diff --git a/exim-4.87-localhost-is-local.patch b/exim-4.87-localhost-is-local.patch
deleted file mode 100644
index 5810698..0000000
--- a/exim-4.87-localhost-is-local.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index d1ce2f1..1f10008 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -55,7 +55,7 @@
- # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
- # are all colon-separated lists:
-
--domainlist local_domains = @
-+domainlist local_domains = @ : localhost : localhost.localdomain
- domainlist relay_to_domains =
- hostlist relay_from_hosts = localhost
- # (We rely upon hostname resolution working for localhost, because the default
diff --git a/exim-4.90.1-environment.patch b/exim-4.90.1-environment.patch
deleted file mode 100644
index aae43f6..0000000
--- a/exim-4.90.1-environment.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index b955c6e..590c664 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -360,8 +360,8 @@ timeout_frozen_after = 7d
- # Note that TZ is handled separately by the timezone runtime option
- # and TIMEZONE_DEFAULT buildtime option.
-
--# keep_environment = ^LDAP
--# add_environment = PATH=/usr/bin::/bin
-+keep_environment = ^LDAP
-+add_environment = PATH=/usr/bin::/bin
-
-
-
diff --git a/exim-4.91-allow-filter.patch b/exim-4.91-allow-filter.patch
deleted file mode 100644
index 127da02..0000000
--- a/exim-4.91-allow-filter.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 7d26076..ce3b3b0 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -733,7 +733,7 @@ userforward:
- # local_part_suffix = +* : -*
- # local_part_suffix_optional
- file = $home/.forward
--# allow_filter
-+ allow_filter
- no_verify
- no_expn
- check_ancestor
diff --git a/exim-4.91-config.patch b/exim-4.91-config.patch
deleted file mode 100644
index bd770f5..0000000
--- a/exim-4.91-config.patch
+++ /dev/null
@@ -1,299 +0,0 @@
-diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile
-index 7e0bf38..c97ccec 100755
---- a/scripts/Configure-Makefile
-+++ b/scripts/Configure-Makefile
-@@ -297,7 +297,7 @@ if [ "${EXIM_PERL}" != "" ] ; then
-
- mv $mft $mftt
- echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft
-- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft
-+ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft
- echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft
- echo "" >>$mft
- cat $mftt >> $mft
-diff --git a/src/EDITME b/src/EDITME
-index bd5151d..4cd3b4d 100644
---- a/src/EDITME
-+++ b/src/EDITME
-@@ -98,7 +98,7 @@
- # /usr/local/sbin. The installation script will try to create this directory,
- # and any superior directories, if they do not exist.
-
--BIN_DIRECTORY=/usr/exim/bin
-+BIN_DIRECTORY=/usr/sbin
-
-
- #------------------------------------------------------------------------------
-@@ -114,7 +114,7 @@ BIN_DIRECTORY=/usr/exim/bin
- # don't exist. It will also install a default runtime configuration if this
- # file does not exist.
-
--CONFIGURE_FILE=/usr/exim/configure
-+CONFIGURE_FILE=/etc/exim/exim.conf
-
- # It is possible to specify a colon-separated list of files for CONFIGURE_FILE.
- # In this case, Exim will use the first of them that exists when it is run.
-@@ -131,7 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure
- # deliveries. (Local deliveries run as various non-root users, typically as the
- # owner of a local mailbox.) Specifying these values as root is not supported.
-
--EXIM_USER=
-+EXIM_USER=93
-
- # If you specify EXIM_USER as a name, this is looked up at build time, and the
- # uid number is built into the binary. However, you can specify that this
-@@ -152,7 +152,7 @@ EXIM_USER=
- # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless
- # you want to use a group other than the default group for the given user.
-
--# EXIM_GROUP=
-+EXIM_GROUP=93
-
- # Many sites define a user called "exim", with an appropriate default group,
- # and use
-@@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes
- # This one is special-purpose, and commonly not required, so it is not
- # included by default.
-
--# TRANSPORT_LMTP=yes
-+TRANSPORT_LMTP=yes
-
-
- #------------------------------------------------------------------------------
-@@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes
- # MBX, is included only when requested. If you do not know what this is about,
- # leave these settings commented out.
-
--# SUPPORT_MAILDIR=yes
--# SUPPORT_MAILSTORE=yes
--# SUPPORT_MBX=yes
-+SUPPORT_MAILDIR=yes
-+SUPPORT_MAILSTORE=yes
-+SUPPORT_MBX=yes
-
-
- #------------------------------------------------------------------------------
-@@ -306,20 +306,22 @@ LOOKUP_DBM=yes
- LOOKUP_LSEARCH=yes
- LOOKUP_DNSDB=yes
-
--# LOOKUP_CDB=yes
--# LOOKUP_DSEARCH=yes
-+LOOKUP_CDB=yes
-+LOOKUP_DSEARCH=yes
- # LOOKUP_IBASE=yes
--# LOOKUP_LDAP=yes
--# LOOKUP_MYSQL=yes
--# LOOKUP_MYSQL_PC=mariadb
--# LOOKUP_NIS=yes
--# LOOKUP_NISPLUS=yes
-+LOOKUP_LDAP=yes
-+LDAP_LIB_TYPE=OPENLDAP2
-+LOOKUP_LIBS=-lldap -llber -lsqlite3
-+LOOKUP_MYSQL=2
-+LOOKUP_MYSQL_PC=mariadb
-+LOOKUP_NIS=yes
-+LOOKUP_NISPLUS=yes
- # LOOKUP_ORACLE=yes
--# LOOKUP_PASSWD=yes
--# LOOKUP_PGSQL=yes
-+LOOKUP_PASSWD=yes
-+LOOKUP_PGSQL=2
-+LOOKUP_PGSQL_LIBS=-lpq
- # LOOKUP_REDIS=yes
--# LOOKUP_SQLITE=yes
--# LOOKUP_SQLITE_PC=sqlite3
-+LOOKUP_SQLITE=yes
- # LOOKUP_WHOSON=yes
-
- # These two settings are obsolete; all three lookups are compiled when
-@@ -402,7 +404,7 @@ EXIM_MONITOR=eximon.bin
- # and the MIME ACL. Please read the documentation to learn more about these
- # features.
-
--# WITH_CONTENT_SCAN=yes
-+WITH_CONTENT_SCAN=yes
-
- # If you have content scanning you may wish to only include some of the scanner
- # interfaces. Uncomment any of these lines to remove that code.
-@@ -590,7 +592,7 @@ FIXED_NEVER_USERS=root
- # CONFIGURE_OWNER setting, to specify a configuration file which is listed in
- # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim.
-
--# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs
-+TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs
-
-
- #------------------------------------------------------------------------------
-@@ -635,17 +637,14 @@ FIXED_NEVER_USERS=root
- # included in the Exim binary. You will then need to set up the run time
- # configuration to make use of the mechanism(s) selected.
-
--# AUTH_CRAM_MD5=yes
--# AUTH_CYRUS_SASL=yes
--# AUTH_DOVECOT=yes
--# AUTH_GSASL=yes
--# AUTH_GSASL_PC=libgsasl
--# AUTH_HEIMDAL_GSSAPI=yes
--# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
--# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
--# AUTH_PLAINTEXT=yes
--# AUTH_SPA=yes
--# AUTH_TLS=yes
-+AUTH_CRAM_MD5=yes
-+AUTH_CYRUS_SASL=yes
-+AUTH_DOVECOT=yes
-+AUTH_GSASL=yes
-+AUTH_GSASL_PC=libgsasl
-+AUTH_PLAINTEXT=yes
-+AUTH_SPA=yes
-+AUTH_TLS=yes
-
- # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1
- # requires multiple pkg-config files to work with Exim, so the second example
-@@ -669,7 +668,7 @@ FIXED_NEVER_USERS=root
- # one that is set in the headers_charset option. The default setting is
- # defined by this setting:
-
--HEADERS_CHARSET="ISO-8859-1"
-+HEADERS_CHARSET="UTF-8"
-
- # If you are going to make use of $header_xxx expansions in your configuration
- # file, or if your users are going to use them in filter files, and the normal
-@@ -689,7 +688,7 @@ HEADERS_CHARSET="ISO-8859-1"
- # the Sieve filter support. For those OS where iconv() is known to be installed
- # as standard, the file in OS/Makefile-xxxx contains
- #
--# HAVE_ICONV=yes
-+HAVE_ICONV=yes
- #
- # If you are not using one of those systems, but have installed iconv(), you
- # need to uncomment that line above. In some cases, you may find that iconv()
-@@ -758,11 +757,11 @@ HEADERS_CHARSET="ISO-8859-1"
- # leave these settings commented out.
-
- # This setting is required for any TLS support (either OpenSSL or GnuTLS)
--# SUPPORT_TLS=yes
-+SUPPORT_TLS=yes
-
- # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
--# USE_OPENSSL_PC=openssl
--# TLS_LIBS=-lssl -lcrypto
-+TLS_INCLUDE=-I/usr/kerberos/include
-+TLS_LIBS=-lssl -lcrypto
-
- # Uncomment the first and either the second or the third of these if you
- # are using GnuTLS. If you have pkg-config, then the second, else the third.
-@@ -834,7 +833,7 @@ HEADERS_CHARSET="ISO-8859-1"
- # Once you have done this, "make install" will build the info files and
- # install them in the directory you have defined.
-
--# INFO_DIRECTORY=/usr/share/info
-+INFO_DIRECTORY=/usr/share/info
-
-
- #------------------------------------------------------------------------------
-@@ -847,7 +846,7 @@ HEADERS_CHARSET="ISO-8859-1"
- # %s. This will be replaced by one of the strings "main", "panic", or "reject"
- # to form the final file names. Some installations may want something like this:
-
--# LOG_FILE_PATH=/var/log/exim_%slog
-+LOG_FILE_PATH=/var/log/exim/%s.log
-
- # which results in files with names /var/log/exim_mainlog, etc. The directory
- # in which the log files are placed must exist; Exim does not try to create
-@@ -919,7 +918,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded
- # Perl costs quite a lot of resources. Only do this if you really need it.
-
--# EXIM_PERL=perl.o
-+EXIM_PERL=perl.o
-
-
- #------------------------------------------------------------------------------
-@@ -929,7 +928,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # that the local_scan API is made available by the linker. You may also need
- # to add -ldl to EXTRALIBS so that dlopen() is available to Exim.
-
--# EXPAND_DLFUNC=yes
-+EXPAND_DLFUNC=yes
-
-
- #------------------------------------------------------------------------------
-@@ -939,7 +938,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # support, which is intended for use in conjunction with the SMTP AUTH
- # facilities, is included only when requested by the following setting:
-
--# SUPPORT_PAM=yes
-+SUPPORT_PAM=yes
-
- # You probably need to add -lpam to EXTRALIBS, and in some releases of
- # GNU/Linux -ldl is also needed.
-@@ -1047,7 +1046,7 @@ ZCAT_COMMAND=/usr/bin/zcat
- # group. Once you have installed saslauthd, you should arrange for it to be
- # started by root at boot time.
-
--# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
-+CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux
-
-
- #------------------------------------------------------------------------------
-@@ -1061,8 +1060,8 @@ ZCAT_COMMAND=/usr/bin/zcat
- # library for TCP wrappers, so you probably need something like this:
- #
- # USE_TCP_WRAPPERS=yes
--# CFLAGS=-O -I/usr/local/include
--# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap
-+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)
-+EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic
- #
- # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM
- # as well.
-@@ -1114,7 +1113,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
- # is "yes", as well as supporting line editing, a history of input lines in the
- # current run is maintained.
-
--# USE_READLINE=yes
-+USE_READLINE=yes
-
- # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes.
- # Note that this option adds to the size of the Exim binary, because the
-@@ -1131,7 +1130,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases
- #------------------------------------------------------------------------------
- # Uncomment this setting to include IPv6 support.
-
--# HAVE_IPV6=yes
-+HAVE_IPV6=yes
-
- ###############################################################################
- # THINGS YOU ALMOST NEVER NEED TO MENTION #
-@@ -1152,13 +1151,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases
- # haven't got Perl, Exim will still build and run; you just won't be able to
- # use those utilities.
-
--# CHOWN_COMMAND=/usr/bin/chown
--# CHGRP_COMMAND=/usr/bin/chgrp
--# CHMOD_COMMAND=/usr/bin/chmod
--# MV_COMMAND=/bin/mv
--# RM_COMMAND=/bin/rm
--# TOUCH_COMMAND=/usr/bin/touch
--# PERL_COMMAND=/usr/bin/perl
-+CHOWN_COMMAND=/usr/bin/chown
-+CHGRP_COMMAND=/usr/bin/chgrp
-+CHMOD_COMMAND=/usr/bin/chmod
-+MV_COMMAND=/usr/bin/mv
-+RM_COMMAND=/usr/bin/rm
-+TOUCH_COMMAND=/usr/bin/touch
-+PERL_COMMAND=/usr/bin/perl
-
-
- #------------------------------------------------------------------------------
-@@ -1360,7 +1359,7 @@ EXIM_TMPDIR="/tmp"
- # (process id) to a file so that it can easily be identified. The path of the
- # file can be specified here. Some installations may want something like this:
-
--# PID_FILE_PATH=/var/lock/exim.pid
-+PID_FILE_PATH=/var/run/exim.pid
-
- # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory
- # using the name "exim-daemon.pid".
diff --git a/exim-4.91-cyrus.patch b/exim-4.91-cyrus.patch
deleted file mode 100644
index 1782180..0000000
--- a/exim-4.91-cyrus.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 78e44d2..ae50b15 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -774,6 +774,16 @@ address_reply:
- driver = autoreply
-
-
-+# This transport is used to deliver local mail to cyrus IMAP server via UNIX
-+# socket. You'll need to configure the 'localuser' router above to use it.
-+#
-+#lmtp_delivery:
-+# home_directory = /var/spool/imap
-+# driver = lmtp
-+# command = "/usr/lib/cyrus-imapd/deliver -l"
-+# batch_max = 20
-+# user = cyrus
-+
-
- ######################################################################
- # RETRY CONFIGURATION #
diff --git a/exim-4.91-dlopen-localscan.patch b/exim-4.91-dlopen-localscan.patch
deleted file mode 100644
index c8db483..0000000
--- a/exim-4.91-dlopen-localscan.patch
+++ /dev/null
@@ -1,266 +0,0 @@
-diff --git a/src/EDITME b/src/EDITME
-index 4cd3b4d..1b79e71 100644
---- a/src/EDITME
-+++ b/src/EDITME
-@@ -817,6 +817,20 @@ TLS_LIBS=-lssl -lcrypto
- # specified in INCLUDE.
-
-
-+#------------------------------------------------------------------------------
-+# On systems which support dynamic loading of shared libraries, Exim can
-+# load a local_scan function specified in its config file instead of having
-+# to be recompiled with the desired local_scan function. For a full
-+# description of the API to this function, see the Exim specification.
-+
-+DLOPEN_LOCAL_SCAN=yes
-+
-+# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the
-+# linker flags. Without it, the loaded .so won't be able to access any
-+# functions from exim.
-+
-+LFLAGS=-rdynamic -ldl -pie
-+
- #------------------------------------------------------------------------------
- # The default distribution of Exim contains only the plain text form of the
- # documentation. Other forms are available separately. If you want to install
-diff --git a/src/config.h.defaults b/src/config.h.defaults
-index ce478d5..6ce0d45 100644
---- a/src/config.h.defaults
-+++ b/src/config.h.defaults
-@@ -32,6 +32,8 @@ Do not put spaces between # and the 'define'.
-
- #define AUTH_VARS 3
-
-+#define DLOPEN_LOCAL_SCAN
-+
- #define BIN_DIRECTORY
-
- #define CONFIGURE_FILE
-diff --git a/src/globals.c b/src/globals.c
-index 7d18b38..438c993 100644
---- a/src/globals.c
-+++ b/src/globals.c
-@@ -167,6 +167,10 @@ uschar *tls_verify_hosts = NULL;
- uschar *tls_advertise_hosts = NULL;
- #endif
-
-+#ifdef DLOPEN_LOCAL_SCAN
-+uschar *local_scan_path = NULL;
-+#endif
-+
- #ifndef DISABLE_PRDR
- /* Per Recipient Data Response variables */
- BOOL prdr_enable = FALSE;
-diff --git a/src/globals.h b/src/globals.h
-index da1230b..b9f0155 100644
---- a/src/globals.h
-+++ b/src/globals.h
-@@ -126,6 +126,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
- extern uschar *tls_verify_certificates;/* Path for certificates to check */
- extern uschar *tls_verify_hosts; /* Mandatory client verification */
- #endif
-+
-+#ifdef DLOPEN_LOCAL_SCAN
-+extern uschar *local_scan_path; /* Path to local_scan() library */
-+#endif
-+
- extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
-
- extern uschar *dsn_envid; /* DSN envid string */
-diff --git a/src/local_scan.c b/src/local_scan.c
-index 3500047..8599172 100644
---- a/src/local_scan.c
-+++ b/src/local_scan.c
-@@ -5,60 +5,131 @@
- /* Copyright (c) University of Cambridge 1995 - 2009 */
- /* See the file NOTICE for conditions of use and distribution. */
-
-+#include "exim.h"
-
--/******************************************************************************
--This file contains a template local_scan() function that just returns ACCEPT.
--If you want to implement your own version, you should copy this file to, say
--Local/local_scan.c, and edit the copy. To use your version instead of the
--default, you must set
--
--LOCAL_SCAN_SOURCE=Local/local_scan.c
--
--in your Local/Makefile. This makes it easy to copy your version for use with
--subsequent Exim releases.
--
--For a full description of the API to this function, see the Exim specification.
--******************************************************************************/
--
--
--/* This is the only Exim header that you should include. The effect of
--including any other Exim header is not defined, and may change from release to
--release. Use only the documented interface! */
--
--#include "local_scan.h"
--
--
--/* This is a "do-nothing" version of a local_scan() function. The arguments
--are:
--
-- fd The file descriptor of the open -D file, which contains the
-- body of the message. The file is open for reading and
-- writing, but modifying it is dangerous and not recommended.
--
-- return_text A pointer to an unsigned char* variable which you can set in
-- order to return a text string. It is initialized to NULL.
--
--The return values of this function are:
--
-- LOCAL_SCAN_ACCEPT
-- The message is to be accepted. The return_text argument is
-- saved in $local_scan_data.
--
-- LOCAL_SCAN_REJECT
-- The message is to be rejected. The returned text is used
-- in the rejection message.
--
-- LOCAL_SCAN_TEMPREJECT
-- This specifies a temporary rejection. The returned text
-- is used in the rejection message.
--*/
-+#ifdef DLOPEN_LOCAL_SCAN
-+#include
-+static int (*local_scan_fn)(int fd, uschar **return_text) = NULL;
-+static int load_local_scan_library(void);
-+#endif
-
- int
- local_scan(int fd, uschar **return_text)
- {
- fd = fd; /* Keep picky compilers happy */
- return_text = return_text;
--return LOCAL_SCAN_ACCEPT;
-+#ifdef DLOPEN_LOCAL_SCAN
-+/* local_scan_path is defined AND not the empty string */
-+if (local_scan_path && *local_scan_path)
-+ {
-+ if (!local_scan_fn)
-+ {
-+ if (!load_local_scan_library())
-+ {
-+ char *base_msg , *error_msg , *final_msg ;
-+ int final_length = -1 ;
-+
-+ base_msg=US"Local configuration error - local_scan() library failure\n";
-+ error_msg = dlerror() ;
-+
-+ final_length = strlen(base_msg) + strlen(error_msg) + 1 ;
-+ final_msg = (char*)malloc( final_length*sizeof(char) ) ;
-+ *final_msg = '\0' ;
-+
-+ strcat( final_msg , base_msg ) ;
-+ strcat( final_msg , error_msg ) ;
-+
-+ *return_text = final_msg ;
-+ return LOCAL_SCAN_TEMPREJECT;
-+ }
-+ }
-+ return local_scan_fn(fd, return_text);
-+ }
-+else
-+#endif
-+ return LOCAL_SCAN_ACCEPT;
- }
-
-+#ifdef DLOPEN_LOCAL_SCAN
-+
-+static int load_local_scan_library(void)
-+{
-+/* No point in keeping local_scan_lib since we'll never dlclose() anyway */
-+void *local_scan_lib = NULL;
-+int (*local_scan_version_fn)(void);
-+int vers_maj;
-+int vers_min;
-+
-+local_scan_lib = dlopen(local_scan_path, RTLD_NOW);
-+if (!local_scan_lib)
-+ {
-+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - "
-+ "message temporarily rejected");
-+ return FALSE;
-+ }
-+
-+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major");
-+if (!local_scan_version_fn)
-+ {
-+ dlclose(local_scan_lib);
-+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
-+ "local_scan_version_major() function - message temporarily rejected");
-+ return FALSE;
-+ }
-+
-+/* The major number is increased when the ABI is changed in a non
-+ backward compatible way. */
-+vers_maj = local_scan_version_fn();
-+
-+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor");
-+if (!local_scan_version_fn)
-+ {
-+ dlclose(local_scan_lib);
-+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
-+ "local_scan_version_minor() function - message temporarily rejected");
-+ return FALSE;
-+ }
-+
-+/* The minor number is increased each time a new feature is added (in a
-+ way that doesn't break backward compatibility) -- Marc */
-+vers_min = local_scan_version_fn();
-+
-+
-+if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR)
-+ {
-+ dlclose(local_scan_lib);
-+ local_scan_lib = NULL;
-+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major"
-+ "version number, you need to recompile your module for this version"
-+ "of exim (The module was compiled for version %d.%d and this exim provides"
-+ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
-+ LOCAL_SCAN_ABI_VERSION_MINOR);
-+ return FALSE;
-+ }
-+else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR)
-+ {
-+ dlclose(local_scan_lib);
-+ local_scan_lib = NULL;
-+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor"
-+ "version number, you need to recompile your module for this version"
-+ "of exim (The module was compiled for version %d.%d and this exim provides"
-+ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
-+ LOCAL_SCAN_ABI_VERSION_MINOR);
-+ return FALSE;
-+ }
-+
-+local_scan_fn = dlsym(local_scan_lib, "local_scan");
-+if (!local_scan_fn)
-+ {
-+ dlclose(local_scan_lib);
-+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
-+ "local_scan() function - message temporarily rejected");
-+ return FALSE;
-+ }
-+
-+return TRUE;
-+}
-+
-+#endif /* DLOPEN_LOCAL_SCAN */
-+
- /* End of local_scan.c */
-diff --git a/src/readconf.c b/src/readconf.c
-index cbbef6e..da3421a 100644
---- a/src/readconf.c
-+++ b/src/readconf.c
-@@ -195,6 +195,9 @@ static optionlist optionlist_config[] = {
- { "local_from_prefix", opt_stringptr, &local_from_prefix },
- { "local_from_suffix", opt_stringptr, &local_from_suffix },
- { "local_interfaces", opt_stringptr, &local_interfaces },
-+#ifdef DLOPEN_LOCAL_SCAN
-+ { "local_scan_path", opt_stringptr, &local_scan_path },
-+#endif
- { "local_scan_timeout", opt_time, &local_scan_timeout },
- { "local_sender_retain", opt_bool, &local_sender_retain },
- { "localhost_number", opt_stringptr, &host_number_string },
diff --git a/exim-4.91-greylist-conf.patch b/exim-4.91-greylist-conf.patch
deleted file mode 100644
index 2d02d75..0000000
--- a/exim-4.91-greylist-conf.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index f1260cf..05e9371 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost
- # manual for details. The lists above are used in the access control lists for
- # checking incoming messages. The names of these ACLs are defined here:
-
-+acl_smtp_mail = acl_check_mail
- acl_smtp_rcpt = acl_check_rcpt
- acl_smtp_data = acl_check_data
- acl_smtp_mime = acl_check_mime
-@@ -371,6 +372,29 @@ timeout_frozen_after = 7d
-
- begin acl
-
-+
-+# This access control list is used for the MAIL command in an incoming
-+# SMTP message.
-+
-+acl_check_mail:
-+
-+ # Hosts are required to say HELO (or EHLO) before sending mail.
-+ # So don't allow them to use the MAIL command if they haven't
-+ # done so.
-+
-+ deny condition = ${if eq{$sender_helo_name}{} {1}}
-+ message = Nice boys say HELO first
-+
-+ # Use the lack of reverse DNS to trigger greylisting. Some people
-+ # even reject for it but that would be a little excessive.
-+
-+ warn condition = ${if eq{$sender_host_name}{} {1}}
-+ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons
-+
-+ accept
-+
-+
-+
- # This access control list is used for every RCPT command in an incoming
- # SMTP message. The tests are run in order until the address is either
- # accepted or denied.
-@@ -496,7 +520,8 @@ acl_check_rcpt:
- # There are no default checks on DNS black lists because the domains that
- # contain these lists are changing all the time. However, here are two
- # examples of how you can get Exim to perform a DNS black list lookup at this
-- # point. The first one denies, whereas the second just warns.
-+ # point. The first one denies, whereas the second just warns. The third
-+ # triggers greylisting for any host in the blacklist.
- #
- # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
- # dnslists = black.list.example
-@@ -504,6 +529,10 @@ acl_check_rcpt:
- # warn dnslists = black.list.example
- # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
- # log_message = found in $dnslist_domain
-+ #
-+ # warn dnslists = black.list.example
-+ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons
-+ #
- #############################################################################
-
- #############################################################################
-@@ -517,6 +546,10 @@ acl_check_rcpt:
- # require verify = csa
- #############################################################################
-
-+ # Alternatively, greylist for it:
-+ # warn !verify = csa
-+ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons
-+
- # At this point, the address has passed all the checks that have been
- # configured, so we accept it unconditionally.
-
-@@ -555,6 +588,12 @@ acl_check_data:
- # deny condition = ${if !def:h_Message-ID: {1}}
- # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
- # Most messages without it are spam, so your mail has been rejected.
-+ #
-+ # Alternatively if we're feeling more lenient we could just use it to
-+ # trigger greylisting instead:
-+
-+ warn condition = ${if !def:h_Message-ID: {1}}
-+ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons
-
- # Deny if the message contains a virus. Before enabling this check, you
- # must install a virus scanner and set the av_scanner option above.
-@@ -589,8 +628,30 @@ acl_check_data:
- # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
- # $spam_report
-
-+ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
-+ #
-+ # warn condition = ${if >{$spam_score_int}{5} {1}}
-+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
-+
-+
-+ # If you want to greylist _all_ mail rather than only mail which looks like there
-+ # might be something wrong with it, then you can do this...
-+ #
-+ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
-+
-+ # Now, invoke the greylisting. For this you need to have installed the exim-greylist
-+ # package which contains this subroutine, and you need to uncomment the bit below
-+ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
-+ # greylisting will kick in and will defer the mail to check if the sender is a
-+ # proper mail which which retries, or whether it's a zombie. For more details, see
-+ # the exim-greylist.conf.inc file itself.
-+ #
-+ # require acl = greylist_mail
-+
- accept
-
-+# To enable the greylisting, also uncomment this line:
-+# .include /etc/exim/exim-greylist.conf.inc
-
- acl_check_mime:
-
diff --git a/exim-4.91-pamconfig.patch b/exim-4.91-pamconfig.patch
deleted file mode 100644
index b330a5b..0000000
--- a/exim-4.91-pamconfig.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index ae50b15..6966ad3 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -142,7 +142,7 @@ acl_smtp_data = acl_check_data
-
- # Allow any client to use TLS.
-
--# tls_advertise_hosts = *
-+tls_advertise_hosts = *
-
- # Specify the location of the Exim server's TLS certificate and private key.
- # The private key must not be encrypted (password protected). You can put
-@@ -150,8 +150,8 @@ acl_smtp_data = acl_check_data
- # need the first setting, or in separate files, in which case you need both
- # options.
-
--# tls_certificate = /etc/ssl/exim.crt
--# tls_privatekey = /etc/ssl/exim.pem
-+tls_certificate = /etc/pki/tls/certs/exim.pem
-+tls_privatekey = /etc/pki/tls/private/exim.pem
-
- # For OpenSSL, prefer EC- over RSA-authenticated ciphers
- # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
-@@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data
- # them you should also allow TLS-on-connect on the traditional but
- # non-standard port 465.
-
--# daemon_smtp_ports = 25 : 465 : 587
--# tls_on_connect_ports = 465
-+daemon_smtp_ports = 25 : 465 : 587
-+tls_on_connect_ports = 465
-
-
- # Specify the domain you want to be added to all unqualified addresses
-@@ -224,6 +224,24 @@ never_users = root
-
- host_lookup = *
-
-+# This setting, if uncommented, allows users to authenticate using
-+# their system passwords against saslauthd if they connect over a
-+# secure connection. If you have network logins such as NIS or
-+# Kerberos rather than only local users, then you possibly also want
-+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
-+# too. Once a user is authenticated, the acl_check_rcpt ACL then
-+# allows them to relay through the system.
-+#
-+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
-+#
-+# By default, we set this option to allow SMTP AUTH from nowhere
-+# (Exim's default would be to allow it from anywhere, even on an
-+# unencrypted connection).
-+#
-+# Comment this one out if you uncomment the above. Did you make sure
-+# saslauthd is actually running first?
-+#
-+auth_advertise_hosts =
-
- # The settings below cause Exim to make RFC 1413 (ident) callbacks
- # for all incoming SMTP calls. You can limit the hosts to which these
-@@ -853,7 +871,7 @@ begin authenticators
- # driver = plaintext
- # server_set_id = $auth2
- # server_prompts = :
--# server_condition = Authentication is not yet configured
-+# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
- # server_advertise_condition = ${if def:tls_in_cipher }
-
- # LOGIN authentication has traditional prompts and responses. There is no
-@@ -865,7 +883,7 @@ begin authenticators
- # driver = plaintext
- # server_set_id = $auth1
- # server_prompts = <| Username: | Password:
--# server_condition = Authentication is not yet configured
-+# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
- # server_advertise_condition = ${if def:tls_in_cipher }
-
-
diff --git a/exim-4.91-procmail.patch b/exim-4.91-procmail.patch
deleted file mode 100644
index 5c70ae6..0000000
--- a/exim-4.91-procmail.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index dd5bfeb..7d26076 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -741,6 +741,12 @@ userforward:
- pipe_transport = address_pipe
- reply_transport = address_reply
-
-+procmail:
-+ driver = accept
-+ check_local_user
-+ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
-+ transport = procmail
-+ no_verify
-
- # This router matches local user mailboxes. If the router fails, the error
- # message is "Unknown user".
-@@ -782,6 +788,16 @@ remote_smtp:
- driver = smtp
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-
-+# This transport invokes procmail to deliver mail
-+procmail:
-+ driver = pipe
-+ command = "/usr/bin/procmail -d $local_part"
-+ return_path_add
-+ delivery_date_add
-+ envelope_to_add
-+ user = $local_part
-+ initgroups
-+ return_output
-
- # This transport is used for local delivery to user mailboxes in traditional
- # BSD mailbox format. By default it will be run under the uid and gid of the
diff --git a/exim-4.91-rhl.patch b/exim-4.91-rhl.patch
deleted file mode 100644
index 7cdfba8..0000000
--- a/exim-4.91-rhl.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 79bbc8c..78e44d2 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -639,7 +639,7 @@ system_aliases:
- driver = redirect
- allow_fail
- allow_defer
-- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
-+ data = ${lookup{$local_part}lsearch{/etc/aliases}}
- # user = exim
- file_transport = address_file
- pipe_transport = address_pipe
-@@ -740,8 +740,8 @@ local_delivery:
- delivery_date_add
- envelope_to_add
- return_path_add
--# group = mail
--# mode = 0660
-+ group = mail
-+ mode = 0660
-
-
- # This transport is used for handling pipe deliveries generated by alias or
diff --git a/exim-4.91-smarthost-config.patch b/exim-4.91-smarthost-config.patch
deleted file mode 100644
index ba1dad8..0000000
--- a/exim-4.91-smarthost-config.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-diff --git a/src/configure.default b/src/configure.default
-index 05e9371..5e61818 100644
---- a/src/configure.default
-+++ b/src/configure.default
-@@ -849,6 +849,15 @@ remote_smtp:
- driver = smtp
- message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
-
-+# This transport is used for delivering messages over SMTP using the
-+# "message submission" port (RFC4409).
-+
-+remote_msa:
-+ driver = smtp
-+ port = 587
-+ hosts_require_auth = *
-+
-+
- # This transport invokes procmail to deliver mail
- procmail:
- driver = pipe
-@@ -957,6 +966,21 @@ begin rewrite
- # AUTHENTICATION CONFIGURATION #
- ######################################################################
-
-+begin authenticators
-+
-+# This authenticator supports CRAM-MD5 username/password authentication
-+# with Exim acting as a _client_, as it might when sending its outgoing
-+# mail to a smarthost rather than directly to the final recipient.
-+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
-+
-+#client_auth:
-+# driver = cram_md5
-+# public_name = CRAM-MD5
-+# client_name = SMTPAUTH_USERNAME
-+# client_secret = SMTPAUTH_PASSWORD
-+
-+#
-+
- # The following authenticators support plaintext username/password
- # authentication using the standard PLAIN mechanism and the traditional
- # but non-standard LOGIN mechanism, with Exim acting as the server.
-@@ -972,7 +996,7 @@ begin rewrite
- # The default RCPT ACL checks for successful authentication, and will accept
- # messages from authenticated users from anywhere on the Internet.
-
--begin authenticators
-+#
-
- # PLAIN authentication has no server prompts. The client sends its
- # credentials in one lump, containing an authorization ID (which we do not
diff --git a/exim-4.91-spamdconf.patch b/exim-4.91-spamdconf.patch
deleted file mode 100644
index 3edc425..0000000
--- a/exim-4.91-spamdconf.patch
+++ /dev/null
@@ -1,104 +0,0 @@ -diff --git a/src/configure.default b/src/configure.default -index 6966ad3..dd5bfeb 100644 ---- a/src/configure.default -+++ b/src/configure.default -@@ -109,6 +109,7 @@ hostlist relay_from_hosts = localhost - - acl_smtp_rcpt = acl_check_rcpt - acl_smtp_data = acl_check_data -+acl_smtp_mime = acl_check_mime - - # You should not change those settings until you understand how ACLs work. - -@@ -121,7 +122,7 @@ acl_smtp_data = acl_check_data - # of what to set for other virus scanners. The second modification is in the - # acl_check_data access control list (see below). - --# av_scanner = clamd:/tmp/clamd -+av_scanner = clamd:/var/run/clamd.exim/clamd.sock - - - # For spam scanning, there is a similar option that defines the interface to -@@ -434,7 +435,8 @@ acl_check_rcpt: - accept local_parts = postmaster - domains = +local_domains - -- # Deny unless the sender address can be verified. -+ # Deny unless the sender address can be routed. For proper verification of the -+ # address, read the documentation on callouts and add the /callout modifier. - - require verify = sender - -@@ -544,27 +546,63 @@ acl_check_data: - message = header syntax - log_message = header syntax ($acl_verify_message) - -+ # Put simple tests first. A good one is to check for the presence of a -+ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken -+ # or misconfigured mailer software occasionally omits this from genuine -+ # messages too, though -- although it's not hard for the offender to fix -+ # after they receive a bounce because of it. -+ # -+ # deny condition = ${if !def:h_Message-ID: {1}} -+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ -+ # Most messages without it are spam, so your mail has been rejected. -+ - # Deny if the message contains a virus. Before enabling this check, you - # must install a virus scanner and set the av_scanner option above. 
- # - # deny malware = * - # message = This message contains a virus ($malware_name). - -- # Add headers to a message if it is judged to be spam. Before enabling this, -- # you must install SpamAssassin. You may also need to set the spamd_address -- # option above. -+ # Bypass SpamAssassin checks if the message is too large. - # -- # warn spam = nobody -- # add_header = X-Spam_score: $spam_score\n\ -- # X-Spam_score_int: $spam_score_int\n\ -- # X-Spam_bar: $spam_bar\n\ -- # X-Spam_report: $spam_report -+ # accept condition = ${if >={$message_size}{100000} {1}} -+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size - -- # Accept the message. -+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message -+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA -+ # score exceeds the SA system threshold. -+ # -+ # warn spam = nobody/defer_ok -+ # add_header = X-Spam-Flag: YES -+ # -+ # accept condition = ${if !def:spam_score_int {1}} -+ # add_header = X-Spam-Note: SpamAssassin invocation failed -+ # -+ -+ # Unconditionally add score and report headers -+ # -+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ -+ # X-Spam-Report: $spam_report -+ -+ # And reject if the SpamAssassin score is greater than ten -+ # -+ # deny condition = ${if >{$spam_score_int}{100} {1}} -+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ -+ # $spam_report - - accept - - -+acl_check_mime: -+ -+ # File extension filtering. -+ deny message = Blacklisted file extension detected -+ condition = ${if match \ -+ {${lc:$mime_filename}} \ -+ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ -+ {1}{0}} -+ -+ accept -+ - - ###################################################################### - # ROUTERS CONFIGURATION # diff --git a/exim-4.92-allow-filter.patch b/exim-4.92-allow-filter.patch new file mode 100644 index 0000000..d5b5664 --- /dev/null +++ b/exim-4.92-allow-filter.patch 
@@ -0,0 +1,13 @@
+diff --git a/src/configure.default b/src/configure.default
+index cef3779..09f0b36 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -810,7 +810,7 @@ userforward:
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+ file = $home/.forward
+-# allow_filter
++ allow_filter
+ no_verify
+ no_expn
+ check_ancestor
diff --git a/exim-4.92-config.patch b/exim-4.92-config.patch
new file mode 100644
index 0000000..83d09e8
--- /dev/null
+++ b/exim-4.92-config.patch
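Review bot: Enabling `allow_filter` on the `userforward` router lets every local user's `$home/.forward` be an Exim filter, and nothing in this hunk restricts what such a filter may do. The same commit turns on `EXPAND_DLFUNC=yes` and `EXIM_PERL=perl.o` in exim-4.92-config.patch, so I would add `forbid_filter_dlfunc` and `forbid_filter_perl` beneath `allow_filter`, and consider `forbid_filter_run` and `forbid_filter_readsocket`, unless users are meant to have those facilities. The router definition starts and ends outside the hunk, so some of these restrictions may already be set there.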
@@ -0,0 +1,299 @@ +diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile +index 7e0bf38..c97ccec 100755 +--- a/scripts/Configure-Makefile ++++ b/scripts/Configure-Makefile +@@ -297,7 +297,7 @@ if [ "${EXIM_PERL}" != "" ] ; then + + mv $mft $mftt + echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft +- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft ++ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft + echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft + echo "" >>$mft + cat $mftt >> $mft +diff --git a/src/EDITME b/src/EDITME +index cbb0805..a42cd6f 100644 +--- a/src/EDITME ++++ b/src/EDITME +@@ -98,7 +98,7 @@ + # /usr/local/sbin. The installation script will try to create this directory, + # and any superior directories, if they do not exist. + +-BIN_DIRECTORY=/usr/exim/bin ++BIN_DIRECTORY=/usr/sbin + + + #------------------------------------------------------------------------------ +@@ -114,7 +114,7 @@ BIN_DIRECTORY=/usr/exim/bin + # don't exist. It will also install a default runtime configuration if this + # file does not exist. + +-CONFIGURE_FILE=/usr/exim/configure ++CONFIGURE_FILE=/etc/exim/exim.conf + + # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. + # In this case, Exim will use the first of them that exists when it is run. +@@ -131,7 +131,7 @@ CONFIGURE_FILE=/usr/exim/configure + # deliveries. (Local deliveries run as various non-root users, typically as the + # owner of a local mailbox.) Specifying these values as root is not supported. + +-EXIM_USER= ++EXIM_USER=93 + + # If you specify EXIM_USER as a name, this is looked up at build time, and the + # uid number is built into the binary. However, you can specify that this +@@ -152,7 +152,7 @@ EXIM_USER= + # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless + # you want to use a group other than the default group for the given user. 
+ +-# EXIM_GROUP= ++EXIM_GROUP=93 + + # Many sites define a user called "exim", with an appropriate default group, + # and use +@@ -237,7 +237,7 @@ TRANSPORT_SMTP=yes + # This one is special-purpose, and commonly not required, so it is not + # included by default. + +-# TRANSPORT_LMTP=yes ++TRANSPORT_LMTP=yes + + + #------------------------------------------------------------------------------ +@@ -246,9 +246,9 @@ TRANSPORT_SMTP=yes + # MBX, is included only when requested. If you do not know what this is about, + # leave these settings commented out. + +-# SUPPORT_MAILDIR=yes +-# SUPPORT_MAILSTORE=yes +-# SUPPORT_MBX=yes ++SUPPORT_MAILDIR=yes ++SUPPORT_MAILSTORE=yes ++SUPPORT_MBX=yes + + + #------------------------------------------------------------------------------ +@@ -306,20 +306,22 @@ LOOKUP_DBM=yes + LOOKUP_LSEARCH=yes + LOOKUP_DNSDB=yes + +-# LOOKUP_CDB=yes +-# LOOKUP_DSEARCH=yes ++LOOKUP_CDB=yes ++LOOKUP_DSEARCH=yes + # LOOKUP_IBASE=yes +-# LOOKUP_LDAP=yes +-# LOOKUP_MYSQL=yes +-# LOOKUP_MYSQL_PC=mariadb +-# LOOKUP_NIS=yes +-# LOOKUP_NISPLUS=yes ++LOOKUP_LDAP=yes ++LDAP_LIB_TYPE=OPENLDAP2 ++LOOKUP_LIBS=-lldap -llber -lsqlite3 ++LOOKUP_MYSQL=2 ++LOOKUP_MYSQL_PC=mariadb ++LOOKUP_NIS=yes ++LOOKUP_NISPLUS=yes + # LOOKUP_ORACLE=yes +-# LOOKUP_PASSWD=yes +-# LOOKUP_PGSQL=yes ++LOOKUP_PASSWD=yes ++LOOKUP_PGSQL=2 ++LOOKUP_PGSQL_LIBS=-lpq + # LOOKUP_REDIS=yes +-# LOOKUP_SQLITE=yes +-# LOOKUP_SQLITE_PC=sqlite3 ++LOOKUP_SQLITE=yes + # LOOKUP_WHOSON=yes + + # These two settings are obsolete; all three lookups are compiled when +@@ -402,7 +404,7 @@ EXIM_MONITOR=eximon.bin + # and the MIME ACL. Please read the documentation to learn more about these + # features. + +-# WITH_CONTENT_SCAN=yes ++WITH_CONTENT_SCAN=yes + + # If you have content scanning you may wish to only include some of the scanner + # interfaces. Uncomment any of these lines to remove that code. 
+@@ -595,7 +597,7 @@ FIXED_NEVER_USERS=root + # CONFIGURE_OWNER setting, to specify a configuration file which is listed in + # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. + +-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs ++TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs + + + #------------------------------------------------------------------------------ +@@ -640,17 +642,14 @@ FIXED_NEVER_USERS=root + # included in the Exim binary. You will then need to set up the run time + # configuration to make use of the mechanism(s) selected. + +-# AUTH_CRAM_MD5=yes +-# AUTH_CYRUS_SASL=yes +-# AUTH_DOVECOT=yes +-# AUTH_GSASL=yes +-# AUTH_GSASL_PC=libgsasl +-# AUTH_HEIMDAL_GSSAPI=yes +-# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi +-# AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5 +-# AUTH_PLAINTEXT=yes +-# AUTH_SPA=yes +-# AUTH_TLS=yes ++AUTH_CRAM_MD5=yes ++AUTH_CYRUS_SASL=yes ++AUTH_DOVECOT=yes ++AUTH_GSASL=yes ++AUTH_GSASL_PC=libgsasl ++AUTH_PLAINTEXT=yes ++AUTH_SPA=yes ++AUTH_TLS=yes + + # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 + # requires multiple pkg-config files to work with Exim, so the second example +@@ -674,7 +673,7 @@ FIXED_NEVER_USERS=root + # one that is set in the headers_charset option. The default setting is + # defined by this setting: + +-HEADERS_CHARSET="ISO-8859-1" ++HEADERS_CHARSET="UTF-8" + + # If you are going to make use of $header_xxx expansions in your configuration + # file, or if your users are going to use them in filter files, and the normal +@@ -694,7 +693,7 @@ HEADERS_CHARSET="ISO-8859-1" + # the Sieve filter support. For those OS where iconv() is known to be installed + # as standard, the file in OS/Makefile-xxxx contains + # +-# HAVE_ICONV=yes ++HAVE_ICONV=yes + # + # If you are not using one of those systems, but have installed iconv(), you + # need to uncomment that line above. 
In some cases, you may find that iconv() +@@ -763,11 +762,11 @@ HEADERS_CHARSET="ISO-8859-1" + # leave these settings commented out. + + # This setting is required for any TLS support (either OpenSSL or GnuTLS) +-# SUPPORT_TLS=yes ++SUPPORT_TLS=yes + + # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not +-# USE_OPENSSL_PC=openssl +-# TLS_LIBS=-lssl -lcrypto ++TLS_INCLUDE=-I/usr/kerberos/include ++TLS_LIBS=-lssl -lcrypto + + # Uncomment the first and either the second or the third of these if you + # are using GnuTLS. If you have pkg-config, then the second, else the third. +@@ -839,7 +838,7 @@ HEADERS_CHARSET="ISO-8859-1" + # Once you have done this, "make install" will build the info files and + # install them in the directory you have defined. + +-# INFO_DIRECTORY=/usr/share/info ++INFO_DIRECTORY=/usr/share/info + + + #------------------------------------------------------------------------------ +@@ -852,7 +851,7 @@ HEADERS_CHARSET="ISO-8859-1" + # %s. This will be replaced by one of the strings "main", "panic", or "reject" + # to form the final file names. Some installations may want something like this: + +-# LOG_FILE_PATH=/var/log/exim_%slog ++LOG_FILE_PATH=/var/log/exim/%s.log + + # which results in files with names /var/log/exim_mainlog, etc. The directory + # in which the log files are placed must exist; Exim does not try to create +@@ -924,7 +923,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded + # Perl costs quite a lot of resources. Only do this if you really need it. + +-# EXIM_PERL=perl.o ++EXIM_PERL=perl.o + + + #------------------------------------------------------------------------------ +@@ -934,7 +933,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # that the local_scan API is made available by the linker. You may also need + # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. 
+ +-# EXPAND_DLFUNC=yes ++EXPAND_DLFUNC=yes + + + #------------------------------------------------------------------------------ +@@ -944,7 +943,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # support, which is intended for use in conjunction with the SMTP AUTH + # facilities, is included only when requested by the following setting: + +-# SUPPORT_PAM=yes ++SUPPORT_PAM=yes + + # You probably need to add -lpam to EXTRALIBS, and in some releases of + # GNU/Linux -ldl is also needed. +@@ -1052,7 +1051,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # group. Once you have installed saslauthd, you should arrange for it to be + # started by root at boot time. + +-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux ++CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux + + + #------------------------------------------------------------------------------ +@@ -1066,8 +1065,8 @@ ZCAT_COMMAND=/usr/bin/zcat + # library for TCP wrappers, so you probably need something like this: + # + # USE_TCP_WRAPPERS=yes +-# CFLAGS=-O -I/usr/local/include +-# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap ++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) ++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic + # + # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM + # as well. +@@ -1119,7 +1118,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases + # is "yes", as well as supporting line editing, a history of input lines in the + # current run is maintained. + +-# USE_READLINE=yes ++USE_READLINE=yes + + # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. + # Note that this option adds to the size of the Exim binary, because the +@@ -1136,7 +1135,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases + #------------------------------------------------------------------------------ + # Uncomment this setting to include IPv6 support. 
+ +-# HAVE_IPV6=yes ++HAVE_IPV6=yes + + ############################################################################### + # THINGS YOU ALMOST NEVER NEED TO MENTION # +@@ -1157,13 +1156,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases + # haven't got Perl, Exim will still build and run; you just won't be able to + # use those utilities. + +-# CHOWN_COMMAND=/usr/bin/chown +-# CHGRP_COMMAND=/usr/bin/chgrp +-# CHMOD_COMMAND=/usr/bin/chmod +-# MV_COMMAND=/bin/mv +-# RM_COMMAND=/bin/rm +-# TOUCH_COMMAND=/usr/bin/touch +-# PERL_COMMAND=/usr/bin/perl ++CHOWN_COMMAND=/usr/bin/chown ++CHGRP_COMMAND=/usr/bin/chgrp ++CHMOD_COMMAND=/usr/bin/chmod ++MV_COMMAND=/usr/bin/mv ++RM_COMMAND=/usr/bin/rm ++TOUCH_COMMAND=/usr/bin/touch ++PERL_COMMAND=/usr/bin/perl + + + #------------------------------------------------------------------------------ +@@ -1365,7 +1364,7 @@ EXIM_TMPDIR="/tmp" + # (process id) to a file so that it can easily be identified. The path of the + # file can be specified here. Some installations may want something like this: + +-# PID_FILE_PATH=/var/lock/exim.pid ++PID_FILE_PATH=/var/run/exim.pid + + # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory + # using the name "exim-daemon.pid". diff --git a/exim-4.92-cyrus.patch b/exim-4.92-cyrus.patch new file mode 100644 index 0000000..f8e2984 --- /dev/null +++ b/exim-4.92-cyrus.patch 
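Review bot: The live `CFLAGS+=$(RPM_OPT_FLAGS) $(PIE)` and `EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic` lines in the `@@ -1066,8 +1065,8 @@` hunk of src/EDITME replace the commented TCP-wrappers example, so they now sit inside a comment block that still presents them as wrapper settings while `USE_TCP_WRAPPERS` stays commented out. Someone auditing the build flags will not look for them there; I would move them below the block or add a comment such as `# Distribution build flags: RPM_OPT_FLAGS and PIE are supplied by the package build; -lpam/-ldl serve SUPPORT_PAM and EXPAND_DLFUNC`. Neither `RPM_OPT_FLAGS` nor `PIE` is defined in the visible hunks, so presumably a build run outside the packaging environment expands both to nothing and silently loses the position-independent flags, which is worth stating in that comment.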
@@ -0,0 +1,21 @@
+diff --git a/src/configure.default b/src/configure.default
+index 69e0ed1..6db4947 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -901,6 +901,16 @@ address_reply:
+ driver = autoreply
+
+
++# This transport is used to deliver local mail to cyrus IMAP server via UNIX
++# socket. You'll need to configure the 'localuser' router above to use it.
++#
++#lmtp_delivery:
++# home_directory = /var/spool/imap
++# driver = lmtp
++# command = "/usr/lib/cyrus-imapd/deliver -l"
++# batch_max = 20
++# user = cyrus
++
+
+ ######################################################################
+ # RETRY CONFIGURATION #
diff --git a/exim-4.92-dlopen-localscan.patch b/exim-4.92-dlopen-localscan.patch
new file mode 100644
index 0000000..3c2f00c
--- /dev/null
+++ b/exim-4.92-dlopen-localscan.patch
@@ -0,0 +1,267 @@ +diff --git a/src/EDITME b/src/EDITME +index a42cd6f..0acd673 100644 +--- a/src/EDITME ++++ b/src/EDITME +@@ -822,6 +822,20 @@ TLS_LIBS=-lssl -lcrypto + # specified in INCLUDE. + + ++#------------------------------------------------------------------------------ ++# On systems which support dynamic loading of shared libraries, Exim can ++# load a local_scan function specified in its config file instead of having ++# to be recompiled with the desired local_scan function. For a full ++# description of the API to this function, see the Exim specification. ++ ++DLOPEN_LOCAL_SCAN=yes ++ ++# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the ++# linker flags. Without it, the loaded .so won't be able to access any ++# functions from exim. ++ ++LFLAGS=-rdynamic -ldl -pie ++ + #------------------------------------------------------------------------------ + # The default distribution of Exim contains only the plain text form of the + # documentation. Other forms are available separately. If you want to install +diff --git a/src/config.h.defaults b/src/config.h.defaults +index 7c2e534..3fafe61 100644 +--- a/src/config.h.defaults ++++ b/src/config.h.defaults +@@ -32,6 +32,8 @@ Do not put spaces between # and the 'define'. 
+ + #define AUTH_VARS 3 + ++#define DLOPEN_LOCAL_SCAN ++ + #define BIN_DIRECTORY + + #define CONFIGURE_FILE +diff --git a/src/globals.c b/src/globals.c +index b3362a3..0884fe5 100644 +--- a/src/globals.c ++++ b/src/globals.c +@@ -173,6 +173,10 @@ uschar *tls_verify_hosts = NULL; + uschar *tls_advertise_hosts = NULL; + #endif + ++#ifdef DLOPEN_LOCAL_SCAN ++uschar *local_scan_path = NULL; ++#endif ++ + #ifndef DISABLE_PRDR + /* Per Recipient Data Response variables */ + BOOL prdr_enable = FALSE; +diff --git a/src/globals.h b/src/globals.h +index f71f104..3faf176 100644 +--- a/src/globals.h ++++ b/src/globals.h +@@ -131,6 +131,11 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */ + extern uschar *tls_verify_certificates;/* Path for certificates to check */ + extern uschar *tls_verify_hosts; /* Mandatory client verification */ + #endif ++ ++#ifdef DLOPEN_LOCAL_SCAN ++extern uschar *local_scan_path; /* Path to local_scan() library */ ++#endif ++ + extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */ + + extern uschar *dsn_envid; /* DSN envid string */ +diff --git a/src/local_scan.c b/src/local_scan.c +index 4dd0b2b..8599172 100644 +--- a/src/local_scan.c ++++ b/src/local_scan.c +@@ -5,61 +5,131 @@ + /* Copyright (c) University of Cambridge 1995 - 2009 */ + /* See the file NOTICE for conditions of use and distribution. */ + ++#include "exim.h" + +-/****************************************************************************** +-This file contains a template local_scan() function that just returns ACCEPT. +-If you want to implement your own version, you should copy this file to, say +-Local/local_scan.c, and edit the copy. To use your version instead of the +-default, you must set +- +-HAVE_LOCAL_SCAN=yes +-LOCAL_SCAN_SOURCE=Local/local_scan.c +- +-in your Local/Makefile. This makes it easy to copy your version for use with +-subsequent Exim releases. 
+- +-For a full description of the API to this function, see the Exim specification. +-******************************************************************************/ +- +- +-/* This is the only Exim header that you should include. The effect of +-including any other Exim header is not defined, and may change from release to +-release. Use only the documented interface! */ +- +-#include "local_scan.h" +- +- +-/* This is a "do-nothing" version of a local_scan() function. The arguments +-are: +- +- fd The file descriptor of the open -D file, which contains the +- body of the message. The file is open for reading and +- writing, but modifying it is dangerous and not recommended. +- +- return_text A pointer to an unsigned char* variable which you can set in +- order to return a text string. It is initialized to NULL. +- +-The return values of this function are: +- +- LOCAL_SCAN_ACCEPT +- The message is to be accepted. The return_text argument is +- saved in $local_scan_data. +- +- LOCAL_SCAN_REJECT +- The message is to be rejected. The returned text is used +- in the rejection message. +- +- LOCAL_SCAN_TEMPREJECT +- This specifies a temporary rejection. The returned text +- is used in the rejection message. 
+-*/ ++#ifdef DLOPEN_LOCAL_SCAN ++#include ++static int (*local_scan_fn)(int fd, uschar **return_text) = NULL; ++static int load_local_scan_library(void); ++#endif + + int + local_scan(int fd, uschar **return_text) + { + fd = fd; /* Keep picky compilers happy */ + return_text = return_text; +-return LOCAL_SCAN_ACCEPT; ++#ifdef DLOPEN_LOCAL_SCAN ++/* local_scan_path is defined AND not the empty string */ ++if (local_scan_path && *local_scan_path) ++ { ++ if (!local_scan_fn) ++ { ++ if (!load_local_scan_library()) ++ { ++ char *base_msg , *error_msg , *final_msg ; ++ int final_length = -1 ; ++ ++ base_msg=US"Local configuration error - local_scan() library failure\n"; ++ error_msg = dlerror() ; ++ ++ final_length = strlen(base_msg) + strlen(error_msg) + 1 ; ++ final_msg = (char*)malloc( final_length*sizeof(char) ) ; ++ *final_msg = '\0' ; ++ ++ strcat( final_msg , base_msg ) ; ++ strcat( final_msg , error_msg ) ; ++ ++ *return_text = final_msg ; ++ return LOCAL_SCAN_TEMPREJECT; ++ } ++ } ++ return local_scan_fn(fd, return_text); ++ } ++else ++#endif ++ return LOCAL_SCAN_ACCEPT; + } + ++#ifdef DLOPEN_LOCAL_SCAN ++ ++static int load_local_scan_library(void) ++{ ++/* No point in keeping local_scan_lib since we'll never dlclose() anyway */ ++void *local_scan_lib = NULL; ++int (*local_scan_version_fn)(void); ++int vers_maj; ++int vers_min; ++ ++local_scan_lib = dlopen(local_scan_path, RTLD_NOW); ++if (!local_scan_lib) ++ { ++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - " ++ "message temporarily rejected"); ++ return FALSE; ++ } ++ ++local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major"); ++if (!local_scan_version_fn) ++ { ++ dlclose(local_scan_lib); ++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " ++ "local_scan_version_major() function - message temporarily rejected"); ++ return FALSE; ++ } ++ ++/* The major number is increased when the ABI is changed in a non ++ backward compatible way. 
*/ ++vers_maj = local_scan_version_fn(); ++ ++local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor"); ++if (!local_scan_version_fn) ++ { ++ dlclose(local_scan_lib); ++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " ++ "local_scan_version_minor() function - message temporarily rejected"); ++ return FALSE; ++ } ++ ++/* The minor number is increased each time a new feature is added (in a ++ way that doesn't break backward compatibility) -- Marc */ ++vers_min = local_scan_version_fn(); ++ ++ ++if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR) ++ { ++ dlclose(local_scan_lib); ++ local_scan_lib = NULL; ++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major" ++ "version number, you need to recompile your module for this version" ++ "of exim (The module was compiled for version %d.%d and this exim provides" ++ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR, ++ LOCAL_SCAN_ABI_VERSION_MINOR); ++ return FALSE; ++ } ++else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR) ++ { ++ dlclose(local_scan_lib); ++ local_scan_lib = NULL; ++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor" ++ "version number, you need to recompile your module for this version" ++ "of exim (The module was compiled for version %d.%d and this exim provides" ++ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR, ++ LOCAL_SCAN_ABI_VERSION_MINOR); ++ return FALSE; ++ } ++ ++local_scan_fn = dlsym(local_scan_lib, "local_scan"); ++if (!local_scan_fn) ++ { ++ dlclose(local_scan_lib); ++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " ++ "local_scan() function - message temporarily rejected"); ++ return FALSE; ++ } ++ ++return TRUE; ++} ++ ++#endif /* DLOPEN_LOCAL_SCAN */ ++ + /* End of local_scan.c */ +diff --git a/src/readconf.c b/src/readconf.c +index 5742d10..3f1d9c1 100644 +--- a/src/readconf.c ++++ b/src/readconf.c +@@ -199,6 +199,9 @@ static optionlist 
optionlist_config[] = { + { "local_from_prefix", opt_stringptr, &local_from_prefix }, + { "local_from_suffix", opt_stringptr, &local_from_suffix }, + { "local_interfaces", opt_stringptr, &local_interfaces }, ++#ifdef DLOPEN_LOCAL_SCAN ++ { "local_scan_path", opt_stringptr, &local_scan_path }, ++#endif + #ifdef HAVE_LOCAL_SCAN + { "local_scan_timeout", opt_time, &local_scan_timeout }, + #endif diff --git a/exim-4.92-environment.patch b/exim-4.92-environment.patch new file mode 100644 index 0000000..831a4e7 --- /dev/null +++ b/exim-4.92-environment.patch @@ -0,0 +1,15 @@ +diff --git a/src/configure.default b/src/configure.default +index 241a961..1403d4a 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -384,8 +384,8 @@ timeout_frozen_after = 7d + # Note that TZ is handled separately by the timezone runtime option + # and TIMEZONE_DEFAULT buildtime option. + +-# keep_environment = ^LDAP +-# add_environment = PATH=/usr/bin::/bin ++keep_environment = ^LDAP ++add_environment = PATH=/usr/bin::/bin + + + diff --git a/exim-4.92-greylist-conf.patch b/exim-4.92-greylist-conf.patch new file mode 100644 index 0000000..f9bfb4f --- /dev/null +++ b/exim-4.92-greylist-conf.patch 
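Review bot: In `local_scan()` (src/local_scan.c), the failure branch passes the result of `dlerror()` straight to `strlen()`, but `dlerror()` returns NULL when `load_local_scan_library()` failed for a reason that no dl* call reported, such as either ABI version mismatch, so that path dereferences NULL in the process receiving the message. The `malloc()` result is also used without a check before `strcat()`. I would build the text with `string_sprintf()`, which the newly included `exim.h` provides, and substitute a fixed string when `dlerror()` returns NULL. Separately, `dlopen(local_scan_path, RTLD_NOW)` accepts a bare file name, which is resolved through the library search path; requiring the option to start with `/` would pin the module to the configured file.

```c
  if (!local_scan_fn)
    {
    if (!load_local_scan_library())
      {
      /* dlerror() is NULL when the failure was not reported by a dl* call */
      const char *dl_msg = dlerror();

      *return_text = string_sprintf(
        "Local configuration error - local_scan() library failure\n%s",
        dl_msg ? dl_msg : "see the main log for details");
      return LOCAL_SCAN_TEMPREJECT;
      }
    }
  /* … unchanged: return local_scan_fn(fd, return_text) and the LOCAL_SCAN_ACCEPT fallback … */
```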
@@ -0,0 +1,118 @@ +diff --git a/src/configure.default b/src/configure.default +index 9242bac..439287a 100644 +--- a/src/configure.default ++++ b/src/configure.default +@@ -119,6 +119,7 @@ hostlist relay_from_hosts = localhost + # manual for details. The lists above are used in the access control lists for + # checking incoming messages. The names of these ACLs are defined here: + +++acl_smtp_mail = acl_check_mail + acl_smtp_rcpt = acl_check_rcpt + .ifdef _HAVE_PRDR + acl_smtp_data_prdr = acl_check_prdr +@@ -395,6 +396,29 @@ timeout_frozen_after = 7d + + begin acl + ++ ++# This access control list is used for the MAIL command in an incoming ++# SMTP message. ++ ++acl_check_mail: ++ ++ # Hosts are required to say HELO (or EHLO) before sending mail. ++ # So don't allow them to use the MAIL command if they haven't ++ # done so. ++ ++ deny condition = ${if eq{$sender_helo_name}{} {1}} ++ message = Nice boys say HELO first ++ ++ # Use the lack of reverse DNS to trigger greylisting. Some people ++ # even reject for it but that would be a little excessive. ++ ++ warn condition = ${if eq{$sender_host_name}{} {1}} ++ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons ++ ++ accept ++ ++ ++ + # This access control list is used for every RCPT command in an incoming + # SMTP message. The tests are run in order until the address is either + # accepted or denied. +@@ -520,7 +544,8 @@ acl_check_rcpt: + # There are no default checks on DNS black lists because the domains that + # contain these lists are changing all the time. However, here are two + # examples of how you can get Exim to perform a DNS black list lookup at this +- # point. The first one denies, whereas the second just warns. ++ # point. The first one denies, whereas the second just warns. The third ++ # triggers greylisting for any host in the blacklist. 
+ # + # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text + # dnslists = black.list.example +@@ -528,6 +553,10 @@ acl_check_rcpt: + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain ++ # ++ # warn dnslists = black.list.example ++ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons ++ # + ############################################################################# + + ############################################################################# +@@ -554,6 +583,10 @@ acl_check_rcpt: + # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + ############################################################################# + ++ # Alternatively, greylist for it: ++ # warn !verify = csa ++ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons ++ + # At this point, the address has passed all the checks that have been + # configured, so we accept it unconditionally. + +@@ -612,6 +645,12 @@ acl_check_data: + # deny condition = ${if !def:h_Message-ID: {1}} + # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ + # Most messages without it are spam, so your mail has been rejected. ++ # ++ # Alternatively if we're feeling more lenient we could just use it to ++ # trigger greylisting instead: ++ ++ warn condition = ${if !def:h_Message-ID: {1}} ++ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons + + # Deny if the message contains a virus. Before enabling this check, you + # must install a virus scanner and set the av_scanner option above. 
+@@ -669,8 +708,30 @@ acl_check_mime: + {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ + {1}{0}} + ++ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5 ++ # ++ # warn condition = ${if >{$spam_score_int}{5} {1}} ++ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons ++ ++ ++ # If you want to greylist _all_ mail rather than only mail which looks like there ++ # might be something wrong with it, then you can do this... ++ # ++ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons ++ ++ # Now, invoke the greylisting. For this you need to have installed the exim-greylist ++ # package which contains this subroutine, and you need to uncomment the bit below ++ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty, ++ # greylisting will kick in and will defer the mail to check if the sender is a ++ # proper mail which which retries, or whether it's a zombie. For more details, see ++ # the exim-greylist.conf.inc file itself. ++ # ++ # require acl = greylist_mail ++ + accept + ++# To enable the greylisting, also uncomment this line: ++# .include /etc/exim/exim-greylist.conf.inc + + ###################################################################### + # ROUTERS CONFIGURATION # diff --git a/exim-4.92-localhost-is-local.patch b/exim-4.92-localhost-is-local.patch new file mode 100644 index 0000000..02a10a2 --- /dev/null +++ b/exim-4.92-localhost-is-local.patch 
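Review bot: The first inner hunk (`@@ -119,6 +119,7 @@`) shows its added line as `+++acl_smtp_mail = acl_check_mail`, one `+` more than every other added line in this patch (compare `++acl_check_mail:`), so the patched configure.default would contain `+acl_smtp_mail = acl_check_mail` instead of the option. If the patch file really holds that and it is not a rendering artefact, the new `acl_check_mail` ACL is never attached to the MAIL command, or the line is rejected when the configuration is read; the patch line should be `+acl_smtp_mail = acl_check_mail`. The last inner hunk also places the `$spam_score_int` trigger and `require acl = greylist_mail` under `acl_check_mime`, whereas the comments describe a per-message decision; that looks like a rebase offset and the lines presumably belong before the final `accept` of `acl_check_data`.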
@@ -0,0 +1,13 @@
+diff --git a/src/configure.default b/src/configure.default
+index 09f0b36..9242bac 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -67,7 +67,7 @@
+ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They
+ # are all colon-separated lists:
+
+-domainlist local_domains = @
++domainlist local_domains = @ : localhost : localhost.localdomain
+ domainlist relay_to_domains =
+ hostlist relay_from_hosts = localhost
+ # (We rely upon hostname resolution working for localhost, because the default
diff --git a/exim-4.92-pamconfig.patch b/exim-4.92-pamconfig.patch
new file mode 100644
index 0000000..bbe3dde
--- /dev/null
+++ b/exim-4.92-pamconfig.patch
@@ -0,0 +1,78 @@
+diff --git a/src/configure.default b/src/configure.default
+index 6db4947..f1198b1 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -157,7 +157,7 @@ acl_smtp_data = acl_check_data
+
+ # Allow any client to use TLS.
+
+-# tls_advertise_hosts = *
++tls_advertise_hosts = *
+
+ # Specify the location of the Exim server's TLS certificate and private key.
+ # The private key must not be encrypted (password protected). You can put
+@@ -165,8 +165,8 @@ acl_smtp_data = acl_check_data
+ # need the first setting, or in separate files, in which case you need both
+ # options.
+
+-# tls_certificate = /etc/ssl/exim.crt
+-# tls_privatekey = /etc/ssl/exim.pem
++tls_certificate = /etc/pki/tls/certs/exim.pem
++tls_privatekey = /etc/pki/tls/private/exim.pem
+
+ # For OpenSSL, prefer EC- over RSA-authenticated ciphers
+ # tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+@@ -180,8 +180,8 @@ acl_smtp_data = acl_check_data
+ # them you should also allow TLS-on-connect on the traditional but
+ # non-standard port 465.
+
+-# daemon_smtp_ports = 25 : 465 : 587
+-# tls_on_connect_ports = 465
++daemon_smtp_ports = 25 : 465 : 587
++tls_on_connect_ports = 465
+
+
+ # Specify the domain you want to be added to all unqualified addresses
+@@ -239,6 +239,24 @@ never_users = root
+
+ host_lookup = *
+
++# This setting, if uncommented, allows users to authenticate using
++# their system passwords against saslauthd if they connect over a
++# secure connection. If you have network logins such as NIS or
++# Kerberos rather than only local users, then you possibly also want
++# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism
++# too. Once a user is authenticated, the acl_check_rcpt ACL then
++# allows them to relay through the system.
++#
++# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}
++#
++# By default, we set this option to allow SMTP AUTH from nowhere
++# (Exim's default would be to allow it from anywhere, even on an
++# unencrypted connection).
++#
++# Comment this one out if you uncomment the above. Did you make sure
++# saslauthd is actually running first?
++#
++auth_advertise_hosts =
+
+ # The setting below causes Exim to try to initialize the system resolver
+ # library with DNSSEC support. It has no effect if your library lacks
+@@ -980,7 +998,7 @@ begin authenticators
+ # driver = plaintext
+ # server_set_id = $auth2
+ # server_prompts = :
+-# server_condition = Authentication is not yet configured
++# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
+ # server_advertise_condition = ${if def:tls_in_cipher }
+
+ # LOGIN authentication has traditional prompts and responses. There is no
+@@ -992,7 +1010,7 @@ begin authenticators
+ # driver = plaintext
+ # server_set_id = $auth1
+ # server_prompts = <| Username: | Password:
+-# server_condition = Authentication is not yet configured
++# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
+ # server_advertise_condition = ${if def:tls_in_cipher }
+
+
diff --git a/exim-4.92-procmail.patch b/exim-4.92-procmail.patch
new file mode 100644
index 0000000..5fd6f73
--- /dev/null
+++ b/exim-4.92-procmail.patch
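Review bot: The commented `auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}}` example in the `@@ -239,6 +239,24 @@` hunk tests `$tls_cipher`, while the authenticator examples this same patch edits gate on `def:tls_in_cipher`. As far as I know `$tls_cipher` is the older, deprecated spelling, so I would write the example as `# auth_advertise_hosts = ${if eq {$tls_in_cipher}{}{}{*}}` and keep one name throughout. It matters more than usual here because the patch also opens ports 465 and 587 and points PLAIN/LOGIN at saslauthd with system passwords, so once an admin uncomments the example that TLS condition is what keeps those passwords off cleartext connections. The active default `auth_advertise_hosts =` (empty) is the safe choice and should stay.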
@@ -0,0 +1,34 @@
+diff --git a/src/configure.default b/src/configure.default
+index 8f88a3b..cef3779 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -818,6 +818,12 @@ userforward:
+ pipe_transport = address_pipe
+ reply_transport = address_reply
+
++procmail:
++ driver = accept
++ check_local_user
++ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
++ transport = procmail
++ no_verify
+
+ # This router matches local user mailboxes. If the router fails, the error
+ # message is "Unknown user".
+@@ -866,6 +872,16 @@ remote_smtp:
+ hosts_try_prdr = *
+ .endif
+
++# This transport invokes procmail to deliver mail
++procmail:
++ driver = pipe
++ command = "/usr/bin/procmail -d $local_part"
++ return_path_add
++ delivery_date_add
++ envelope_to_add
++ user = $local_part
++ initgroups
++ return_output
+
+ # This transport is used for delivering messages to a smarthost, if the
+ # smarthost router is enabled. This starts from the same basis as
diff --git a/exim-4.92-rhl.patch b/exim-4.92-rhl.patch
new file mode 100644
index 0000000..236da8f
--- /dev/null
+++ b/exim-4.92-rhl.patch
@@ -0,0 +1,24 @@
+diff --git a/src/configure.default b/src/configure.default
+index 555dec3..69e0ed1 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -718,7 +718,7 @@ system_aliases:
+ driver = redirect
+ allow_fail
+ allow_defer
+- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
++ data = ${lookup{$local_part}lsearch{/etc/aliases}}
+ # user = exim
+ file_transport = address_file
+ pipe_transport = address_pipe
+@@ -867,8 +867,8 @@ local_delivery:
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+-# group = mail
+-# mode = 0660
++ group = mail
++ mode = 0660
+
+
+ # This transport is used for handling pipe deliveries generated by alias or
diff --git a/exim-4.92-smarthost-config.patch b/exim-4.92-smarthost-config.patch
new file mode 100644
index 0000000..42e6d1a
--- /dev/null
+++ b/exim-4.92-smarthost-config.patch
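Review bot: The new `procmail:` router in exim-4.92-procmail.patch has no comment, and its `require_files` line is the one part a reader cannot decode at a glance. I would add above the router something like `# Hand mail for local users who have a ~/.procmailrc to procmail; the file check runs as that user, and the leading + treats "permission denied" as "no such file".` The transport's `user = $local_part` and `command = "/usr/bin/procmail -d $local_part"` look safe only because the router's `check_local_user` has already confirmed the local part is a system account, so the transport comment should say `# Only reached via the procmail router, which has verified $local_part with check_local_user.` to stop the two being separated later.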
@@ -0,0 +1,51 @@
+diff --git a/src/configure.default b/src/configure.default
+index 439287a..241a961 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -933,6 +933,15 @@ remote_smtp:
+ hosts_try_prdr = *
+ .endif
+
++# This transport is used for delivering messages over SMTP using the
++# "message submission" port (RFC4409).
++
++remote_msa:
++ driver = smtp
++ port = 587
++ hosts_require_auth = *
++
++
+ # This transport invokes procmail to deliver mail
+ procmail:
+ driver = pipe
+@@ -1082,6 +1091,21 @@ begin rewrite
+ # AUTHENTICATION CONFIGURATION #
+ ######################################################################
+
++begin authenticators
++
++# This authenticator supports CRAM-MD5 username/password authentication
++# with Exim acting as a _client_, as it might when sending its outgoing
++# mail to a smarthost rather than directly to the final recipient.
++# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
++
++#client_auth:
++# driver = cram_md5
++# public_name = CRAM-MD5
++# client_name = SMTPAUTH_USERNAME
++# client_secret = SMTPAUTH_PASSWORD
++
++#
++
+ # The following authenticators support plaintext username/password
+ # authentication using the standard PLAIN mechanism and the traditional
+ # but non-standard LOGIN mechanism, with Exim acting as the server.
+@@ -1097,7 +1121,7 @@ begin rewrite
+ # The default RCPT ACL checks for successful authentication, and will accept
+ # messages from authenticated users from anywhere on the Internet.
+
+-begin authenticators
++#
+
+ # PLAIN authentication has no server prompts. The client sends its
+ # credentials in one lump, containing an authorization ID (which we do not
diff --git a/exim-4.92-spamdconf.patch b/exim-4.92-spamdconf.patch
new file mode 100644
index 0000000..cab7969
--- /dev/null
+++ b/exim-4.92-spamdconf.patch
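Review bot: The `remote_msa` transport sets `hosts_require_auth = *` but nothing that requires TLS, so if the smarthost does not offer STARTTLS (or the offer is stripped in transit) the transport would authenticate and relay the message in cleartext. Adding `hosts_require_tls = *` directly under `hosts_require_auth = *` makes the delivery defer instead of falling back. The commented `client_auth` example also has the admin put a reusable secret into the main configuration file, so its comment block should carry a line such as `# Keep this file readable only by root and the exim user once SMTPAUTH_PASSWORD is filled in.`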
@@ -0,0 +1,108 @@
+diff --git a/src/configure.default b/src/configure.default
+index f1198b1..8f88a3b 100644
+--- a/src/configure.default
++++ b/src/configure.default
+@@ -124,6 +124,7 @@ acl_smtp_rcpt = acl_check_rcpt
+ acl_smtp_data_prdr = acl_check_prdr
+ .endif
+ acl_smtp_data = acl_check_data
++acl_smtp_mime = acl_check_mime
+
+ # You should not change those settings until you understand how ACLs work.
+
+@@ -136,7 +137,7 @@ acl_smtp_data = acl_check_data
+ # of what to set for other virus scanners. The second modification is in the
+ # acl_check_data access control list (see below).
+
+-# av_scanner = clamd:/tmp/clamd
++av_scanner = clamd:/var/run/clamd.exim/clamd.sock
+
+
+ # For spam scanning, there is a similar option that defines the interface to
+@@ -458,7 +459,8 @@ acl_check_rcpt:
+ accept local_parts = postmaster
+ domains = +local_domains
+
+- # Deny unless the sender address can be verified.
++ # Deny unless the sender address can be routed. For proper verification of the
++ # address, read the documentation on callouts and add the /callout modifier.
+
+ require verify = sender
+
+@@ -601,21 +603,26 @@ acl_check_data:
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
+
++ # Put simple tests first. A good one is to check for the presence of a
++ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken
++ # or misconfigured mailer software occasionally omits this from genuine
++ # messages too, though -- although it's not hard for the offender to fix
++ # after they receive a bounce because of it.
++ #
++ # deny condition = ${if !def:h_Message-ID: {1}}
++ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\
++ # Most messages without it are spam, so your mail has been rejected.
++
+ # Deny if the message contains a virus. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option above.
+ #
+ # deny malware = *
+ # message = This message contains a virus ($malware_name).
+
+- # Add headers to a message if it is judged to be spam. Before enabling this,
+- # you must install SpamAssassin. You may also need to set the spamd_address
+- # option above.
++ # Bypass SpamAssassin checks if the message is too large.
+ #
+- # warn spam = nobody
+- # add_header = X-Spam_score: $spam_score\n\
+- # X-Spam_score_int: $spam_score_int\n\
+- # X-Spam_bar: $spam_bar\n\
+- # X-Spam_report: $spam_report
++ # accept condition = ${if >={$message_size}{100000} {1}}
++ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+
+ #############################################################################
+ # No more tests if PRDR was actively used.
+@@ -629,11 +636,40 @@ acl_check_data:
+ # condition = ...
+ #############################################################################
+
++ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
++ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
++ # score exceeds the SA system threshold.
++ #
++ # warn spam = nobody/defer_ok
++ # add_header = X-Spam-Flag: YES
++ #
++ # accept condition = ${if !def:spam_score_int {1}}
++ # add_header = X-Spam-Note: SpamAssassin invocation failed
++ #
+
+- # Accept the message.
++ # Unconditionally add score and report headers
++ #
++ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
++ # X-Spam-Report: $spam_report
++
++ # And reject if the SpamAssassin score is greater than ten
++ #
++ # deny condition = ${if >{$spam_score_int}{100} {1}}
++ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
++ # $spam_report
+
+ accept
+
++acl_check_mime:
++
++ # File extension filtering.
++ deny message = Blacklisted file extension detected ++ condition = ${if match \ ++ {${lc:$mime_filename}} \ ++ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ ++ {1}{0}} ++ ++ accept + + + ###################################################################### diff --git a/exim.spec b/exim.spec index 444fb3d..372f5be 100644 --- a/exim.spec +++ b/exim.spec @@ -13,8 +13,8 @@ Summary: The exim mail transfer agent Name: exim -Version: 4.91 -Release: 6%{?dist} +Version: 4.92 +Release: 1%{?dist} License: GPLv2+ Url: http://www.exim.org/ Provides: MTA smtpd smtpdaemon server(smtp) @@ -44,20 +44,20 @@ Source24: exim.service Source25: exim-gen-cert Source26: clamd.exim.service -Patch4: exim-4.91-rhl.patch -Patch6: exim-4.91-config.patch +Patch4: exim-4.92-rhl.patch +Patch6: exim-4.92-config.patch Patch8: exim-4.82-libdir.patch -Patch12: exim-4.91-cyrus.patch -Patch13: exim-4.91-pamconfig.patch -Patch14: exim-4.91-spamdconf.patch -Patch18: exim-4.91-dlopen-localscan.patch -Patch19: exim-4.91-procmail.patch -Patch20: exim-4.91-allow-filter.patch -Patch21: exim-4.87-localhost-is-local.patch -Patch22: exim-4.91-greylist-conf.patch -Patch23: exim-4.91-smarthost-config.patch +Patch12: exim-4.92-cyrus.patch +Patch13: exim-4.92-pamconfig.patch +Patch14: exim-4.92-spamdconf.patch +Patch18: exim-4.92-dlopen-localscan.patch +Patch19: exim-4.92-procmail.patch +Patch20: exim-4.92-allow-filter.patch +Patch21: exim-4.92-localhost-is-local.patch +Patch22: exim-4.92-greylist-conf.patch +Patch23: exim-4.92-smarthost-config.patch Patch26: exim-4.85-pic.patch -Patch27: exim-4.90.1-environment.patch +Patch27: exim-4.92-environment.patch # Workaround for NIS removal from glibc, bug 1534920 Patch33: exim-4.90.1-nsl-fix.patch 
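Review bot: The `acl_check_mime` rule added by exim-4.92-spamdconf.patch is the only content check the patch leaves active, and it tests nothing but the sender-declared `$mime_filename` against six extensions. `av_scanner` is now set, yet `deny malware = *` in `acl_check_data` stays commented in the context lines of the same patch, so attachment content is not scanned by default. I would say so above the rule, e.g. `# Filename check only: the name comes from the sender. Uncomment "deny malware" in acl_check_data for content scanning.`, and add `log_message = blocked attachment $mime_filename` so a rejection can be traced from the log. Separately, the commented `deny` for high spam scores returns `$spam_report` to the sender, which tells them which rules fired; a fixed rejection text with the report kept in the log would avoid that.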
@@ -571,6 +571,10 @@ test "$1" = 0 || %{_initrddir}/clamd.exim condrestart >/dev/null 2>&1 || : %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Mon Feb 11 2019 Jaroslav Škarvada - 4.92-1 +- New version + Resolves: rhbz#1674282 + * Thu Jan 31 2019 Fedora Release Engineering - 4.91-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index 8490f67..2e882ad 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (exim-4.91.tar.xz) = 35b34dda8dd0f27c0429e6eb8409756ecd3cf9e535bac421d696b1560db0ff3bf4cd0e4a00bc0b7e32137d31bb5de20776c7c1830ec125aa36b5c4376b0c71a2 +SHA512 (exim-4.92.tar.xz) = 62c327e6184a358ba7f0dbc38b44d2537234be91727a5bfac97e74af64a8d77e376b3221dcfdd8f6eca7d812f9233595503dc6e50e2972bed40a1b74eb209c31