Bug#985984: unblock: exim4/4.94-17

Andreas Metzler ametzler at bebt.de
Sat Mar 27 13:15:07 GMT 2021


Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
X-Debbugs-Cc: exim4 at packages.debian.org

Hello release team,

Please unblock exim4.

The main point of this upload is to fix the issues reported by Jö Fahlke
which apply to bullseye. This was fixed for buster in a more conservative
way (document instead of improved behavior) in 4.92-8+deb10u5.

* README.Debian: Fix typo "tls_verify_certificate" instead of
  "tls_verify_certificates".
* General doc improvements in this area. (Thanks, Jö Fahlke) Closes: #985244
* Enforce certificate verification against the system trust store in the
  remote SMTP transport by default by setting
  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *. Closes: #985344
* Let exim4-config Recommend ca-certificates, needed for certificate
  verification.

The second important change is
* Intensify upgrade warning in NEWS file.

I have also synced with upstream's bugfix-only GIT branch.

unblock exim4/4.94-17

TIA, cu Andreas
diff -Nru exim4-4.94/debian/changelog exim4-4.94/debian/changelog
--- exim4-4.94/debian/changelog	2021-02-07 08:13:29.000000000 +0100
+++ exim4-4.94/debian/changelog	2021-03-18 13:54:47.000000000 +0100
@@ -1,3 +1,30 @@
+exim4 (4.94-17) unstable; urgency=medium
+
+  * Let exim4-config Recommend ca-certificates, needed for certificate
+    verification.
+
+ -- Andreas Metzler <ametzler at debian.org>  Thu, 18 Mar 2021 13:54:47 +0100
+
+exim4 (4.94-16) unstable; urgency=medium
+
+  * README.Debian: Fix typo "tls_verify_certificate" instead of
+    "tls_verify_certificates".
+  * General doc improvements in this area. (Thanks, Jö Fahlke) Closes: #985244
+  * Intensify upgrade warning in NEWS file.
+  * Enforce certificate verification against the system trust store in the
+    remote SMTP transport by default by setting
+    REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *. Closes: #985344
+  * Update from exim-4.94+fixes:
+    + 74_56-Fix-FreeBSD-13-build.patch
+    + 74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch
+    + 74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch
+    + 74_59-Fix-build-for-platforms-not-having-ulong.patch
+    + 74_60-Fix-list-expansion-for-various-domainlists-having-in.patch
+    + 74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch
+    + 74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch
+
+ -- Andreas Metzler <ametzler at debian.org>  Wed, 17 Mar 2021 13:50:44 +0100
+
 exim4 (4.94-15) unstable; urgency=medium
 
   * Update from exim-4.94+fixes:
diff -Nru exim4-4.94/debian/control exim4-4.94/debian/control
--- exim4-4.94/debian/control	2021-01-30 18:21:15.000000000 +0100
+++ exim4-4.94/debian/control	2021-03-18 13:54:47.000000000 +0100
@@ -109,6 +109,7 @@
  exim4-config-2,
  ${MTA-Conflicts}
 Depends: adduser, ${misc:Depends}, ${shlibs:Depends}
+Recommends: ca-certificates
 Description: configuration for the Exim MTA (v4)
  Exim (v4) is a mail transport agent. exim4-config provides the configuration
  for the exim4 daemon packages. The configuration framework has been split
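Review bot: Recommends rather than Depends leaves a gap that the new default opens: a system installed with --no-install-recommends has no /etc/ssl/certs trust store, so with REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = * every TLS delivery through the smarthost transport fails verification, and where TLS is also required the mail queues. Recommends is the right level for a configuration package, but the 4.94-16 NEWS entry should state plainly that ca-certificates (or a private CA file via REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES) must be present for the default to work.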
diff -Nru exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros
--- exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros	2020-02-29 15:37:28.000000000 +0100
+++ exim4-4.94/debian/debconf/conf.d/transport/10_exim4-config_transport-macros	2021-03-18 13:53:44.000000000 +0100
@@ -14,3 +14,7 @@
 REMOTE_SMTP_HELO_DATA=${lookup dnsdb {ptr=$sending_ip_address}{$value}{$primary_hostname}}
 .endif
 .endif
+
+.ifndef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+  REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *
+.endif
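Review bot: .ifndef only tests whether the macro is defined, so the way to switch verification off is to define REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS with an empty value, not to leave it unset. README.Debian explains that, but this file is where an admin editing conf.d will look first; a one-line comment above the .ifndef ("define the macro empty to disable certificate verification for the smarthost transport") saves the round trip. The default is scoped to remote_smtp_smarthost only, which matches the changelog wording.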
diff -Nru exim4-4.94/debian/NEWS exim4-4.94/debian/NEWS
--- exim4-4.94/debian/NEWS	2020-11-03 18:11:40.000000000 +0100
+++ exim4-4.94/debian/NEWS	2021-03-18 13:53:44.000000000 +0100
@@ -1,11 +1,36 @@
+exim4 (4.94-16) unstable; urgency=medium
+
+  The configuration now enforces certificate verification against the
+  system trust store on encrypted connections using the
+  remote_smtp_smarthost transport (smarthost and satellite setups).
+  Delivery will therefore fail if the host certificates are not verifyable
+  and non TLS delivery is not available (e.g. because AUTH PLAIN is used).
+
+ -- Andreas Metzler <ametzler at debian.org>  Wed, 17 Mar 2021 13:50:44 +0100
+
 exim4 (4.94~RC0-2) experimental; urgency=low
 
-  Some Transports now refuse to use tainted data in constructing their
-  delivery location; this WILL BREAK configurations which are not updated
-  accordingly.  In particular: any Transport use of $local_user which has
-  been relying upon check_local_user far away in the Router to make it
-  safe, should be updated to replace $local_user with
-  $local_part_data.
+  Please consider this a *major* exim upgrade. It introduces the concept of
+  tainted data read from untrusted sources, like e.g. message sender or
+  recipient. This tainted data (e.g. $local_part or $domain) cannot be used
+  among other things as a file or directory name or command name.
+
+  This WILL BREAK configurations which are not updated accordingly.
+  Old Debian exim configuration files also will not work unmodified, the new
+  configuration needs to be installed with local modifications merged in.
+
+  Typical nonworking examples include:
+  * Delivery to /var/mail/$local_part. Use $local_part_data in combination
+    with check_local_user.
+  * Using
+    data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
+    instead of
+    data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
+    for a virtual domain alias file.
+
+  The basic strategy for dealing with this change is to use the result of a
+  lookup in further processing instead of the original (remote provided)
+  value.
 
  -- Andreas Metzler <ametzler at debian.org>  Sun, 10 May 2020 10:27:04 +0200
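Review bot: two wording fixes and one omission in the 4.94-16 entry: "verifyable" should be "verifiable" and "non TLS" should be "non-TLS"; more importantly the entry tells the reader delivery will fail but not which knob controls it, so name the macro (REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS, set empty to disable, or REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES pointed at a private CA file) and say that the ca-certificates package provides the system trust store. On the rewritten 4.94~RC0-2 entry: editing an entry dated May 2020 works for the buster to bullseye path, because apt-listchanges shows every entry newer than the installed version, but anyone already running a 4.94 revision will not be shown the intensified warning.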
 
diff -Nru exim4-4.94/debian/patches/74_56-Fix-FreeBSD-13-build.patch exim4-4.94/debian/patches/74_56-Fix-FreeBSD-13-build.patch
--- exim4-4.94/debian/patches/74_56-Fix-FreeBSD-13-build.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_56-Fix-FreeBSD-13-build.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,28 @@
+From 847af3bf8ab8fce233b5927428d5cd06bf8d9bc9 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Fri, 12 Feb 2021 17:40:28 +0000
+Subject: [PATCH 56/62] Fix FreeBSD 13 build
+
+(cherry picked from commit e8fd2c45ddd6f59f159baaa2c154ced5ce36f3df)
+---
+ src/transports/appendfile.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/transports/appendfile.c b/src/transports/appendfile.c
+index f96d00182..9947971d9 100644
+--- a/src/transports/appendfile.c
++++ b/src/transports/appendfile.c
+@@ -1783,8 +1783,8 @@ if (!isdirectory)
+       if (statbuf.st_nlink != 1)
+         {
+         addr->basic_errno = ERRNO_NOTREGULAR;
+-        addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
+-          filename, islink ? " (symlink)" : "", statbuf.st_nlink);
++        addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
++          filename, islink ? " (symlink)" : "", (ulong)statbuf.st_nlink);
+         goto RETURN;
+ 
+         }
+-- 
+2.30.2
+
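Review bot: the (ulong) cast is what 74_59 later replaces with (unsigned long); ulong is not a standard C type, so in series order this patch introduces a build break on platforms without that typedef which 74_59 then repairs. Harmless for the Debian build since both patches are in series, but squashing the two, or noting the dependency in this patch header, keeps the series bisectable.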
diff -Nru exim4-4.94/debian/patches/74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch exim4-4.94/debian/patches/74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch
--- exim4-4.94/debian/patches/74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,42 @@
+From 56aaf18ba56889f4b51aede05317368ce146a2aa Mon Sep 17 00:00:00 2001
+From: Heiko Schlichting <heiko at fu-berlin.de>
+Date: Fri, 19 Feb 2021 11:11:51 +0000
+Subject: [PATCH 57/62] Fix weight calculation for spamd_address.  Bug 2694
+
+(cherry picked from commit 6296a393aeab9fecc38916dfcbf1c94d54691650)
+---
+ doc/ChangeLog | 4 +++-
+ src/spam.c        | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index f687f73f5..f8bfcf10c 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -153,7 +153,9 @@ JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
+       previous coding assumed this would not happen, and under PIPELINING
+       would result in both lost and duplicate recipients for a message.
+ 
+-
++JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
++      Previously the weighting was incorrectly applied.  Found and fixed by
++      Heiko Schlichting.
+ 
+ 
+ Exim version 4.94
+diff --git a/src/spam.c b/src/spam.c
+index 340f8b92f..2fffa1447 100644
+--- a/src/spam.c
++++ b/src/spam.c
+@@ -174,7 +174,7 @@ for (long rnd = random() % weights, i = 0; i < num_servers; i++)
+   {
+   sd = spamds[i];
+   if (!sd->is_failed && sd->priority == pri)
+-    if ((rnd -= sd->weight) <= 0)
++    if ((rnd -= sd->weight) < 0)
+       return i;
+   }
+ 
+-- 
+2.30.2
+
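Review bot: the fix is correct and the reason deserves a sentence in the ChangeLog line: rnd is drawn from 0..weights-1, and with `<= 0` a server of weight w owns w+1 values of that range, so earlier servers are over-selected, later ones under-selected, and a weight-0 server can still be picked when rnd lands exactly on the running total; with `< 0` each server owns exactly w values and a zero weight is never chosen.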
diff -Nru exim4-4.94/debian/patches/74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch exim4-4.94/debian/patches/74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch
--- exim4-4.94/debian/patches/74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,42 @@
+From 90e320fb14cc946f4eb5671618e7db9f5d002453 Mon Sep 17 00:00:00 2001
+From: Heiko Schlichting <heiko at fu-berlin.de>
+Date: Fri, 19 Feb 2021 11:14:36 +0000
+Subject: [PATCH 58/62] Fix weight calculation for socks_proxy.  Bug 2694
+
+(cherry picked from commit 83811e3c1b8189c0a725ec53df699730e7767263)
+---
+ doc/ChangeLog           | 4 ++--
+ src/transports/smtp_socks.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index f8bfcf10c..a458b4721 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -154,8 +154,8 @@ JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
+       would result in both lost and duplicate recipients for a message.
+ 
+ JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
+-      Previously the weighting was incorrectly applied.  Found and fixed by
+-      Heiko Schlichting.
++      Previously the weighting was incorrectly applied.  Similar fix for socks
++      proxies.  Found and fixed by Heiko Schlichting.
+ 
+ 
+ Exim version 4.94
+diff --git a/src/transports/smtp_socks.c b/src/transports/smtp_socks.c
+index 41dc78147..cd8ed3e6d 100644
+--- a/src/transports/smtp_socks.c
++++ b/src/transports/smtp_socks.c
+@@ -190,7 +190,7 @@ for (rnd = random() % weights, i = 0; i < nproxies; i++)
+   {
+   sd = &proxies[i];
+   if (!sd->is_failed && sd->priority == pri)
+-    if ((rnd -= sd->weight) <= 0)
++    if ((rnd -= sd->weight) < 0)
+       return i;
+   }
+ 
+-- 
+2.30.2
+
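Review bot: identical off-by-one fix to 74_57, now for the socks_proxy selector; nothing further to review in the code. Note that the ChangeLog hunk rewrites the JH/43 text that 74_57 adds rather than adding its own entry, so 74_58 does not apply without 74_57 ahead of it in series.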
diff -Nru exim4-4.94/debian/patches/74_59-Fix-build-for-platforms-not-having-ulong.patch exim4-4.94/debian/patches/74_59-Fix-build-for-platforms-not-having-ulong.patch
--- exim4-4.94/debian/patches/74_59-Fix-build-for-platforms-not-having-ulong.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_59-Fix-build-for-platforms-not-having-ulong.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,26 @@
+From b099c4cea4ade08e8428b31ded5947b8386aab32 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Sat, 13 Feb 2021 17:26:14 +0000
+Subject: [PATCH 59/62] Fix build for platforms not having ulong
+
+(cherry picked from commit be839a2609381f535f263ed0c459a4ebf3fd5d1d)
+---
+ src/transports/appendfile.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/transports/appendfile.c b/src/transports/appendfile.c
+index 9947971d9..8ab8b6016 100644
+--- a/src/transports/appendfile.c
++++ b/src/transports/appendfile.c
+@@ -1784,7 +1784,7 @@ if (!isdirectory)
+         {
+         addr->basic_errno = ERRNO_NOTREGULAR;
+         addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
+-          filename, islink ? " (symlink)" : "", (ulong)statbuf.st_nlink);
++          filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
+         goto RETURN;
+ 
+         }
+-- 
+2.30.2
+
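Review bot: unsigned long is the portable choice and matches the %lu conversion already in place; nlink_t is an unsigned integer type whose width varies by platform, so the explicit cast is needed rather than only the format change. Fine as is.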
diff -Nru exim4-4.94/debian/patches/74_60-Fix-list-expansion-for-various-domainlists-having-in.patch exim4-4.94/debian/patches/74_60-Fix-list-expansion-for-various-domainlists-having-in.patch
--- exim4-4.94/debian/patches/74_60-Fix-list-expansion-for-various-domainlists-having-in.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_60-Fix-list-expansion-for-various-domainlists-having-in.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,214 @@
+From e059caafd40201b8addb1f7237d8bdc3f8ea01f3 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Mon, 22 Feb 2021 21:48:19 +0000
+Subject: [PATCH 60/62] Fix list-expansion for various domainlists, having
+ included sublist elements.  Bug 2701
+
+(cherry picked from commit e2be2df5c0760e2b6a7870c88ad486a23f5e4b01)
+---
+ doc/ChangeLog |  6 ++++++
+ src/acl.c         |  6 +++---
+ src/dns.c         |  6 +++---
+ src/host.c        | 50 +++++++++++++++++++++----------------------
+ 4 files changed, 36 insertions(+), 32 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index a458b4721..0792062ba 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -157,6 +157,12 @@ JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
+       Previously the weighting was incorrectly applied.  Similar fix for socks
+       proxies.  Found and fixed by Heiko Schlichting.
+ 
++JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup.  Previously, it did
++      not handle sub-lists included using the +namedlist syntax.  While
++      investigating, the same found for dns_trust_aa, dns_again_means_nonexist,
++      dnssec_require_domains, dnssec_request_domains, srv_fail_domains,
++      mx_fail_domains.
++
+ 
+ Exim version 4.94
+ -----------------
+diff --git a/src/acl.c b/src/acl.c
+index 105b1b473..90e1ce81d 100644
+--- a/src/acl.c
++++ b/src/acl.c
+@@ -3438,14 +3438,14 @@ for (; cb; cb = cb->next)
+     case ACLC_DKIM_SIGNER:
+     if (dkim_cur_signer)
+       rc = match_isinlist(dkim_cur_signer,
+-                          &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
++                          &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+     else
+       rc = FAIL;
+     break;
+ 
+     case ACLC_DKIM_STATUS:
+     rc = match_isinlist(dkim_verify_status,
+-                        &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
++                        &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+     break;
+     #endif
+ 
+@@ -3457,7 +3457,7 @@ for (; cb; cb = cb->next)
+     /* used long way of dmarc_exim_expand_query() in case we need more
+      * view into the process in the future. */
+     rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
+-                        &arg,0,NULL,NULL,MCL_STRING,TRUE,NULL);
++                        &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
+     break;
+ #endif
+ 
+diff --git a/src/dns.c b/src/dns.c
+index b567c3e71..806838e02 100644
+--- a/src/dns.c
++++ b/src/dns.c
+@@ -516,7 +516,7 @@ if (  !h->aa
+    || !(trusted = expand_string(dns_trust_aa))
+    || !*trusted
+    || !(auth_name = dns_extract_auth_name(dnsa))
+-   || OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL,
++   || OK != match_isinlist(auth_name, &trusted, 0, &domainlist_anchor, NULL,
+ 			    MCL_DOMAIN, TRUE, NULL)
+    )
+   return FALSE;
+@@ -908,8 +908,8 @@ if (dnsa->answerlen < 0) switch (h_errno)
+ #ifndef STAND_ALONE
+     save_domain = deliver_domain;
+     deliver_domain = string_copy(name);  /* set $domain */
+-    rc = match_isinlist(name, (const uschar **)&dns_again_means_nonexist, 0, NULL, NULL,
+-      MCL_DOMAIN, TRUE, NULL);
++    rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0,
++      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+     deliver_domain = save_domain;
+     if (rc != OK)
+       {
+diff --git a/src/host.c b/src/host.c
+index 817d4446c..dbc7ce20d 100644
+--- a/src/host.c
++++ b/src/host.c
+@@ -1946,9 +1946,7 @@ host_find_byname(host_item *host, const uschar *ignore_target_hosts, int flags,
+ int yield, times;
+ host_item *last = NULL;
+ BOOL temp_error = FALSE;
+-#if HAVE_IPV6
+ int af;
+-#endif
+ 
+ #ifndef DISABLE_TLS
+ /* Copy the host name at this point to the value which is used for
+@@ -1974,10 +1972,10 @@ lookups here (except when testing standalone). */
+   #ifdef STAND_ALONE
+   if (disable_ipv6)
+   #else
+-  if (disable_ipv6 ||
+-    (dns_ipv4_lookup != NULL &&
+-        match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL,
+-	  MCL_DOMAIN, TRUE, NULL) == OK))
++  if (  disable_ipv6
++     ||    dns_ipv4_lookup
++	&& match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
++	    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
+   #endif
+ 
+     { af = AF_INET; times = 1; }
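Review bot: the rewritten condition `disable_ipv6 || dns_ipv4_lookup && match_isinlist(...) == OK` relies on && binding tighter than ||; it is correct, but gcc -Wparentheses (part of -Wall) flags exactly this shape, and the same pattern recurs in the later host.c hunk around HOST_FIND_BY_AAAA. Keeping the parentheses around the && term that the old code had would keep the build warning-free with no behaviour change. Dropping the `#if HAVE_IPV6` guard around `int af` is consistent with the `af = AF_INET` assignment in the non-IPv6 branch and the `host_fake_gethostbyname(host->name, af, ...)` call, so af is initialised on every path.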
+@@ -1987,7 +1985,7 @@ lookups here (except when testing standalone). */
+ /* No IPv6 support */
+ 
+ #else   /* HAVE_IPV6 */
+-  times = 1;
++  af = AF_INET; times = 1;
+ #endif  /* HAVE_IPV6 */
+ 
+ /* Initialize the flag that gets set for DNS syntax check errors, so that the
+@@ -2029,7 +2027,7 @@ for (int i = 1; i <= times;
+ 
+   #else    /* not HAVE_IPV6 */
+   if (f.running_in_test_harness)
+-    hostdata = host_fake_gethostbyname(host->name, AF_INET, &error_num);
++    hostdata = host_fake_gethostbyname(host->name, af, &error_num);
+   else
+     {
+     hostdata = gethostbyname(CS host->name);
+@@ -2202,8 +2200,8 @@ RETURN_AGAIN:
+   int rc;
+   const uschar *save = deliver_domain;
+   deliver_domain = host->name;  /* set $domain */
+-  rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0, NULL, NULL,
+-    MCL_DOMAIN, TRUE, NULL);
++  rc = match_isinlist(host->name, CUSS &dns_again_means_nonexist, 0,
++    &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL);
+   deliver_domain = save;
+   if (rc == OK)
+     {
+@@ -2303,9 +2301,9 @@ On an IPv4 system, go round the loop once only, looking only for A records. */
+   #ifndef STAND_ALONE
+     if (  disable_ipv6
+        || !(whichrrs & HOST_FIND_BY_AAAA)
+-       || (dns_ipv4_lookup
+-          && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0, NULL, NULL,
+-	      MCL_DOMAIN, TRUE, NULL) == OK)
++       ||    dns_ipv4_lookup
++          && match_isinlist(host->name, CUSS &dns_ipv4_lookup, 0,
++	      &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK
+        )
+       i = 0;    /* look up A records only */
+     else
+@@ -2563,12 +2561,12 @@ int yield;
+ dns_answer * dnsa = store_get_dns_answer();
+ dns_scan dnss;
+ BOOL dnssec_require = dnssec_d
+-		    && match_isinlist(host->name, CUSS &dnssec_d->require,
+-				    0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
++  && match_isinlist(host->name, CUSS &dnssec_d->require,
++		  0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK;
+ BOOL dnssec_request = dnssec_require
+-		    || (  dnssec_d
+-		       && match_isinlist(host->name, CUSS &dnssec_d->request,
+-				    0, NULL, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
++    || (  dnssec_d
++       && match_isinlist(host->name, CUSS &dnssec_d->request,
++		    0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK);
+ dnssec_status_t dnssec;
+ 
+ /* Set the default fully qualified name to the incoming name, initialize the
+@@ -2633,10 +2631,10 @@ if (whichrrs & HOST_FIND_BY_SRV)
+     }
+   if (rc == DNS_FAIL || rc == DNS_AGAIN)
+     {
+-    #ifndef STAND_ALONE
+-    if (match_isinlist(host->name, CUSS &srv_fail_domains, 0, NULL, NULL,
+-	MCL_DOMAIN, TRUE, NULL) != OK)
+-    #endif
++#ifndef STAND_ALONE
++    if (match_isinlist(host->name, CUSS &srv_fail_domains, 0,
++	&domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
++#endif
+       { yield = HOST_FIND_AGAIN; goto out; }
+     DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
+       "(domain in srv_fail_domains)\n", (rc == DNS_FAIL)? "FAIL":"AGAIN");
+@@ -2685,8 +2683,8 @@ if (rc != DNS_SUCCEED  &&  whichrrs & HOST_FIND_BY_MX)
+       DEBUG(D_host_lookup)
+ 	debug_printf("dnssec fail on MX for %.256s", host->name);
+ #ifndef STAND_ALONE
+-      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL,
+-	  MCL_DOMAIN, TRUE, NULL) != OK)
++      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
++	  &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
+ 	{ yield = HOST_FIND_SECURITY; goto out; }
+ #endif
+       rc = DNS_FAIL;
+@@ -2695,8 +2693,8 @@ if (rc != DNS_SUCCEED  &&  whichrrs & HOST_FIND_BY_MX)
+     case DNS_FAIL:
+     case DNS_AGAIN:
+ #ifndef STAND_ALONE
+-      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0, NULL, NULL,
+-	  MCL_DOMAIN, TRUE, NULL) != OK)
++      if (match_isinlist(host->name, CUSS &mx_fail_domains, 0,
++	  &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) != OK)
+ #endif
+ 	{ yield = HOST_FIND_AGAIN; goto out; }
+       DEBUG(D_host_lookup) debug_printf("DNS_%s treated as DNS_NODATA "
+-- 
+2.30.2
+
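Review bot: the security-relevant part of this patch is easy to miss behind the argument reshuffle: passing &domainlist_anchor instead of NULL is what lets match_isinlist resolve `+namedlist` items, and the options touched include dnssec_require_domains, dnssec_request_domains and mx_fail_domains, which decide whether a delivery may proceed when the MX lookup is not DNSSEC-validated (the HOST_FIND_SECURITY path in the mx_fail_domains hunk). A site that expressed those lists through named domainlists was not getting the policy it configured. That deserves a sentence in debian/changelog rather than only the patch title, since admins grep the changelog when behaviour changes after an upgrade.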
diff -Nru exim4-4.94/debian/patches/74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch exim4-4.94/debian/patches/74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch
--- exim4-4.94/debian/patches/74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,36 @@
+From 033569a66e152b2c83480fabdcd9642f8a381225 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Tue, 23 Feb 2021 18:55:33 +0000
+Subject: [PATCH 61/62] Bulid: fix DISABLE_PIPE_CONNECT build.  Bug 2703
+
+(cherry picked from commit a842359f622190904ceccfff1afff021570566eb)
+---
+ src/transports/smtp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/transports/smtp.c b/src/transports/smtp.c
+index 0c87027f5..6540e4d2b 100644
+--- a/src/transports/smtp.c
++++ b/src/transports/smtp.c
+@@ -1020,7 +1020,7 @@ fail:
+   (void) smtp_discard_responses(sx, sx->conn_args.ob, *countp);
+   return rc;
+ }
+-#endif
++#endif	/*!DISABLE_PIPE_CONNECT*/
+ 
+ 
+ /*************************************************
+@@ -1551,7 +1551,9 @@ if (  sx->esmtp
+ 
+ if (require_auth == OK && !f.smtp_authenticated)
+   {
++#ifndef DISABLE_PIPE_CONNECT
+   invalidate_ehlo_cache_entry(sx);
++#endif
+   set_errno_nohost(sx->addrlist, ERRNO_AUTHFAIL,
+     string_sprintf("authentication required but %s", fail_reason), DEFER,
+     FALSE, &sx->delivery_start);
+-- 
+2.30.2
+
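Review bot: the guard is the right fix, since invalidate_ehlo_cache_entry only exists in the pipe-connect build, and the `/*!DISABLE_PIPE_CONNECT*/` comment on the earlier #endif is a welcome readability improvement. One housekeeping point: the "Bulid" typo in the upstream subject has been carried into the patch file name and into debian/patches/series; renaming it before it settles in series is cheap now and annoying later.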
diff -Nru exim4-4.94/debian/patches/74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch exim4-4.94/debian/patches/74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch
--- exim4-4.94/debian/patches/74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch	1970-01-01 01:00:00.000000000 +0100
+++ exim4-4.94/debian/patches/74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch	2021-03-18 13:53:44.000000000 +0100
@@ -0,0 +1,33 @@
+From 037b688902e64a04cd81a90ad7ae070d78284036 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb at wizmail.org>
+Date: Sat, 27 Feb 2021 19:25:26 +0000
+Subject: [PATCH 62/62] Docs: fix description of hosts_try_dane.  Bug 2704
+
+Cherry-picked from: 725900cda2
+---
+ doc/doc-docbook/spec.xfpt | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/doc/spec.txt
++++ b/doc/spec.txt
+@@ -23613,15 +23613,15 @@
+ 
+ +----------------------------------------------------+
+ |hosts_try_dane|Use: smtp|Type: host list*|Default: *|
+ +----------------------------------------------------+
+ 
+-If built with DANE support, Exim will require that a DNSSEC-validated TLSA
+-record is present for any host matching the list, and that a DANE-verified TLS
+-connection is made. See the dnssec_request_domains router and transport
+-options. There will be no fallback to in-clear communication. See section 43.15
+-.
++If built with DANE support, Exim will look up a TLSA record for any host
++matching the list. If one is found and that lookup was DNSSEC-validated,
++then Exim requires that a DANE-verified TLS connection is made for that
++host; there will be no fallback to in-clear communication. See the
++dnssec_request_domains router and transport options. See section 43.15.
+ 
+ +--------------------------------------------------------+
+ |hosts_try_fastopen|Use: smtp|Type: host list*|Default: *|
+ +--------------------------------------------------------+
+ 
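Review bot: the header diffstat still names doc/doc-docbook/spec.xfpt while the hunk is against doc/spec.txt (the Debian adaptation of upstream 725900cda2 to the generated text spec); drop or correct the diffstat so the header matches the body. The change in meaning matters to operators: the old text read as if hosts_try_dane demands a TLSA record for every matching host, whereas it only makes DANE mandatory for a host when a DNSSEC-validated TLSA record is actually found; anyone who relied on the old wording as a guarantee should be using hosts_require_dane for the hosts that must be DANE-verified.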
diff -Nru exim4-4.94/debian/patches/series exim4-4.94/debian/patches/series
--- exim4-4.94/debian/patches/series	2021-02-07 08:10:05.000000000 +0100
+++ exim4-4.94/debian/patches/series	2021-03-18 13:53:44.000000000 +0100
@@ -59,4 +59,11 @@
 74_52-Lookups-fix-local_part_data-for-a-match-on-a-filenam.patch
 74_54-Fix-daemon-SIGHUP-on-FreeBSD.patch
 74_55-Fix-handling-of-server-which-follows-a-RCPT-452-with.patch
+74_56-Fix-FreeBSD-13-build.patch
+74_57-Fix-weight-calculation-for-spamd_address.-Bug-2694.patch
+74_58-Fix-weight-calculation-for-socks_proxy.-Bug-2694.patch
+74_59-Fix-build-for-platforms-not-having-ulong.patch
+74_60-Fix-list-expansion-for-various-domainlists-having-in.patch
+74_61-Bulid-fix-DISABLE_PIPE_CONNECT-build.-Bug-2703.patch
+74_62-Docs-fix-description-of-hosts_try_dane.-Bug-2704.patch
 90_localscan_dlopen.dpatch
diff -Nru exim4-4.94/debian/README.Debian.xml exim4-4.94/debian/README.Debian.xml
--- exim4-4.94/debian/README.Debian.xml	2020-11-03 18:11:40.000000000 +0100
+++ exim4-4.94/debian/README.Debian.xml	2021-03-18 13:53:44.000000000 +0100
@@ -1092,17 +1092,50 @@
 	</para>
 	<para>
 	  This means that you will not need any special configuration if
-	  you want to use TLS for outgoing mail. However, if your
+	  you want to use opportunistic TLS for outgoing mail. However,
+	  to enforce TLS and successful certificate verification, a few
+	  things need to be configured.
+	</para>
+	<para>
+		To enforce TLS and prevent fallback to unencrypted
+		connections, ensure that hosts_require_tls = * is in effect on
+		the respective transport.  For the remote_smtp_smarthost
+		transport, this setting can be controlled via the
+		REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro.
+	</para>
+	<para>
+		The certificate presented by the remote host is checked
+		against the system CA certificate store
+		(<filename>/etc/ssl/certs/</filename>) and the verification
+		result is logged (CV=...).
+		For the remote_smtp_smarthost transport successful
+		certificate verification against the system trust store is
+		enforced by default on encrypted connections.
+		(<quote>REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = *</quote>
+		is set by default). Set this macro to an empty value to
+		disable this. To check against a certificate not present in
+		the system trust store point
+		REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES (which sets
+		tls_verify_certificates) to a file containing this (set of)
+		trusted certificates.
+	</para>
+	<para>
+                Successful certificate verification is
+                <emphasis>not enforced</emphasis>
+		by default for other transports.
+	</para>
+	<para>
+		Another possibility would be to use DANE for certificate
+		verification. This requires support on the server side and
+		a resolver with DNSSEC support on the client side.
+	</para>
+	<para>
+	  If your
 	  server setup mandates the use of client certificates, you
 	  need to amend your remote_smtp and/or remote_smtp_smarthost
 	  transports with a tls_certificate option. This is not
           commonly needed.
 	</para>
-	<para>
-	  The certificate
-	  presented by the remote host is not checked unless you
-	  specify a tls_verify_certificate option on the transport.
-	</para>
 	<para id="tls_client_certicate">
 		To make exim send a TLS certificate to the remote host set
 		REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY or for
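Review bot: indentation is inconsistent within the added text (the "Successful certificate verification is" paragraph uses spaces where the neighbouring paragraphs use tabs), and the new paragraphs leave the fragment "If your" stranded at the top of the pre-existing client-certificate paragraph; re-flowing that sentence avoids a mid-sentence break in the rendered README. Content-wise two additions would help the reader who trips over the new default: that the store at /etc/ssl/certs/ comes from the ca-certificates package (Recommended, not Depended on, by exim4-config), and that verification includes a hostname check (tls_verify_cert_hostnames defaults to *), so REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS = * also fails against a smarthost whose trusted certificate does not carry the name used in the transport.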

