Index: branches/2020Q3/mail/exim/Makefile
===================================================================
--- branches/2020Q3/mail/exim/Makefile (revision 548184)
+++ branches/2020Q3/mail/exim/Makefile (revision 548185)
@@ -1,646 +1,646 @@ # Created by: markm@FreeBSD.org # $FreeBSD$ PORTNAME= exim PORTVERSION?= ${EXIM_VERSION} -PORTREVISION?= 1 +PORTREVISION?= 2 CATEGORIES= mail MASTER_SITES= EXIM:exim MASTER_SITE_SUBDIR= /exim4/:exim \ /exim4/fixes/:exim \ /exim4/old/:exim DISTNAME= ${PORTNAME}-${EXIM_VERSION} DISTFILES= ${DISTNAME}${EXTRACT_SUFX}:exim DIST_SUBDIR= exim EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER= fluffy@FreeBSD.org COMMENT?= High performance MTA for Unix systems on the Internet LICENSE= GPLv2 USES= compiler cpe tar:bzip2 perl5 USE_CSTD= c99 USE_PERL5= run # Exim build system is job unsafe atm MAKE_JOBS_UNSAFE= yes # One can tune the following "hidden" knobs: # - EXIM_USER: user exim is running as; # - EXIM_GROUP: ditto for the group; # - LOGDIR: where Exim logs will be put; # - LOG_FILE_PATH: path where '%s' will be substituted with # the target name (main, reject, etc); # - CONFIG_FILE_PATH: path to the default configuration file; # - ALT_CONFIG_PREFIX: path to the default prefix for all # configuration files, excluding the main one; # will be effective only when WITH_ALT_CONFIG_PREFIX # will be set via OPTIONS. 
.if make(makesum) && !defined(FETCH_ALL) .error "You forgot to define FETCH_ALL to create the sane distinfo" .endif .include "options" OPTIONS_SUB= yes AUTH_SASL_LIB_DEPENDS= libsasl2.so:security/cyrus-sasl2 BDB_USES= bdb DMARC_LIB_DEPENDS= libopendmarc.so:mail/opendmarc EMBEDDED_PERL_USE= perl5=run,build EXIMON_USES= xorg EXIMON_USE= xorg=x11,xaw,xext,xmu,xt GNUTLS_LIB_DEPENDS= libgnutls.so:security/gnutls ICONV_USES= iconv:lib,build INTERNATIONAL_LIB_DEPENDS= libidn.so:dns/libidn LMDB_LIB_DEPENDS= liblmdb.so:databases/lmdb MYSQL_USES= mysql OPENLDAP_USE= openldap=yes PGSQL_LIB_DEPENDS= libicudata.so:devel/icu PGSQL_USES= pgsql pkgconfig REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis SASLAUTHD_RUN_DEPENDS= ${LOCALBASE}/sbin/saslauthd:security/cyrus-sasl2-saslauthd SA_EXIM_RUN_DEPENDS= ${LOCALBASE}/bin/spamc:mail/spamassassin SPF_LIB_DEPENDS= libspf2.so:mail/libspf2 SQLITE_LIB_DEPENDS= libicudata.so:devel/icu SQLITE_USES= pkgconfig sqlite .include # OCSP is supported for openssl only .if ${PORT_OPTIONS:MOCSP} .if ! ${PORT_OPTIONS:MTLS} IGNORE= you cannot enable OCSP stapling without TLS support .elif ${PORT_OPTIONS:MGNUTLS} IGNORE= you cannot enable OCSP stapling with gnutls .endif .endif # DMARC implies SPF and DKIM .if ${PORT_OPTIONS:MDMARC} .if ! ${PORT_OPTIONS:MSPF} || ! ${PORT_OPTIONS:MDKIM} IGNORE= you cannot enable DMARC without SPF and DKIM support .endif .endif # ARC implies SPF and DKIM .if ${PORT_OPTIONS:MARC} .if ! ${PORT_OPTIONS:MSPF} || ! ${PORT_OPTIONS:MDKIM} IGNORE= you cannot enable ARC without SPF and DKIM support .endif .endif # DANE implies DNSSEC .if ${PORT_OPTIONS:MDANE} .if ! ${PORT_OPTIONS:MDNSSEC} || ! 
