From 7befa435e5664f43d90bf5a2703fcf4f2a26139e Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Mon, 16 Oct 2006 13:43:21 +0000 Subject: Update Dovecot authenticator to (a) lock out tabs (b) add extra parameters "secured" and "valid-client-cert" when relevant. --- doc/doc-txt/ChangeLog | 12 ++++++++++-- doc/doc-txt/NewStuff | 8 +++++++- 2 files changed, 17 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2355e01fc..124101d78 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.408 2006/10/16 10:58:39 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.409 2006/10/16 13:43:21 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -65,7 +65,7 @@ PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ addresses), $smtp_active_hostname is used. PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various - tweaks were necessary in order to get it to work: + tweaks were necessary in order to get it to work (see also 21 below): (a) The code assumed that strncpy() returns a negative number on buffer overflow, which isn't the case. Replaced with Exim's string_format() function. @@ -142,6 +142,14 @@ PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a effect of slowing Exim down by computing (never used) parameters for the RSA_EXPORT functionality. +PH/21 On the advice of Timo Sirainen, added a check to the dovecot + authenticator to fail if there's a tab character in the incoming data + (there should never be unless someone is messing about, as it's supposed + to be base64-encoded). Also added, on Timo's advice, the "secured" option + if the connection is using TLS or if the remote IP is the same as the + local IP, and the "valid-client-cert option" if a client certificate has + been verified. + Exim version 4.63 ----------------- 
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 4ee55fdcf..b66cfb593 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.115 2006/10/03 15:11:22 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.116 2006/10/16 13:43:21 ph10 Exp $ New Features in Exim -------------------- @@ -72,6 +72,12 @@ Version 4.64 server_name = /var/run/dovecot/auth-client server_setid = $auth1 + If the SMTP connection is encrypted, or if $sender_host_address is equal to + $interface_address (that is, the connection is local), the "secured" option + is passed in the Dovecot authentication command. If, for a TLS connection, a + client certificate has been verified, the "valid-client-cert" option is + passed. + 4. The variable $message_headers_raw provides a concatenation of all the messages's headers without any decoding. This is in contrast to $message_headers, which does RFC2047 decoding on the header contents. -- cgit v1.2.3
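Review bot: In the new PH/21 entry of doc/doc-txt/ChangeLog (hunk @@ -142,6 +142,14), the closing quote is misplaced in 'the "valid-client-cert option"'. It should read 'the "valid-client-cert" option', matching the way "secured" is quoted two lines earlier and the way NewStuff spells it. The same entry says the authenticator will fail "if there's a tab character in the incoming data" without naming which data is checked. Since the justification given is that the data is supposed to be base64-encoded, please name the value being tested, so a reader can tell whether every client-supplied value forwarded to Dovecot is covered.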
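Review bot: In the paragraph added to doc/doc-txt/NewStuff (hunk @@ -72,6 +72,12), "secured" is documented as being passed for an unencrypted connection whenever $sender_host_address equals $interface_address, but the text never says what "secured" or "valid-client-cert" means to Dovecot, so an administrator cannot judge what an unencrypted same-address connection is being allowed to do. Suggest one sentence on the effect of each option on the Dovecot side, and a note that the equality test matches any address of the local host on which the connection arrived, not only loopback. The tab-character rejection recorded in ChangeLog PH/21 is also missing from this description. Because it changes when authentication fails, it deserves a line here as well.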