diff --git a/exim-4.33-cyrus.patch b/exim-4.33-cyrus.patch
index bcd144c..c1d8be8 100644
--- a/exim-4.33-cyrus.patch
+++ b/exim-4.33-cyrus.patch
@@ -5,9 +5,9 @@
 +# This transport is used to deliver local mail to cyrus IMAP server via UNIX
-+# socket.
++# socket. You'll need to configure the 'localuser' router above to use it.
 +#
-+#local_delivery:
++#lmtp_delivery:
 +# driver = lmtp
 +# command = "/usr/lib/cyrus-imapd/deliver -l"
 +# batch_max = 20
diff --git a/exim-4.43-pamconfig.patch b/exim-4.43-pamconfig.patch
index 0ad36e8..08d4c78 100644
--- a/exim-4.43-pamconfig.patch
+++ b/exim-4.43-pamconfig.patch
@@ -1,25 +1,40 @@ --- exim-4.43/src/configure.default.pam 2004-12-16 13:27:55.000000000 +0000 +++ exim-4.43/src/configure.default 2004-12-16 15:41:34.000000000 +0000 -@@ -238,6 +238,40 @@ +@@ -160,7 +160,7 @@ acl_smtp_data = acl_check_data - timeout_frozen_after = 7d + # Allow any client to use TLS. -+# This option, if uncommented, allows Exim to listen on ports other than -+# just the default port 25. For example, you may wish Exim to sldo listen -+# on the 'message submission' port 587 for roaming clients which cannot -+# use port 25 directly from their current location. (cf. RFC 2476). -+# -+# daemon_smtp_ports = smtp : msa -+ -+# This option instructs Exim to advertise the availability of encrypted -+# connections to all hosts, and uses the certificate which is automatically -+# generated when the RPM is installed. You can disable TLS, should you need -+# to do so, by commenting out the three lines below. -+ +-# tls_advertise_hosts = * +tls_advertise_hosts = * + + # Specify the location of the Exim server's TLS certificate and private key. + # The private key must not be encrypted (password protected). You can put +@@ -168,8 +168,8 @@ acl_smtp_data = acl_check_data + # need the first setting, or in separate files, in which case you need both + # options. + +-# tls_certificate = /etc/ssl/exim.crt +-# tls_privatekey = /etc/ssl/exim.pem +tls_certificate = /etc/pki/tls/certs/exim.pem +tls_privatekey = /etc/pki/tls/private/exim.pem -+ + + # In order to support roaming users who wish to send email from anywhere, + # you may want to make Exim listen on other ports as well as port 25, in +@@ -180,8 +180,8 @@ acl_smtp_data = acl_check_data + # them you should also allow TLS-on-connect on the traditional but + # non-standard port 465. 
+ +-# daemon_smtp_ports = 25 : 465 : 587 +-# tls_on_connect_ports = 465 ++daemon_smtp_ports = 25 : 465 : 587 ++tls_on_connect_ports = 465 + + + # Specify the domain you want to be added to all unqualified addresses +@@ -238,6 +238,24 @@ + + timeout_frozen_after = 7d + +# This setting, if uncommented, allows users to authenticate using +# their system passwords against saslauthd if they connect over a +# secure connection. If you have network logins such as NIS or @@ -41,23 +56,21 @@ ###################################################################### -@@ -657,6 +691,19 @@ - - begin authenticators +@@ -850,7 +837,7 @@ begin authenticators + # driver = plaintext + # server_set_id = $auth2 + # server_prompts = : +-# server_condition = Authentication is not yet configured ++# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}} + # server_advertise_condition = ${if def:tls_cipher } -+plain: -+ driver = plaintext -+ public_name = PLAIN -+ server_prompts = : -+ server_condition = "${if saslauthd{{$2}{$3}{smtp}} {1}}" -+ server_set_id = $2 -+ -+login: -+ driver = plaintext -+ public_name = LOGIN -+ server_prompts = "Username:: : Password::" -+ server_condition = "${if saslauthd{{$1}{$2}{smtp}} {1}}" -+ server_set_id = $1 + # LOGIN authentication has traditional prompts and responses. There is no +@@ -862,7 +849,7 @@ begin authenticators + # driver = plaintext + # server_set_id = $auth1 + # server_prompts = <| Username: | Password: +-# server_condition = Authentication is not yet configured ++# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} + # server_advertise_condition = ${if def:tls_cipher } - ###################################################################### diff --git a/exim-4.50-spamdconf.patch b/exim-4.50-spamdconf.patch index 3be0bac..36fe304 100644 --- a/exim-4.50-spamdconf.patch +++ b/exim-4.50-spamdconf.patch 
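Review bot: With `daemon_smtp_ports = 25 : 465 : 587` and `tls_on_connect_ports = 465` now uncommented, a default install listens on three ports, yet the PLAIN and LOGIN authenticators touched later in this patch remain commented out. Unless the ACLs distinguish ports, which this hunk does not show, 465 and 587 then accept mail on the same terms as port 25 rather than acting as authenticated submission ports. I would add a comment above the setting, for example `# 465 and 587 are open by default; enable an authenticator below before relying on them for submission.`, so the wider listening surface is a documented choice.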
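Review bot: The new `server_condition` examples use the numeric variables (`$2`/`$3` for PLAIN, `$1`/`$2` for LOGIN) while the adjacent `server_set_id` lines use `$auth2` and `$auth1`; keeping one naming scheme, e.g. `# server_condition = ${if saslauthd{{$auth2}{$auth3}{smtp}} {1}}`, makes the examples easier to check. Because these conditions test system account passwords through saslauthd, the commented `server_advertise_condition = ${if def:tls_cipher }` line matters: a short comment telling the admin to uncomment it together with the authenticator would keep PLAIN and LOGIN from being offered on unencrypted connections. Both authenticator blocks begin and end outside this hunk.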
@@ -1,86 +1,102 @@ --- exim-4.50/src/configure.default.orig 2005-02-22 19:49:15.000000000 +0000 +++ exim-4.50/src/configure.default 2005-02-22 19:46:55.000000000 +0000 -@@ -108,6 +108,26 @@ +@@ -108,6 +108,7 @@ + + acl_smtp_rcpt = acl_check_rcpt + acl_smtp_data = acl_check_data ++acl_smtp_mime = acl_check_mime # You should not change that setting until you understand how ACLs work. -+# The following ACL entries are used if you want to do content scanning with -+# the exiscan-acl patch. When you uncomment one of these lines, you must also -+# review the respective entries in the ACL section further below. -+ -+# acl_smtp_mime = acl_check_mime -+# acl_smtp_data = acl_check_content -+ -+# This configuration variable defines the virus scanner that is used with -+# the 'malware' ACL condition of the exiscan acl-patch. If you do not use -+# virus scanning, leave it commented. Please read doc/exiscan-acl-readme.txt -+# for a list of supported scanners. -+ -+# av_scanner = sophie:/var/run/sophie -+ -+# The following setting is only needed if you use the 'spam' ACL condition -+# of the exiscan-acl patch. It specifies on which host and port the SpamAssassin -+# "spamd" daemon is listening. If you do not use this condition, or you use -+# the default of "127.0.0.1 783", you can omit this option. +@@ -120,7 +120,7 @@ acl_smtp_mime = acl_check_mime + # of what to set for other virus scanners. The second modification is in the + # acl_check_data access control list (see below). + +-# av_scanner = clamd:/tmp/clamd ++av_scanner = clamd:/var/run/clamd.exim/clamd.sock + + + # For spam scanning, there is a similar option that defines the interface to +@@ -365,7 +365,8 @@ acl_check_rcpt: + accept local_parts = postmaster + domains = +local_domains + +- # Deny unless the sender address can be verified. ++ # Deny unless the sender address can be routed. For proper verification of the ++ # address, read the documentation on callouts and add the /callout modifier. 
+ + require verify = sender + +@@ -455,26 +456,62 @@ acl_check_rcpt: + + acl_check_data: + ++ # Put simple tests first. A good one is to check for the presence of a ++ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken ++ # or misconfigured mailer software occasionally omits this from genuine ++ # messages too, though -- although it's not hard for the offender to fix ++ # after they receive a bounce because of it. ++ # ++ # deny condition = ${if !def:h_Message-ID: {1}} ++ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ ++ # Most messages without it are spam, so your mail has been rejected. + -+# spamd_address = 127.0.0.1 783 + # Deny if the message contains a virus. Before enabling this check, you + # must install a virus scanner and set the av_scanner option above. + # + # deny malware = * + # message = This message contains a virus ($malware_name). - # Specify the domain you want to be added to all unqualified addresses - # here. An unqualified address is one that does not contain an "@" character -@@ -376,6 +396,56 @@ - deny message = relay not permitted +- # Add headers to a message if it is judged to be spam. Before enabling this, +- # you must install SpamAssassin. You may also need to set the spamd_address +- # option above. +- # +- # warn spam = nobody +- # add_header = X-Spam_score: $spam_score\n\ +- # X-Spam_score_int: $spam_score_int\n\ +- # X-Spam_bar: $spam_bar\n\ +- # X-Spam_report: $spam_report ++ # Bypass SpamAssassin checks if the message is too large. ++ # ++ # accept condition = ${if >={$message_size}{100000} {1}} ++ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size +- # Accept the message. ++ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message ++ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA ++ # score exceeds the SA system threshold. 
++ # ++ # warn spam = nobody/defer_ok ++ # add_header = X-Spam-Flag: YES ++ # ++ # accept condition = ${if !def:spam_score_int {1}} ++ # add_header = X-Spam-Note: SpamAssassin invocation failed ++ # ++ ++ # Unconditionally add score and report headers ++ # ++ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ ++ # X-Spam-Report: $spam_report ++ ++ # And reject if the SpamAssassin score is greater than ten ++ # ++ # deny condition = ${if >{$spam_score_int}{100} {1}} ++ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ ++ # $spam_report + + accept -+# These access control lists are used for content scanning with the exiscan-acl -+# patch. You must also uncomment the entries for acl_smtp_data and acl_smtp_mime -+# (scroll up), otherwise the ACLs will not be used. IMPORTANT: the default entries here -+# should be treated as EXAMPLES. You MUST read the file doc/exiscan-acl-spec.txt -+# to fully understand what you are doing ... + +acl_check_mime: + -+ # Decode MIME parts to disk. This will support virus scanners later. -+ warn decode = default -+ + # File extension filtering. + deny message = Blacklisted file extension detected + condition = ${if match \ + {${lc:$mime_filename}} \ + {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ + {1}{0}} -+ -+# # Reject messages that carry chinese character sets. -+# # WARNING: This is an EXAMPLE. -+# deny message = Sorry, noone speaks chinese here -+# condition = ${if eq{$mime_charset}{gb2312}{1}{0}} + + accept -+ -+acl_check_content: -+ -+ # Reject virus infested messages. -+ deny message = This message contains malware ($malware_name) -+ malware = * -+ -+ # Always add X-Spam-Score and X-Spam-Report headers, using SA system-wide settings -+ # (user "nobody"), no matter if over threshold or not. 
-+ warn message = X-Spam-Score: $spam_score ($spam_bar) -+ spam = nobody:true -+ warn message = X-Spam-Report: $spam_report -+ spam = nobody:true -+ -+ # Add X-Spam-Flag if spam is over system-wide threshold -+ warn message = X-Spam-Flag: YES -+ spam = nobody -+ -+ # Reject spam messages with score over 10, using an extra condition. -+ deny message = This message scored $spam_score points. Congratulations! -+ spam = nobody:true -+ condition = ${if >{$spam_score_int}{100}{1}{0}} -+ -+ # finally accept all the rest -+ accept -+ ###################################################################### # ROUTERS CONFIGURATION # diff --git a/exim-4.63-allow-filter.patch b/exim-4.63-allow-filter.patch new file mode 100644 index 0000000..8f18ae4 --- /dev/null +++ b/exim-4.63-allow-filter.patch @@ -0,0 +1,11 @@ +--- exim-4.63/src/configure.default~ 2006-09-03 15:02:28.000000000 -0700 ++++ exim-4.63/src/configure.default 2006-09-03 15:46:53.000000000 -0700 +@@ -672,7 +672,7 @@ userforward: + # local_part_suffix = +* : -* + # local_part_suffix_optional + file = $home/.forward +-# allow_filter ++ allow_filter + no_verify + no_expn + check_ancestor diff --git a/exim-4.63-localhost-is-local.patch b/exim-4.63-localhost-is-local.patch new file mode 100644 index 0000000..e58f483 --- /dev/null +++ b/exim-4.63-localhost-is-local.patch @@ -0,0 +1,11 @@ +--- exim-4.63/src/configure.default~ 2006-09-03 19:31:28.000000000 -0700 ++++ exim-4.63/src/configure.default 2006-09-03 19:37:42.000000000 -0700 +@@ -56,7 +56,7 @@ + # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They + # are all colon-separated lists: + +-domainlist local_domains = @ ++domainlist local_domains = @ : localhost : localhost.localdomain + domainlist relay_to_domains = + hostlist relay_from_hosts = 127.0.0.1 + diff --git a/exim-4.63-procmail.patch b/exim-4.63-procmail.patch new file mode 100644 index 0000000..b8c233c --- /dev/null +++ b/exim-4.63-procmail.patch 
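Review bot: The `accept` statements in the new acl_check_data example (the message-size bypass and the SpamAssassin-failure case) end the ACL when they match, so any check a site adds below them is skipped for messages of 100000 bytes or more, or whenever spamd does not answer; the example comments do not say this. A line such as `# NB: 'accept' ends this ACL -- keep the malware check and any other deny rules above this point` would make the fail-open behaviour explicit. Separately, `acl_smtp_mime = acl_check_mime` is now active, which makes the extension rule in `acl_check_mime` an enforced default; it matches the sender-supplied `$mime_filename`, so its comment should describe it as a naming policy and not a substitute for the `malware` check.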
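Review bot: Uncommenting `allow_filter` on the `userforward` router lets every local user's `.forward` be interpreted as a filter file rather than a plain redirect list, which gives users access to filter commands and string expansions, not just forwarding addresses. On hosts where mail accounts are not meant to have shell-level capabilities, the redirect router's `forbid_filter_run`, `forbid_filter_readfile`, `forbid_filter_readsocket`, `forbid_filter_perl` and `forbid_filter_dlfunc` options should be considered alongside it. A comment next to the option, e.g. `# allow_filter lets users run Exim/Sieve filters from .forward; see the forbid_filter_* options to restrict what they can do`, would record that. The router definition starts and ends outside this hunk.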
@@ -0,0 +1,32 @@ +--- exim-4.63/src/configure.default~ 2006-09-03 15:02:28.000000000 -0700 ++++ exim-4.63/src/configure.default 2006-09-03 15:46:53.000000000 -0700 +@@ -680,6 +680,12 @@ userforward: + pipe_transport = address_pipe + reply_transport = address_reply + ++procmail: ++ driver = accept ++ check_local_user ++ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail ++ transport = procmail ++ no_verify + + # This router matches local user mailboxes. If the router fails, the error + # message is "Unknown user". +@@ -717,6 +723,16 @@ begin transports + remote_smtp: + driver = smtp + ++# This transport invokes procmail to deliver mail ++procmail: ++ driver = pipe ++ command = "/usr/bin/procmail -d $local_part" ++ return_path_add ++ delivery_date_add ++ envelope_to_add ++ user = $local_part ++ initgroups ++ return_output + + # This transport is used for local delivery to user mailboxes in traditional + # BSD mailbox format. By default it will be run under the uid and gid of the diff --git a/exim.spec b/exim.spec index 3e060be..ffb54a6 100644 --- a/exim.spec +++ b/exim.spec @@ -1,11 +1,18 @@ # SA-Exim has long since been obsoleted by the proper built-in ACL support # from exiscan. Disable it for FC6 unless people scream. -# %define buildsa 1 +%if 0%{?fedora} < 6 +%define buildsa 1 +%endif + +# Build clamav subpackage for FC5 and above. +%if 0%{?fedora} >= 5 +%define buildclam 1 +%endif Summary: The exim mail transfer agent Name: exim Version: 4.63 -Release: 1%{?dist} +Release: 2%{?dist} License: GPL Url: http://www.exim.org/ Group: System Environment/Daemons 
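Review bot: In the new `procmail:` transport, `return_output` makes anything procmail or a user's recipe writes to its output part of a bounce sent to the envelope sender, and treats the delivery as failed even when the command exits successfully; that can expose local paths and recipe details to outside senders. `return_fail_output` would return the output only when the command actually fails. It is also worth a comment on the router noting that `$local_part` in `command` and `user` is acceptable only because `check_local_user` has already matched it against a local account, e.g. `# check_local_user ensures $local_part names a real account before it reaches the transport`.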
@@ -15,6 +22,9 @@ Provides: /usr/sbin/sendmail /usr/bin/mailq /usr/bin/rmail Requires(post): /sbin/chkconfig /sbin/service %{_sbindir}/alternatives Requires(preun): /sbin/chkconfig /sbin/service %{_sbindir}/alternatives Requires(pre): %{_sbindir}/groupadd, %{_sbindir}/useradd +%if 0%{?buildclam} +BuildRequires: clamav-devel +%endif Source: ftp://ftp.exim.org/pub/exim/exim4/exim-%{version}.tar.bz2 Source2: exim.init Source3: exim.sysconfig @@ -32,6 +42,9 @@ Patch14: exim-4.50-spamdconf.patch Patch15: exim-4.52-dynamic-pcre.patch Patch17: exim-4.61-ldap-deprecated.patch Patch18: exim-4.62-dlopen-localscan.patch +Patch19: exim-4.63-procmail.patch +Patch20: exim-4.63-allow-filter.patch +Patch21: exim-4.63-localhost-is-local.patch Requires: /etc/aliases BuildRequires: db4-devel openssl-devel openldap-devel pam-devel @@ -70,6 +83,31 @@ Requires: exim = %{version}-%{release} Allows running of SA on incoming mail and rejection at SMTP time as well as other nasty things like teergrubing. +%package clamav +Summary: Clam Antivirus scanner dæmon configuration for use with Exim +Group: System Environment/Daemons +Requires: clamav-server +Obsoletes: clamav-exim <= 0.86.2 +Requires(post): /sbin/chkconfig /sbin/service +Requires(preun): /sbin/chkconfig /sbin/service + +%description clamav +This package contains configuration files which invoke a copy of the +clamav dæmon for use with Exim. It can be activated by adding (or +uncommenting) + + av_scanner = clamd:%{_var}/run/clamd.exim/clamd.sock + +in your exim.conf, and using the 'malware' condition in the DATA ACL, +as follows: + + deny message = This message contains malware ($malware_name) + malware = * + +For further details of Exim content scanning, see chapter 40 of the Exim +specification: +http://www.exim.org/exim-html-4.62/doc/html/spec_html/ch40.html#SECTscanvirus + %prep %setup -q %if 0%{?buildsa} 
@@ -87,6 +125,9 @@ cp exim_monitor/EDITME Local/eximon.conf %patch15 -p1 -b .pcre %patch17 -p1 -b .ldap %patch18 -p1 -b .dl +%patch19 -p1 -b .procmail +%patch20 -p1 -b .filter +%patch21 -p1 -b .localhost %build %ifnarch s390 s390x @@ -159,8 +200,8 @@ pod2man --center=EXIM --section=8 \ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig install -m 644 %SOURCE3 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/exim -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d -install %SOURCE2 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/exim +mkdir -p $RPM_BUILD_ROOT%{_initrddir} +install %SOURCE2 $RPM_BUILD_ROOT%{_initrddir}/exim mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d install -m 0644 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/exim 
@@ -179,12 +220,41 @@ mkdir -p $RPM_BUILD_ROOT/etc/pki/tls/{certs,private} touch $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem chmod 600 $RPM_BUILD_ROOT/etc/pki/tls/{certs,private}/exim.pem +%if 0%{?buildclam} +# Munge the clamav init and config files from clamav-devel. This really ought +# to be a subpackage of clamav, but this hack will have to do for now. +function clamsubst() { + sed -e "s!!$3!g;s!!$4!g;""$5" %{_datadir}/clamav/template/"$1" >"$RPM_BUILD_ROOT$2" +} + +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/clamd.d +clamsubst clamd.conf %{_sysconfdir}/clamd.d/exim.conf exim exim \ + 's!^##*\(\(LogFile\|LocalSocket\|PidFile\|User\)\s\|\(StreamSaveToDisk\|ScanMail\|LogTime\|ScanArchive\)$\)!\1!;s!^Example!#Example!;' + +clamsubst clamd.init %{_initrddir}/clamd.exim exim exim '' +clamsubst clamd.logrotate %{_sysconfdir}/logrotate.d/clamd.exim exim exim '' +cat < $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/clamd.exim +CLAMD_CONFIG='%_sysconfdir/clamd.d/exim.conf' +CLAMD_SOCKET=%{_var}/run/clamd.exim/clamd.sock +EOF +ln -sf clamd $RPM_BUILD_ROOT/usr/sbin/clamd.exim + +mkdir -p $RPM_BUILD_ROOT%{_var}/run/clamd.exim +%endif + %clean rm -rf $RPM_BUILD_ROOT %pre %{_sbindir}/useradd -d %{_var}/spool/exim -s /sbin/nologin -G mail -M -r -u 93 exim 2>/dev/null +# Copy TLS certs from old location to new -- don't move them, because the +# config file may be modified and may be pointing to the old location. +if [ ! -f /etc/pki/tls/certs/exim.pem -a -f %{_datadir}/ssl/certs/exim.pem ] ; then + cp %{_datadir}/ssl/certs/exim.pem /etc/pki/tls/certs/exim.pem + cp %{_datadir}/ssl/private/exim.pem /etc/pki/tls/private/exim.pem +fi + exit 0 %post 
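Review bot: The added `%pre` block copies the private key with plain `cp`, which does not carry over the old file's owner and group, so the new `/etc/pki/tls/private/exim.pem` ends up owned by whoever runs the scriptlet; if the old key belonged to the exim user, Exim may no longer be able to read it, and the trailing `exit 0` hides any copy failure. `cp -p` on both lines would keep owner, group and mode. The guard also tests only the old certificate, so a missing old key leaves a certificate without its key; extending it with `-a -f %{_datadir}/ssl/private/exim.pem` would cover that case.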
@@ -301,7 +371,35 @@ fi %doc sa-exim*/{ACKNOWLEDGEMENTS,INSTALL,LICENSE,TODO} %endif +%if 0%{?buildclam} +%post clamav +/sbin/chkconfig --add clamd.exim + +%preun clamav +test "$1" != 0 || %{_initrddir}/clamd.exim stop &>/dev/null || : +test "$1" != 0 || /sbin/chkconfig --del clamd.exim + +%postun clamav +test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null || : + +%files clamav +%defattr(0644,root,root,-) +%attr(0755,root,root)%{_sbindir}/clamd.exim +%config %{_initrddir}/clamd.exim +%config(noreplace) %verify(not mtime) %{_sysconfdir}/clamd.d/exim.conf +%config(noreplace) %verify(not mtime) %{_sysconfdir}/sysconfig/clamd.exim +%config(noreplace) %verify(not mtime) %{_sysconfdir}/logrotate.d/clamd.exim +%attr(0750,exim,exim) %dir %{_var}/run/clamd.exim +%endif + %changelog +* Sun Sep 3 2006 David Woodhouse - 4.63-2 +- Add procmail router and transport (#146848) +- Add localhost and localhost.localdomain as local domains (#198511) +- Fix mispatched authenticators (#204591) +- Other cleanups of config file and extra examples +- Add exim-clamav subpackage + * Sat Aug 26 2006 David Woodhouse - 4.63-1 - Update to 4.63 - Disable sa-exim, but leave the dlopen patch in diff --git a/needs.rebuild b/needs.rebuild deleted file mode 100644 index 815fd29..0000000 --- a/needs.rebuild +++ /dev/null @@ -1 +0,0 @@ -http://fedoraproject.org/wiki/Extras/Schedule/FC6MassRebuild
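Review bot: The socket directory is packaged as `%attr(0750,exim,exim)`, and the `clamsubst` calls in the `%install` hunk pass `exim` for what appears to be the daemon's user, so the scanner that parses untrusted attachments seems to run under the same account as the MTA. A fault in the scanner would then have the same reach as the exim user, including the mail spool. clamd presumably needs read access to Exim's scan directory, which may be why the account is shared; if so, a comment in the spec next to the `clamsubst clamd.conf` call, such as `# clamd runs as exim so it can read the spool scan directory`, would record that this is deliberate, and a dedicated account with group access is worth considering.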