${PORT_OPTIONS:MTLS} IGNORE= you cannot enable DANE without DNSSEC support or without TLS support .endif .endif .if ${PORT_OPTIONS:MSA_EXIM} || defined(FETCH_ALL) MASTER_SITES+= http://marc.merlins.org/linux/exim/files/:sa_exim \ SF/sa-exim/sa-exim/${SA_EXIM_VERSION}:sa_exim DISTFILES+= sa-exim-${SA_EXIM_VERSION}.tar.gz:sa_exim EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.c EXTRA_PATCHES+= ${FILESDIR}/extra-patch-Local-sa-exim.conf .endif EXIM_VERSION= 4.94 SA_EXIM_VERSION=4.2.1 EXIM_INSTALL_ARG+= "-no_chown" "-no_symlink" EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name '74_*.patch'|${SORT} -h` .if !defined(EXIMON_ONLY) PLIST_SUB+= EXIM="" .if defined(PKGNAMESUFFIX) CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}-4.* .endif .for suffix in -ldap2 -mysql -postgresql -sa-exim -sqlite .if !defined(PKGNAMESUFFIX) || ${PKGNAMESUFFIX} != ${suffix} CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}${suffix}-4.* .endif .endfor .if ${PORT_OPTIONS:MEXIMON} CONFLICTS+= ${PKGNAMEPREFIX}${PORTNAME}-monitor-4.* .endif PKGMESSAGE= ${WRKDIR}/POST-INSTALL-NOTES .else # !EXIMON_ONLY PLIST_SUB+= EXIM="@comment " PORT_OPTIONS+= EXIMON PKGMESSAGE= ${WRKDIR}/pkg-message EXIM_INSTALL_ARG+= "eximon" "eximon.bin" .endif # !EXIMON_ONLY PORTDOC_BASE= ACKNOWLEDGMENTS NOTICE README.UPDATING PORTDOC_FILES= ChangeLog Exim3.upgrade Exim4.upgrade NewStuff \ OptionLists.txt README README.SIEVE dbm.discuss.txt \ experimental-spec.txt filter.txt spec.txt PORT_EXAMPLES= convert4r3 convert4r4 transport-filter.pl DAILY_SCRIPTS= 150.exim-tidydb 460.exim-mail-rejects MAKE_ENV+= OSTYPE="${OPSYS}" ARCHTYPE="${ARCH}" DUMMY_LDFLAGS="${DUMMY_LDFLAGS}" STRIP_COMMAND="${STRIP_CMD}" EXIM_USER?= mailnull EXIM_GROUP?= mail # Default user/group are system ones, so we don't want to check them .if ${EXIM_USER} != "mailnull" USERS= ${EXIM_USER} .endif .if ${EXIM_GROUP} != "mail" GROUPS= ${EXIM_GROUP} .endif LOGDIR?= /var/log/exim LOG_FILE_PATH?= ${LOGDIR}/%slog CONFIG_FILE_PATH?= ${PREFIX}/etc/exim/configure ALT_CONFIG_PREFIX?= 
${PREFIX}/etc/exim/ EXIM_DYNAMIC_LDFLAGS= -fPIC -rdynamic -Wl,--export-dynamic SED_SCRIPT= -e 's,%%PREFIX%%,${PREFIX},g' \ -e 's,%%DOCSDIR%%,${DOCSDIR},g' \ -e 's,%%EXAMPLESDIR%%,${EXAMPLESDIR},g' \ -e 's,%%EXIM_USER%%,${EXIM_USER},g' \ -e 's,%%EXIM_GROUP%%,${EXIM_GROUP},g' \ -e 's,%%LOGDIR%%,${LOGDIR},g' SEDLIST+= -e 's,XX_CFLAGS_XX,${CFLAGS:S/,/\\,/g},' \ -e 's,XX_PREFIX_XX,${PREFIX:S/,/\\,/g},' \ -e 's,XX_LOCALBASE_XX,${LOCALBASE:S/,/\\,/g},' \ -e 's,XX_LOG_FILE_PATH_XX,${LOG_FILE_PATH:S/,/\\,/g},' \ -e 's,XX_CONFIG_FILE_PATH_XX,${CONFIG_FILE_PATH:S/,/\\,/g},' \ -e 's,XX_ALT_CONFIG_PREFIX_XX,${ALT_CONFIG_PREFIX:S/,/\\,/g},' \ -e 