Re: [exim-dev] Administrivia: this should be munged

2017-02-05 Thread Phil Pennock via Exim-dev
On 2017-02-05 at 14:43 +, Phil Pennock wrote: > Mailman on @exim.org should now be DMARC-munging, including for p=none > domains where failure to munge is a privacy breach. You know, that would have been a better test if I hadn't used my @exim.org address for the send. Hopefully the last

Re: [exim-dev] DNSSEC / log spam

2018-06-29 Thread Phil Pennock via Exim-dev
On 2018-06-29 at 20:16 -0500, Larry Rosenman via Exim-dev wrote: > Greetings, > I have my DNS Zone DNSSEC enabled, but some of my dynamic > sub-domains are NOT DNSSEC due to HE.net not supporting DNSSEC yet. > can we suppress/change exim to not spam the logs with: > > Jun 29 20:12:53

Re: [exim-dev] DNSSEC / log spam

2018-06-30 Thread Phil Pennock via Exim-dev
On 2018-06-30 at 00:01 -0400, Viktor Dukhovni via Exim-dev wrote: > So there is a potential solution, if you're > willing to change how manage _res.options. No. Messing with _res was always dangerous and since NetBSD went and made incompatible changes, life became hell.

[exim-dev] OpenSSL revamp work (WIP, nowhere near ready)

2018-06-30 Thread Phil Pennock via Exim-dev
Nowhere near complete yet, but: https://git.exim.org/users/pdp/exim.git/shortlog/refs/heads/openssl_revamp git://git.exim.org/users/pdp/exim.git branch openssl_revamp What's there so far is a WIP commit showing how I think things should look from a parsing PoV and how the settings are

Re: [exim-dev] [Bug 2235] New: CVE-2018-6789

2018-02-12 Thread Phil Pennock via Exim-dev
On 2018-02-09 at 15:32 +, Vsevolod Stakhov via Exim-dev wrote: > It seems that FreeBSD is no longer considered in CVE early disclosure, > isn't it? There has been no change from Exim's side in how this was communicated. We have an exim-maintainers mailing-list which has vetted people from any

[exim-dev] Bugzilla maintenance (security upgrade); old mail sent

2018-02-16 Thread Phil Pennock via Exim-dev
Bugzilla had a security release today; I have upgraded bugs.exim.org to 4.4.13. Part of the pre-flight checklist involved running a sanity check, which found two bugs with unsent mail. I sent those mails out. This sent out messages dated 2017-03-07 for bugs 1294 and 1998. Sorry; if I'd known

[exim-dev] UTF-8 and Exim string operations

2018-08-16 Thread Phil Pennock via Exim-dev
Anyone have strong feelings on how Exim should handle UTF-8 with operators such as ${length_1:STR} ? Document that the current operators work on bytes and add ulength_1 for being UTF-8 aware? Look at the top-bit being set and assume UTF-8, or will that break too much with all the places which

Re: [exim-dev] UTF-8 and Exim string operations

2018-08-17 Thread Phil Pennock via Exim-dev
On 2018-08-17 at 10:36 -, Jasen Betts via Exim-dev wrote: > > and add ulength_1 for being UTF-8 aware? > > Would also need utf8-aware also substr and strlen. Yes, I was using length as an exemplar, not as an exhaustive list. :) I favored ulength too, but didn't want to just add a slew of

[exim-dev] build-farm / macOS

2018-08-17 Thread Phil Pennock via Exim-dev
For awareness, I've applied on behalf of Exim to to get a free VM to be used as a build animal. If we're approved, we'll get rote paperwork every six months to confirm that we're actually still using it. I'd like to get macOS/Darwin builds back on the

[exim-dev] GnuTLS 3.6.3 / TLS 1.3

2018-07-17 Thread Phil Pennock via Exim-dev
FWIW, if anyone is working on the GnuTLS integration these days: } From: Nikos Mavrogiannopoulos } Subject: gnutls 3.6.3 } } Hello, } I've just released gnutls 3.6.3. This is the first release which adds } full support of TLS1.3 (draft28), and several other features on the } 3.6.x branch. } } *

[exim-dev] exim mail outage

2018-07-19 Thread Phil Pennock via Exim-dev
Folks, I seriously messed up and didn't test enough scenarios when making a change to Exim configs for exim.org on Tuesday. I then spent yesterday heads-down on work and didn't see Jeremy's report to me. I broke things such that sender verification failed for almost everybody. Sorry. I've

Re: [exim-dev] [Bug 2266] TLS SNI should default set

2018-04-20 Thread Phil Pennock via Exim-dev
On 2018-04-20 at 19:16 -0400, Viktor Dukhovni via Exim-dev wrote: > In Postfix we have a notion that is the "next-hop" domain, > which is normally the envelope recipient domain, but when > a smarthost (or domain whose MX records are used for routing) > is specified, then the next-hop domain is the

Re: [exim-dev] [Bug 2266] TLS SNI should default set

2018-04-20 Thread Phil Pennock via Exim-dev
On 2018-04-20 at 20:09 -0400, Viktor Dukhovni via Exim-dev wrote: > Question about this "$host". Are smarthost settings ever subject to > MX lookups, so that the actual remote SMTP server is one of the MX > hosts of the smarthost domain? Not with the format specified in the example

Re: [exim-dev] TLS 1.3 *does not* mandate SNI.

