKIM DNS buffer overflow protectionPhil Pennock
CVE-2012-5671 malloc/heap overflow, with a 60kB window of overwrite. Requires DNS under control of person sending email, leaves plenty of evidence, but is very likely exploitable on OSes that have not been well hardened.
2012-10-17Example tune for clarity (reverse_ip)Phil Pennock
Use a last octet which will highlight the hex nature in the example. > ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127} f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
2012-10-15Note post-DATA ACL ordering.Phil Pennock
DKIM, then MIME, then DATA. (Also CHID12 -> CHAPdkim)
2012-10-06Doc fix: log field M8S=, in details sectionPhil Pennock
2012-10-06Logging-only patch for 8BITMIME; bug 817.Jeremy Harris
2012-10-04Add expansion variable $headers_added returning newline-sep list of headersJeremy Harris
added in ACLs. Bug 199.
2012-10-04Strip leading/trailing newlines on list of headers for addition; bug 884.Jeremy Harris
NB: this means a bare "X-ACL-Warn:" header is harder to add.
2012-10-03Releases signed by Phil's key, not Nigel's.Phil Pennock
State a more general policy of PGP signing, mention trust paths, cite the main public keyserver pool, provide a link to a trustpath display between Nigel's key and Phil's. Provide Phil's current PGP keyid (noting will change in 2013). Bounce via a redirector, on Phil's security site, because: (1) xfpt barfs on &url(..) where the URL contains an ampersand (2) No ampersands means less debugging across various platforms (3) The redirector is https: with a public cert, where www.exim.org does not have a cert (with that name, at this time). All keys cited in 0xLong form (16 hex characters). Nits: (1) URL is given with https:// on one line, the rest on the next (2) using alt text does not give the URL in the .txt format, despite the docs, because we build .txt from w3m -dump, so the HTML form is used. (3) Ideally, we'll get around to having https://www.exim.org/ exist and be usable for this redirect. Side-effects: (1) My name is in The Spec for the first time. :)
2012-09-24Add doc caveats on cutthrough-delivery vs. verify-mode routers.Jeremy Harris
2012-09-11Minor doc nits re bug 1262.Phil Pennock
Update src comment to be clearer about why it's safe for "state of this transport" to affect other deliveries. Mention change in externally observable state in README.UPDATING. Reference bugzilla entry in ChangeLog. Update Paul's credit in ACKNOWLEDGMENTS.