Re: [exim-dev] Exim 4.96-RC0 released

2022-04-30 Thread Andreas Metzler via Exim-dev
On 2022-04-27 Jeremy Harris via Exim-dev  wrote:
> On 26/04/2022 08:28, Andrew C Aitchison via Exim-dev wrote:
>>> • Jeremy Harris via Exim-announce [2022-04-23 20:23]:
>>>> Notable removals since 4.95:
>>>>
>>>>   - the "allow_insecure_tainted_data" main config option and the
>>>>     "taint" log_selector.  These were previously deprecated.

>> That isn't a good combination. Please could we keep the option to
>> allow_insecure_tainted_data if there are new taint features ?

>> That way we can continue to run live systems while we resolve
>> these sort of problems.

> The trouble with that is that it means the coverage of tracking
> tainted data use can never be extended.
[...]

Hello,

I think it could be less problematic if configurations that already
triggered an error in 4.95 (and needed allow_insecure_tainted_data to
work) stopped working with 4.96 even if allow_insecure_tainted_data was
set.

However users need/want something equivalent to test upgrades to 4.96
for problems with the new taint checks (requirement for quoting in
query-style lookups and taint-check exec arguments for
transport-initiated external processes).

People upgrading directly from < 4.93 to 4.96 would still have to deal
with hard breakage on upgrades, but requiring a two step upgrade might be
considered a fair compromise.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##


Re: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

2022-04-12 Thread Andreas Metzler via Exim-dev
Exim-dev  wrote:
> If DANE validated the connection attempt then the value of the &%tls_sni%& 
> option
> -is forced to the domain part of the recipient address.
> +is forced to the name of the destination host, after any MX- or 
> CNAME-folowing.

Good morning,

just saw the patch in git history and stumbled over "folowing".

I guess "If DANE validated the connection attempt" should read "If the
connection attempt is DANE validated".

TIA cu Andreas



Re: [exim-dev] buildfarm animals

2021-10-02 Thread Andreas Metzler via Exim-dev
On 2021-10-02 Jeremy Harris via Exim-dev  wrote:
> On 02/10/2021 20:00, Andrew C Aitchison wrote:
> > Will 4.95.1 (if such happens) use pcre or pcre2 ?

> Pcre2. Pcre is dead, as I said.

Hello,

4.95.1 would presumably be a security release. I do not think making
the pcre change (33 files changed, 498 insertions(+), 384 deletions(-))
part of a security release would be good practise.

cu Andreas



[exim-dev] [PATCH] Docs: fix cross-reference for $spf_received

2021-07-20 Thread Andreas Metzler via Exim-dev
Hello,

the existing cross-reference point is broken, also the description is
unnecessarily short, imho.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From 01054b307da64e3fe13c6a98911fc71de2a1044b Mon Sep 17 00:00:00 2001
From: Andreas Metzler 
Date: Tue, 20 Jul 2021 13:13:19 +0200
Subject: [PATCH] Docs: fix cross-reference for $spf_received

---
 doc/doc-docbook/spec.xfpt | 12 
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index fef3dfce6..393085832 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -41869,10 +41869,14 @@ variables:
 
 .vitem &$spf_received$&
 .vindex &$spf_received$&
-  This contains a complete Received-SPF: header that can be
-  added to the message. Please note that according to the SPF
-  draft, this header must be added at the top of the header
-  list. Please see section 10 on how you can do this.
+  This contains a complete Received-SPF: header (name and
+  content) that can be added to the message. Please note that
+  according to the SPF draft, this header must be added at the
+  top of the header list, i.e. with
+.code
+add_header = :at_start:$spf_received
+.endd
+  See section &<>& for further details.
 
   Note: in case of "Best-guess" (see below), the convention is
   to put this string in a header called X-SPF-Guess: instead.
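Review bot: the added line "See section &<>& for further details." shows an empty cross-reference as it appears here, so please confirm that the section ID between the angle brackets is present in the committed text, since a broken reference is what this patch sets out to fix. The "+" lines also keep the wording "according to the SPF draft"; SPF has since been published as an RFC, so the sentence could name that instead.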
-- 
2.30.2



[exim-dev] Junk in repo: doc/doc-docbook/spec.xfpt.readsock

2021-07-20 Thread Andreas Metzler via Exim-dev
Hello,

doc/doc-docbook/spec.xfpt.readsock seems to have been accidentally added
to the repository.

cu Andreas



[exim-dev] 4.95 - superfluous HELO check in ACL

2021-07-17 Thread Andreas Metzler via Exim-dev
Hello,

4.95 still has this in configure.default:

require message   = nice hosts say HELO first
condition = ${if def:sender_helo_name}

This should be superfluous due to:

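+------------------+---------+----------------+----------+
|hosts_require_helo|Use: smtp|Type: host list*|Default: *|
+------------------+---------+----------------+----------+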

Exim will require an accepted HELO or EHLO command from a host matching
this list, before accepting a MAIL command.


cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Patch on exim-4.94+fixes applied after EOL

2021-05-12 Thread Andreas Metzler via Exim-dev
On 2021-05-12 Jeremy Harris via Exim-dev  wrote:
[...]
> I think I'll give up bothering to cherry-pick to
> a +fixes branch at all, given the level of thanks we get.

Good morning,

I am extremely grateful and care for the +fixes branches. I am very
sorry if my mail suggested I did not.

So here it is: Thanks for maintaining a +fixes branch.

cu Andreas



Re: [exim-dev] Patch on exim-4.94+fixes applied after EOL

2021-05-12 Thread Andreas Metzler via Exim-dev
On 2021-05-09 Heiko Schlittermann via Exim-dev  wrote:
> Andreas Metzler via Exim-dev  (So 09 Mai 2021 08:06:11 
> CEST):
>> there is a patch on exim-4.94+fixes which was applied after 4.94.2, it
>> is therefore missing on exim-4.94.2+fixes.
 
>> ed64b5c2f0f44db27ae48128fc97d5ad8406a28e Fix ${ipv6norm:}

> Thank you, it is merged now into 4.94.2+fixes

Hello,

Thanks, seems to have happened again with
c1faf04b865465894c7ca41ab4585fb69d4a5936. How about closing this branch
e.g. with a commit deleting all files?

cu Andreas



[exim-dev] Patch on exim-4.94+fixes applied after EOL

2021-05-09 Thread Andreas Metzler via Exim-dev
Hello,

there is a patch on exim-4.94+fixes which was applied after 4.94.2, it
is therefore missing on exim-4.94.2+fixes.

ed64b5c2f0f44db27ae48128fc97d5ad8406a28e Fix ${ipv6norm:}

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] DKIM Signing and renewing DKIM certificates

2020-11-01 Thread Andreas Metzler via Exim-dev
On 2020-11-01 Mark Elkins via Exim-dev  wrote:
[...]
> Does Exim know the current month? Is there a Variable for the current month
> in Exim? (Can I run the unix 'date' command to get the month?)
[...]

${substr_4_2:$tod_zulu} will work for the next ~8000 years.

cu Andreas



Re: [exim-dev] exim 4.94 RC1 published

2020-05-14 Thread Andreas Metzler via Exim-dev
Hello,

thanks for driving this. Debian/experimental update will probably take
until weekend, but we are almost at RC1 anyway
(8ca559c846f149eda900c581cc4c0ce0cacb89c2).

On 2020-05-14 Jeremy Harris via Exim-dev  wrote:
> I have built, and placed on the FTP site, Release Candidate 1 for
> exim release 4.94
[...]
> Changes since RC0:

- $local_part_verified has been dropped again. $local_part_data should
  work where $local_part_verified worked.

BTW Jeremy, could you fix the last reference to $local_part_verified, it
is in README.UPDATING.

cu Andreas



Re: [exim-dev] misleading indent

2019-10-19 Thread Andreas Metzler via Exim-dev
On 2019-10-20 Andreas Metzler via Exim-dev  wrote:
> that either the later blocks or the if-checks are misaligned. The diff
> does not show this clearly, but look at the modified code:
 ^
---

*un*modified, obviously.



Re: [exim-dev] misleading indent

2019-10-19 Thread Andreas Metzler via Exim-dev
On 2019-10-19 Jeremy Harris via Exim-dev  wrote:
> On 19/10/2019 13:26, Andreas Metzler via Exim-dev wrote:
> > gcc (correctly) warns about two instances of misleading indentation.

> Correctly?  I think not.  Neither is associated with a flow-control;
> they are both purely blocks for the restriction of local-variable
> scope.  Your suggested changes would break function-head identification
> for editors.

Hello Jeremy,

the current indentation looks misleading to /me/. The blocks are aligned
with the preceding but uncorrelated action with "if". So I would think
that either the later blocks or the if-checks are misaligned. The diff
does not show this clearly, but look at the modified code:

---
if (!cipher_list)
  cipher_list = ob->tls_require_ciphers;

if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cipher_list, , tlsp, errstr) != OK)
  return FALSE;

  {
  int dh_min_bits = ob->tls_dh_min_bits;
  if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
--

--
if (  buf[0] != 5
   || socks_auth(fd, buf[1], sob, tmo) != OK
   )
  goto proxy_err;

  {
  union sockaddr_46 sin;
  (void) ip_addr(, host_af, host->address, port);

  /* send connect (ipver, ipaddr, port) */

  buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = host_af == AF_INET6 ? 4 : 1;
--

Obviously /I/ am not the benchmark for "misleading" on exim code as I am
not writing the code. ;-) But still I do not get the style, indenting
code on the same syntax level (if-condition and local-variable scope
blocks) differently.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] misleading indent

2019-10-19 Thread Andreas Metzler via Exim-dev
Hello,

gcc (correctly) warns about two instances of misleading indentation.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 03e704e39..196e62203 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2827,23 +2827,23 @@ if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
 cipher_list, , tlsp, errstr) != OK)
   return FALSE;
 
+{
+int dh_min_bits = ob->tls_dh_min_bits;
+if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
   {
-  int dh_min_bits = ob->tls_dh_min_bits;
-  if (dh_min_bits < EXIM_CLIENT_DH_MIN_MIN_BITS)
-{
-DEBUG(D_tls)
-  debug_printf("WARNING: tls_dh_min_bits far too low,"
-		" clamping %d up to %d\n",
-	  dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
-dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
-}
-
-  DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
-		" acceptable bits to %d\n",
-  dh_min_bits);
-  gnutls_dh_set_prime_bits(state->session, dh_min_bits);
+  DEBUG(D_tls)
+debug_printf("WARNING: tls_dh_min_bits far too low,"
+  	" clamping %d up to %d\n",
+dh_min_bits, EXIM_CLIENT_DH_MIN_MIN_BITS);
+  dh_min_bits = EXIM_CLIENT_DH_MIN_MIN_BITS;
   }
 
+DEBUG(D_tls) debug_printf("Setting D-H prime minimum"
+  	" acceptable bits to %d\n",
+dh_min_bits);
+gnutls_dh_set_prime_bits(state->session, dh_min_bits);
+}
+
 /* Stick to the old behaviour for compatibility if tls_verify_certificates is
 set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
 the specified host patterns if one of them is defined */
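Review bot: the re-indented continuation lines of both debug_printf() calls ('" clamping %d up to %d\n",' and '" acceptable bits to %d\n",') are indented with spaces followed by a tab, which git diff --check reports as a whitespace error; indent them with spaces only or tabs only. Because this hunk is meant to change indentation and nothing else, saying so in the commit message lets a reviewer confirm with git diff -w that the clamp of tls_dh_min_bits to EXIM_CLIENT_DH_MIN_MIN_BITS is untouched.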
diff --git a/src/src/transports/smtp_socks.c b/src/src/transports/smtp_socks.c
index 41dc78147..9446e2880 100644
--- a/src/src/transports/smtp_socks.c
+++ b/src/src/transports/smtp_socks.c
@@ -330,30 +330,30 @@ if (  buf[0] != 5
)
   goto proxy_err;
 
-  {
-  union sockaddr_46 sin;
-  (void) ip_addr(, host_af, host->address, port);
+{
+union sockaddr_46 sin;
+(void) ip_addr(, host_af, host->address, port);
 
-  /* send connect (ipver, ipaddr, port) */
+/* send connect (ipver, ipaddr, port) */
 
-  buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = host_af == AF_INET6 ? 4 : 1;
-  #if HAVE_IPV6
-  if (host_af == AF_INET6)
-{
-memcpy(buf+4, _addr,   sizeof(sin.v6.sin6_addr));
-memcpy(buf+4+sizeof(sin.v6.sin6_addr),
-  _port, sizeof(sin.v6.sin6_port));
-size = 4+sizeof(sin.v6.sin6_addr)+sizeof(sin.v6.sin6_port);
-}
-  else
-  #endif
-{
-memcpy(buf+4, _addr.s_addr, sizeof(sin.v4.sin_addr.s_addr));
-memcpy(buf+4+sizeof(sin.v4.sin_addr.s_addr),
-  _port, sizeof(sin.v4.sin_port));
-size = 4+sizeof(sin.v4.sin_addr.s_addr)+sizeof(sin.v4.sin_port);
-}
+buf[0] = 5; buf[1] = 1; buf[2] = 0; buf[3] = host_af == AF_INET6 ? 4 : 1;
+#if HAVE_IPV6
+if (host_af == AF_INET6)
+  {
+  memcpy(buf+4, _addr,   sizeof(sin.v6.sin6_addr));
+  memcpy(buf+4+sizeof(sin.v6.sin6_addr),
+_port, sizeof(sin.v6.sin6_port));
+  size = 4+sizeof(sin.v6.sin6_addr)+sizeof(sin.v6.sin6_port);
   }
+else
+#endif
+  {
+  memcpy(buf+4, _addr.s_addr, sizeof(sin.v4.sin_addr.s_addr));
+  memcpy(buf+4+sizeof(sin.v4.sin_addr.s_addr),
+_port, sizeof(sin.v4.sin_port));
+  size = 4+sizeof(sin.v4.sin_addr.s_addr)+sizeof(sin.v4.sin_port);
+  }
+}
 
 state = US"connect";
 HDEBUG(D_transport|D_acl|D_v)
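Review bot: the new "+{" and "+}" put the braces of a scope-only block in column 0 inside a function body, which is the position some editors use to locate function heads (the concern raised in the reply to this patch). If the aim is only to silence gcc's misleading-indentation warning, consider dropping the bare block and declaring "union sockaddr_46 sin;" with the function's other locals; that leaves the memcpy() lines and the size arithmetic untouched and keeps the diff small.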


[exim-dev] dnssec_request_domain router option in default config

2019-10-19 Thread Andreas Metzler via Exim-dev
Hello,

4.93 C0 features this change:

HS/06 Change the default of dnssec_request_domains to "*"

The default config file still has a (single) explicit
"dnssec_request_domains = *", though. - That is an oversight, isn't it?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Hard to understand doc enhancement 52af44332434a2a34ae30f3d0ac3b549d512e4cc

2019-03-11 Thread Andreas Metzler via Exim-dev
On 2019-03-11 Heiko Schlittermann via Exim-dev  wrote:
> Andreas Metzler via Exim-dev  (Sa 09 Mär 2019 17:49:28 
> CET):
[...]
>> +&*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
>> +IPv4.  Such addresses being searched for are converted to IPv4.
[...]
>> Do not use an IPv4-mapped IPv6 address as key; use the original IPv4
>> notation. IPv4-mapped IPv6 addresses are being converted to IPv4
>> notation by exim before executing the lookup.

> What about such change:

>  .new
>  &*Warning 3*&: Do not use an IPv4-mapped IPv6 address for a key; use the
> -IPv4.  Such addresses being searched for are converted to IPv4.
> +IPv4 address in dotted-quad form.
>  .wen
>  .next
>  .new


Hello,

Thanks, the description of what to do is great, but imho the
rationale (what breaks?) should stay.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] tls_sni = $host in default configuration file

2019-01-04 Thread Andreas Metzler via Exim-dev
On 2019-01-04 Florian Zumbiehl via Exim-dev  wrote:
> On 2019-01-04 Jeremy Harris via Exim-dev wrote:
>> On 04/01/2019 01:02, Florian Zumbiehl via Exim-dev wrote:
>>>  may I suggest you put that on the
>>> website somewhere?
 
>> It was already there, at https://bugs.exim.org/enter_bug.cgi

> That page only tells me that "Bugzilla needs a legitimate login and
> password to continue.".

Fair enough.

Once one is logged in or creates a log-in to file a report, it really is
quite straightforward:

http://www.exim.org/ --> [bugs]
https://bugs.exim.org/ --> [File a Bug]
https://bugs.exim.org/enter_bug.cgi which looks as attached

[...]
> And in any case, what I can say is that as a matter of fact I didn't find
> it when I needed it, even if you think that I should have.

http://www.exim.org/ --> [Security] could include a pointer.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


[exim-dev] Tests with TLS 1.3?

2018-12-24 Thread Andreas Metzler via Exim-dev
Hello,

did anybody yet test exim with TLS 1.3?

Server side (exim/GnuTLS accepting messages from swaks or mutt) seems to
work (see header), however I have yet to find a public SMTP server who
offers TLS 1.3, to test outgoing deliveries.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-17 Thread Andreas Metzler via Exim-dev
On 2018-12-17 Phil Pennock via Exim-dev  wrote:
> On 2018-12-16 at 10:42 +, Jeremy Harris via Exim-dev wrote:
> > On 16/12/2018 10:20, Andreas Metzler via Exim-dev wrote:
> > > 4.92rc1 adds this to the smarthost_smtp transport:
> > > 
> > > tls_sni = $host
> > > 
> > > I do not think that always works as expected. Depending on the DNS setup
> > > (CNAME, round robin) $host will not contain the name of the selected
> > > smarthost anymore but a different value.
[...]
> I think that I just missed that we might adapt `$host` during the life
> of the Transport.

> <https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_smtp_transport.html>
> 30.2

> Absent `hosts_override` or `hosts` directly on the Transport, Round
> Robin A records have no cause to change the host _name_.  So the only
> issue should be CNAME records?
[...]

Hello Phil,

I only recognized the problem because we have had to workaround/document
around it in Debian for ages. - We have been using ${lookup{$host} in
smtp authentication.

CNAME for smarthost is very common, the biggest players (office365,
gmail and yahoo) use it.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] tls_sni = $host in default configuration file

2018-12-16 Thread Andreas Metzler via Exim-dev
Hello,

4.92rc1 adds this to the smarthost_smtp transport:

tls_sni = $host

I do not think that always works as expected. Depending on the DNS setup
(CNAME, round robin) $host will not contain the name of the selected
smarthost anymore but a different value.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] branch exim-4_91+fixes created

2018-04-27 Thread Andreas Metzler via Exim-dev
On 2018-04-23 Jeremy Harris via Exim-dev  wrote:
> For distro maintainers, and similar, as per Subject
> and similar to previous +fixes branches.

> Intent is to only carry actual fixes, no new features or
> minor fiddling.  The master branch remains the main path
> of development; this one is subsidiary but may be of
> interest to distro maintainers wanting to keep abreast
> of fixes as they arrive but not at the bleeding-edge.

Hello,

these -fixes branches are indeed a very nice thing to have for
Debian/unstable and /testing. Thank you!

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] committers

2018-02-03 Thread Andreas Metzler
On 2018-02-03 Heiko Schlittermann via Exim-dev  wrote:
> Jeremy Harris  (Sa 03 Feb 2018 18:03:18 CET):
> …
> > Previously for commits done using content supplied by other people
> > we have set the Author and left the Committer saying who did
> > the commit.  I'd like that to continue.

> Yes, that was my intention too, but I didn't check if the reality matched my
> intention.

> My fault.

Hello,

I googled in vain and experimented a bit. Using cherry-pick instead of
merge seemed to work for me to change the committer.

instead of   git merge --ff 
use  git cherry-pick  ..

cu And- no guarantee, seemed to work for me -reas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] committers

2018-02-03 Thread Andreas Metzler
On 2018-02-03 Jeremy Harris  wrote:
> Who is "Vladimir Panteleev "
> and how did he acquire commit rights?

I do not think he has commit rights, this was a github pull request.

https://github.com/Exim/exim/pull/61

cu Andreas



[exim-dev] OS/Makefile-Base - why a double colon rule

2017-12-26 Thread Andreas Metzler
Hello,

I was wondering why I never saw an exim build with EXIM_COMPILE_NUMBER 1
and ended up with looking at OS/Makefile-Base which contains this rule:

# Update Exim's version information and build the version object.

version.h version.sh::
@../scripts/reversion

Can anybody imagine why this is a double-colon rule, i.e.
version.h version.sh::
instead of
version.h version.sh:

The double-colon enforces that scripts/reversion is run twice, which is
why we end up with EXIM_COMPILE_NUMBER of at least 2.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
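
What the double-colon rule quoted in the message above does, as an added example that is not part of the original post or of Exim's build system: a two-target rule with no prerequisites runs once per target on every invocation when written with "::", while the ":" form runs once on a clean tree and not at all once the files exist. The target names a and b, the runs.log counter and the function name are made up for the demonstration; GNU make run serially is assumed.

```shell
#!/bin/sh
# Added example; a stand-in for "version.h version.sh::" in OS/Makefile-Base.
# Prints "<runs on clean build> <runs on rebuild>" for the given separator.
count_recipe_runs() {   # $1 is ':' or '::'
  command -v make >/dev/null 2>&1 || { echo "make not found" >&2; return 127; }
  dir="$(mktemp -d)" || return 1
  # The recipe plays the role of scripts/reversion: every run appends one
  # line to runs.log and (re)creates both targets.
  printf 'all: a b\n\na b%s\n\t@echo run >> runs.log; touch a b\n' "$1" \
    > "$dir/Makefile"
  make -s -j1 -C "$dir" all >/dev/null 2>&1
  clean=$(wc -l < "$dir/runs.log" | tr -d ' ')
  make -s -j1 -C "$dir" all >/dev/null 2>&1
  total=$(wc -l < "$dir/runs.log" | tr -d ' ')
  rm -rf "$dir"
  echo "$clean $((total - clean))"
}

echo "double-colon: $(count_recipe_runs '::')"
echo "single-colon: $(count_recipe_runs ':')"
```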



Re: [exim-dev] [Bug 2201] Exim handles BDAT data incorrectly and leads to crash

2017-12-13 Thread Andreas Metzler
On 2017-12-13 ad...@bugs.exim.org wrote:
> https://bugs.exim.org/show_bug.cgi?id=2201

> --- Comment #12 from Jeremy Harris  ---
> d21bf20 fixes the reproducer I created for the report with the re-open of the
> bug.  It turned out to actually be a different issue, in flushing input 
> between
> detecting an overlong header line and accepting further SMTP commands.  The
> flush
> is required in its own right, but has the side-effect of dropping us out of
> BDAT-handling mode.

Hello,

could you please spell out what the actual effects of the issue fixed by
this patch are? Another security vulnerability, data loss, none of the
above?

Thanks, cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] [patch] exim 4.90_RC1 SOURCE_DATE_EPOCH build error / missing parts

2017-10-28 Thread Andreas Metzler
On 2017-10-28 Phil Pennock <p...@exim.org> wrote:
> On 2017-10-28 at 13:08 +0200, Andreas Metzler wrote:
> > Thanks for introducing SOURCE_DATE_EPOCH support to exim. Due to a typo
> > 4.90_RC1 FTBFS with non-BSD date if SOURCE_DATE_EPOCH is set. Also the
> > change applied to exim needs to be copied over to exim_monitor.

> You're welcome, and sorry.  I neglected to become a heathen using
> non-BSD date in testing. ;)

> I don't have any X11 systems (and haven't had for years) so testing the
> monitor changes would be problematic here.  I _suspect_ that to fix the
> missing vars it's sufficient to just `#include "version.h"` at the top
> of em_version.c because the build system symlinks the monitor source
> files into the same build-foo dir as the Exim source files.
[...]

That is one part, the other one is that the output needs to be stored
somewhere else since the version setting code is just /almost/
identical.

Try2 attached.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From f0bcc8c1b9a957d2a891da91e0c237440fca3b1b Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Sat, 28 Oct 2017 19:45:30 +0200
Subject: [PATCH] Make exim_monitor build reproducible.

Adapt changes to exim for SOURCE_DATE_EPOCH from exim
6e411084a29a7658f7bc88aa5a62ab9016c22c79 to exim_monitor.
---
 src/exim_monitor/em_version.c | 13 +
 1 file changed, 13 insertions(+)

diff --git a/src/exim_monitor/em_version.c b/src/exim_monitor/em_version.c
index a2edbfe8..8228f946 100644
--- a/src/exim_monitor/em_version.c
+++ b/src/exim_monitor/em_version.c
@@ -10,6 +10,8 @@
 #include 
 #include 
 
+#include "version.h"
+
 extern uschar *version_string;
 extern uschar *version_date;
 
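Review bot: with '#include "version.h"' added, em_version.c depends on a header that the build generates, yet the diffstat lists only this one file; please confirm that the monitor's build rule names version.h as a prerequisite of the em_version object, otherwise a parallel build can compile it before the header exists or against a stale copy.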
@@ -21,6 +23,16 @@ uschar today[20];
 
 version_string = US"2.06";
 
+#ifdef EXIM_BUILD_DATE_OVERRIDE
+/* Reproducible build support; build tooling should have given us something looking like
+ * "25-Feb-2017 20:15:40" in EXIM_BUILD_DATE_OVERRIDE based on $SOURCE_DATE_EPOCH in environ
+ * per <https://reproducible-builds.org/specs/source-date-epoch/>
+ */
+version_date = US malloc(32);
+version_date[0] = 0;
+Ustrncat(version_date, EXIM_BUILD_DATE_OVERRIDE, 31);
+
+#else
 Ustrcpy(today, __DATE__);
 if (today[4] == ' ') i = 1;
 today[3] = today[6] = '-';
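Review bot: "version_date = US malloc(32);" is followed directly by "version_date[0] = 0;" with no check for a NULL return, so an allocation failure turns into a write through a null pointer; test the pointer before writing, or use a fixed-size buffer. The 31-character bound on Ustrncat() also truncates a longer EXIM_BUILD_DATE_OVERRIDE silently, which suits the "25-Feb-2017 20:15:40" form the comment describes but deserves a one-line comment tying 32 to that format.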
@@ -32,6 +44,7 @@ Ustrncat(version_date, today, 4);
 Ustrncat(version_date, today+7, 4);
 Ustrcat(version_date, " ");
 Ustrcat(version_date, __TIME__);
+#endif
 }
 
 /* End of em_version.c */
-- 
2.14.2



Re: [exim-dev] [patch] exim 4.90_RC1 SOURCE_DATE_EPOCH build error / missing parts

2017-10-28 Thread Andreas Metzler
On 2017-10-28 Andreas Metzler <eximus...@bebt.de> wrote:
> Hello,

> Thanks for introducing SOURCE_DATE_EPOCH support to exim. Due to a typo
> 4.90_RC1 FTBFS with non-BSD date if SOURCE_DATE_EPOCH is set. Also the
> change applied to exim needs to be copied over to exim_monitor.

> Trivial patches attached. ;-)

0002-* is not so trivial, since it does not actually work. :-(

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [patch] Typo fix "psuedo"

2017-10-28 Thread Andreas Metzler
Hello,

find attached a trivial patch to fix a typo in exipick's documentation.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From ec47e8940d518fb3bcf3198381848056cf08e9cd Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Sat, 28 Oct 2017 13:19:22 +0200
Subject: [PATCH] Correct typo "psuedo" in exipick documentation.

---
 src/src/exipick.src | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/src/exipick.src b/src/src/exipick.src
index d0122a32..a1aa79dc 100644
--- a/src/src/exipick.src
+++ b/src/src/exipick.src
@@ -390,7 +390,7 @@ sub process_criteria {
 } else {
   $c[-1]{cmp} .= $G::negate ? " ? 0 : 1" : " ? 1 : 0";
 }
-# support the each_* psuedo variables.  Steal the criteria off of the
+# support the each_* pseudo variables.  Steal the criteria off of the
 # queue for special processing later
 if ($c[-1]{var} =~ /^each_(recipients(_(un)?del)?)$/) {
   my $var = $1;
@@ -1597,7 +1597,7 @@ TRUE if, under normal circumstances, Exim will not try to deliver the message.
 
 =item S + $each_recipients
 
-This is a psuedo variable which allows you to apply a test against each address in $recipients individually.  Whereas '$recipients =~ /@aol.com/' will match if any recipient address contains aol.com, '$each_recipients =~ /@aol.com$/' will only be true if every recipient matches that pattern.  Note that this obeys --and or --or being set.  Using it with --or is very similar to just matching against $recipients, but with the added benefit of being able to use anchors at the beginning and end of each recipient address.
+This is a pseudo variable which allows you to apply a test against each address in $recipients individually.  Whereas '$recipients =~ /@aol.com/' will match if any recipient address contains aol.com, '$each_recipients =~ /@aol.com$/' will only be true if every recipient matches that pattern.  Note that this obeys --and or --or being set.  Using it with --or is very similar to just matching against $recipients, but with the added benefit of being able to use anchors at the beginning and end of each recipient address.
 
 =item S + $each_recipients_del
 
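Review bot: the example patterns on the changed "=item" paragraph, '/@aol.com/' and '/@aol.com$/', leave the "." unescaped, so they also match an address such as "@aolXcom"; since the line is being touched anyway, escaping it as "@aol\.com" would make the documented example exact for readers who copy it into their own selection criteria.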
-- 
2.14.2



[exim-dev] [patch] exim 4.90_RC1 SOURCE_DATE_EPOCH build error / missing parts

2017-10-28 Thread Andreas Metzler
Hello,

Thanks for introducing SOURCE_DATE_EPOCH support to exim. Due to a typo
4.90_RC1 FTBFS with non-BSD date if SOURCE_DATE_EPOCH is set. Also the
change applied to exim needs to be copied over to exim_monitor.

Trivial patches attached. ;-)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From d7a9be112b313cc5d56fed5301ce73c60747d943 Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Sat, 28 Oct 2017 12:59:21 +0200
Subject: [PATCH 1/2] Fix build error with SOURCE_DATE_EPOCH due to typo.

---
 src/scripts/reversion | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/scripts/reversion b/src/scripts/reversion
index 5e0ed855..c82d9c0a 100755
--- a/src/scripts/reversion
+++ b/src/scripts/reversion
@@ -96,7 +96,7 @@ if [ ".${SOURCE_DATE_EPOCH:-}" != "." ]; then
   # builds without it causing any problems: nothing really cares about timezone.
   # GNU date: "date -d @TS"
   # BSD date: "date -r TS"
-  exim_build_date_override="$(date -u -d "@${SOURCE_DATE_EPOCH}" "$fmt" 2>/dev/null | date -u -r "${SOURCE_DATE_EPOCH}" "$fmt" 2>/dev/null)"
+  exim_build_date_override="$(date -u -d "@${SOURCE_DATE_EPOCH}" "$fmt" 2>/dev/null || date -u -r "${SOURCE_DATE_EPOCH}" "$fmt" 2>/dev/null)"
 fi
 
 ( echo '# automatically generated file - see ../scripts/reversion'
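Review bot: On the changed line both date invocations still send stderr to /dev/null, so when neither "-d @TS" nor "-r TS" is accepted, or SOURCE_DATE_EPOCH is not a number, exim_build_date_override ends up empty with no diagnostic. The "||" fix itself is right. Suggest testing the result directly after the assignment and aborting with a message when it is empty, so a build that was asked to be reproducible cannot silently carry an empty date.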
-- 
2.14.2

>From e01292d0bf44cc5ab3fcebe2abf3acaee49ccd57 Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Sat, 28 Oct 2017 13:01:50 +0200
Subject: [PATCH 2/2] Make exim_monitor build reproducible.

Copy changes to exim for SOURCE_DATE_EPOCH from exim
6e411084a29a7658f7bc88aa5a62ab9016c22c79 to exim_monitor.
---
 src/exim_monitor/em_version.c | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/src/exim_monitor/em_version.c b/src/exim_monitor/em_version.c
index a2edbfe8..92d813ff 100644
--- a/src/exim_monitor/em_version.c
+++ b/src/exim_monitor/em_version.c
@@ -21,6 +21,16 @@ uschar today[20];
 
 version_string = US"2.06";
 
+#ifdef EXIM_BUILD_DATE_OVERRIDE
+/* Reproducible build support; build tooling should have given us something looking like
+ * "25-Feb-2017 20:15:40" in EXIM_BUILD_DATE_OVERRIDE based on $SOURCE_DATE_EPOCH in environ
+ * per <https://reproducible-builds.org/specs/source-date-epoch/>
+ */
+version_date = date_buffer;
+version_date[0] = 0;
+Ustrncat(version_date, EXIM_BUILD_DATE_OVERRIDE, sizeof(date_buffer));
+
+#else
 Ustrcpy(today, __DATE__);
 if (today[4] == ' ') i = 1;
 today[3] = today[6] = '-';
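Review bot: The bound passed to Ustrncat in the added block is off by one if Ustrncat maps to strncat. The length argument limits the characters appended and the terminating NUL is written after them, so "sizeof(date_buffer)" permits a write one byte past the end of date_buffer when EXIM_BUILD_DATE_OVERRIDE is at least that long. Suggest "sizeof(date_buffer) - 1". Also, none of the added lines declares date_buffer and the hunk context only shows "uschar today[20];", so please confirm em_version.c has a declaration for it.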
@@ -32,6 +42,7 @@ Ustrncat(version_date, today, 4);
 Ustrncat(version_date, today+7, 4);
 Ustrcat(version_date, " ");
 Ustrcat(version_date, __TIME__);
+#endif
 }
 
 /* End of em_version.c */
-- 
2.14.2
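The GNU/BSD date fallback that the first patch restores, as an added example that is not part of the original post or of Exim's reversion script. The function name, the format string and the sample epoch are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: turn SOURCE_DATE_EPOCH into a build-date string using the
# GNU/BSD date(1) fallback. Names and format string are assumptions.

# Matches the "25-Feb-2017 20:15:40" shape mentioned in the patch comment.
BUILD_DATE_FMT='+%d-%b-%Y %H:%M:%S'

# epoch_to_build_date EPOCH
# Prints the formatted UTC date; returns non-zero with a message on stderr
# when the input is not a number or no supported date(1) syntax works.
epoch_to_build_date() {
  epoch=$1
  # Accept only a plain decimal integer before it reaches date(1).
  case $epoch in
    ''|*[!0-9]*)
      echo "invalid SOURCE_DATE_EPOCH: '$epoch'" >&2
      return 2
      ;;
  esac
  # GNU date: "-d @TS". BSD date: "-r TS". With "||" the second form runs
  # only if the first fails. With "|" both always run and only the second
  # command's output is captured; GNU date treats "-r TS" as a reference
  # file name, fails, and the captured result is empty.
  out=$(LC_ALL=C date -u -d "@${epoch}" "$BUILD_DATE_FMT" 2>/dev/null \
     || LC_ALL=C date -u -r "${epoch}" "$BUILD_DATE_FMT" 2>/dev/null) || out=''
  # If both forms fail, stop instead of embedding an empty date.
  if [ -z "$out" ]; then
    echo "date(1) accepts neither '-d @TS' nor '-r TS'" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Constructed sample value: 1488053740 is 25-Feb-2017 20:15:40 UTC.
epoch_to_build_date 1488053740
```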



Re: [exim-dev] GnuTLS and tls_eccurve

2017-03-25 Thread Andreas Metzler
[moved from -users to -dev]
On 2017-03-22 Bjcsurf via Exim-users  wrote:
> Thanks. Then I guess all of the details will be specified in the
> tls_require_ciphers option.

> I do notice in the documentation [1] that only OpenSSL is discussed in
> the tls_eccurve option, but it might be nice if it specifically
> mentioned that GnuTLS does not use this option.

How about the attached patch?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index a342a171..5341c4ef 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17179,6 +17179,8 @@ For OpenSSL versions before (and not including) 1.0.2, the string
 
 If the option expands to an empty string, no EC curves will be enabled.
 
+This setting is only relevant for OpenSSL, it not used when Exim is built
+against GnuTLS.
 
 .option tls_ocsp_file main string&!! unset
 .cindex TLS "certificate status"
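Review bot: The added sentence is missing a verb ("it not used") and joins two clauses with a comma. Suggest "This setting is only relevant for OpenSSL; it is not used when Exim is built against GnuTLS." Since the question that prompted the patch was where GnuTLS users configure this instead, a pointer to tls_require_ciphers in the same sentence would answer it in place.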


Re: [exim-dev] [exim] Exim 4.89 RC7

2017-03-03 Thread Andreas Metzler
On 2017-03-03 Phil Pennock  wrote:
> On 2017-02-28 at 22:48 -0500, Phil Pennock wrote:
> > I have uploaded Exim 4.89 RC7 to:
> > 
> > https://ftp.exim.org/pub/exim/exim4/test/

> No replies.
[...]

For those running Debian: rc7 is available in unstable.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim 4.89 RC6 uploaded: one remaining known issue

2017-02-23 Thread Andreas Metzler
On 2017-02-23 Phil Pennock  wrote:
> Folks, we really need your help tracking down one last issue with a
> crashing Exim; _please_ try this Exim some place, to see if you can help
> expose it.

> I have uploaded Exim 4.89 RC6 to:
[...]

Hello,

Just uploaded to debian/unstable, should be available after the next
mirror push.

BTW, there is a new rather ugly warning in RC6:
| receive.c: In function 'read_message_bdat_smtp':
| receive.c:947:9: warning: implicit declaration of function 'bdat_ungetc' 
[-Wimplicit-function-declaration]
|  bdat_ungetc('\n');
|  ^~~

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] [exim] Exim 4.89 RC6 tomorrow (Wednesday)

2017-02-18 Thread Andreas Metzler
On 2017-02-18 Jeremy Harris  wrote:
[...]
> Separately, on the TLS / continued-connection front: a branch on
> hummus, "transport_tls_continue" with a prototype for discussion.
[...]
> Issues:
[...]
> - The continued-delivery log lines (ones with the "*" marker) are
>   missing any TLS information; because the process sending the
>   log info no longer starts the TLS it has no info.  So no X=cipher,
>   CV, OCSP or DS markers on those deliveries; one has to locate
>   the "initiating delivery" log line (the one for the same host
>   but lacking the "*".

Hello,

Does "exigrep $message-id" also display the line with the TLS-info?

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Disabling BDAT by default for upcoming Debian stable release?

2017-01-20 Thread Andreas Metzler
On 2017-01-19 Heiko Schlittermann <h...@schlittermann.de> wrote:
> Andreas Metzler <eximus...@bebt.de> (Do 19 Jan 2017 15:44:17 CET):
[...]
> > -  US"*",   /* hosts_try_chunking */
> > +  NULL,/* hosts_try_chunking */
> >  #ifdef EXPERIMENTAL_DANE
> >NULL,/* hosts_try_dane */
> >NULL,/* hosts_require_dane */

> But this patch?? As far as I know, the issues with chunking are
> *inbound*, not outbound, so, the disabling chunking for outgoing
> connections isn't strictly necessary.

Hello,

Outgoing chunking relies on correct body_linecount in the spoolfile,
DATA does not. I know that incoming chunking allows setting
body_linecount in the spoolfile to an (almost) arbitrary value, perhaps
there are other venues to accomplish this.

> But I'd add update the spec, just in case somebody reads it:
[...]

I had done the minimal change in the upload.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Disabling BDAT by default for upcoming Debian stable release?

2017-01-19 Thread Andreas Metzler
On 2017-01-19 Jeremy Harris <j...@wizmail.org> wrote:
> On 19/01/17 14:44, Andreas Metzler wrote:
> > Any thoughts, strong opinions against?

> It's the right way to do it, and probably wise
> given the outstanding bug against CHUNKING vs. DKIM.

Thank you for doublechecking the patch.

I have just uploaded since I 
a) had some time, and
b) it's easy to undo by re-uploading without the patch.

cu Andreas


-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] Disabling BDAT by default for upcoming Debian stable release?

2017-01-19 Thread Andreas Metzler
Hello,

I am considering to temporarily disable BDAT in Debian's exim packages.

Afaict BDAT in exim is still stabilizing, multiple issues have shown up
since 4.88 and some are still unfixed.

OTOH we (Debian) do not have time to wait for BDAT to get ready. Debian
is currently preparing for a new stable release. On February 5 the "Full
Freeze" will come into effect, i.e. uploads targeted for the release
will require manual approval by the release team. (With the ten day
waiting period for automatic approval, the upload deadline is about
January 26.)

I would apply the attached patch.

Any thoughts, strong opinions against?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From 6ed375c38b0d7a743fa37e61ac4353cd34aeed9e Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Thu, 19 Jan 2017 15:16:45 +0100
Subject: [PATCH] Disable chunking (BDAT) by default.

Change default value of main option chunking_advertise_hosts and
smtp transport option hosts_try_chunking from "*" to empty.
---
 src/src/globals.c | 2 +-
 src/src/transports/smtp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/src/globals.c b/src/src/globals.c
index 90e46dff..8f26487a 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -494,7 +494,7 @@ BOOLcheck_rfc2047_length   = TRUE;
 int check_spool_inodes = 100;
 int check_spool_space  = 10*1024;	/* 10K Kbyte == 10MB */
 
-uschar *chunking_advertise_hosts = US"*";
+uschar *chunking_advertise_hosts = NULL;
 unsigned chunking_datasize = 0;
 unsigned chunking_data_left= 0;
 BOOLchunking_offered   = FALSE;
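Review bot: Changing the compiled-in default of chunking_advertise_hosts to NULL makes the documented default wrong, and the diffstat touches only globals.c and smtp.c. Suggest updating the option's entry in the spec in the same patch, or stating in the commit message that the documentation deliberately still describes the upstream default.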
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 87082717..314d74f1 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -206,7 +206,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,/* serialize_hosts */
   NULL,/* hosts_try_auth */
   NULL,/* hosts_require_auth */
-  US"*",   /* hosts_try_chunking */
+  NULL,/* hosts_try_chunking */
 #ifdef EXPERIMENTAL_DANE
   NULL,/* hosts_try_dane */
   NULL,/* hosts_require_dane */
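Review bot: The commit message does not say why hosts_try_chunking, the outbound side, is cleared together with chunking_advertise_hosts. Because this initializer is positional, the only trace of the change is the "NULL" itself. Suggest a one-line reason in the commit message or a short comment on the changed line, so the "*" default can be restored deliberately once chunking has stabilized.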
-- 
2.11.0



Re: [exim-dev] Exim4 spool directory symlink local root escalation - does this apply to 4.87?

2016-09-11 Thread Andreas Metzler
On 2016-09-11 Jeremy Harris <j...@wizmail.org> wrote:
> On 11/09/16 17:16, Andreas Metzler wrote:
> >> And... is that
> >> repeat-by relying on the writability of a library directory
> >> by an unpriv process?
> > 
> > /lib/x86_64-linux-gnu/ is 0755 root:root.

> In that case I'm not seeing how this stage works:

> - Symlink /var/spool/exim4/input/xx-xx-xx-J to
> /lib/x86_64-linux-gnu/libpam.so.0.83.1

> Perhaps I'm not understanding "to".  What is the "ls -l" output for
> the symlink just created?

strcpy(linkPath, "/var/spool/exim4/input/xx-xx-xx-J");
dirStruct=opendir("/var/spool/exim4/msglog");
assert(dirStruct);
result=1;
while(result) {
  while((dirEnt=readdir(dirStruct))) {
if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
strncpy(linkPath+23, dirEnt->d_name, 16);
system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
result=symlink(TARGET_PATH, linkPath);
system ("ls -l /var/spool/exim4/input/ /lib/x86_64-linux-gnu/libpam.so.0.83.1");
assert(!result);
fprintf(stderr, "Relinked %s\n", linkPath);
break;

...

$ /tmp/EximUpgrade --Upgrade
-rw-r--r-- 1 rootroot60104 May 18 00:22 
/lib/x86_64-linux-gnu/libpam.so.0.83.1

/var/spool/exim4/input/:
total 8
-rw-r- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 rootroot60104 May 18 00:22 
/lib/x86_64-linux-gnu/libpam.so.0.83.1

/var/spool/exim4/input/:
total 8
-rw-r- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
-rw-r--r-- 1 rootroot60104 May 18 00:22 
/lib/x86_64-linux-gnu/libpam.so.0.83.1

/var/spool/exim4/input/:
total 8
-rw-r- 1 Debian-exim Debian-exim  19 Sep 11 17:20 1bj8R0-0004c9-JG-D
-rw-r- 1 Debian-exim Debian-exim 617 Sep 11 17:20 1bj8R0-0004c9-JG-H
lrwxrwxrwx 1 Debian-exim Debian-exim  38 Sep 11 17:20 1bj8R0-0004c9-JG-J -> 
/lib/x86_64-linux-gnu/libpam.so.0.83.1
Relinked /var/spool/exim4/input/1bj8R0-0004c9-JG-J
Target ready for writing
EximUpgrade: EximUpgrade-debugme.c:163: main: Assertion 
`result==newStatData.st_size' failed.
Aborted

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim4 spool directory symlink local root escalation - does this apply to 4.87?

2016-09-11 Thread Andreas Metzler
On 2016-09-11 Jeremy Harris <j...@wizmail.org> wrote:
> On 11/09/16 15:32, Andreas Metzler wrote:
> > was there a thread or a bug report about
> > http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ ?

> No idea.  I assume you searched?

Hello,

Did not find anything on bugzilla, I thought there might have been other
channels I missed.

> If not, is it repeatable with current HEAD?

The issue was reproduced on Ubuntu
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/ against
4.86.2, the example exploit did not fully work for me with 4.87, I
therefore did not yet try against HEAD.

It managed to chown /lib/x86_64-linux-gnu/libpam.so.0.83.1 to
exim-user:exim-user, though.

> And... is that
> repeat-by relying on the writability of a library directory
> by an unpriv process?

/lib/x86_64-linux-gnu/ is 0755 root:root.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] Exim4 spool directory symlink local root escalation - does this apply to 4.87?

2016-09-11 Thread Andreas Metzler
Hello,

was there a thread or a bug report about
http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/ ?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] How about a release?

2016-08-19 Thread Andreas Metzler
Hello,

afaict there are multiple important bug fixes present in GIT head that might
warrant a release:

https://bugs.exim.org/show_bug.cgi?id=1874
fix continued use of a connection for further deliveries.
[...] As a result mail would be lost.

https://bugs.exim.org/show_bug.cgi?id=1810
mangled queue, possible mail loss.

https://bugs.exim.org/show_bug.cgi?id=1836
Unqualified arguments to VRFY (when received over local or remote SMTP)
cause a segfault.

https://bugs.exim.org/show_bug.cgi?id=1853
If the base64 strings for the b= or bh= tags in the DKIM-Signature
header are not actually valid base64, it will cause Exim to segfault.
[Bug report not yet closed]

https://bugs.exim.org/show_bug.cgi?id=1870
Use of ${run} in router conditions causes intermittent crash

None of these are critical, but still "mail lost" or "SUID binary
segfaults" are not nice things to have in the current stable release.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [patch] some typoes

2016-03-29 Thread Andreas Metzler
Hello,

find attached a trivial patch against GIT master, fixing some typos.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From 9fa2ac72349e5d686fa928c72cc15ebbfaa0e5cc Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Tue, 29 Mar 2016 18:57:55 +0200
Subject: [PATCH] Typo fix.

messsage -> message
receved -> received

Found/reported by Vincent Lefevre in <https://bugs.debian.org/819482>.
---
 doc/doc-docbook/spec.xfpt | 2 +-
 doc/doc-src/FAQ.src   | 2 +-
 doc/doc-txt/NewStuff  | 2 +-
 src/src/configure.default | 4 ++--
 src/src/globals.h | 2 +-
 src/src/receive.c | 8 
 src/src/spool_out.c   | 2 +-
 7 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 7dc05c6..6185536 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -14170,7 +14170,7 @@ If the message being returned has lines longer than this value it is
 treated as if the &%bounce_return_size_limit%& (below) restriction was exceeded.
 
 The option also applies to bounces returned when an error is detected
-during reception of a messsage.
+during reception of a message.
 In this case lines from the original are truncated.
 
 The option does not apply to messages generated by an &(autoreply)& transport.
diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src
index 03360be..9280e03 100644
--- a/doc/doc-src/FAQ.src
+++ b/doc/doc-src/FAQ.src
@@ -2316,7 +2316,7 @@ A0310: If a DNS lookup returns no MXs, Exim looks for an address record, in
 
 
 Q0311: When a DNS lookup for MX records fails to complete, why doesn't Exim
-   send the messsage to the host defined by the A record?
+   send the message to the host defined by the A record?
 
 A0311: The RFCs are quite clear on this. Only if it is known that there are no
MX records is an MTA allowed to make use of the A record. When an MX
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 80c92a5..4c42c75 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -269,7 +269,7 @@ Version 4.82
 "" and "a" lookups is done and the full set of results returned.
 
 14. New expansion variable $headers_added with content from ACL add_header
-modifier (but not yet added to messsage).
+modifier (but not yet added to message).
 
 15. New 8bitmime status logging option for received messages.  Log field "M8S".
 
diff --git a/src/src/configure.default b/src/src/configure.default
index e5feb77..3c8cf97 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -707,8 +707,8 @@ begin transports
 
 
 # This transport is used for delivering messages over SMTP connections.
-# Refuse to send any messsage with over-long lines, which could have
-# been receved other than via SMTP. The use of message_size_limit to
+# Refuse to send any message with over-long lines, which could have
+# been received other than via SMTP. The use of message_size_limit to
 # enforce this is a red herring.
 
 remote_smtp:
diff --git a/src/src/globals.h b/src/src/globals.h
index b7f9c34..b83f9fe 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -193,7 +193,7 @@ extern uschar *acl_smtp_starttls;  /* ACL run for STARTTLS */
 extern uschar *acl_smtp_vrfy;  /* ACL run for VRFY */
 extern BOOLacl_temp_details;   /* TRUE to give details for 4xx error */
 extern tree_node *acl_var_c;   /* ACL connection variables */
-extern tree_node *acl_var_m;   /* ACL messsage variables */
+extern tree_node *acl_var_m;   /* ACL message variables */
 extern uschar *acl_verify_message; /* User message for verify failure */
 extern string_item *acl_warn_logged;   /* Logged lines */
 extern uschar *acl_wherecodes[];   /* Response codes for ACL fails */
diff --git a/src/src/receive.c b/src/src/receive.c
index 6b69bcb..f4b3d78 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1292,7 +1292,7 @@ else if (rc != OK)
   if (  smtp_input
  && smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
 {
-*smtp_yield_ptr = FALSE;/* No more messsages after dropped connection */
+*smtp_yield_ptr = FALSE;/* No more messages after dropped connection */
 *smtp_reply_ptr = US""; /* Indicate reply already sent */
 }
   message_id[0] = 0;/* Indicate no message accepted */
@@ -3275,7 +3275,7 @@ else
 {
 Uunlink(spool_name);
 if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
-  smtp_yield = FALSE;/* No more messsages after dropped connection */
+  smtp_yield = FALSE;/* No more messages after dropped connection */
 smtp_reply = US"";   /* Indicate reply already sen

[exim-dev] warning on missing environment option

2016-03-10 Thread Andreas Metzler
Hello,

I am a little bit unhappy with the current state of
add_environment/keep_environment:

* Exim throws a runtime warning if neither of the options is set.
* configure.default does not set either of the options
  (even f26587cbf325ebb365cd670db767363775391dc6 has only commented
  examples).
* Setting keep_environment to an empty value ("keep_environment =")
  makes the warning go away, doing the same for add_environment doesn't.

All this seems to be incongruent. The warning suggests that all but very
atypical installations will want to set at least one of the environment
options. But we are not able to come up with a sane, safe default that
is set in our configuration example. (If there was a sane safe default
keep_environment would use this instead of "" by default and we would
not need to set it explicitly everywhere, and the warning would be
superfluous.)

I am personally wondering whether the warning is really necessary or
too invasive. In Debian I have set "add_environment = <;
PATH=/bin:/usr/bin" for lack of a better idea and because my experiment
with "add_environment =" failed to suppress the warning.  If I started
fresh now I'd set "keep_environment =" instead.

The third issue mentioned above ("add_environment =" does not suppress
a warning) seems to be a bug as it is not documented.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] Trivial patch - typos

2016-03-04 Thread Andreas Metzler
Hello,

find attached a trivial patch fixing two typos.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
>From c1c175ec392986c9e8a6de0cc9f3e96b161ec33d Mon Sep 17 00:00:00 2001
From: Andreas Metzler <ametz...@bebt.de>
Date: Fri, 4 Mar 2016 19:59:08 +0100
Subject: [PATCH] Typo fixes supresses and formated

Also rename $formated_time perl variable to $formatted_time for
consistency.
---
 doc/doc-docbook/spec.xfpt |  2 +-
 src/src/deliver.c |  6 +++---
 src/src/eximstats.src | 10 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index a67f486..05e65b3 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3153,7 +3153,7 @@ settings can be obtained by using &%routers%&, &%transports%&, or
 
 .cindex "environment"
 If &%environment%& is given as an argument, the set of environment
-variables is output, line by line. Using the &%-n%& flag supresses the value of the
+variables is output, line by line. Using the &%-n%& flag suppresses the value of the
 variables.
 
 .cindex "options" "macro &-- extracting"
diff --git a/src/src/deliver.c b/src/src/deliver.c
index e588ee4..9066a14 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -6953,7 +6953,7 @@ if (addr_senddsn)
   if (auth_xtextdecode(dsn_envid, _envid) > 0)
 fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid);
   else
-fprintf(f, "X-Original-Envelope-ID: error decoding xtext formated ENVID\n");
+fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
   }
 fputc('\n', f);
 
@@ -7339,7 +7339,7 @@ wording. */
 if (auth_xtextdecode(dsn_envid, _envid) > 0)
   fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid);
 else
-  fprintf(f, "X-Original-Envelope-ID: error decoding xtext formated ENVID\n");
+  fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
 }
   fputc('\n', f);
 
@@ -7872,7 +7872,7 @@ else if (addr_defer != (address_item *)(+1))
   if (auth_xtextdecode(dsn_envid, _envid) > 0)
 fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
   else
-fprintf(f,"X-Original-Envelope-ID: error decoding xtext formated ENVID\n");
+fprintf(f,"X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
   }
 fputc('\n', f);
 
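Review bot: The corrected "X-Original-Envelope-ID: error decoding xtext formatted ENVID" line is text written into generated DSNs, and the identical literal is changed in all three deliver.c hunks. Suggest saying in the commit message that emitted message text changes, and consider a single shared string constant so the three copies cannot drift apart again.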
diff --git a/src/src/eximstats.src b/src/src/eximstats.src
index 4370b4e..2369ec3 100644
--- a/src/src/eximstats.src
+++ b/src/src/eximstats.src
@@ -757,7 +757,7 @@ sub volume_rounded {
   }
   else {
 # We don't want any rounding to be done.
-# and we don't need broken formated output which on one hand avoids numbers from
+# and we don't need broken formatted output which on one hand avoids numbers from
 # being interpreted as string by Spreadsheed Calculators, on the other hand
 # breaks if more than 4 digits! -> flexible length instead of fixed length
 # Format the return value at the output routine! -fh
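Review bot: The comment touched by this hunk still reads "Spreadsheed Calculators" on the line directly after the fix. Since the patch is a typo sweep of this same comment, suggest correcting that word in the same hunk.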
@@ -871,10 +871,10 @@ $p;
 # Eg 3h20m5s => 12005
 ###
 sub unformat_time {
-  my($formated_time) = pop @_;
+  my($formatted_time) = pop @_;
   my $time = 0;
 
-  while ($formated_time =~ s/^(\d+)([wdhms]?)//) {
+  while ($formatted_time =~ s/^(\d+)([wdhms]?)//) {
 $time +=  $1 if ($2 eq '' || $2 eq 's');
 $time +=  $1 * 60 if ($2 eq 'm');
 $time +=  $1 * 60 * 60 if ($2 eq 'h');
@@ -3360,8 +3360,8 @@ sub parse_old_eximstat_reports {
 my $previous_seconds_on_queue = 0;
 if (/^\s*(Under|Over|)\s+(\d+[smhdw])\s+(\d+)/) {
   print STDERR "Parsing $_" if $debug;
-  my($modifier,$formated_time,$count) = ($1,$2,$3);
-  my $seconds = unformat_time($formated_time);
+  my($modifier,$formatted_time,$count) = ($1,$2,$3);
+  my $seconds = unformat_time($formatted_time);
   my $time_on_queue = ($seconds + $previous_seconds_on_queue) / 2;
   $previous_seconds_on_queue = $seconds;
   $time_on_queue = $seconds * 2 if ($modifier eq 'Over');
-- 
2.7.0



Re: [exim-dev] Exim 4.86 RC2 uploaded

2015-06-17 Thread Andreas Metzler
On 2015-06-15 Jeremy Harris j...@wizmail.org wrote:
[rc2]
> Please report issues here in exim-dev, or in
> the exim-user mailinglist, or by raising bugs
> on http://bugs.exim/org

Hello,

I have just uploaded rc2 to Debian/experimental.

What I stumbled upon while browsing the diff to rc2 is that
doc/doc-txt/ChangeLog was not updated since rc1.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [Bug 1599] Invalid MIME Content-Type header causes segfault in acl_smtp_mime

2015-03-17 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1599

Andreas Metzler eximus...@bebt.de changed:

What |Removed |Added
-----+--------+------------------
CC   |        |eximus...@bebt.de




--- Comment #1 from Andreas Metzler eximus...@bebt.de  2015-03-17 18:02:43 ---
This looks related/identical to http://bugs.exim.org/show_bug.cgi?id=1558




Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty) string

2014-11-27 Thread Andreas Metzler
On 2014-11-26 Heiko Schlittermann h...@schlittermann.de wrote:
[...]
> tls_verify_certificates seems to cause some trouble. I'm talking about
> the main config option, but I assume that everything holds for the smtp
> driver option of the same name too.

> There are two (probably only loosely related issues):

> - The inconsistent results of not setting this option at all,
>   having a forced failure, and setting it to an empty value.
>   This could be talked about in another thread.

> - The confusing influence on loading a default trust store.
>   This I'm talking about here and now …
[...]

Hello,

just to add another piece of the puzzle: Last time I checked
exim/openssl and exim/gnutls had a major difference in behavior with
respect to tls_(try)verify_certificates: exim/GnuTLS would send the
list of acceptable TLS certificates in the SSL handshake. If the list
is long enough, this breaks interconnectivity.

I do not know whether the code has changed since, though.

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [Bug 1547] New: 4.85rc1 tarball includes copies of rfc

2014-11-18 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1547
   Summary: 4.85rc1 tarball includes copies of rfc
   Product: Exim
   Version: N/A
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: Release process
AssignedTo: ni...@exim.org
ReportedBy: eximus...@bebt.de
CC: exim-dev@exim.org


Hello,

4.85rc1 includes 4 IETF files

draft-ietf-dane-ops-06
draft-ietf-dane-smtp-with-dane-12.txt
draft-ietf-dane-smtp-with-dane.txt
rfc6698-dane.txt

Their license is considered non-free at least by Debian. Could you please
consider stopping to ship these in the tarball?

thanks, cu Andreas




Re: [exim-dev] segfault in mime.c (was: Beginning Release Process for 4.85)

2014-11-13 Thread Andreas Metzler
On 2014-11-13 Todd Lyons tly...@ivenue.com wrote:
[...]
> That commit will fix the issue he's seeing.  If you follow the thread
> on http://www.gossamer-threads.com/lists/exim/users/100138, you'll see
> in the last message the gentleman who reported it was also the one who
> confirmed the commit above fixed the symptoms for him (and we had
> tested it on our systems as well).  I also sent a message to the
> maintainers ML suggesting that it be included as part of their package
> maintained patches, but ultimately that's up to the distro package
> maintainers to decide to adopt it or not.

And thanks a lot for nudges like this. (It is included in Debian's
exim4 = 4.84-2)

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] [Bug 1535] Option for SSL/TLS Protocol configuration missing/required

2014-10-18 Thread Andreas Metzler
On 2014-10-18 Jeremy Harris j...@wizmail.org wrote:
> On 16/10/14 00:49, Phil Pennock wrote:
> Looks like the GnuTLS Priority String to use is:
>
> NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0

> Set this as the value of `tls_require_ciphers`, both main section and on SMTP
> transports.

> Would there be support for the next Exim release version have these
> options (and the OpenSSL one) set by default to disable ssl3 ?

Hello,

afaui POODLE should not be a reason to disable SSL3 /for/ /SMTP/ -
20141017064416.258745a0...@testapps.cs.toronto.edu sounded
convincing to me.

Also I wonder whether exim shouldn't use the TLS library's
sane default values (I do not know about OpenSSL but GnuTLS default
priorities are supposed to be sane. :-)

Somehow related: GnuTLS will probably drop SSL 3.0 from the default
priority strings.
http://mid.gmane.org/CAJU7zaLCuh%3DsEEtg4MDiN%2B2ZuyoyDoEVCeQ9CCtJH%2B1uVEwL5w%40mail.gmail.com
cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [Bug 1523] DANE support under GnuTLS

2014-09-02 Thread Andreas Metzler
--- You are receiving this mail because: ---
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1523




--- Comment #1 from Andreas Metzler eximus...@bebt.de  2014-09-02 18:04:23 ---
On 2014-09-02 Jeremy Harris jgh146...@wizmail.org wrote:
> EXPERIMENTAL_DANE only works with an OpenSSL build.
> We should do a GnuTLS implementation also.
>
> Viktor has, I think, opined that the builtin support
> in GnuTLS for DANE is insufficient; possibly we should
> try to use the same library (basically Viktor's code)
> for both.

Just as a data point:

GnuTLS DANE support is currently not used a lot since it requires
unbound which in turn requires one of the other two big SSL toolkits
(NSS or OpenSSL). That is why we are not shipping the library in
Debian yet.

That is supposed to change, though, see
http://lists.gnutls.org/pipermail/gnutls-devel/2014-July/007039.html

cu Andreas


-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email



Re: [exim-dev] Exim 4.84 RC1 uploaded

2014-08-02 Thread Andreas Metzler
On 2014-08-02 Todd Lyons tly...@exim.org wrote:
> I have uploaded Exim 4.84 RC1 to
> ftp://ftp.exim.org/pub/exim/exim4/test/
>
> This release comes right on the heels of the previous 4.83 release.  We
> developers deemed it necessary to immediately release a new version to
> fix a regression in the MIME handling code.  Aside from the MIME fix,
> there is only one other minor bugfix in this release thus far: a small
> change to silence a compiler warning.  The rest of the changes are
> small documentation adjustments.

Thanks.

[...]
> The ChangeLog/NewStuff/README.UPDATING can be reviewed at:
>
> http://git.exim.org/exim.git/blob/exim-4_84_RC1:/doc/doc-txt/ChangeLog
> http://git.exim.org/exim.git/blob/exim-4_84_RC1:/doc/doc-txt/NewStuff
> http://git.exim.org/exim.git/blob/exim-4_84_RC1:/src/README.UPDATING
[...]

Is it possible that you forgot to push the tag to GIT? The links do
not work yet.

I have just uploaded 4_84_RC1 to Debian/unstable. The only really
obvious thing I saw is that doc/ChangeLog is not up to date.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [Bug 1512] New: dovecot authenticator waits for server's DONE before sending DATA

2014-07-30 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1512
   Summary: dovecot authenticator waits for server's DONE before
sending DATA
   Product: Exim
   Version: 4.83
  Platform: Other
   URL: http://bugs.debian.org/756258
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: SMTP Authentication
AssignedTo: p...@exim.org
ReportedBy: eximus...@bebt.de
CC: exim-dev@exim.org


Hello,

this is http://bugs.debian.org/756258 as submitted by Mildred Ki'Lya:

Quote
When exim4 is configured with dovecot authenticator, it blocks at some
point, apparently expecting some information from dovecot. Dovecot on its
side is expecting additional information from exim. None of the two
parties move forward and exim does not respond to the SMTP client. After
some unspecified time, the MUA terminates the connection, because no
response is sent from the server.

Exim is configured with:

begin authenticators

dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-userdb
  server_set_id = $auth1

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-userdb
  server_set_id = $auth1

Dovecot configuration is left as default. It is:

service auth {
  unix_listener auth-userdb {}
}

Both daemons in full debug mode (-d+all for exim and auth_verbose,
auth_verbose_passwords, auth_debug, auth_debug_passwords activated in
dovecot). The last debug log from exim is:

@400053d5e25003272ac4 05:40:2261 SMTP EHLO toto
@400053d5e250032853a4 05:40:2261 toto in helo_lookup_domains? no (end
of list)
@400053d5e25003292694 05:40:2261 sender_fullhost = (toto) [172.17.42.1]
@400053d5e250032a0d0c 05:40:2261 sender_rcvhost = [172.17.42.1]
(helo=toto)
@400053d5e250032ad82c 05:40:2261 set_process_info:61 handling
incoming connection from (toto) [172.17.42.1]
@400053d5e250032baf04 05:40:2261 host in pipelining_advertise_hosts?
yes (matched *)
@400053d5e250032c6a84 05:40:2261 host in auth_advertise_hosts? yes
(matched *)
@400053d5e250032d2dd4 05:40:2261 host in tls_advertise_hosts? yes
(matched *)
@400053d5e250032df8f4 05:40:2261 SMTP 250-4a5b0a328ab7 Hello toto
[172.17.42.1]
@400053d5e250032df8f4 05:40:2261 250-SIZE 52428800
@400053d5e250032dfcdc 05:40:2261 250-8BITMIME
@400053d5e250032dfcdc 05:40:2261 250-PIPELINING
@400053d5e250032dfcdc 05:40:2261 250-AUTH PLAIN LOGIN
@400053d5e250032dfcdc 05:40:2261 250-STARTTLS
@400053d5e250032e00c4 05:40:2261 250 HELP
@400053d5e26322f6eb8c 05:40:4161 SMTP AUTH PLAIN
AG1AbWFpbHRlc3QubWlsZHJlZC5mcgAxMjM=
@400053d5e26322f7d204 05:40:4161 dovecot authentication
@400053d5e26322fe8cac 05:40:4161 received: VERSION  1   1
@400053d5e26322ff6b54 05:40:4161 received: SPID 48

(no debug log from dovecot at this point)

Running strace on exim leads to the following output for the AUTH PLAIN
command:

[pid 10113] read(10, AUTH PLAIN AG1AbWFpbHRlc3QubWlsZ..., 8192) = 48
[pid 10113] alarm(0)= 288
[pid 10113] rt_sigaction(SIGALRM, {0x7fb417616690, [], SA_RESTORER,
0x7fb414d17030}, NULL, 8) = 0
[pid 10113] stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=118, ...}) =
0
[pid 10113] write(2, 05:40:4161 SMTP AUTH PLAIN..., 70) = 70
[pid 10113] stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=118, ...}) =
0
[pid 10113] write(2, 05:40:4161 dovecot authentic..., 38) = 38
[pid 10113] socket(PF_LOCAL, SOCK_STREAM, 0) = 3
[pid 10113] connect(3, {sa_family=AF_LOCAL,
sun_path=/var/run/dovecot/auth-userdb}, 110) = 0
[pid 10113] read(3, VERSION\t1\t1\nSPID\t48\n, 256) = 20
[pid 10113] stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=118, ...}) =
0
[pid 10113] write(2, 05:40:4161 received: VERSION..., 37) = 37
[pid 10113] stat(/etc/localtime, {st_mode=S_IFREG|0644, st_size=118, ...}) =
0
[pid 10113] write(2, 05:40:4161 received: SPID\t48..., 33) = 33
[pid 10113] read(3, 
(blocked)

strace for dovecot auth process shows:

epoll_wait(13, {{EPOLLIN, {u32=967924496, u64=140021196741392}}}, 12, -1) = 1
accept(10, {sa_family=AF_LOCAL, NULL}, [2]) = 19
fcntl(19, F_GETFL)  = 0x2 (flags O_RDWR)
fcntl(19, F_SETFL, O_RDWR|O_NONBLOCK)   = 0
write(5, 0\0\0\0\5\0\0\0\345\3\0\0, 12) = 12
fstat(19, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
lseek(19, 0, SEEK_CUR)  = -1 ESPIPE (Illegal seek)
getsockname(19, {sa_family=AF_LOCAL,
sun_path=/var/run/dovecot/auth-userY\177}, [31]) = 0
epoll_ctl(13, EPOLL_CTL_ADD, 19, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP,
{u32=967948080, u64=140021196764976}}) = 0
write(19, VERSION\t1\t1\nSPID\t48\n, 20) = 20
getsockopt(19, 
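
The stall visible in the two traces above, reproduced offline as an added example (not Exim or Dovecot code): a client that waits for a DONE line after a greeting holding only VERSION and SPID never receives it, and bounding the wait turns the silent hang into a reportable failure. The function names, the 200 ms timeout and the socketpair standing in for the auth socket are assumptions.

```c
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { HS_DONE = 1, HS_STALLED = 0, HS_CLOSED = -1 };

/* Read newline-terminated handshake lines from fd until a "DONE" line
   arrives. Every wait for more data is bounded by timeout_ms, so a peer
   that stays connected but silent yields HS_STALLED instead of a hang. */
static int wait_for_done(int fd, int timeout_ms)
{
    char buf[512];
    size_t used = 0;

    for (;;) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0) return HS_STALLED;      /* peer is waiting for us */
        if (rc < 0)  return HS_CLOSED;

        ssize_t n = read(fd, buf + used, sizeof buf - 1 - used);
        if (n <= 0) return HS_CLOSED;        /* EOF, error or overlong line */
        used += (size_t)n;
        buf[used] = '\0';

        /* Consume every complete line; keep a partial tail for the next read. */
        char *line = buf, *nl;
        while ((nl = strchr(line, '\n')) != NULL) {
            *nl = '\0';
            if (strcmp(line, "DONE") == 0) return HS_DONE;
            line = nl + 1;
        }
        used = strlen(line);
        memmove(buf, line, used);
    }
}

/* Feed a constructed server greeting through a socketpair and report how
   the client-side wait ends. The server end stays open during the wait,
   like a live auth process that is itself waiting for input. */
static int handshake_outcome(const char *greeting)
{
    int sv[2];
    size_t len = strlen(greeting);
    int result = HS_CLOSED;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return HS_CLOSED;
    if (write(sv[0], greeting, len) == (ssize_t)len)
        result = wait_for_done(sv[1], 200);
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    /* First greeting: the 20 bytes seen in the strace output.
       Second greeting: constructed, with a terminating DONE line. */
    printf("VERSION+SPID only: %d\n",
           handshake_outcome("VERSION\t1\t1\nSPID\t48\n"));
    printf("with DONE line:    %d\n",
           handshake_outcome("VERSION\t1\t1\nSPID\t48\nDONE\n"));
    return 0;
}
```
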

[exim-dev] [Bug 1499] $tls_sni, $tls_in_sni and $tls_out_sni are not available when compiled against GnuTLS

2014-07-04 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1499

Andreas Metzler eximus...@bebt.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |eximus...@bebt.de
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE




--- Comment #1 from Andreas Metzler eximus...@bebt.de  2014-07-05 06:40:21 ---


*** This bug has been marked as a duplicate of bug 1455 ***




[exim-dev] [Bug 1455] tls_out_cipher or tls_cipher is empty

2014-07-04 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455

Andreas Metzler eximus...@bebt.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |o...@mirix.org




--- Comment #13 from Andreas Metzler eximus...@bebt.de  2014-07-05 06:40:21 ---
*** Bug 1499 has been marked as a duplicate of this bug. ***




[exim-dev] [Bug 1498] New: AUTH GSSAPI does not work with cross-realm

2014-06-28 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1498
   Summary: AUTH GSSAPI does not work with cross-realm
   Product: Exim
   Version: 4.80.1
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: SMTP Authentication
AssignedTo: p...@exim.org
ReportedBy: eximus...@bebt.de
CC: exim-dev@exim.org


Hello,

this is http://bugs.debian.org/752853 submitted by Jaap Winius:

When Exim4 is configured to support AUTH GSSAPI, this does not work  
when cross-realm authentication is used -- only when clients have a  
Kerberos ticket for the same realm. Cross-realm authentication will  
work properly with other services on the same machine, such as SSH and  
Dovecot IMAP, but not with Exim4.

To illustrate, I've included two sets of Exim4 debug output, some  
lines of which have been shortened: one set with a successful  
authentication and the other with a failure.

The first involves a client using a Kerberos ticket from the same  
realm and results in a successful authentication:

  7280 ...
  7280 SMTP 250-hello.ebdeep.nl Hello bitis.umrk.nl [82.95.126.201]
  7280 250-SIZE 268435456
  7280 250-8BITMIME
  7280 250-AUTH GSSAPI
  7280 250 HELP
  7280 Calling gnutls_record_recv(0x7f45d639b5f0, 0x7f45d639fa30, 4096)
  7280 Calling gnutls_record_recv(0x7f45d639b5f0, 0x7f45d639fa30, 4096)
  7280 SMTP AUTH GSSAPI YIICggYJKoZIhvcSAQICAQ ... a7dywKw9uSiRsrIqRvPA0g==
  7280 Initialised Cyrus SASL server connection; service=smtp  
fqdn=hello.ebdeep.nl realm=DAPADAM.NL
  7280 Cyrus SASL set EXTERNAL SSF to 128
  7280 Calling sasl_server_start(GSSAPI,YIICggY ... dywKw9uSiRsrIqRvPA0g==)
  7280 SMTP 334 YIGZBgkqhkiG9xIBAgICAG+BiTCBhq ... X/45CnWuLqKO6mxQL36Uzofe
  7280 tls_do_write(0x7f45d6358730, 214)
  7280 gnutls_record_send(SSL, 0x7f45d6358730, 214)
  7280 outbytes=214
  7280 Calling gnutls_record_recv(0x7f45d639b5f0, 0x7f45d639fa30, 4096)
  7280 Calling gnutls_record_recv(0x7f45d639b5f0, 0x7f45d639fa30, 4096)
  7280 SMTP
  7280 Calling sasl_server_step()
  7280 SMTP 334 BQQF/wAMIgiYcgEAAABoYMqAQcSMI6LY2Ws=
  7280 tls_do_write(0x7f45d6358730, 50)
  7280 gnutls_record_send(SSL, 0x7f45d6358730, 50)
  7280 outbytes=50
  7280 Calling gnutls_record_recv(0x7f45d639b5f0, 0x7f45d639fa30, 4096)
  7280 Calling gnutls_record_recv(0x7f45d639b5f0, 0x7f45d639fa30, 4096)
  7280 SMTP BQQE/wAMIEXR/QEAAABqd2luaXVzeGET6yg4i7WxWq8G
  7280 Calling sasl_server_step(BQQE/wAMAAA ... luaXVzeGET6yg4i7WxWq8G)
  7280 Cyrus SASL GSSAPI authentication succeeded for jwin...@dapadam.nl
  7280 Cyrus SASL GSSAPI negotiated SSF: 0
  7280 sasl_gssapi authenticator server_condition:
  7280   $auth1 = jwin...@dapadam.nl
  7280   $1 = jwin...@dapadam.nl
  7280 SMTP 235 Authentication succeeded
  7280 ...

This second example is of an authentication failure involving a client  
with Kerberos ticket from a foreign, albeit trusted realm:

13448 ...
13448 SMTP 250-hello.ebdeep.nl Hello bitis.umrk.nl [82.95.126.201]
13448 250-SIZE 268435456
13448 250-8BITMIME
13448 250-AUTH GSSAPI
13448 250 HELP
13448 Calling gnutls_record_recv(0x7f3eca27f000, 0x7f3eca283440, 4096)
13448 Calling gnutls_record_recv(0x7f3eca27f000, 0x7f3eca283440, 4096)
13448 SMTP AUTH GSSAPI YIICUAYJKoZIhvcSAQICAQ ... k3bEkmKVJoPJo/84ZQIN/pc=
13448 Initialised Cyrus SASL server connection; service=smtp  
fqdn=hello.ebdeep.nl realm=DAPADAM.NL
13448 Cyrus SASL set EXTERNAL SSF to 128
13448 Calling sasl_server_start(GSSAPI,YIICUAY ... bEkmKVJoPJo/84ZQIN/pc=)
13448 SMTP 334 YIGZBgkqhkiG9xIBAgICAG+BiTCBhq ... JMUoa345XJ4rV9J7g8Q7l5Br
13448 tls_do_write(0x7f3eca23c730, 214)
13448 gnutls_record_send(SSL, 0x7f3eca23c730, 214)
13448 outbytes=214
13448 Calling gnutls_record_recv(0x7f3eca27f000, 0x7f3eca283440, 4096)
13448 Calling gnutls_record_recv(0x7f3eca27f000, 0x7f3eca283440, 4096)
13448 SMTP
13448 Calling sasl_server_step()
13448 SMTP 334 BQQF/wAMHB6hYwE8eyFNZeXq5Fs4j7w=
13448 tls_do_write(0x7f3eca23c730, 50)
13448 gnutls_record_send(SSL, 0x7f3eca23c730, 50)
13448 outbytes=50
13448 Calling gnutls_record_recv(0x7f3eca27f000, 0x7f3eca283440, 4096)
13448 Calling gnutls_record_recv(0x7f3eca27f000, 0x7f3eca283440, 4096)
13448 SMTP BQQE/wAMJF/wrAEAAABqd2luaXVzCUv6EURTgAGEo6yT
13448 Calling sasl_server_step(BQQE/wAMAAA ... luaXVzCUv6EURTgAGEo6yT)
13448 Cyrus SASL permanent failure -13 (authentication failure)
13448 LOG: REJECT
13448   sasl_gssapi authenticator (GSSAPI):
13448   Cyrus SASL permanent failure: authentication failure
13448 SMTP 535 Incorrect authentication data
13448 tls_do_write(0x7f3eca23c730, 35)
13448 gnutls_record_send(SSL, 0x7f3eca23c730, 35)
13448 outbytes=35
13448 LOG: MAIN REJECT
13448   sasl_gssapi authenticator failed for bitis.umrk.nl  
([192.168.2.20]) [82.95.126.201]: 535 Incorrect authentication data

[exim-dev] [Bug 654] [GnuTLS] [patch] Use a random seed file to limit entropy usage

2014-06-15 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=654

Nigel Metheringham ni...@exim.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|Exim 4.70                   |Exim 4.72
   Target Milestone|Exim 4.72                   |Exim 4.73
   Target Milestone|Exim 4.73                   |Exim 4.77

Andreas Metzler eximus...@bebt.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |WONTFIX




--- Comment #11 from Andreas Metzler eximus...@bebt.de  2014-06-15 17:30:05 ---
Closing, since GnuTLS is using nettle as crypto backend nowadays.




[exim-dev] [Bug 1491] New: IPv6 support for spamd_address

2014-06-15 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1491
   Summary: IPv6 support for spamd_address
   Product: Exim
   Version: 4.82
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: wishlist
  Priority: medium
 Component: Content Scanning
AssignedTo: t...@duncanthrax.net
ReportedBy: eximus...@bebt.de
CC: exim-dev@exim.org


Currently spamd_address only supports sockets and literal IPv4 addresses. It
would be nice if IPv6 also worked.

cu Andreas

http://bugs.debian.org/751687




Re: [exim-dev] Exim 4.83 RC1 uploaded

2014-05-29 Thread Andreas Metzler
In gmane.mail.exim.user Todd Lyons tly...@exim.org wrote:
> Hash: SHA1
>
> I have uploaded Exim 4.83 RC1 to
> ftp://ftp.exim.org/pub/exim/exim4/test/
[...]

Hello,

binary packages will be available from Debian/experimental after the
next mirror push.

cu Andreas
http://packages.qa.debian.org/e/exim4/news/20140529T114901Z.html
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




[exim-dev] [Bug 1455] tls_out_cipher or tls_cipher is empty

2014-04-20 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455




--- Comment #8 from Andreas Metzler eximus...@bebt.de  2014-04-20 07:46:12 ---
On 2014-04-15 Jeremy Harris jgh146...@wizmail.org wrote:
> --- You are receiving this mail because: ---
> You are on the CC list for the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1455
>
> --- Comment #7 from Jeremy Harris jgh146...@wizmail.org  2014-04-15 16:53:57 ---
> Created an attachment (id=711)
>  --> (http://bugs.exim.org/attachment.cgi?id=711)
> proposed fix
>
> In the transport startup, repoint the legacy variables over to the new outbound
> ones

Hello,

I have just tested the proposed patch in my trivial setup (mail sent
on to smarthost) by making the belowmentioned modifications to my
configuration and comparing headers with and without patch.

---
add this to acl check mail:
 warn message = X-TLS-info-rcpt: [tls_out_cipher $tls_out_cipher ] \
[tls_in_cipher $tls_in_cipher ] \
[tls_cipher $tls_cipher ]

add this to smarthost transport:
  headers_add = X-TLS-info-out: [tls_out_cipher $tls_out_cipher ] \
[tls_in_cipher $tls_in_cipher ] \
[tls_cipher $tls_cipher ]
---

On message reception (mail acl) the expected (=nothing) happens,
tls_out_cipher stays empty, tls_cipher and tls_in_cipher have the same
info.

On the outgoing connection $tls_cipher expands to the same content as
$tls_out_cipher which is expected and wanted. However there is also an
unwanted change: tls_out_cipher is suddenly *nonempty*, it has gone
persistent, recording the tls-information as of message receipt.

cu Andreas




[exim-dev] [Bug 1455] tls_out_cipher or tls_cipher is empty

2014-04-20 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455




--- Comment #10 from Andreas Metzler eximus...@bebt.de  2014-04-20 15:01:36 ---
On 2014-04-20 Jeremy Harris j...@wizmail.org wrote:
> On 20/04/14 14:20, Andreas Metzler wrote:
>> On the outgoing connection $tls_cipher expands to the same content as
>> $tls_out_cipher which is expected and wanted. However there is also an
>> unwanted change: tls_in_cipher is suddenly *nonempty*, it has gone
>>                      ^^
>> persistent, recording the tls-information as of message receipt:
>>
>> I am not doing callouts or something like this, so afaiui
>> tls_in_cipher should be empty in X-TLS-info-out.
>
> Ah, no.  That's what it's for; recording what the TLS information
> was during acceptance of the mail item in question (now being
> sent onwards).  There's no particular reason to make that
> information *un*-available now that the conflict in use
> of the legacy tls_cipher variable is resolved.

Hello,

Thanks, I see.

Just to be triple clear: 4.82 does not do that, this is a new
enhancement caused by the patch.

cu Andreas




[exim-dev] [Bug 1455] tls_out_cipher or tls_cipher is empty

2014-04-08 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455

Andreas Metzler eximus...@bebt.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |
            Summary|tls_out_cipher is empty     |tls_out_cipher or tls_cipher
                   |                            |is empty




--- Comment #3 from Andreas Metzler eximus...@bebt.de  2014-03-31 18:22:37 ---
Reopen/retitle. Depending on some unknown factors expansion of either
tls_out_cipher or tls_cipher is broken and yields an empty string.




[exim-dev] [Bug 1455] tls_out_cipher or tls_cipher is empty

2014-04-08 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455




--- Comment #4 from Andreas Metzler eximus...@bebt.de  2014-04-05 13:44:32 ---
I am pretty much aware that I seem to be talking with myself here, but let's
ask anyway: Is it really ok that exim 4.82 broke compatibility with
configuration files for < 4.82, and is it ok that this was not even documented?

Quoting expand.c:
/* The non-(in,out) variables are now deprecated */
[...]
{ tls_cipher,  vtype_stringptr,   tls_in.cipher },
---

Which I understand to say that the meaning of $tls_cipher expansion was changed
to be an alias for tls_in_cipher (instead of the merge of in and out) and is
therefore only filled on incoming connections.

This broke real-world configurations, especially the common

public_name = PLAIN
# do not send plaintext passwords on unencrypted connections.
client_condition = ${if !eq {$tls_out_cipher}{}}

spec.xftpf still says otherwise:
The deprecated $tls_cipher$ variable is the same as $tls_in_cipher$ during
message reception, but in the context of an outward SMTP delivery taking place
via the (smtp) transport becomes the same as $tls_out_cipher$.




Re: [exim-dev] [Bug 1455] tls_out_cipher or tls_cipher is empty

2014-04-08 Thread Andreas Metzler
On 2014-04-05 Jeremy Harris jgh146...@wizmail.org wrote:
[...]
> --- Comment #5 from Jeremy Harris jgh146...@wizmail.org  2014-04-05 14:14:48 ---
> I'm sorry I've not yet had time to look into this.  Do you have a suggested
> patch?  Enhanced tests for the regression suite would also be of benefit.

Hello,

sadly I have not got a patch. The initial idea of simply adding a
'tls_support *tls' and having it point to tls_in or tls_out as the
situation requires does not work, since it is not possible to use the 
pointer in expand.c (initializer element is not constant).

Which means it is not trivial to do and therefore shouldn't be done by
me. ;-)

OTOH, looking at the initial comment in git history
(817d9f576cdfbc27cf0536be348645baf27d7836) I am wondering whether it
is even possible to do:
--
Dual-tls - split management of TLS into in- and out-bound
connection-handling.

Enables concurrent use from a single process, and thereby use for
cutthrough delivery.  As a side-effect EHLO and TLS use for verify
callouts introduced.
--

With the concurrent use exim can hold open two TLS connections (message
reception incoming and outgoing callout/cutthrough). - Which of these
should show up in $tls_cipher?

cu Andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
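
The "initializer element is not constant" problem described above, worked through as an added example (not Exim's code): a static variable table can hold the address of a field in a fixed struct, but not a field reached through a pointer that changes at run time, so the legacy name is stored as a field offset and resolved against the current context when it is expanded. The names `var_entry`, `tls_legacy`, `expand_var`, `begin_reception` and `begin_transport` are hypothetical, and the second cipher string is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *cipher; const char *sni; } tls_support;

static tls_support tls_in  = { NULL, NULL };   /* inbound (reception) state */
static tls_support tls_out = { NULL, NULL };   /* outbound (delivery) state */

/* Which connection the deprecated, direction-less names mean right now.
   With two TLS connections open at once this is an explicit policy choice. */
static tls_support *tls_legacy = &tls_in;

typedef enum { V_FIXED, V_LEGACY } vkind;

typedef struct {
    const char  *name;
    vkind        kind;
    const char **fixed;   /* V_FIXED: address constant, fine at file scope */
    size_t       offset;  /* V_LEGACY: field offset inside tls_support */
} var_entry;

static const var_entry var_table[] = {
    /* { "tls_cipher", V_FIXED, &tls_legacy->cipher, 0 } is rejected by the
       compiler: reading tls_legacy is not a constant expression. */
    { "tls_cipher",     V_LEGACY, NULL,            offsetof(tls_support, cipher) },
    { "tls_in_cipher",  V_FIXED,  &tls_in.cipher,  0 },
    { "tls_out_cipher", V_FIXED,  &tls_out.cipher, 0 },
};

/* Returns the value ("" when unset), or NULL for an unknown variable. */
static const char *expand_var(const char *name)
{
    for (size_t i = 0; i < sizeof var_table / sizeof var_table[0]; i++) {
        const var_entry *v = &var_table[i];
        if (strcmp(v->name, name) != 0) continue;
        const char **slot = (v->kind == V_FIXED)
            ? v->fixed
            : (const char **)((char *)tls_legacy + v->offset);
        return *slot ? *slot : "";
    }
    return NULL;
}

/* Context switches: record the negotiated cipher and repoint the legacy names. */
static void begin_reception(const char *cipher)
{
    tls_in.cipher = cipher;
    tls_legacy = &tls_in;
}

static void begin_transport(const char *cipher)
{
    tls_out.cipher = cipher;
    tls_legacy = &tls_out;
}

int main(void)
{
    begin_reception("TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256");
    printf("reception: tls_cipher=[%s] tls_out_cipher=[%s]\n",
           expand_var("tls_cipher"), expand_var("tls_out_cipher"));

    begin_transport("TLS1.2:CONSTRUCTED_OUT:128");   /* constructed value */
    printf("transport: tls_cipher=[%s] tls_in_cipher=[%s]\n",
           expand_var("tls_cipher"), expand_var("tls_in_cipher"));
    return 0;
}
```

A guard that tests the legacy name, such as a client_condition that refuses to send a plaintext password without TLS, only behaves as intended if the legacy name tracks the connection the guard is about.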



[exim-dev] [Bug 1455] tls_out_cipher is empty

2014-03-30 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455




--- Comment #2 from Andreas Metzler eximus...@bebt.de  2014-03-30 18:48:02 ---
On 2014-03-30 Jeremy Harris jgh146...@wizmail.org wrote:
> --- You are receiving this mail because: ---
> You reported the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1455
>
> Jeremy Harris jgh146...@wizmail.org changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|NEW                         |RESOLVED
>          Resolution|                            |WORKSFORME
>
> --- Comment #1 from Jeremy Harris jgh146...@wizmail.org  2014-03-30 17:13:29 ---
> I modified testsuite case 3465 with headers_add for tls_out_cipher and
> tls_cipher on the transport, and -d-all+deliver+transport+tls on the script for
> the first queue-run.  Debug output shows the expected tls_out_cipher header
> being added (matching the tls connection setup) and an empty tls_cipher.

Did you test with OpenSSL or GnuTLS?

I am not sure what is happening, yesterday when I tested
$tls_out_cipher expanded to an empty string, and today I get the
behavior you described.

However I am quite sure I was not hallucinating yesterday.

Also the behavior you (and me) experienced today is broken, too. While
tls_cipher is deprecated, it still should work and is documented to
be. It must not expand to an empty string.

cu Andreas




[exim-dev] [Bug 1455] New: tls_out_cipher is empty

2014-03-29 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1455
   Summary: tls_out_cipher is empty
   Product: Exim
   Version: 4.82
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: TLS
AssignedTo: p...@exim.org
ReportedBy: eximus...@bebt.de
CC: exim-dev@exim.org


4.82 deprecated tls_cipher and introduced tls_out_cipher/tls_in_cipher. However
the new variables (at least out) expand to empty values.

For demonstration purposes I have added
headers_add = X-tls-info: tls_out_cipher $tls_out_cipher tls_cipher $tls_cipher
to my smarthost SMTP transport. The result is evidently incorrect:
X-tls-info: tls_out_cipher  tls_cipher TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256

cu Andreas

--
argenau:~# exim4 -bV
Exim version 4.82 #3 built 09-Nov-2013 16:31:25
Copyright (c) University of Cambridge, 1995 - 2013
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2013
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages DKIM
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz
dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated




[exim-dev] [Bug 1441] New: Gnu hurd missing support for TCLASS causes build failure

2014-02-09 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1441
   Summary: Gnu hurd missing support for TCLASS causes build failure
   Product: Exim
   Version: 4.82
  Platform: Other
   URL: http://bugs.debian.org/738445
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: Unfiled
AssignedTo: ni...@exim.org
ReportedBy: eximus...@bebt.de
CC: exim-dev@exim.org


Created an attachment (id=688)
 -- (http://bugs.exim.org/attachment.cgi?id=688)
trivial patch

Hello,

this was reported by Samuel Thibault:
--
exim4 currently FTBFS on hurd-i386 because it does not currently support
TCLASS. Could you apply the trivial attached patch to fix this?
--

Patch attached.

tia, cu Andreas




Re: [exim-dev] Exim 4.82 RC5 uploaded

2013-10-27 Thread Andreas Metzler
On 2013-10-26 Todd Lyons tly...@ivenue.com wrote:
> On Sat, Oct 26, 2013 at 4:53 AM, Andreas Metzler eximus...@bebt.de wrote:
[...]
>> I have uploaded rc5 to Debian/experimental. It failed to build on
>> GNU/hurd
[...]
> Regarding the hurd build error, is there some #ifdef guard we can put
> in place to properly protect against it for hurd like systems?  I
> assume this is just an old ipv6 stack that doesn't have some newer
> feature.  Something along the lines of this completely wild guess:
>
> #ifdef IPV6_TCLASS
>   *optname = IPV6_TCLASS;
> #else
>   *optname = NULL;
> #endif
>
> Is there an easy way to see what /usr/include/bits/in.h or
> /usr/include/linux/in6.h contains for hurd?

I have attached /usr/include/i386-gnu/bits/in.h from
http://packages.debian.org/sid/libc0.3-dev for your convenience.
cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
/* Copyright (C) 1997-2012 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   http://www.gnu.org/licenses/.  */

/* Generic version.  */

#ifndef _NETINET_IN_H
# error Never use bits/in.h directly; include netinet/in.h instead.
#endif

/* To select the IP level.  */
#define SOL_IP		0

/* Options for use with `getsockopt' and `setsockopt' at the IP level.
   The first word in the comment at the right is the data type used;
   bool means a boolean value stored in an `int'.  */
#define	IP_OPTIONS	1	/* ip_opts; IP per-packet options.  */
#define	IP_HDRINCL	2	/* int; Header is included with data.  */
#define	IP_TOS		3	/* int; IP type of service and precedence.  */
#define	IP_TTL		4	/* int; IP time to live.  */
#define	IP_RECVOPTS	5	/* bool; Receive all IP options w/datagram.  */
#define	IP_RECVRETOPTS	6	/* bool; Receive IP options for response.  */
#define	IP_RECVDSTADDR	7	/* bool; Receive IP dst addr w/datagram.  */
#define	IP_RETOPTS	8	/* ip_opts; Set/get IP per-packet options.  */
#define IP_MULTICAST_IF 9	/* in_addr; set/get IP multicast i/f */
#define IP_MULTICAST_TTL 10	/* u_char; set/get IP multicast ttl */
#define IP_MULTICAST_LOOP 11	/* i_char; set/get IP multicast loopback */
#define IP_ADD_MEMBERSHIP 12	/* ip_mreq; add an IP group membership */
#define IP_DROP_MEMBERSHIP 13	/* ip_mreq; drop an IP group membership */

/* Structure used to describe IP options for IP_OPTIONS and IP_RETOPTS.
   The `ip_dst' field is used for the first-hop gateway when using a
   source route (this gets put into the header proper).  */
struct ip_opts
  {
struct in_addr ip_dst;	/* First hop; zero without source route.  */
char ip_opts[40];		/* Actually variable in size.  */
  };

/* Socket-level values for IPv6.  */
#define SOL_IPV6		41
#define SOL_ICMPV6		58

/* IPV6 socket options.  */
#define IPV6_ADDRFORM		1
#define IPV6_PKTINFO		2
#define IPV6_HOPOPTS		3
#define IPV6_DSTOPTS		4
#define IPV6_RTHDR		5
#define IPV6_PKTOPTIONS		6
#define IPV6_CHECKSUM		7
#define IPV6_HOPLIMIT		8

#define IPV6_RXINFO		IPV6_PKTINFO
#define IPV6_TXINFO		IPV6_PKTINFO
#define SCM_SRCINFO		IPV6_PKTINFO
#define SCM_SRCRT		IPV6_RXSRCRT

#define IPV6_UNICAST_HOPS	16
#define IPV6_MULTICAST_IF	17
#define IPV6_MULTICAST_HOPS	18
#define IPV6_MULTICAST_LOOP	19
#define IPV6_JOIN_GROUP		20
#define IPV6_LEAVE_GROUP	21
#define IPV6_ROUTER_ALERT	22
#define IPV6_MTU_DISCOVER	23
#define IPV6_MTU		24
#define IPV6_RECVERR		25
#define IPV6_V6ONLY		26
#define IPV6_JOIN_ANYCAST	27
#define IPV6_LEAVE_ANYCAST	28

/* Obsolete synonyms for the above.  */
#define IPV6_ADD_MEMBERSHIP	IPV6_JOIN_GROUP
#define IPV6_DROP_MEMBERSHIP	IPV6_LEAVE_GROUP
#define IPV6_RXHOPOPTS		IPV6_HOPOPTS
#define IPV6_RXDSTOPTS		IPV6_DSTOPTS

/* Routing header options for IPv6.  */
#define IPV6_RTHDR_LOOSE	0	/* Hop doesn't need to be neighbour. */
#define IPV6_RTHDR_STRICT	1	/* Hop must be a neighbour.  */

#define IPV6_RTHDR_TYPE_0	0	/* IPv6 Routing header type 0.  */


Re: [exim-dev] Exim 4.82 RC5 uploaded

2013-10-26 Thread Andreas Metzler
On 2013-10-25 Todd Lyons tly...@exim.org wrote:
> I have uploaded Exim 4.82 RC5 to:
> ftp://ftp.exim.org/pub/exim/exim4/test/
[...]
> I haven't heard of any further build issues with RC5.  If I don't hear
> anything show-stopper by the end of the weekend, especially with
> respect to the GnuTLS issues, I'll release on Monday morning.


Hello,

I have uploaded rc5 to Debian/experimental. It failed to build on
GNU/hurd
https://buildd.debian.org/status/package.php?p=exim4&suite=experimental
but I do not think that should stop a release.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim 4.82 RC4 uploaded

2013-10-23 Thread Andreas Metzler
On 2013-10-22 Todd Lyons tly...@exim.org wrote:
> I have uploaded Exim 4.82 RC4 to
[...]
> RC4 contains really only two fixes. The first is fixing a GnuTLS compile
> error on systems that have it built without PKCS11 support. The second
> is modifications to the runtest script in the test suite to allow it to
> be run with zero keyboard interaction.
>
> Pending any unforeseeable issues, this version is intended to be the last
> version before the official release of 4.82.
[...]

Hello,

I think something went wrong when building the release, neither of the
abovementioned two fixes seems to be part of rc4:

ametzler@argenau:/tmp/EXIM4/foo$ diff -NurBbp exim-4.82_RC[34] | diffstat
 doc/filter.txt |2 +-
 doc/spec.txt   |5 +++--
 src/receive.c  |2 +-
 src/version.sh |2 +-
 4 files changed, 6 insertions(+), 5 deletions(-)

The only actual code change compared to rc3 is
54e3e5b64c9fa8b6f3628e200d63b028b97f4526 Format String safety.

The git tag seems to match the released tarball.

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim 4.82 RC1 uploaded

2013-09-28 Thread Andreas Metzler
On 2013-09-26 Todd Lyons tly...@exim.org wrote:
> I have uploaded Exim 4.82 RC1 to
>   ftp://ftp.exim.org/pub/exim/exim4/test/
[...]

Thanks for starting the release process.

It builds ok and seems to work for me (see headers ;-), it does not
advertise itself as 4.82, though:

ametzler@argenau:$ /usr/sbin/exim4 -be '$version_number'
4.80_230-b1f3784

Also the txt docs are empty:
ametzler@argenau:/tmp/EXIM4/exim-4.82$ ls -l doc/filter.txt doc/spec.txt
-rw-r--r-- 1 ametzler ametzler 0 Sep 26 14:41 doc/filter.txt
-rw-r--r-- 1 ametzler ametzler 0 Sep 26 14:41 doc/spec.txt

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim 4.82 RC1 uploaded

2013-09-28 Thread Andreas Metzler
In gmane.mail.exim.user Todd Lyons tly...@exim.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have uploaded Exim 4.82 RC1 to
[...]

Thanks for taking care of the release process.

spec.txt is empty:
ametzler@argenau:/tmp/EXIM4$ tar tvf exim4_4.82~rc1.orig.tar.bz2 | grep spec
-rw-r--r-- exim-build/exim-build  0 2013-09-26 14:41 exim-4.82_RC1/doc/spec.txt
-rw-r--r-- exim-build/exim-build  33783 2013-09-24 17:37 exim-4.82_RC1/doc/experimental-spec.txt

cu Andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




[exim-dev] [Bug 1331] New: Fails to send mails on GNU hurd-i386 with ipv6 enable

2013-01-14 Thread Andreas Metzler
--- You are receiving this mail because: ---
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1331
   Summary: Fails to send mails on GNU hurd-i386 with ipv6 enable
   Product: Exim
   Version: 4.80.1
  Platform: Other
   URL: http://bugs.debian.org/698092
OS/Version: All
Status: NEW
  Severity: bug
  Priority: medium
 Component: General execution
AssignedTo: ni...@exim.org
ReportedBy: eximus...@downhill.at.eu.org
CC: exim-dev@exim.org


Created an attachment (id=602)
 -- (http://bugs.exim.org/attachment.cgi?id=602)
suggested patch

Hello,

this is Debian bug #698092. Bug report and patch by Samuel Thibault:

--
Hello,

After enabling ipv6 on a hurd-i386 box, I couldn't send mails with exim4
any more:

LOG: PANIC DIE
  Unable to get IP address for lo interface: 1073741846 Invalid argument

Digging a bit, it seems it would actually also happen on Linux if it
didn't have SIOCGIFCONF_GIVES_ADDR . It happens that GNU/Hurd's
SIOCGIFCONF does give the address, so the attached patch sets
SIOCGIFCONF_GIVES_ADDR on GNU/Hurd too, which fixes the issue.

Samuel
--


-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email



[exim-dev] Maildir appendfile names longer than they need to be

2012-12-26 Thread Andreas Metzler
Hello,

Andrew Buckeridge wrote on http://bugs.debian.org/481081:

- Forwarded message from Andrew Buckeridge andr...@bgcaus.com -
[...]
In ~/Maildir/cur/ I have: -
1210666181.H610983P31901.203.161.103.17.static.amnet.net.au
   ^^^   ^^
[...]
The bit after the second '.' should be from the POSIX gethostname() as
this is short, but unique in an NFS LAN context.  (Replace / with \057
and : with \072.  Also be mindful to replace ' ' with \040 to address
bug #446161.)

The file name and UIDL are longer than they need to be to be unique.
I think that this is a waste of resources. 
[...]
- End forwarded message -

e.g. dovecot indeed seems to use the unqualified hostname instead of
the FQDN for the last part of name.

Personally I do not have a strong opinion on this, I would just like
an answer (will change / should be changed - please report a bug /
current behavior is fine, we will keep it).

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [Bug 1327] Undocumented option hosts_verify_avoid_tls afflicts smtp transport

2012-12-24 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1327

Andreas Metzler eximus...@downhill.at.eu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID




--- Comment #1 from Andreas Metzler eximus...@downhill.at.eu.org  2012-12-24 
17:34:02 ---
Hello,

hosts_verify_avoid_tls is only available in GIT, not in any released version.

GIT already includes documentation for the option.

See how
http://git.exim.org/exim.git/commit/9940096804c9f3985ca3bc9d862cefa0daa29c96
also documents the option in spec.xfpt.

cu andreas




[exim-dev] [Bug 1324] Inconsistent interpretation of empty values in log_file_path

2012-12-23 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1324




--- Comment #5 from Andreas Metzler eximus...@downhill.at.eu.org  2012-12-23 
16:50:52 ---
Created an attachment (id=599)
 -- (http://bugs.exim.org/attachment.cgi?id=599)
Document unsetting log_file_path




[exim-dev] [Bug 1324] Inconsistent interpretation of empty values in log_file_path

2012-12-23 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1324




--- Comment #6 from Andreas Metzler eximus...@downhill.at.eu.org  2012-12-23 
17:30:27 ---
Created an attachment (id=600)
 -- (http://bugs.exim.org/attachment.cgi?id=600)
Fix eximon's handling of empty items in log_file_path

eximon treated log_file_path = and log_file_path = : syslog the same.
However the former makes exim use $SPOOL_DIRECTORY/log/mainlog while the
latter uses the compile-time setting of LOG_FILE_PATH if available.

Find attached an (inelegant) fix for this issue.




[exim-dev] [Bug 1324] Inconsistent interpretation of empty values in log_file_path

2012-12-19 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1324

Andreas Metzler eximus...@downhill.at.eu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|bug                         |wishlist




--- Comment #3 from Andreas Metzler eximus...@downhill.at.eu.org  2012-12-19 
19:06:26 ---
Phil Pennock wrote
> the very first result is describing what the default for log_file_path is
> when it's unset.

Imho having 
log_file_path =
in the exim configuration file is not the same as it's unset. It is set, but
to an empty value.

That documentation is easily fixable, though. I just think it is really
counterintuitive that this happens:
1) I set a smart default for log_file_path at compile time.
2) log_file_path =  results in exim falling back to some uber-default instead
of the compile time value.

Is this argument convincing?
If it is, and if you think changing the way exim behaves does not have too big
chances to break existing systems please change it.
Otherwise, if you think the current behavior is fine (or not worth breaking
compatibility) tell me, and I will try to come up with a patch for the
documentation instead.

Thanks, cu andreas




[exim-dev] [Bug 1324] New: Inconsistent interpretation of empty values in log_file_path

2012-12-17 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1324
   Summary: Inconsistent interpretation of empty values in
log_file_path
   Product: Exim
   Version: 4.77
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: Logging
AssignedTo: ni...@exim.org
ReportedBy: eximus...@downhill.at.eu.org
CC: exim-dev@exim.org


This is not consistent:

[1] log_file_path = :
Writes to the compile time default if one was set or to %$spooldir/log/
otherwise
[2] log_file_path =
always writes to %$spooldir/log/ , even if a different compile time default was
set.

I think [2] does not match the documentation either.

cu andreas




Re: [exim-dev] release builds

2012-09-30 Thread Andreas Metzler
On 2012-09-30 Andreas Metzler eximus...@downhill.at.eu.org wrote:
[...]
> you might need the docbook-xsl package. Check where it installs its
> version of xhtml/docbook.xsl and change the path in exim's source.

I think the actual package name on RH is docbook-style-xsl



[exim-dev] Minor build fixes

2012-09-23 Thread Andreas Metzler
Hello,

find attached two minor fixes to the build system by Simon Ruderich.

makefile-missing-fullecho.patch: $(FE) was not used for some cases.
fix-missing-lflags.patch: Also use lflags when building the helper
binary.

thanks, cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Author: Simon Ruderich si...@ruderich.org
Last-Update: 2012-09-14

Index: exim4-4.80/OS/Makefile-Base
===
--- exim4-4.80.orig/OS/Makefile-Base	2012-09-14 17:07:28.926489036 +0200
+++ exim4-4.80/OS/Makefile-Base	2012-09-14 17:07:31.190489123 +0200
@@ -113,7 +113,7 @@
 # Targets for special-purpose configuration header builders
 buildconfig: buildconfig.c
 	@echo $(CC) buildconfig.c
-	$(FE)$(CC) $(CFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS)
+	$(FE)$(CC) $(CFLAGS) $(LFLAGS) $(INCLUDE) -o buildconfig buildconfig.c $(LIBS)
 
 
 # Target for the exicyclog utility script
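Review bot: the header of this patch carries Author and Last-Update but no Description line, unlike the companion patch that follows it, so the reason for adding $(LFLAGS) to the buildconfig rule is recorded only in the covering mail. Please add a one-line Description saying that the helper binary was being linked without the link flags.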
Description: Add missing $(FE) to Makefiles.
Author: Simon Ruderich si...@ruderich.org
Last-Update: 2012-09-14

Index: exim4-4.80/src/transports/Makefile
===
--- exim4-4.80.orig/src/transports/Makefile	2012-09-14 17:07:28.110489005 +0200
+++ exim4-4.80/src/transports/Makefile	2012-09-14 17:07:34.374489244 +0200
@@ -7,7 +7,7 @@
 transports.a:$(OBJ)
 		 @$(RM_COMMAND) -f transports.a
 		 @echo $(AR) transports.a
-		 @$(AR) transports.a $(OBJ)
+		 $(FE)$(AR) transports.a $(OBJ)
 		 $(RANLIB) $@
 
 .SUFFIXES:   .o .c
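Review bot: only the $(AR) line of the transports.a rule is switched to $(FE); the `@$(RM_COMMAND) -f transports.a` line above it keeps a hard-coded `@` and `$(RANLIB) $@` has no prefix at all, so the rule still mixes three echo behaviours. If the aim is that a full-echo build shows every command, give those two lines the same treatment, or say in the Description why they are left alone. The routers and lookups hunks below follow the same pattern.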
Index: exim4-4.80/src/routers/Makefile
===
--- exim4-4.80.orig/src/routers/Makefile	2012-09-14 17:07:28.110489005 +0200
+++ exim4-4.80/src/routers/Makefile	2012-09-14 17:07:34.374489244 +0200
@@ -14,7 +14,7 @@
 routers.a:   $(OBJ)
 		 @$(RM_COMMAND) -f routers.a
 		 @echo $(AR) routers.a
-		 @$(AR) routers.a $(OBJ)
+		 $(FE)$(AR) routers.a $(OBJ)
 		 $(RANLIB) $@
 
 .SUFFIXES:   .o .c
Index: exim4-4.80/src/lookups/Makefile
===
--- exim4-4.80.orig/src/lookups/Makefile	2012-09-14 17:07:28.110489005 +0200
+++ exim4-4.80/src/lookups/Makefile	2012-09-14 17:07:34.374489244 +0200
@@ -14,7 +14,7 @@
 lookups.a:   $(OBJ)
 		 @$(RM_COMMAND) -f lookups.a
 		 @echo $(AR) lookups.a
-		 @$(AR) lookups.a $(OBJ)
+		 $(FE)$(AR) lookups.a $(OBJ)
 		 $(RANLIB) $@
 
 .SUFFIXES:   .o .c .so


Re: [exim-dev] Anybody ever use rspamd?

2012-08-08 Thread Andreas Metzler
On 2012-08-08 Phil Pennock p...@exim.org wrote:
[...]
> It appears to be under a BSD-ish with-advertising license.
[...]

Actually afaict it is BSD-2-clause, not the (GPL incompatible) version
with advertising clause. ;-)

cu andreas



[exim-dev] [patch] spec in GIT does not build

2012-07-15 Thread Andreas Metzler
Hello,

spec.xfpt in GIT does not build, * is closed with '. Patch attached.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From f57badd2a0eb857831b76342ed3c68c884ae3e73 Mon Sep 17 00:00:00 2001
From: Andreas Metzler ametz...@downhill.at.eu.org
Date: Sat, 14 Jul 2012 18:39:20 +0200
Subject: [PATCH 05/12] Fix non-matching -construct

---
 doc/doc-docbook/spec.xfpt |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4791fa1..2c9a9cb 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9752,7 +9752,7 @@ when %length% is used as an operator.
 The string is interpreted as a list and the number of items is returned.
 
 
-.vitem *${listnamed:*'name'*}*~and~*${list_*'type'*name'*}*
+.vitem *${listnamed:*'name'*}*~and~*${list_*'type'*name**}*
 .cindex expansion named list
 .cindex %listnamed% expansion item
 The name is interpreted as a named list and the content of the list is returned,
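Review bot: the replacement .vitem line ends in `*name**}*`, which closes one emphasis run and immediately opens another; a single run covering both parts would be easier to read and less likely to become unbalanced again. The commit message is a subject line only, so a sentence naming the mismatched delimiter on the listnamed item would help later readers.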
-- 
1.7.10.4



[exim-dev] [patch] Minor documentation fixes.

2012-07-15 Thread Andreas Metzler
Hello,

find attached some fixes for spec.xfpt, courtesy of Regid Ichira.
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From ff61cda4fd566b503c6567b04cd34e289822e926 Mon Sep 17 00:00:00 2001
From: Andreas Metzler ametz...@downhill.at.eu.org
Date: Sun, 15 Jul 2012 13:02:46 +0200
Subject: [PATCH 1/2] Fix typos

Multiple typos and minor errors in documentation, found by Regid Ichira.
---
 doc/doc-docbook/spec.xfpt |   16 
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 140d8f9..e1a74c6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -1936,7 +1936,7 @@ in your _/etc/hosts.allow_ file allows connections from the local host, from
 the subnet 192.168.1.0/24, and from all hosts in 'friendly.domain.example'.
 All other connections are denied. The daemon name used by 'tcpwrappers'
 can be changed at build time by setting TCP_WRAPPERS_DAEMON_NAME in
-in _Local/Makefile_, or by setting tcp_wrappers_daemon_name in the
+_Local/Makefile_, or by setting tcp_wrappers_daemon_name in the
 configure file. Consult the 'tcpwrappers' documentation for
 further details.
 
@@ -4094,8 +4094,8 @@ message.
 Provided
 this error message is successfully sent, the Exim receiving process
 exits with a return code of zero. If not, the return code is 2 if the problem
-is that the original message has no recipients, or 1 any other error. This is
-the default %-oe%'x' option if Exim is called as 'rmail'.
+is that the original message has no recipients, or 1 for any other error.
+This is the default %-oe%'x' option if Exim is called as 'rmail'.
 
 .vitem %-oem%
 .oindex %-oem%
@@ -4515,7 +4515,7 @@ has 'f' or 'ff' in its flags, the associated action is taken.
 
 .vitem %-Tqt%~'times'
 .oindex %-Tqt%
-This an option that is exclusively for use by the Exim testing suite. It is not
+This is an option that is exclusively for use by the Exim testing suite. It is not
 recognized when Exim is run normally. It allows for the setting up of explicit
 queue times so that various warning/retry features can be tested.
 
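Review bot: the corrected first line of the %-Tqt% item ("This is an option that is exclusively for use by the Exim testing suite. It is not") is now 82 characters, longer than the lines around it. The %-oe% hunk above re-wrapped its paragraph after a similar insertion; re-wrap here as well so the source stays within the file's usual line width.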
@@ -19906,7 +19906,7 @@ message, which happens if the %return_message% option is set.
 
 .option transport_filter_timeout transports time 5m
 .cindex transport filter, timeout
-When Exim is reading the output of a transport filter, it a applies a timeout
+When Exim is reading the output of a transport filter, it applies a timeout
 that can be set by this option. Exceeding the timeout is normally treated as a
 temporary delivery failure. However, if a transport filter is used with a
 (pipe) transport, a timeout in the transport filter is treated in the same
@@ -26613,7 +26613,7 @@ others specify text for messages that are used when access is denied or a
 warning is generated. The %control% modifier affects the way an incoming
 message is handled.
 
-The positioning of the modifiers in an ACL statement important, because the
+The positioning of the modifiers in an ACL statement is important, because the
 processing of a verb ceases as soon as its outcome is known. Only those
 modifiers that have already been encountered will take effect. For example,
 consider this use of the %message% modifier:
@@ -27345,7 +27345,7 @@ system filter or in a router or transport.
 
 .section ACL conditions SECTaclconditions
 .cindex ACL; conditions; list of
-Some of conditions listed in this section are available only when Exim is
+Some of the conditions listed in this section are available only when Exim is
 compiled with the content-scanning extension. They are included here briefly
 for completeness. More detailed descriptions can be found in the discussion on
 content scanning in chapter CHAPexiscan.
@@ -28125,7 +28125,7 @@ dnslists = a.b.c!0.0.0.1
 If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is
 false because 127.0.0.1 matches.
 .next
-If `!==` or `!=` is used, the condition is true there is at least one
+If `!==` or `!=` is used, the condition is true if there is at least one
 looked up IP address that does not match. Consider:
 .code
 dnslists = a.b.c!=0.0.0.1
-- 
1.7.10.4

From 555b68641b2161829a7fee1b5161a9b0fcb1b6f7 Mon Sep 17 00:00:00 2001
From: Andreas Metzler ametz...@downhill.at.eu.org
Date: Sun, 15 Jul 2012 13:05:34 +0200
Subject: [PATCH 2/2] More minor documentation fixes.

Some more fixes by Regid Ichira:
* s/current input/standard input/ for -bm documentation
* The example for splitting entries over multiple lines in lsearched
  files was missing the leading whitespace on the continued line.
* The local_interfaces listed the same IP address twice.
* The delay modifier may appear in any ACL *except* *notquit*.
---
 doc/doc-docbook/spec.xfpt |   18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index e1a74c6

[exim-dev] gnutls / exim : gnome-keyring:: couldn't connect to: /home/ametzler/.cache/keyring-vZ6lZn/pkcs11: Permission denied

2012-06-23 Thread Andreas Metzler
Hello,

After the GnuTLS revamp it looks like PKCS#11 modules are
suddenly (unnecessarily) autoloaded and fail due to SUID:

ametzler@argenau:~$ mailq
ametzler@argenau:~$ gnome-keyring-daemon --start --components=pkcs11
GNOME_KEYRING_CONTROL=/home/ametzler/.cache/keyring-Blme9u
GNOME_KEYRING_PID=1274
ametzler@argenau:~$ export GNOME_KEYRING_CONTROL=/home/ametzler/.cache/keyring-Blme9u GNOME_KEYRING_PID=1274
ametzler@argenau:~$ mailq
WARNING: gnome-keyring:: couldn't connect to: /home/ametzler/.cache/keyring-Blme9u/pkcs11: Permission denied
ametzler@argenau:~$

The same behavior can also be reproduced with a SUID gnutls-cli[1].
Any idea on how to properly fix this?
cu andreas

[1]
argenau:~# cp /usr/bin/gnutls-cli /tmp/
argenau:~# chown nobody:nogroup /tmp/gnutls-cli 
argenau:~# chmod ug+s /tmp/gnutls-cli 
argenau:~# ls -l  /tmp/gnutls-cli 
-rwsr-sr-x 1 nobody nogroup 82156 Jun 23 08:58 /tmp/gnutls-cli
ametzler@argenau:~$ /tmp/gnutls-cli db.debian.org < /dev/null
WARNING: gnome-keyring:: couldn't connect to: /home/ametzler/.cache/keyring-Blme9u/pkcs11: Permission denied
[...]



Re: [exim-dev] gnutls / exim : gnome-keyring:: couldn't connect to: /home/ametzler/.cache/keyring-vZ6lZn/pkcs11: Permission denied

2012-06-23 Thread Andreas Metzler
On 2012-06-23 Phil Pennock p...@exim.org wrote:
> On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote:
>> After the GnuTLS revamp it looks like PKCS#11 modules are
>> suddenly (unnecessarily) autoloaded and fail due to SUID:
>
> Note: the problem here isn't suid itself, but that environment variables
> passed through are no longer valid.
>
> If you find the two calls to gnutls_global_init() in tls-gnu.c and
> before them insert:
>
>   rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> and one of:
>   exim_gnutls_err_check(USgnutls_pkcs11_init);
>   validate_check_rc(USgnutls_pkcs11_init);
> (it should be obvious which goes where, just stay consistent)
>
> then does that fix the problem?
[...]

It does, thank you for the fix and explanation.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Description: Disable autoloading of PKCS#11 modules.
Author: Phil Pennock p...@exim.org
Origin: upstream
Bug-Debian: http://bugs.debian.org/678238
Forwarded: http://article.gmane.org/gmane.mail.exim.devel/5732
Last-Update: 2012-06-23

Index: b/src/tls-gnu.c
===
--- a/src/tls-gnu.c	2012-06-23 18:17:41.0 +0200
+++ b/src/tls-gnu.c	2012-06-23 18:18:31.0 +0200
@@ -39,6 +39,8 @@ require current GnuTLS, then we'll drop
 #include gnutls/x509.h
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include gnutls/crypto.h
+/* needed for gnutls_pkcs11_init */
+#include gnutls/pkcs11.h
 
 /* GnuTLS 2 vs 3
 
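Review bot: gnutls/pkcs11.h is included unconditionally, yet the neighbouring "GnuTLS 2 vs 3" comment shows that this file still caters for more than one GnuTLS generation. A GnuTLS that lacks this header or gnutls_pkcs11_init() will now fail to compile; wrap the include and both new calls in a version or feature guard.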
@@ -910,6 +912,8 @@ if (!exim_gnutls_base_init_done)
   {
   DEBUG(D_tls) debug_printf(GnuTLS global init required.\n);
 
+  rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+  exim_gnutls_err_check(USgnutls_pkcs11_init);
   rc = gnutls_global_init();
   exim_gnutls_err_check(USgnutls_global_init);
 
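Review bot: the new gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL) call has no comment, so nothing in the code says why module loading is switched to manual or that the call must come before gnutls_global_init(). Add a short comment giving the reason from the patch description (disable autoloading of PKCS#11 modules) so that the ordering is not undone in a later cleanup.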
@@ -1942,6 +1946,8 @@ if (exim_gnutls_base_init_done)
   log_write(0, LOG_MAIN|LOG_PANIC,
   already initialised GnuTLS, Exim developer bug);
 
+rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+validate_check_rc(USgnutls_pkcs11_init);
 rc = gnutls_global_init();
 validate_check_rc(USgnutls_global_init());
 exim_gnutls_base_init_done = TRUE;
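Review bot: the label passed to validate_check_rc() for the new call is written without parentheses (gnutls_pkcs11_init) while the existing line below it uses gnutls_global_init(); pick one form so the two messages from this function read alike.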


Re: [exim-dev] gnutls_compat_mode is only available as main configuration option

2012-06-03 Thread Andreas Metzler
On 2012-06-02 Phil Pennock p...@exim.org wrote:
> On 2012-06-01 at 19:26 +0200, Andreas Metzler wrote:
>> The docs for gnutls_compat_mode are not correct: It only exists as a
[...]
>> I can try to come up with a patch for the documentation, unless you
>> think the source should be changed.
>
> Doc fix please.  The tls_require_ciphers, as you say, means that
> gnutls_compat_mode is not needed and should probably be marked
> deprecated.  Feel free to call it that and advise people to use
> tls_require_ciphers instead.

Patch attached, please doublecheck the wording.

thanks, cu andreas
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 3c5f5bd..8053bdf 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13745,7 +13745,12 @@ See %gecos_name% above.
 .option gnutls_compat_mode main boolean unset
 This option controls whether GnuTLS is used in compatibility mode in an Exim
 server. This reduces security slightly, but improves interworking with older
-implementations of TLS.
+implementations of TLS. This deprecated setting applies to both incoming and
+outgoing connections. Using the special keyword %COMPAT in the GnuTLS
+priority string (exim option %tls_require_ciphers%, see section
+SECTreqciphgnu) has the same effect and allows to selectively enable
+compat mode for incoming (main option) or outgoing (smtp transport option)
+connections.
 
 .option headers_charset main string see below
 This option sets a default character set for translating from encoded MIME
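Review bot: the added text says the setting "applies to both incoming and outgoing connections", but the unchanged first sentence of the entry still describes compatibility mode "in an Exim server", so the entry now contradicts itself; reword that first sentence as part of this change. "allows to selectively enable compat mode" would also read better as "allows compat mode to be enabled selectively".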
@@ -22177,11 +22182,6 @@ being used, names are looked up using [gethostbyname()]
 instead of using the DNS. Of course, that function may in fact use the DNS, but
 it may also consult other sources of information such as _/etc/hosts_.
 
-.option gnutls_compat_mode smtp boolean unset
-This option controls whether GnuTLS is used in compatibility mode in an Exim
-server. This reduces security slightly, but improves interworking with older
-implementations of TLS.
-
 .option helo_data smtp string!! see below
 .cindex HELO argument, setting
 .cindex EHLO argument, setting


[exim-dev] gnutls_compat_mode is only available as main configuration option

2012-06-01 Thread Andreas Metzler
Hello,

The docs for gnutls_compat_mode are not correct: It only exists as a
main configuration option, the corresponding option on the SMTP
transport does not exist. However (differently from other tls options)
the main configuration setting applies to both incoming and outgoing
connections.

This is no new behavior in 4.80, 4.77 behaves the same way.

I do not think code changes are needed, people who want to use
compat_mode selectively for incoming or outgoing connections can use
NORMAL:%COMPAT in the respective tls_require_ciphers. (Afaict the
priority string setting is a superset of gnutls_compat_mode).

I can try to come up with a patch for the documentation, unless you
think the source should be changed.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] Trivial patch: overriden

2012-05-27 Thread Andreas Metzler
Hello,

find attached a trivial patch for git head, s/overriden/overridden/g

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
From 55a5cd59ae965cc41c93b10c9f5e127fd395dd43 Mon Sep 17 00:00:00 2001
From: Andreas Metzler ametz...@downhill.at.eu.org
Date: Sun, 27 May 2012 18:05:10 +0200
Subject: [PATCH] Typo fix: overriden - overridden

---
 src/src/buildconfig.c |2 +-
 src/src/exim.h|2 +-
 src/src/tls-gnu.c |2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index c90d940..62114fc 100644
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -849,7 +849,7 @@ else if (isgroup)
   /* how many bits Exim, as a client, demands must be in D-H */
   /* as of GnuTLS 2.12.x, we ask for normal for D-H PK; before that, we
   specify the number of bits.  We've stuck with the historical value, but
-  it can be overriden. */
+  it can be overridden. */
   else if ((strcmp(name, EXIM_CLIENT_DH_MIN_BITS) == 0) ||
(strcmp(name, EXIM_SERVER_DH_BITS_PRE2_12) == 0))
 {
diff --git a/src/src/exim.h b/src/src/exim.h
index c18c9ae..3287166 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -55,7 +55,7 @@ making unique names. */
 #define LOCALHOST_MAX  10
 #endif
 
-/* If not overriden by os.h, dynamic libraries have filenames ending .so */
+/* If not overridden by os.h, dynamic libraries have filenames ending .so */
 #ifndef DYNLIB_FN_EXT
 # define DYNLIB_FN_EXT so
 #endif
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7aab309..c8bf634 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1231,7 +1231,7 @@ if ((rc  0) || (verify  (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
 return FALSE;
 }
   DEBUG(D_tls)
-debug_printf(TLS verify failure overriden (host in tls_try_verify_hosts)\n);
+debug_printf(TLS verify failure overridden (host in tls_try_verify_hosts)\n);
   }
 else
   {
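Review bot: unlike the other two hunks, which touch comments, this one changes the text of a debug_printf() call, so the spelling fix alters runtime debug output. Say so in the commit message, and check whether any stored expected output or log-matching script still looks for the old spelling.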
-- 
1.7.10



[exim-dev] [ADMIN] http://news.gmane.org/gmane.mail.exim.devel/ has stopped updating

2012-05-20 Thread Andreas Metzler
Hello,

gmane's exim-dev archive has stopped updating. Could some list admin
check whether the problem is on tahini's side (disabled delivery) or on
gmane's side?

thanks, cu andreas


-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] 4.80 RC2 / GnuTLS 2.12.19: tls_require_ciphers (server side) ignored

2012-05-20 Thread Andreas Metzler
Hello,

tls_require_ciphers seems to be ignored on the server side:

argenau:/tmp/EXIM4# exim4 -bP tls_require_ciphers
tls_require_ciphers = EXPORT:-VERS-TLS1.2

argenau:/tmp/EXIM4# exim4 -bd -d+all-memory -v
Library version: GnuTLS: Compile: 2.12.19
 Runtime: 2.12.19
[...]
13:41:31 20414 Listening...
[...]


Ok, now let's connect:
ametzler@argenau:/tmp/EXIM4$ openssl s_client  -connect localhost:465
[...]
SSL-Session:
Protocol  : TLSv1.2
[...]

And the debug log shows this:
13:42:57 20414 Connection request from 127.0.0.1 port 48534
13:42:57 20414 interface address=127.0.0.1 port=465
[...]
13:42:57 20416 initialising GnuTLS as a server
13:42:57 20416 GnuTLS global init required.
13:42:57 20416 initialising GnuTLS server session
13:42:57 20416 Expanding various TLS configuration options for session 
credentials.
13:42:57 20416 certificate file = /etc/exim4/exim.crt
13:42:57 20416 key file = /etc/exim4/exim.key
13:42:57 20416 TLS: cert/key registered
[...]
13:42:57 20416 Initialising GnuTLS server params.
13:42:57 20416 GnuTLS tells us that for D-H PK, NORMAL is 2432 bits.
13:42:57 20416 read D-H parameters from file 
/var/spool/exim4/gnutls-params-2432
13:42:57 20416 initialized server D-H parameters
13:42:57 20416 GnuTLS using default session cipher/priority NORMAL

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim 4.80 RC1 uploaded

2012-05-20 Thread Andreas Metzler
On 2012-05-19 Phil Pennock p...@exim.org wrote:
> On 2012-05-19 at 16:26 +0200, Andreas Metzler wrote:
[...]
> If you're going to build with -Werror=format-security then you need to
> #define PRINTF_FUNCTION(A,B) to /**/ in mytypes.h, which will also shut
> up a bunch of other warnings.  The PRINTF_FUNCTION() usage has caught a
> number of small issues and been generally useful, but it's not a perfect
> match.  If there were a pragma to define a new format and register what
> each escape expects, as a type, and declare that some do not consume
> arguments, we could use that and there would be no mismatches.
[...]
> I think, realistically, people are going to turn on -Wformat=security
> and we need to accept that and remove the safety-checks instead.
> They're useful to the developers, in figuring out where there *might* be
> issues, but there's so many false positive warnings, and this, that it
> is not tenable for a release.
>
> For now, can you please build without -Wformat=security and see if it
> works?

FWIW I have just uploaded to Debian/experimental to check for
build-errors. In a first try we are building with -Wformat=security
and 

--- exim4-4.80~rc2.orig/src/functions.h
+++ exim4-4.80~rc2/src/functions.h
@@ -325,7 +325,7 @@ extern uschar *string_copy_malloc(uschar
 extern uschar *string_copylc(uschar *);
 extern uschar *string_copynlc(uschar *, int);
 extern uschar *string_dequote(uschar **);
-extern BOOLstring_format(uschar *, int, const char *, ...) 
PRINTF_FUNCTION(3,4);
+extern BOOLstring_format(uschar *, int, const char *, ...);

as this has worked for me. ;-)

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Re: [exim-dev] Exim 4.80 RC1 uploaded

2012-05-19 Thread Andreas Metzler
On 2012-05-18 Andreas Metzler eximus...@downhill.at.eu.org wrote:
> On 2012-05-18 Phil Pennock p...@exim.org wrote:
>> I have uploaded Exim 4.80 RC1 to:
[...]

> I get a strange error when building with -Werror=format-security:
> -
> gcc -o em_main.o -c -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 
> -Wformat -Werror=format-security -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 
> -D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -fvisibility=hidden -I. 
> -I../exim_monitor  -I/usr/X11R6/include \
>    ../exim_monitor/`echo em_main.o | sed 's/o$/c/'`
> ../exim_monitor/em_main.c: In function 'numlock_modifiers':
> ../exim_monitor/em_main.c:576:5: warning: 'XKeycodeToKeysym' is deprecated 
> (declared at /usr/include/X11/Xlib.h:1695) [-Wdeprecated-declarations]
> ../exim_monitor/em_main.c: In function 'main':
> ../exim_monitor/em_main.c:659:3: error: format not a string literal and no 
> format arguments [-Werror=format-security]
> cc1: some warnings being treated as errors
> make[2]: *** [em_main.o] Error 1
> -
>
> which corresponds to
> /* Do *not* use %s here, we need the %D datestamp in the log_file to
>   be expanded! */
>   (void)string_format(log_file_open, sizeof(log_file_open), CS log_file);
[...]

Hello,

Reverting a part of e0df1c8324f0e0c4112302fa473cff6a6110a044 makes the
problem unreproducible:

--- exim4-4.80~rc2.orig/src/functions.h
+++ exim4-4.80~rc2/src/functions.h
@@ -325,7 +325,7 @@ extern uschar *string_copy_malloc(uschar
 extern uschar *string_copylc(uschar *);
 extern uschar *string_copynlc(uschar *, int);
 extern uschar *string_dequote(uschar **);
-extern BOOLstring_format(uschar *, int, const char *, ...) 
PRINTF_FUNCTION(3,4);
+extern BOOLstring_format(uschar *, int, const char *, ...);
 extern uschar *string_format_size(int, uschar *);
 extern int string_interpret_escape(uschar **);
 extern int string_is_ip_address(uschar *, int *);
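Review bot: dropping PRINTF_FUNCTION(3,4) from the string_format() declaration removes compile-time format checking for every caller of string_format(), while the reported build failure comes from a single call in em_main.c. A narrower fix at that call site would keep the checking everywhere else; if the attribute really has to go, state that in the commit message so the loss is not silent.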


What also makes exim compile is reverting this part of
c6e95d22d77f480804ddb5c505891206b427dfb1 (which was a partial revert
of above-mentioned e0df1c8324f0e0c4112302fa473cff6a6110a044):

--- exim4-4.80~rc2.orig/exim_monitor/em_main.c
+++ exim4-4.80~rc2/exim_monitor/em_main.c
@@ -656,7 +656,7 @@ if (log_file[0] != 0)
   {
   /* Do *not* use %s here, we need the %D datestamp in the log_file to
   be expanded! */
-  (void)string_format(log_file_open, sizeof(log_file_open), CS log_file);
+  (void)string_format(log_file_open, sizeof(log_file_open), %s, CS log_file);
   log_datestamping = string_datestamp_offset = 0;
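Review bot: the added call passes log_file as a %s argument, which contradicts the comment directly above it ("Do *not* use %s here, we need the %D datestamp in the log_file to be expanded!"). With this change a %D in log_file is copied through unexpanded, so it is only usable as a build test; a real fix has to keep the expansion, and the comment must not be left saying the opposite of the code.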
 
cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
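
The em_main.c call discussed in this message passes log_file itself as the format so that %D gets expanded, which is exactly the pattern -Werror=format-security rejects. The following is an added example, not Exim's code: expand_datestamp() and the sample path are hypothetical, and a YYYYMMDD datestamp is assumed. It shows one way to expand only %D without ever handing a configured string to a printf-style function.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper (not Exim's string_format()): copy `path` into `dst`,
   replacing each "%D" with the date as YYYYMMDD (assumed datestamp form).
   Every other byte, including any other '%' sequence, is copied literally,
   so `path` is never interpreted as a printf format.
   Returns 1 on success, 0 (with dst emptied) if the result does not fit. */
int expand_datestamp(char *dst, size_t size, const char *path,
                     const struct tm *when)
{
  char stamp[16];
  size_t used = 0, slen;

  if (size == 0) return 0;
  dst[0] = '\0';
  slen = strftime(stamp, sizeof(stamp), "%Y%m%d", when);
  if (slen == 0) return 0;

  while (*path != '\0')
    {
    if (path[0] == '%' && path[1] == 'D')
      {
      /* Need room for the stamp plus the terminating NUL. */
      if (slen >= size - used) { dst[0] = '\0'; return 0; }
      memcpy(dst + used, stamp, slen);
      used += slen;
      path += 2;
      }
    else
      {
      /* Need room for this byte plus the terminating NUL. */
      if (size - used <= 1) { dst[0] = '\0'; return 0; }
      dst[used++] = *path++;
      }
    }
  dst[used] = '\0';
  return 1;
}

int main(void)
{
  /* Constructed sample: a log path with %D plus stray conversions that a
     printf-style function would try to consume arguments for. */
  const char *log_file = "/var/log/exim4/%D-main.log%n%s";
  char log_file_open[256];
  struct tm when;

  memset(&when, 0, sizeof(when));
  when.tm_year = 112; when.tm_mon = 4; when.tm_mday = 19;  /* 2012-05-19 */

  if (!expand_datestamp(log_file_open, sizeof(log_file_open), log_file, &when))
    return 1;
  puts(log_file_open);
  return 0;
}
```

Because the path is only ever copied, the call site compiles cleanly with -Wformat -Werror=format-security and stray conversions such as %n or %s in the configured value stay inert.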



[exim-dev] Typo writable?

2012-05-19 Thread Andreas Metzler
Hello,

lintian warned me about
I: exim4-base: spelling-error-in-manpage usr/share/man/man8/exim.8.gz writeable 
writable

Assuming this really is an error (and not British vs American
English) find attached a trivial patch to change all occurrences of
writeable to writable.

cu andreas

-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index c4c181e..e2b203b 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -3428,7 +3428,7 @@ file contains a list of full pathnames, one per line, for configuration files
 which are trusted. Root privilege is retained for any configuration file so
 listed, as long as the caller is the Exim user (or the user specified in the
 CONFIGURE_OWNER option, if any), and as long as the configuration file is
-not writeable by inappropriate users or groups.
+not writable by inappropriate users or groups.
 
 Leaving TRUSTED_CONFIG_LIST unset precludes the possibility of testing a
 configuration using %-C% right through message reception and delivery,
@@ -4599,7 +4599,7 @@ existing file in the list.
 .cindex ownership configuration file
 The run time configuration file must be owned by root or by the user that is
 specified at compile time by the CONFIGURE_OWNER option (if set). The
-configuration file must not be world-writeable, or group-writeable unless its
+configuration file must not be world-writable, or group-writable unless its
 group is the root group or the one specified at compile time by the
 CONFIGURE_GROUP option.
 
@@ -4610,7 +4610,7 @@ CONFIGURE_OWNER or CONFIGURE_GROUP options, then that user and/or any users
 who are members of that group will trivially be able to obtain root privileges.
 
 Up to Exim version 4.72, the run time configuration file was also permitted to
-be writeable by the Exim user and/or group. That has been changed in Exim 4.73
+be writable by the Exim user and/or group. That has been changed in Exim 4.73
 since it offered a simple privilege escalation for any attacker who managed to
 compromise the Exim user account.
 
@@ -34258,8 +34258,8 @@ Generate verbose output.
 If none of %-fcntl%, %-flock%, %-lockfile% or %-mbx% are given, the
 default is to create a lock file and also to use [fcntl()] locking on the
 mailbox, which is the same as Exim's default. The use of %-flock% or
-%-fcntl% requires that the file be writeable; the use of %-lockfile%
-requires that the directory containing the file be writeable. Locking by lock
+%-fcntl% requires that the file be writable; the use of %-lockfile%
+requires that the directory containing the file be writable. Locking by lock
 file does not last for ever; Exim assumes that a lock file is expired if it is
 more than 30 minutes old.
 
@@ -34886,7 +34886,7 @@ Unless the local user mailboxes are all owned by the Exim user (possible in
 some POP3 or IMAP-only environments):
 
 .olist
-They must be owned by the Exim group and be writeable by that group. This
+They must be owned by the Exim group and be writable by that group. This
 implies you must set %mode% in the appendfile configuration, as well as the
 mode of the mailbox files themselves.
 .next
diff --git a/doc/doc-misc/Ext-mbx-locking b/doc/doc-misc/Ext-mbx-locking
index f1b0523..8e4c311 100644
--- a/doc/doc-misc/Ext-mbx-locking
+++ b/doc/doc-misc/Ext-mbx-locking
@@ -33,13 +33,13 @@ multi-threaded applications such as operating system kernels.  It
 makes several presumptions:
  (1) it is alright to keep testing the lock (no overflow)
  (2) the critical resource is single-access only
- (3) there is shared writeable memory between the two threads
+ (3) there is shared writable memory between the two threads
  (4) the threads can be trusted to release the lock when finished
 
  In applications programming on multi-user systems, most commonly
 the other threads are in an entirely different process, which may even
 be logged in as a different user.  Few operating systems offer shared
-writeable memory between such processes.
+writable memory between such processes.
 
  A means of communicating this is by use of a file with a mutually
 agreed upon name.  A binary semaphore can be passed by means of the
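Review bot: doc/doc-misc/Ext-mbx-locking has a file name that suggests an externally authored text kept for reference. If it is a verbatim copy, leave its spelling alone and restrict the writeable/writable change to Exim's own documentation, so the copy does not drift from its source.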
diff --git a/doc/doc-src/FAQ.src b/doc/doc-src/FAQ.src
index 03360be..6dd2886 100644
--- a/doc/doc-src/FAQ.src
+++ b/doc/doc-src/FAQ.src
@@ -1158,7 +1158,7 @@ A0065: When Exim is called with -C, it passes on -C to any instances of itself
option. This defines a file containing a list of 'trusted' prefixes for
configuration files. Any configuration file specified with -C, if it
matches a prefix listed in that file, will be used without dropping root
-   privileges (as long as it is not writeable by a non-root user).
+   privileges (as long as it is not writable by a non-root user).
 
 
 Q0066: What does the message \*unable to set gid=xxx or uid=xxx*\ 

Re: [exim-dev] Exim 4.80 RC1 uploaded

2012-05-18 Thread Andreas Metzler
On 2012-05-18 Phil Pennock p...@exim.org wrote:
> I have uploaded Exim 4.80 RC1 to:
>   ftp://ftp.exim.org/pub/exim/exim4/test/
>
> This release contains a number of backwards-incompatible changes, for
> both OpenSSL and GnuTLS, in the name of security (about the only reason
> we normally accept for being backwards incompatible).  Please read over
> README.UPDATING carefully!  We have jumped from 4.77 to 4.80 for this
> reason.
[...]

I get a strange error when building with -Werror=format-security:
-
gcc -o em_main.o -c -g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 
-Wformat -Werror=format-security -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 
-D_LARGEFILE_SOURCE -fno-strict-aliasing -Wall -fvisibility=hidden -I. 
-I../exim_monitor  -I/usr/X11R6/include \
   ../exim_monitor/`echo em_main.o | sed 's/o$/c/'`
../exim_monitor/em_main.c: In function 'numlock_modifiers':
../exim_monitor/em_main.c:576:5: warning: 'XKeycodeToKeysym' is deprecated 
(declared at /usr/include/X11/Xlib.h:1695) [-Wdeprecated-declarations]
../exim_monitor/em_main.c: In function 'main':
../exim_monitor/em_main.c:659:3: error: format not a string literal and no 
format arguments [-Werror=format-security]
cc1: some warnings being treated as errors
make[2]: *** [em_main.o] Error 1
-

which corresponds to
/* Do *not* use %s here, we need the %D datestamp in the log_file to
  be expanded! */
  (void)string_format(log_file_open, sizeof(log_file_open), CS log_file);

What's really strange is that em_main.c has not changed (except for
adding a comment), and 4.77 continues to build with the same flags and
compiler.

cu andreas



[exim-dev] [Bug 1196] New: spec.txt still refers to relay_domains in some places.

2012-01-08 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1196
   Summary: spec.txt still refers to relay_domains in some places.
   Product: Exim
   Version: 4.77
  Platform: Other
OS/Version: Linux
Status: NEW
  Keywords: work:tiny
  Severity: bug
  Priority: low
 Component: Documentation
AssignedTo: ni...@exim.org
ReportedBy: eximus...@downhill.at.eu.org
CC: exim-dev@exim.org


Created an attachment (id=529)
 -- (http://bugs.exim.org/attachment.cgi?id=529)
bugfix

Hello,

find attached a simple patch for spec to *always* use
relay_to_domains/relay_from_hosts instead of the old relay_domains/relay_hosts.
cu andreas




[exim-dev] [One line patch] fix example in docs.

2012-01-08 Thread Andreas Metzler
Hello,

find attached a trivial documentation fix.

cu andreas
From aa79cfa6d290f84b96a73b520448cc0f16c515b4 Mon Sep 17 00:00:00 2001
From: Andreas Metzler ametz...@downhill.at.eu.org
Date: Sun, 8 Jan 2012 12:01:08 +0100
Subject: [PATCH 2/2] don't use the same address twice in example

This example did not make sense, there is no use in listing the same IP
address twice. (Found by Regid Ichira http://bugs.debian.org/653750)
---
 doc/doc-docbook/spec.xfpt |2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index fb0ec74..670921a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -12262,7 +12262,7 @@ local_interfaces = 0.0.0.0 : 127.0.0.1.26
 .endd
 To specify listening on the default port on specific interfaces only:
 .code
-local_interfaces = 192.168.34.67 : 192.168.34.67
+local_interfaces = 192.168.34.66 : 192.168.34.67
 .endd
 *Warning*: Such a setting excludes listening on the loopback interfaces.
 
-- 
1.7.2.5



[exim-dev] [admin] Why didn't bugzilla#1192 end up on exim-dev?

2012-01-08 Thread Andreas Metzler
Hello,

just wondering: Was bugzilla#1192 not cced to exim-dev intentionally
(perhaps because I selected component DKIM) or was there a (temporary)
error?

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



[exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions

2011-12-23 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1095




--- Comment #5 from Andreas Metzler eximus...@downhill.at.eu.org  2011-12-23 13:55:58 ---
On 2011-10-22 Christof Meerwald cme...@cmeerw.org wrote:
[...]
> Created an attachment (id=509)
>  -- (http://bugs.exim.org/attachment.cgi?id=509)
> Update exim gnutls support
>
> This patch replaces tls_require_ciphers, gnutls_require_kx,
> gnutls_require_mac and gnutls_require_protocols with gnutls_priority
> (which is passed directly to gnutls_priority_set_direct).
[...]
> I don't expect this patch to be the final version, but rather as a basis for
> further discussions.

How about accepting (but ignoring) the old options gnutls_require_kx,
gnutls_require_mac and gnutls_require_protocols? Or do you think a
hard failure is preferable?
cu andreas




Re: [exim-dev] [Bug 1156] New: GnuTLS protocol support update

2011-09-24 Thread Andreas Metzler
On 2011-09-24 Phil Pennock p...@exim.org wrote:

> GnuTLS supports TLS1.1 and TLS1.2, but Exim constrains it to SSL3
> and TLS1, and does not provide support for configuring higher
> versions.
>
> Let's fix that.

Hello,

I see that you already branched in git for that. Would you mind also
adding (after double-checking) the simple patch in
http://bugs.exim.org/show_bug.cgi?id=1095? It is necessary for
building against GnuTLS 3.x.

thanks, cu andreas



[exim-dev] [Bug 1154] New: -D expansion does not work on long identifiers

2011-09-18 Thread Andreas Metzler

http://bugs.exim.org/show_bug.cgi?id=1154
   Summary: -D expansion does not work on long identifiers
   Product: Exim
   Version: 4.76
  Platform: Other
OS/Version: Linux
Status: NEW
  Severity: bug
  Priority: medium
 Component: Unfiled
AssignedTo: ni...@exim.org
ReportedBy: eximus...@downhill.at.eu.org
CC: exim-dev@exim.org


The -D commandline facility for setting macros fails on long identifiers, 
only the first 22 characters of the identifier are replaced.

-

ametzler@argenau:~$ cat /tmp/exim4conftest
.ifdef A123456789B123456789C123
primary_hostname = A123456789B123456789C123
.endif
ametzler@argenau:~$ /usr/sbin/exim -C /tmp/exim4conftest \
 -DA123456789B123456789C123=foo.com -bP primary_hostname
primary_hostname = foo.com3
ametzler@argenau:~$ cat /tmp/exim4conftest
.ifdef A123456789B123456789C12
primary_hostname = A123456789B123456789C12
.endif
ametzler@argenau:~$ /usr/sbin/exim -C /tmp/exim4conftest \
-DA123456789B123456789C12=foo.com -bP primary_hostname
primary_hostname = foo.com
-

Setting the macro in a (.included) file works, however:
-
ametzler@argenau:~$ cat /tmp/exim4conftest
A123456789B123456789C123=blubb.com
.ifdef A123456789B123456789C123
primary_hostname = A123456789B123456789C123
.endif
ametzler@argenau:~$ /usr/sbin/exim -C /tmp/exim4conftest \
-bP primary_hostname
primary_hostname = blubb.com
-