2018-04-17 Thread Phil Pennock via Exim-dev
On 2018-04-17 at 18:20 -0400, Viktor Dukhovni via Exim-dev wrote: > The mandatory to implement language in the TLS 1.3 spec does not mean > "mandatory to use", in particular, while servers must tolerate the > extension, clients are not obligated to send it: > >

[exim-dev] Preliminary dane_require_tls_ciphers support

2018-03-28 Thread Phil Pennock via Exim-dev
I've written support for a new SMTP Transport option dane_require_tls_ciphers which is like tls_require_ciphers but is used in _preference_ to tls_require_ciphers when DANE enabled. This seemed much saner than requiring lots of conditional logic, especially since we already ignore most of the TLS

Re: [exim-dev] Preliminary dane_require_tls_ciphers support

2018-03-29 Thread Phil Pennock via Exim-dev
On 2018-03-29 at 10:33 +0100, Jeremy Harris via Exim-dev wrote: > I'm unsure about the philosophy of the interface; having one option > override another. You mentioned "complex expansions" before in the > discussion but without detail. I assume that's the same consideration > as "lots of

Re: [exim-dev] Exim 4.91 RC1

2018-03-18 Thread Phil Pennock via Exim-dev
On 2018-03-18 at 00:47 -0400, Viktor Dukhovni via Exim-dev wrote: > You may find the notes for the below commits to OpenSSL 1.1.0 and upcoming > 1.1.1 useful for building alternate versions of OpenSSL "on the side": > >

Re: [exim-dev] Exim 4.91 RC1

2018-03-17 Thread Phil Pennock via Exim-dev
On 2018-03-17 at 15:00 +, Jeremy Harris via Exim-dev wrote: > > Enabling DMARC without enabling > >SPF led to a build failure almost at the very end. > > Compile-time or link-time failure? Do you think we need > a specific check early in the build? I think it was compile-time, but am

Re: [exim-dev] Exim 4.91 RC1

2018-03-16 Thread Phil Pennock via Exim-dev
On 2018-03-15 at 21:31 +, Jeremy Harris via Exim-dev wrote: > I have built and uploaded Exim 4.91 RC1 to: > > https://ftp.exim.org/pub/exim/exim4/test/ Building for `next-exim` on the exim.org box, the port-26 listener: * `EXPERIMENTAL_ARC` is not given with `=yes` in `src/EDITME`,

Re: [exim-dev] "25 lost" is giving me useful clues

2018-09-03 Thread Phil Pennock via Exim-dev
On 2018-08-30 at 12:27 +0200, Mark Elkins via Exim-dev wrote: > What this is telling me is someone at 157.0.116.189 is making > connections to my mail server - presumably to see if they can detect the > accounts of users on my machine? This really belongs on exim-users, not exim-dev (bcc'd)

Re: [exim-dev] buildfarm client proposal: tests configure support

2018-09-21 Thread Phil Pennock via Exim-dev
On 2018-09-21 at 00:15 +0200, Heiko Schlittermann via Exim-dev wrote: > Heiko Schlittermann via Exim-dev (Mi 19 Sep 2018 11:46:52 > CEST): > > I'll do so this evening (roughly UTC). > Almost …. > > I made the changes, pushed it and pulled it into macstadiums > /opt/buildfarm/home/code and

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-21 Thread Phil Pennock via Exim-dev
On 2018-12-20 at 20:50 +, Jeremy Harris via Exim-dev wrote: > The wording "should be" could be relaxed slightly, maybe, since it isn't > required by Exim's parsing. "It is simplest to", perhaps? Didn't we used to require it? I forget. Feel free to update it. > I see you quietly removed

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-16 Thread Phil Pennock via Exim-dev
On 2018-12-16 at 10:42 +, Jeremy Harris via Exim-dev wrote: > On 16/12/2018 10:20, Andreas Metzler via Exim-dev wrote: > > 4.92rc1 adds this to the smarthost_smtp transport: > > > > tls_sni = $host > > > > I do not think that always works as expected. Depending on the DNS setup > > (CNAME,

[exim-dev] Exim website: logos for testers

2018-09-14 Thread Phil Pennock via Exim-dev
Folks, I'm setting up macOS buildfarm stuff for Exim using hosting provided for free by MacStadium. They ask that their logo be on our web landing-page, which seems eminently fair and "normal practice" to me. But at present, there are no such logos. The fix is to say: if you are providing a

[exim-dev] buildfarm client proposal: tests configure support

2018-09-14 Thread Phil Pennock via Exim-dev
I've made the buildfarm repos visible† on git.exim.org since there's nothing secret in them and we point folks to them on public wiki pages, and all the repos can be cloned without authentication. I've pushed to buildfarm-client.git a new branch `test_configure_tuning` with one additional commit:

Re: [exim-dev] buildfarm client proposal: tests configure support

2018-09-18 Thread Phil Pennock via Exim-dev
On 2018-09-16 at 12:49 +0100, Jeremy Harris via Exim-dev wrote: > The code addition looks reasonable on the surface. Go ahead and > push it to master. I'm going to let Heiko make his suggested improvements. > I'm not going to spend time trying to duplicate your work... > once you're up and

Re: [exim-dev] tls_sni = $host in default configuration file

2018-12-18 Thread Phil Pennock via Exim-dev
On 2018-12-17 at 18:44 -, Jasen Betts via Exim-dev wrote: > What does DANE say we should ask for? I remember it being non-obvious but > easily explained. However I don't however remember the detail. RFC 7672 section 2.2.2. If DNSSEC is available for every step along the way, for all CNAMEs in