pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail exim: updated to 4.93

branches:  trunk
changeset: 345311:55c12b9333ed
user:      adam <>
date:      Mon Dec 09 18:46:00 2019 +0000

exim: updated to 4.93

Exim version 4.93

JH/01 OpenSSL: With debug enabled, output keying information sufficient, server
      side, to decode a TLS 1.3 packet capture.

JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
      Previously the default library behaviour applied, sending two, each in
      its own TCP segment.

JH/03 Debug output for ACL now gives the config file name and line number for
      each verb.

JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.

JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.

JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
      buffer overrun for (non-chunking) other transports.

JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
      TLS1.3, means that a server rejecting a client certificate is not visible
      to the client until the first read of encrypted data (typically the
      response to EHLO).  Add detection for that case and treat it as a failed
      TLS connection attempt, so that the normal retry-in-clear can work (if
      suitably configured).

JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
      and/or domain.  Found and fixed by Jason Betts.

JH/08 Add hardening against SRV & TLSA lookups that hit CNAMEs (a nonvalid
      configuration).  If a CNAME target was not a wellformed name pattern, a
      crash could result.

JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
      the OS reports them interleaved with other addresses.

JH/10 OpenSSL: Fix aggregation of messages.  Previously, when PIPELINING was
      used both for input and for a verify callout, both encrypted, SMTP
      responses being sent by the server could be lost.  This resulted in
      dropped connections and sometimes bounces generated by a peer sending
      to this system.

JH/11 Harden plaintext authenticator against a badly misconfigured client-send
      string.  Previously it was possible to cause undefined behaviour in a
      library routine (usually a crash).  Found by "zerons".

JH/12 Bug 2384: fix "-bP smtp_receive_timeout".  Previously it returned no

JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward.  Some old
      API was removed, so update to use the newer ones.

JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
      any timeout set, is taking a long time.  Previously we would hang on to a
      rotated logfile "forever" if the input was arriving with long gaps
      (a previous attempt to fix addressed lack, for a long time, of initial

HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment. The length of the tempfile name is now
      4 + 16 ("hdr.$message_exim_id") which might break on file
      systems which restrict the file name length to lower values.
      (It was "hdr.$pid".)

HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment.

HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
      did for all versions <4.90). Notably -M, -m, --invert, -I may be

JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
      on some platforms for bit 31.

JH/16 GnuTLS: rework ciphersuite strings under recent library versions.  Thanks
      to changes apparently associated with TLS1.3 handling some of the APIs
      previously used were either nonfunctional or inappropriate.  Strings
      like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
      and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
      the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
      This affects log line X= elements, the $tls_{in,out}_cipher variables,
      and the use of specific cipher names in the encrypted= ACL condition.

JH/17 OpenSSL: the default openssl_options now disables ssl_v3.

JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
      verification result was not updated unless hosts_require_ocsp applied.

JH/19 Bug 2398: fix listing of a named-queue.  Previously, even with the option
      queue_list_requires_admin set to false, non-admin users were denied the

JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
      directory-of-certs mode.  Previously they were advertised despite the

JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
      A single TCP connection by a client will now hold a TLS connection open
      for multiple message deliveries, by default.  Previously the default was to
      not do so.

JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
      default.  If built with the facility, DANE will be used.  The facility
      SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".

JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
      is replaced with DISABLE_TLS.  Either USE_GNUTLS or (the new) USE_OPENSSL
      must be defined and you must still, unless you define DISABLE_TLS, manage
      the include-dir and library-file requirements that go with that
      choice.  Non-TLS builds are still supported.

JH/24 Fix duplicated logging of peer name/address, on a transport connection-
      reject under TFO.

JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
      default.  If the platform supports and has the facility enabled, it will
      be requested on all connections.

JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
      controlled by the build-time option SUPPORT_PIPE_CONNECT.

PP/01 Unbreak heimdal_gssapi, broken in 4.92.

JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
      success-DSN messages.  Previously the From: header was always the default
      one for these; the option was ignored.

JH/28 Fix the timeout on smtp response to apply to the whole response.
      Previously it was reset for every read, so a teergrubing peer sending
      single bytes within the time limit could extend the connection for a
      long time.  Credit to Qualys Security Advisory Team for the discovery.

JH/29 Fix DSN Final-Recipient: field.  Previously it was the post-routing
      delivery address, which leaked information of the results of local
      forwarding.  Change to the original envelope recipient address, per

JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
      requested.  Previously no bounce was generated and a log entry of
      error ignored was made.

JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)

JH/32 Introduce a general tainting mechanism for values read from the input
      channel, and values derived from them.  Refuse to expand any tainted
      values, to catch one form of exploit.

JH/33 Bug 2413: Fix dkim_strict option.  Previously the expansion result
      was unused and the unexpanded text used for the test.  Found and
      fixed by Ruben Jenster.

JH/34 Fix crash after TLS shutdown.  When the TCP/SMTP channel was left open,
      an attempt to use a TLS library read routine dereffed a nul pointer,
      causing a segfault.

JH/35 Bug 2409: filter out-of-spec chars from callout response before using
      them in our smtp response.

JH/36 Have the general router option retry_use_local_part default to true when
      any of the restrictive preconditions are set (to anything).  Previously it
      was only for check_local_user.  The change removes one item of manual
      configuration which is required for proper retries when a remote router
      handles a subset of addresses for a domain.

JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
      link count into consideration.

HS/04 Fix handling of very long lines in -H files. If a -<key> <value> line
      caused the extension of big_buffer, the following lines were ignored.

JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
      accordance with RFC 2308.  Previously there was no expiry, so a longlived
      receive process (eg. due to ACL delays) versus a short SOA value could

HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)

JH/39 Promote DMARC support to mainline.

JH/40 Bug 2452: Add a References: header to DSNs.

JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
      parameters.  The relevant library call is documented as "Deprecated: This
      function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
      3.6.0, DH parameters are negotiated following RFC7919."

HS/06 Change the default of dnssec_request_domains to "*"

JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected.  Previously we
      carried on and emitted a BDAT command, even when PIPELINING was not

JH/43 Bug 2465: Fix taint-handling in dsearch lookup.  Previously a nontainted
      buffer was used for the filename, resulting in a trap when tainted
      arguments (eg. $domain) were used.

JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
      recommended to avoid a possible server-load attack.  The feature can be
      re-enabled via the openssl_options main configuration option.

JH/45 local_scan API: documented the current smtp_printf() call. This changed
      for version 4.90 - adding a "more data" boolean to the arguments.
      Bumped the ABI version number also, this having been missed previously;
      release versions 4.90 to 4.92.3 inclusive were effectively broken in
      respect of usage of smtp_printf() by either local_scan code or libraries
      accessed via the ${dlfunc } expansion item.  Both will need coding
      adjustment for any calls to smtp_printf() to match the new function
      signature; a FALSE value for the new argument is always safe.

JH/46 FreeBSD: fix use of the sendfile() syscall.  The shim was not updating
      the file-offset (which the Linux syscall does, and exim expects); this
      resulted in an indefinite loop.

JH/47 ARC: fix crash in signing, triggered when a configuration error failed
      to do ARC verification.  The Authentication-Results: header line added
      by the configuration then had no ARC item.
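
As an added example (not part of the commit message or of Exim itself), a small Python log audit that parses the X= element in both the pre-4.93 GnuTLS layout and the two 4.93 layouts quoted under JH/16 above, then buckets message ids by the properties an operator would alert on (cleartext sessions, CBC suites, pre-TLS1.2 protocols, logs still in the old layout). The cipher-string layouts are the ones shown in the changelog; the main-log lines, message ids and hosts are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample main-log lines (not from the page): the pre-4.93 GnuTLS X= form,
# the two 4.93 forms quoted in JH/16, and one cleartext delivery.
SAMPLE_LOG = """\
2019-12-09 18:46:00 1ieP2Q-0001x2-Nf <= a@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 CV=no S=1234
2019-12-09 18:46:01 1ieP2R-0001x4-Aa <= b@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 CV=yes S=1234
2019-12-09 18:46:02 1ieP2S-0001x6-Bb <= c@example.net H=mx.example.net [192.0.2.20] P=esmtps X=TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 CV=no S=987
2019-12-09 18:46:03 1ieP2T-0001x8-Cc <= d@example.com H=mx.example.com [192.0.2.30] P=esmtp S=500
"""

X_RE = re.compile(r"\bX=(\S+)")

@dataclass
class CipherInfo:
    protocol: str     # e.g. "TLS1.3"
    kx: str           # key exchange, e.g. "ECDHE_SECP256R1"
    auth: str         # peer authentication, e.g. "RSA_PSS_RSAE_SHA256"
    cipher: str       # bulk cipher, e.g. "AES_256_GCM"
    mac: str          # "AEAD" for AEAD suites, otherwise the MAC hash
    bits: int
    new_format: bool  # True for the 4.93 double-underscore layout

def parse_x(value: str) -> CipherInfo:
    """Parse PROTO:KX__AUTH__CIPHER__MAC:BITS (4.93) or the older
    PROTO:KX_AUTH_CIPHER_MAC:BITS layout with single underscores."""
    proto, suite, bits = value.split(":")
    if "__" in suite:
        kx, auth, cipher, mac = suite.split("__")
        return CipherInfo(proto, kx, auth, cipher, mac, int(bits), True)
    # Old layout: only the first two and the last token are unambiguous;
    # whatever lies between them (e.g. AES_256_GCM) is the bulk cipher.
    parts = suite.split("_")
    cipher = "_".join(parts[2:-1])
    return CipherInfo(proto, parts[0], parts[1], cipher, parts[-1], int(bits), False)

def audit_log(text: str) -> Dict[str, List[str]]:
    """Bucket message ids by the TLS property an operator would alert on."""
    found: Dict[str, List[str]] = {"cleartext": [], "cbc": [], "pre_tls12": [], "legacy_x": []}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        msg_id = fields[2]           # Exim message id follows the timestamp
        m = X_RE.search(line)
        if m is None:                # no X= element: the session was not encrypted
            found["cleartext"].append(msg_id)
            continue
        info = parse_x(m.group(1))
        if "CBC" in info.cipher:
            found["cbc"].append(msg_id)
        if info.protocol in ("SSL3.0", "TLS1.0", "TLS1.1"):
            found["pre_tls12"].append(msg_id)
        if not info.new_format:      # log still written by a pre-4.93 exim
            found["legacy_x"].append(msg_id)
    return found
```

The same X= strings also appear in $tls_in_cipher / $tls_out_cipher and in the encrypted= ACL condition, so any cipher allow-list built on the old layout needs the same two-format handling after the upgrade.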


 mail/exim-html/Makefile                       |   4 +-
 mail/exim-html/PLIST                          |   9 ++++-
 mail/exim-html/distinfo                       |  10 ++--
 mail/exim/Makefile                            |   4 +-
 mail/exim/distinfo                            |  12 +++---
 mail/exim/                          |   3 +-
 mail/exim/patches/patch-Local_Makefile.pkgsrc |  46 +++++++++++---------------
 7 files changed, 44 insertions(+), 44 deletions(-)

diffs (246 lines):

diff -r 09f65f405099 -r 55c12b9333ed mail/exim-html/Makefile
--- a/mail/exim-html/Makefile   Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim-html/Makefile   Mon Dec 09 18:46:00 2019 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.40 2019/09/30 19:25:58 wiedi Exp $
+# $NetBSD: Makefile,v 1.41 2019/12/09 18:46:01 adam Exp $
-DISTNAME=      exim-html-4.92.3
+DISTNAME=      exim-html-4.93
 CATEGORIES=    mail net
diff -r 09f65f405099 -r 55c12b9333ed mail/exim-html/PLIST
--- a/mail/exim-html/PLIST      Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim-html/PLIST      Mon Dec 09 18:46:00 2019 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.21 2019/09/30 19:25:58 wiedi Exp $
+@comment $NetBSD: PLIST,v 1.22 2019/12/09 18:46:01 adam Exp $
@@ -8,7 +8,7 @@
@@ -48,6 +48,7 @@
@@ -127,6 +128,7 @@
@@ -156,3 +158,6 @@
diff -r 09f65f405099 -r 55c12b9333ed mail/exim-html/distinfo
--- a/mail/exim-html/distinfo   Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim-html/distinfo   Mon Dec 09 18:46:00 2019 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.33 2019/09/30 19:25:58 wiedi Exp $
+$NetBSD: distinfo,v 1.34 2019/12/09 18:46:01 adam Exp $
-SHA1 (exim-html-4.92.3.tar.xz) = 489027cf9c444b33e67e791b12a37ea6a4a03897
-RMD160 (exim-html-4.92.3.tar.xz) = 87f0d44cb58d9fe8f57c05d6199087fe26160ddc
-SHA512 (exim-html-4.92.3.tar.xz) = 8c8888b132820e03bcfd71a875d5a16f71411b56594ea9cb6d4e86ae495cd323b3c1c15d39d5997e248922edbaf1999b2f0eb6444ea62d76b7b0b834223758f0
-Size (exim-html-4.92.3.tar.xz) = 494692 bytes
+SHA1 (exim-html-4.93.tar.xz) = 2bb7a3c37f53114b81425a6a60179811c1afe5ba
+RMD160 (exim-html-4.93.tar.xz) = d4796d9137d9e0fa3e7cc3b1097daf0288c087d1
+SHA512 (exim-html-4.93.tar.xz) = 0dfd9249bc9853214847892bc068d04f20ab1b1613b038806cd5fb241f1597b6a94ccf0670d79560e352593fd075f9de04d5234b1ae26af479b5ca3dd09c86c4
+Size (exim-html-4.93.tar.xz) = 562424 bytes
diff -r 09f65f405099 -r 55c12b9333ed mail/exim/Makefile
--- a/mail/exim/Makefile        Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim/Makefile        Mon Dec 09 18:46:00 2019 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.171 2019/09/30 19:25:58 wiedi Exp $
+# $NetBSD: Makefile,v 1.172 2019/12/09 18:46:00 adam Exp $
-DISTNAME=      exim-4.92.3
+DISTNAME=      exim-4.93
 CATEGORIES=    mail net
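Review bot: the DISTNAME bump carries behaviour changes that nothing in the package surfaces: per the commit message, hosts_try_dane and hosts_try_fastopen now apply to all hosts by default, hosts_noproxy_tls is unset, dnssec_request_domains defaults to "*", and TLS1.2 renegotiation is disabled under OpenSSL 1.1.1 (JH/21, JH/22, JH/25, HS/06, JH/44). Consider a MESSAGE file or a note in the commit so operators know DANE and TFO start being requested on upgrade, and that the smtp_printf() signature change (JH/45) breaks any local_scan or ${dlfunc } code they carry until it passes the new boolean.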
diff -r 09f65f405099 -r 55c12b9333ed mail/exim/distinfo
--- a/mail/exim/distinfo        Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim/distinfo        Mon Dec 09 18:46:00 2019 +0000
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.73 2019/09/30 19:25:58 wiedi Exp $
+$NetBSD: distinfo,v 1.74 2019/12/09 18:46:00 adam Exp $
-SHA1 (exim-4.92.3.tar.xz) = 60651ccbd4098a194914e06b71764c21a201a140
-RMD160 (exim-4.92.3.tar.xz) = c174866102dbe6b5585412ca4a16d08ca2d0d50d
-SHA512 (exim-4.92.3.tar.xz) = ca6d6f50653502345511b683859b33aa02faa48454fb2100ff89fed3dcb8af8933e7bce68939365fdee42f96eec0c3b135cf748f4581e92a62be0f0ab093868a
-Size (exim-4.92.3.tar.xz) = 1773156 bytes
-SHA1 (patch-Local_Makefile.pkgsrc) = de19076443c4d89a7ead97a0cabdec9bb784dd9f
+SHA1 (exim-4.93.tar.xz) = 1fd4eeefacbb51648f578b91f49561b29e5679cc
+RMD160 (exim-4.93.tar.xz) = aeee8a593c1866f4816946772a3ecba7b4e43496
+SHA512 (exim-4.93.tar.xz) = 556c7fe75042739c3e92346b96c40960680fe2838589add5fad1f69f18600dd9ed128f367627c812051b3a3a1a64e740488d5ce8c198bf87b59fa84ab8a0eb5b
+Size (exim-4.93.tar.xz) = 1803660 bytes
+SHA1 (patch-Local_Makefile.pkgsrc) = 7d6971cfe6f6fecf854926e90460b1a8bcd6a79d
 SHA1 (patch-OS_Makefile-Default) = 6af17f036ed02a3bc37c1f303269eea447fcb691
 SHA1 (patch-lookups_Makefile) = cfc40dba3f75ef37b9887f7767139ad50cf9d4e5
 SHA1 (patch-scripts_exim__install) = aa0a31e77d5f76e33bc92140c14d39c79f710b95
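Review bot: SHA1 (patch-Local_Makefile.pkgsrc) is updated in step with the rewrite of that patch later in this changeset, which is the consistency check that usually gets missed. For the tarball itself, the new SHA1/RMD160/SHA512 lines should be compared with the checksums or signature published upstream rather than only regenerated from the fetched exim-4.93.tar.xz, since distinfo is the only integrity anchor the package has.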
diff -r 09f65f405099 -r 55c12b9333ed mail/exim/
--- a/mail/exim/      Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim/      Mon Dec 09 18:46:00 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD:,v 1.24 2019/11/02 16:25:20 rillig Exp $
+# $NetBSD:,v 1.25 2019/12/09 18:46:00 adam Exp $
 PKG_SUPPORTED_OPTIONS= exim-appendfile-maildir exim-appendfile-mailstore
@@ -110,6 +110,7 @@
 .if !empty(PKG_OPTIONS:Mexim-tls)
 LOOKUP_LIBS+=-lssl -lcrypto
 .  include "../../security/openssl/"
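Review bot: the hunk header (@@ -110,6 +110,7 @@) says one line is added inside the exim-tls block, but the added line is not visible in this rendering. 4.93 replaces SUPPORT_TLS with DISABLE_TLS and requires USE_GNUTLS or USE_OPENSSL to be defined unless DISABLE_TLS is set (JH/23), so the added line presumably selects the OpenSSL backend; confirm that, and that the build without the exim-tls option now defines DISABLE_TLS, because TLS is included by default from this version on.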
diff -r 09f65f405099 -r 55c12b9333ed mail/exim/patches/patch-Local_Makefile.pkgsrc
--- a/mail/exim/patches/patch-Local_Makefile.pkgsrc     Mon Dec 09 18:44:52 2019 +0000
+++ b/mail/exim/patches/patch-Local_Makefile.pkgsrc     Mon Dec 09 18:46:00 2019 +0000
@@ -1,8 +1,8 @@
-$NetBSD: patch-Local_Makefile.pkgsrc,v 1.1 2017/03/18 07:08:23 adam Exp $
+$NetBSD: patch-Local_Makefile.pkgsrc,v 1.2 2019/12/09 18:46:00 adam Exp $
---- Local/Makefile.pkgsrc.orig 2017-03-18 06:47:43.000000000 +0000
+--- Local/Makefile.pkgsrc.orig 2019-12-09 08:46:14.000000000 +0000
 +++ Local/Makefile.pkgsrc
-@@ -98,7 +98,7 @@
+@@ -100,7 +100,7 @@
  # /usr/local/sbin. The installation script will try to create this directory,
  # and any superior directories, if they do not exist.
@@ -11,7 +11,7 @@
-@@ -114,7 +114,7 @@ BIN_DIRECTORY=/usr/exim/bin
+@@ -116,7 +116,7 @@ BIN_DIRECTORY=/usr/exim/bin
  # don't exist. It will also install a default runtime configuration if this
  # file does not exist.
@@ -20,7 +20,7 @@
  # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
  # In this case, Exim will use the first of them that exists when it is run.
-@@ -131,7 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure
+@@ -133,7 +133,7 @@ CONFIGURE_FILE=/usr/exim/configure
  # deliveries. (Local deliveries run as various non-root users, typically as the
  # owner of a local mailbox.) Specifying these values as root is not supported.
@@ -29,7 +29,7 @@
  # If you specify EXIM_USER as a name, this is looked up at build time, and the
  # uid number is built into the binary. However, you can specify that this
-@@ -152,7 +152,7 @@ EXIM_USER=
+@@ -154,7 +154,7 @@ EXIM_USER=
  # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
  # you want to use a group other than the default group for the given user.
@@ -38,7 +38,7 @@
  # Many sites define a user called "exim", with an appropriate default group,
  # and use
-@@ -173,7 +173,7 @@ EXIM_USER=
+@@ -175,7 +175,7 @@ EXIM_USER=
  # Almost all installations choose this:
@@ -47,16 +47,7 @@
-@@ -380,7 +380,7 @@ PCRE_CONFIG=yes
- # files are defaulted in the OS/Makefile-Default file, but can be overridden in
- # local OS-specific make files.
-+# EXIM_MONITOR=eximon.bin
- #------------------------------------------------------------------------------
-@@ -622,7 +622,7 @@ FIXED_NEVER_USERS=root
+@@ -752,7 +752,7 @@ FIXED_NEVER_USERS=root
  # included in the Exim binary. You will then need to set up the run time
  # configuration to make use of the mechanism(s) selected.
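Review bot: this hunk drops the patch's old @@ -380 region, which carried the commented-out EXIM_MONITOR=eximon.bin line, while mail/exim/PLIST is not touched in the diffstat. Confirm that the 4.93 Local/Makefile.pkgsrc already leaves EXIM_MONITOR unset (or that the package handles it elsewhere); otherwise eximon.bin is built and installed with no PLIST entry.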
@@ -64,8 +55,8 @@
- # AUTH_GSASL=yes
-@@ -630,8 +630,8 @@ FIXED_NEVER_USERS=root
+@@ -761,8 +761,8 @@ FIXED_NEVER_USERS=root
  # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
  # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
@@ -76,7 +67,7 @@
  # AUTH_TLS=yes
  # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
-@@ -831,7 +831,7 @@ HEADERS_CHARSET="ISO-8859-1"
+@@ -896,7 +896,7 @@ HEADERS_CHARSET="ISO-8859-1"
  # %s. This will be replaced by one of the strings "main", "panic", or "reject"
  # to form the final file names. Some installations may want something like this:
@@ -85,7 +76,7 @@
  # which results in files with names /var/log/exim_mainlog, etc. The directory
  # in which the log files are placed must exist; Exim does not try to create
-@@ -1119,13 +1119,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
+@@ -1201,13 +1201,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
  # haven't got Perl, Exim will still build and run; you just won't be able to
  # use those utilities.
@@ -106,7 +97,7 @@
-@@ -1327,7 +1327,7 @@ EXIM_TMPDIR="/tmp"
+@@ -1409,7 +1409,7 @@ EXIM_TMPDIR="/tmp"
  # (process id) to a file so that it can easily be identified. The path of the
  # file can be specified here. Some installations may want something like this:
@@ -115,14 +106,17 @@
  # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
  # using the name "".
-@@ -1399,3 +1399,10 @@ EXIM_TMPDIR="/tmp"
+@@ -1465,6 +1465,13 @@ EXIM_TMPDIR="/tmp"
- # End of EDITME for Exim 4.
+ #------------------------------------------------------------------------------
+ # Disabling the use of fsync(): DO NOT UNCOMMENT THE FOLLOWING LINE unless you
+ # really, really, really know what you are doing. And even then, think again.
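Review bot: the patch's trailing hunk is re-anchored from after "# End of EDITME for Exim 4." (@@ -1399,3 +1399,10 @@) to the block above the fsync() warning (@@ -1465,6 +1465,13 @@); both variants add seven lines. Confirm the seven added lines are unchanged apart from their new position, and that the "DO NOT UNCOMMENT THE FOLLOWING LINE" text is present only as context, i.e. the patch does not uncomment the fsync() line it now sits next to.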
