Jeremy Harris | 20 Aug 20:51 2014

[Bug 249] CN verification in client TLS code

------- You are receiving this mail because: -------
You are the QA contact for the bug.

http://bugs.exim.org/show_bug.cgi?id=249

Jeremy Harris <jgh146exb <at> wizmail.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Jeremy Harris <jgh146exb <at> wizmail.org>  2014-08-20 19:51:14 ---
The above was pushed as a7538db - so closing this bug

--

-- 
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

Jeremy Harris | 15 Aug 17:41 2014

[Bug 282] Conversion of IDNA domain names for logging


http://bugs.exim.org/show_bug.cgi?id=282

Nigel Metheringham <nigel <at> exim.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|Exim 4.72                   |Exim 4.73
   Target Milestone|Exim 4.73                   |Exim 4.77

Jeremy Harris <jgh146exb <at> wizmail.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jgh146exb <at> wizmail.org

--- Comment #2 from Jeremy Harris <jgh146exb <at> wizmail.org>  2014-08-15 16:41:03 ---
See also bug 1516


Todd Lyons | 12 Aug 17:07 2014

Compile error on newer OpenBSD

OpenBSD 5.5 was released on May 1 2014.  In it, there appears to be
movement on deprecating arc4random_* function calls.  A build client
builds all of the object files correctly, but is failing to link the
final exim binary with the following error:

ccache gcc -o exim  acl.o child.o crypt16.o daemon.o dbfn.o debug.o
deliver.o directory.o dns.o drtables.o enq.o exim.o expand.o filter.o
filtertest.o globals.o dkim.o header.o host.o ip.o log.o lss.o match.o
moan.o os.o parse.o queue.o rda.o readconf.o receive.o retry.o
rewrite.o rfc2047.o route.o search.o sieve.o smtp_in.o smtp_out.o
spool_in.o spool_out.o std-crypto.o store.o string.o tls.o tod.o
transport.o tree.o verify.o lookups/lf_quote.o lookups/lf_check_file.o
lookups/lf_sqlperform.o local_scan.o  malware.o mime.o regex.o spam.o
spool_mbox.o demime.o bmi_spam.o spf.o srs.o dcc.o dmarc.o version.o \
  routers/routers.a transports/transports.a lookups/lookups.a \
  auths/auths.a pdkim/pdkim.a \
   -lm    \
      \
    -L/usr/local/lib -Wl,-R/usr/local/lib -lpcre
acl.o(.text+0xe7): In function `acl_var_create':
: warning: strcpy() is almost always misused, please use strlcpy()
filter.o(.text+0x1a2d): In function `read_command_list':
: warning: strcat() is almost always misused, please use strlcat()
daemon.o(.text+0xb55): In function `daemon_go':
: warning: sprintf() is often misused, please use snprintf()
expand.o(.text+0x24c8): In function `vaguely_random_number':
: undefined reference to `arc4random_stir'
collect2: ld returned 1 exit status
Makefile:416: recipe for target 'exim' failed
gmake[1]: *** [exim] Error 1

Todd Lyons | 8 Aug 22:30 2014

Exim 4.84 RC2 Released


I have uploaded Exim 4.84 RC2 to
ftp://ftp.exim.org/pub/exim/exim4/test/

This release contains only a small change to fix compilation when built
with DSN, a small change to fix exipick to understand a new line format
in the spool file due to DSN, and a documentation update.  The only
other change expected before release is to update ChangeLog and
NewStuff.

The files are signed with the PGP key 0x04D29EBA, which has a uid
"Todd Lyons (Exim Maintainer) <tlyons <at> exim.org>". Please use your own
discretion in assessing what trust paths you might have to this uid.

Checksums below. Detached PGP signatures in .asc files are available
alongside the tarballs.

Please report issues by replying to this email, on exim-users or
exim-dev. 

SHA256 Checksums:

Mike Cardwell | 7 Aug 10:32 2014

[Bug 1516] New: SMTPUTF8 Extension for Internationalised Email Addresses

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1516
           Summary: SMTPUTF8 Extension for Internationalised Email Addresses
           Product: Exim
           Version: N/A
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: wishlist
          Priority: medium
         Component: Delivery in general
        AssignedTo: nigel <at> exim.org
        ReportedBy: exim-users <at> lists.grepular.com
                CC: exim-dev <at> exim.org

Please consider adding support for the SMTPUTF8 SMTP extension from RFC6530 so
that Exim can support internationalised email addresses:

https://tools.ietf.org/html/rfc6530

Google recently announced that they would be adding support to Gmail:

http://googleblog.blogspot.com.au/2014/08/a-first-step-toward-more-global-email.html


Jeremy Harris | 4 Aug 23:47 2014

[Bug 249] CN verification in client TLS code


http://bugs.exim.org/show_bug.cgi?id=249

--- Comment #3 from Jeremy Harris <jgh146exb <at> wizmail.org>  2014-08-04 22:47:18 ---
There's work-in-progress to expand the EXPERIMENTAL_TPDA feature into providing
a callback for certificate verification; this would handle the missing need for
client-side enforcement.