's,XX_EXIM_USER_XX,${EXIM_USER:S/,/\\,/g},' \ -e 's,XX_EXIM_GROUP_XX,${EXIM_GROUP:S/,/\\,/g},' \ -e 's,XX_DEFAULT_CHARSET_XX,${WITH_DEFAULT_CHARSET:S/,/\\,/g},' \ -e 's,XX_DYNAMIC_LDFLAGS_XX,${EXIM_DYNAMIC_LDFLAGS:S/,/\\,/g},' PLIST_SUB+= EXIM_VERSION="${EXIM_VERSION}-${PORTREVISION}" \ EXIM_USER=${EXIM_USER} \ EXIM_GROUP=${EXIM_GROUP} \ LOGDIR="${LOGDIR:S/^\///}" # Exim refuses to run local deliveries as root by default. You can # add other users to this colon-separated list that cannot be # overridden at runtime below, but are advised not to remove "root". #WITH_FIXED_NEVER_USERS= root:daemon:bin # When Exim is decoding MIME "words" in header lines it converts any foreign # character sets to the one that is set in the headers_charset option. # The default setting is defined by this setting: WITH_DEFAULT_CHARSET?= ISO-8859-1 # You should not need to fiddle with anything below this point. LIB_DEPENDS+= libpcre.so:devel/pcre .if ! 
${PORT_OPTIONS:MDKIM} SEDLIST+= -e 's,^\# (DISABLE_DKIM=),\1,' .endif .if ${PORT_OPTIONS:MLISTMATCH_RHS} SEDLIST+= -e 's,^\# (EXPAND_LISTMATCH_RHS=),\1,' .endif .if ${PORT_OPTIONS:MDCC} SEDLIST+= -e 's,^\# (EXPERIMENTAL_DCC=),\1,' .endif .if ${PORT_OPTIONS:MPROXY} SEDLIST+= -e 's,^\# (SUPPORT_PROXY=),\1,' .endif .if ${PORT_OPTIONS:MCERTNAMES} SEDLIST+= -e 's,^\# (EXPERIMENTAL_CERTNAMES=),\1,' .endif .if ${PORT_OPTIONS:MDSN} SEDLIST+= -e 's,^\# (EXPERIMENTAL_DSN=),\1,' .endif .if !${PORT_OPTIONS:MDANE} SEDLIST+= -e 's,^(SUPPORT_DANE=),\#\1,' .endif .if ${PORT_OPTIONS:MARC} SEDLIST+= -e 's,^\# (EXPERIMENTAL_ARC=),\1,' .endif .if !${PORT_OPTIONS:MEVENT} SEDLIST+= -e 's,^\# (DISABLE_EVENT=),\1,' .endif .if ${PORT_OPTIONS:MINTERNATIONAL} SEDLIST+= -e 's,^\# (SUPPORT_I18N=),\1,' \ -e 's,XX_IDN_LIBS_XX,-L${LOCALBASE}/lib -lidn,' .else SEDLIST+= -e 's,XX_IDN_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MSOCKS} SEDLIST+= -e 's,^\# (SUPPORT_SOCKS=),\1,' .endif .if !${PORT_OPTIONS:MPRDR} SEDLIST+= -e 's,^\# (DISABLE_PRDR=),\1,' .endif .if !${PORT_OPTIONS:MOCSP} SEDLIST+= -e 's,^\# (DISABLE_OCSP=),\1,' .endif .if !${PORT_OPTIONS:MDNSSEC} SEDLIST+= -e 's,^\# (DISABLE_DNSSEC=),\1,' .endif .if ${PORT_OPTIONS:MDMARC} SEDLIST+= -e 's,XX_DMARC_LIBS_XX,-L${LOCALBASE}/lib -lopendmarc,' \ -e 's,^\# (SUPPORT_DMARC=),\1,' .else SEDLIST+= -e 's,XX_DMARC_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MWISHLIST} EXTRA_PATCHES+= `${FIND} ${PATCHDIR} -name 'wishlist-*.patch'` .endif .if ${PORT_OPTIONS:MFIXED_NEVER_USERS} SEDLIST+= -e 's,^(FIXED_NEVER_USERS=).*,\1${WITH_FIXED_NEVER_USERS:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MEXIMON} SEDLIST+= -e 's,^\# (EXIM_MONITOR=),\1,' .endif .if ${PORT_OPTIONS:MTLS} .if ! 
