Age | Commit message (Collapse) | Author |
|
If the dovecot protocol response doesn't include the MECH message for
the SMTP AUTH protocol the client has requested, that's not a protocol
failure, don't log it as such. Instead, explicitly log that it didn't
advertise the mechanism we're looking for. This lets administrators fix
either their Exim or their Dovecot configurations.
Also: make the Dovecot handling more resistant to bad data from the auth
server; handle too many fields with debug-log message to explain what's
going on, permit lines of 8192 length per spec and detect if the line is
too long, so that we can fail auth instead of becoming unsynchronised.
Stop using the CUID from the server as the AUTH id counter. They're
different, by my reading of the spec.
TESTED: works against Dovecot 2.1.10.
Thanks to Brady Catherman for reporting the problem with diagnosis.
|
Set the POSIX -e option on the #! line invoking /bin/sh.
If any of the sub-commands fail, the Configure as a whole should fail.
|
Broken in 4.80 release, commit 08488c86.
We need to leave $auth1 available after the authenticator returns, so
that server_set_id can be evaluated by the caller. We need to do this
whether we succeed or fail, because server_set_id only makes it into
$authenticated_id if we return OK, but is logged regardless.
Updated test config to set server_set_id; updated logs.
|
New log_selector, smtp_mailauth, to enable.
|
Rather than pass "where" around all the string-expansion calls I've
used a global; an unpleasant mismatch with the existing "where"
tracking done for nested ACL calls.
|
Avoiding confusion of 4.80.1 vs 4.81, we went with skipping to 4.82 instead.
|
Merge commit '4263f395efd136dece52d765dfcff3c96f17506e'
Amendment to ChangeLog to handle changes.
|
CVE-2012-5671
malloc/heap overflow, with a 60kB window of overwrite.
Requires DNS under control of person sending email, leaves plenty of
evidence, but is very likely exploitable on OSes that have not been
well hardened.
|
side-effects that must
be persistent.
|
This is a very common requirement for the portion of the user-base who need the most assistance.
|
added in ACLs. Bug 199.
|
NB: this means a bare "X-ACL-Warn:" header is harder to add.
|
My commit 3a7963704c519 broke compilation without HAVE_IPv6. Rework.
|
Update src comment to be clearer about why it's safe for "state of this transport" to affect other deliveries.
Mention change in externally observable state in README.UPDATING.
Reference bugzilla entry in ChangeLog.
Update Paul's credit in ACKNOWLEDGMENTS.
|
bug 1262 and patch from Paul Fisher. Testcase 0288 exercises.
|
Used patch from Magnus Holmgren dated 2007-02-20.
Added documentation.
Added tests to detect proper operation.
|
Thanks to Jay Rouman for highlighting that there can be rollover.
I have chosen *not* to reduce the duration, but to leave it and instead
provoke thought on the part of those deploying systems, if this bites them.
|
Fix the acl condition also; and make editor brace-matching a
little better.
|
after connection startup, to match documentation - bug 1144.
|
GitHub seems to assume content is 8bit.
|
Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
We just add CFLAGS_DYNAMIC too and some comments.
Non-POSIX syntax, but fairly portable; GNU make gained it in 1998,
we believe even very old systems should handle it fine.
|
to match saslauthd condition.
|
GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will
autoload modules, which interoperates badly with GNOME keyring
integration, configured via paths in environment variables, and Exim
invoked by the user (eg, mailq) will then try to load the modules, fail
and spew warnings from the module for a library loaded by a library.
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
documents that to prevent this, explicitly init PKCS11 before calling
gnutls_global_init(). So we do so, unless the admin sets the new
option.
Reported by Andreas Metzler, who confirmed that the added calls fixed
the problem for him.
|