Jeremy Harris | 4 Aug 23:25 2014

[Bug 1514] New: callouts with smtp auth need $host


http://bugs.exim.org/show_bug.cgi?id=1514
           Summary: callouts with smtp auth need $host
           Product: Exim
           Version: 4.82
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Transports
        AssignedTo: jgh146exb <at> wizmail.org
        ReportedBy: jgh146exb <at> wizmail.org
                CC: exim-dev <at> exim.org

(reported by Russell King)
Let's say that you wish to use callout verification between various hosts
which you control, and you also wish to use SMTP auth between them.  Let's
also say that you use per-host secrets as well, and you look them up via
this authenticator:

cram:
  driver = cram_md5
  public_name = CRAM-MD5
  client_name = ${extract{1}{.}{$primary_hostname}}
  client_secret = ${lookup{$host}lsearch{/etc/exim/host/auth-client}{$value}fail}


Jeremy Harris | 4 Aug 20:10 2014

tls server certs

The current exim OpenSSL build takes the "verify" bundle
specified by global "tls_verify_certificates" and (presumably
only if it can find a match?) decorates the server cert
specified by global "tls_certificate" to give (in my
testing - testcase 5760) a full certificate chain.

No particular harm ensues; I only saw this due
to the expanded version of TPDA I'm working on
  (it has a tls:cert event, raised once per cert
  in the server chain seen by a client) -
but this does seem to unfortunately conflate
the meanings of the configuration options.

You can confirm the wire traffic using wireshark.

The exim GnuTLS build does not do this; it
does the simple thing.

The relevant docs seem to be:

https://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html#
"When building its own certificate chain, an OpenSSL client/server will
try to fill in missing certificates from CAfile/CApath, if the
certificate chain was not explicitly specified"

https://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html
"If additional certificates are needed to complete the chain during the
TLS negotiation, CA certificates are additionally looked up in the
locations of trusted CA certificates"


Timo Sirainen | 1 Aug 13:16 2014

Dovecot auth socket correctness check

Dovecot has multiple auth socket types for different purposes: client, userdb and master. Admins
sometimes configure the wrong socket to Exim, which currently simply causes Exim to hang until it reaches
a timeout. Unfortunately due to some initial design mistakes the different socket types aren't
especially easy to differentiate from each other in the code. But it is still possible, so this patch
gives a nicer error message if the wrong socket type is used:

authentication socket type mismatch (connected to auth-master instead of auth-client)

Attachment (exim-auth-socket-type-check.diff): application/octet-stream, 1989 bytes

Jeremy Harris | 30 Jul 20:41 2014

[Bug 1513] New: mime handling broken


http://bugs.exim.org/show_bug.cgi?id=1513
           Summary: mime handling broken
           Product: Exim
           Version: 4.83
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: bug
          Priority: high
         Component: ACLs
        AssignedTo: jgh146exb <at> wizmail.org
        ReportedBy: jgh146exb <at> wizmail.org
                CC: exim-dev <at> exim.org

Seems like 4.83 breaks the mime ACL:

1)  "I've logged $mime_filename for all attachments.  I see that it is now
quoted but looking back through older logs, it wasn't before."

https://lists.exim.org/lurker/message/20140729.150921.14661476.en.html

2) "mainlog shows that acl_check_mime was called only once"

https://lists.exim.org/lurker/message/20140730.142622.5f693c48.en.html


Andreas Metzler | 30 Jul 19:28 2014

[Bug 1512] New: dovecot authenticator waits for server's DONE before sending DATA


http://bugs.exim.org/show_bug.cgi?id=1512
           Summary: dovecot authenticator waits for server's DONE before
                    sending DATA
           Product: Exim
           Version: 4.83
          Platform: Other
               URL: http://bugs.debian.org/756258
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: SMTP Authentication
        AssignedTo: pdp <at> exim.org
        ReportedBy: eximusers <at> bebt.de
                CC: exim-dev <at> exim.org

Hello,

this is <http://bugs.debian.org/756258> as submitted by Mildred Ki'Lya:

<Quote>
When exim4 is configured with dovecot authenticator, it blocks at some
point, apparently expecting some information from dovecot. Dovecot on its
side is expecting additional information from exim. None of the two
parties move forward and exim does not respond to the SMTP client. After
some unspecified time, the MUA terminates the connection, because no
response is sent from the server.