${PORT_OPTIONS:MGNUTLS} USES+= ssl SEDLIST+= -e 's,^\# (USE_OPENSSL=),\1,' SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lssl[[:space:]]),\1,' .else SEDLIST+= -e 's,^\# (USE_GNUTLS=),\1,' SEDLIST+= -e 's,^\# (TLS_LIBS=.*-lgnutls[[:space:]]),\1,' .endif .else # TLS support SEDLIST+= -e 's,^\# (DISABLE_TLS=),\1,' .endif .if ${PORT_OPTIONS:MEMBEDDED_PERL} SEDLIST+= -e 's,^\# (EXIM_PERL=),\1,' .endif .if ${PORT_OPTIONS:MTCP_WRAPPERS} SEDLIST+= -e 's,XX_TCP_WRAPPERS_LIBS_XX,-lwrap,' \ -e 's,^\# (USE_TCP_WRAPPERS=),\1,' .else SEDLIST+= -e 's,XX_TCP_WRAPPERS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MICONV} SEDLIST+= -e 's,XX_ICONV_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib ${ICONV_LIB},' \ -e 's,^\# (HAVE_ICONV=),\1,' .else SEDLIST+= -e 's,XX_ICONV_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MOPENLDAP_VER} && ${WITH_OPENLDAP_VER:tl} != "auto" WANT_OPENLDAP_VER= ${WITH_OPENLDAP_VER} .endif .if ${PORT_OPTIONS:MOPENLDAP} LDAP_LIB_TYPE= OPENLDAP2 SEDLIST+= -e 's,XX_LDAP_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -llber -lldap,' \ -e 's,XX_LDAP_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include,' \ -e 's,XX_LDAP_TYPE_XX,${LDAP_LIB_TYPE:S/,/\\,/g},' \ -e 's,^\# (LOOKUP_LDAP=),\1,' .else SEDLIST+= -e 's,XX_LDAP_[^ ]*_XX,,' \ -e 's,^(LDAP_LIB_TYPE=),\# \1,' .endif .if ${PORT_OPTIONS:MBDB} INVALID_BDB_VER= 2 3 DB_LIBS= -L${BDB_LIB_DIR} -l${BDB_LIB_NAME} DB_INCLUDES= -I${BDB_INCLUDE_DIR} .else DB_LIBS= DB_INCLUDES= SEDLIST+= -e 's,^(DBMLIB=),\# \1,' .endif SEDLIST+= -e 's,XX_DB_LIBS_XX,${DB_LIBS:S/,/\\,/g},' \ -e 's,XX_DB_INCLUDES_XX,${DB_INCLUDES:S/,/\\,/g},' .if ${PORT_OPTIONS:MLMDB} _LMDB_LIBS= -L${LOCALBASE}/lib -llmdb _LMDB_INCLUDES= -I${LOCALBASE}/include SEDLIST+= -e 's,^\# (EXPERIMENTAL_LMDB=),\1,' .else _LMDB_LIBS= _LMDB_INCLUDES= .endif SEDLIST+= -e 's,XX_LMDB_LIBS_XX,${_LMDB_LIBS:S/,/\\,/g},' \ -e 's,XX_LMDB_INCLUDES_XX,${_LMDB_INCLUDES:S/,/\\,/g},' .if ${PORT_OPTIONS:MMYSQL} SEDLIST+= -e 's,XX_MYSQL_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib/mysql -l${_MYSQL_SHLIB:S/lib//},' \ -e 
's,XX_MYSQL_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include/mysql,' \ -e 's,^\# (LOOKUP_MYSQL=),\1,' .else SEDLIST+= -e 's,XX_MYSQL_[^ ]*_XX,,' .endif .if ${PORT_OPTIONS:MSASLAUTHD} SASLAUTHD_SOCKET?= /var/run/saslauthd/mux SEDLIST+= -e 's,^\# (CYRUS_SASLAUTHD_SOCKET=).