Age | Commit message (Collapse) | Author |
|
* ocsp_staple_rollup:
tidying
OCSP-stapling enhancement and testing.
|
|
Reported by Heiko Schlichting.
fixes 1345
|
|
Work by J. Nick Koston, for cPanel, Inc.
|
|
Normally when a router redirects an address directly to a pipe command
the command option on the transport is ignored. If force_command
is set, the command option will expanded and used. This is especially
useful for forcing a wrapper or additional argument to be added to the
command.
|
|
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
|
|
This per Tony's suggestion; this makes it clearer that we are merely
setting resolver flags, not performing validation ourselves.
Well, clearer to those who understand DNSSEC. For everyone else,
they'll still be dependent upon a forthcoming new chapter to the
Specification.
|
|
New behaviour matches GnuTLS handling, and is documented.
Previously, a tls_verify_certificates expansion forced failure was the
only portable way to avoid setting this option. Now, an empty string is
equivalent.
|
|
Base patch by Alain Williams.
Tweaked, to avoid putting an IPv6-dependency into the default
uncommented form, and some rewording.
Bugzilla 880.
GitHub PR #1.
|
|
|
|
|
|
|
|
|
|
|
|
Define SIOCGIFCONF_GIVES_ADDR in OS/os.h-GNU
Fixes 1331.
|
|
JH has made more changes than he realised. New second JH/11 to JH/13.
|
|
The router name is explicitly nulled after the router exits;
the transport name is set only in the subprocess it runs in.
|
|
|
|
|
|
Mostly typos.
Was one instance of "which a future release of Exim will probably support"
which should already have been "which Exim now supports". Doh. Fixed
too.
|
|
Missing step for adding a new lookup noticed by Paul Gamble.
|
|
Caught by Jeremy; was wrong in (my) original commit, the dual-TLS work
had just renamed the variables and theoretically made it more visible.
I still missed it.
The server_sni context initialisation was setting the OCSP status
callback context parameter back on the original server_ctx instead of
the new server_sni context.
I guess OCSP and SNI aren't being used together in Exim much yet.
|
|
|
|
|
|
This reverts commit fee685ddb4cb1a995556b5cc35df907ae7a8ad62.
|
|
|
|
Only do the ultimate address timeout check if there is an address
retry record and there is not a domain retry record; this implies
that previous attempts to handle the address had the retry_use_local_parts
option turned on. We use this as an approximation for the destination
being like a local delivery, as in LMTP.
|
|
Test 0254 submits a message to Exim with the header
Resent-From: f
When I ran the test suite under the user fanf2, Exim expanded
the header to contain my full name, whereas it should have added
a Resent-Sender: header. It erroneously treats any prefix of the
username as equal to the username.
This change corrects that bug.
|
|
|
|
|
|
|
|
Write a temp file with macro definitions from the makefile, and include it
from the doc sources. Pass the version to make from the perl script.
It is still needed to manually update the previous-version number and
changebar indicators (.new/.wen) manually.
|
|
If the dovecot protocol response doesn't include the MECH message for
the SMTP AUTH protocol the client has requested, that's not a protocol
failure, don't log it as such. Instead, explicitly log that it didn't
advertise the mechanism we're looking for. This lets administrators fix
either their Exim or their Dovecot configurations.
Also: make the Dovecot handling more resistant to bad data from the auth
server; handle too many fields with debug-log message to explain what's
going on, permit lines of 8192 length per spec and detect if the line is
too long, so that we can fail auth instead of becoming unsynchronised.
Stop using the CUID from the server as the AUTH id counter. They're
different, by my reading of the spec.
TESTED: works against Dovecot 2.1.10.
Thanks to Brady Catherman for reporting the problem with diagnosis.
|
|
|
|
New log_selector, smtp_mailauth, to enable.
|
|
|
|
|
|
Avoiding confusion of 4.80.1 vs 4.81, we went with skipping to 4.82 instead.
|
|
Merge commit '4263f395efd136dece52d765dfcff3c96f17506e'
Amendment to ChangeLog to handle changes.
|
|
|
|
|
|
CVE-2012-5671
malloc/heap overflow, with a 60kB window of overwrite.
Requires DNS under control of person sending email, leaves plenty of
evidence, but is very likely exploitable on OSes that have not been
well hardened.
|
|
Use a last octet which will highlight the hex nature in the example.
> ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.127}
f.7.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
|
|
DKIM, then MIME, then DATA.
(Also CHID12 -> CHAPdkim)
|
|
|
|
|
|
added in ACLs. Bug 199.
|
|
NB: this means a bare "X-ACL-Warn:" header is harder to add.
|
|
State a more general policy of PGP signing, mention trust paths, cite
the main public keyserver pool, provide a link to a trustpath display
between Nigel's key and Phil's.
Provide Phil's current PGP keyid (noting will change in 2013).
Bounce via a redirector, on Phil's security site, because:
(1) xfpt barfs on &url(..) where the URL contains an ampersand
(2) No ampersands means less debugging across various platforms
(3) The redirector is https: with a public cert, where www.exim.org
does not have a cert (with that name, at this time).
All keys cited in 0xLong form (16 hex characters).
Nits:
(1) URL is given with https:// on one line, the rest on the next
(2) using alt text does not give the URL in the .txt format, despite
the docs, because we build .txt from w3m -dump, so the HTML form is
used.
(3) Ideally, we'll get around to having https://www.exim.org/ exist and
be usable for this redirect.
Side-effects:
(1) My name is in The Spec for the first time. :)
|
|
|
|
Update src comment to be clearer about why it's safe for "state of this transport" to affect other deliveries.
Mention change in externally observable state in README.UPDATING.
Reference bugzilla entry in ChangeLog.
Update Paul's credit in ACKNOWLEDGMENTS.
|