*,\1${SASLAUTHD_SOCKET:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MPAM} SEDLIST+= -e 's,XX_PAM_LIBS_XX,-lpam,' \ -e 's,^\# (SUPPORT_PAM=),\1,' .else SEDLIST+= -e 's,XX_PAM_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MAUTH_CRAM_MD5} SEDLIST+= -e 's,^\# (AUTH_CRAM_MD5=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_PLAINTEXT} SEDLIST+= -e 's,^\# (AUTH_PLAINTEXT=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_DOVECOT} SEDLIST+= -e 's,^\# (AUTH_DOVECOT=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_SPA} SEDLIST+= -e 's,^\# (AUTH_SPA=),\1,' .endif .if ${PORT_OPTIONS:MAUTH_SASL} SEDLIST+= -e 's,^\# (AUTH_CYRUS_SASL=),\1,' \ -e 's,^\# (AUTH_LIBS=.*-lsasl2),\1,' .endif .if ${PORT_OPTIONS:MAUTH_RADIUS} WITH_RADIUS_TYPE?= RADLIB .if ${WITH_RADIUS_TYPE:tl} == radlib SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,-lradius,' \ -e 's,^\# (RADIUS_CONFIG_FILE=).*,\1/etc/radius.conf,' \ -e 's,^\# (RADIUS_LIB_TYPE=).*,\1RADLIB,' .elif ${WITH_RADIUS_TYPE:tl} == radiusclient LIB_DEPENDS+= libfreeradius-client.so:net/freeradius-client SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -lfreeradius-client,' \ -e 's,^\# (RADIUS_CONFIG_FILE=).*,\1${LOCALBASE:S/,/\\,/g}/etc/radiusclient/radiusclient.conf,' \ -e 's,^\# (RADIUS_LIB_TYPE=).*,\1RADIUSCLIENTNEW,' .else IGNORE= the variable WITH_RADIUS_TYPE must be either RADLIB or RADIUSCLIENT .endif .else SEDLIST+= -e 's,XX_RADIUS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MPGSQL} SEDLIST+= -e 's,XX_PGSQL_LIBS_XX,-L${LOCALBASE:S/,/\\,/g}/lib -lpq,' \ -e 's,XX_PGSQL_INCLUDE_XX,-I${LOCALBASE:S/,/\\,/g}/include/pgsql,' \ -e 's,^\# (LOOKUP_PGSQL=),\1,' .else SEDLIST+= -e 's,XX_PGSQL_[^ ]*_XX,,' .endif .if ! ${PORT_OPTIONS:MPGSQL} && ! ${PORT_OPTIONS:MMYSQL} && !defined(LDAP_LIB_TYPE) && \ ! ${PORT_OPTIONS:MBDB} && ! 
${PORT_OPTIONS:MLMDB} SEDLIST+= -e 's,^(LOOKUP_LIBS=),\# \1,' \ -e 's,^(LOOKUP_INCLUDE=),\# \1,' .endif .if ! ${PORT_OPTIONS:MDNSDB} SEDLIST+= -e 's,^(LOOKUP_DNSDB=),\# \1,' .endif .if ${PORT_OPTIONS:MMAILDIR} SEDLIST+= -e 's,^\# (SUPPORT_MAILDIR=),\1,' .endif .if ${PORT_OPTIONS:MMAILSTORE} SEDLIST+= -e 's,^\# (SUPPORT_MAILSTORE=),\1,' .endif .if ${PORT_OPTIONS:MMBX} SEDLIST+= -e 's,^\# (SUPPORT_MBX=),\1,' .endif .if ${PORT_OPTIONS:MCDB} SEDLIST+= -e 's,^\# (LOOKUP_CDB=),\1,' .endif .if ${PORT_OPTIONS:MDSEARCH} SEDLIST+= -e 's,^\# (LOOKUP_DSEARCH=),\1,' .endif .if ! ${PORT_OPTIONS:MLSEARCH} SEDLIST+= -e 's,^(LOOKUP_LSEARCH=),\# \1,' .endif .if ${PORT_OPTIONS:MNIS} SEDLIST+= -e 's,^\# (LOOKUP_NIS=),\1,' .endif .if ${PORT_OPTIONS:MPASSWD} SEDLIST+= -e 's,^\# (LOOKUP_PASSWD=),\1,' .endif .if ${PORT_OPTIONS:MSQLITE} SEDLIST+= -e 's,XX_SQLITE_LIBS_XX,`pkg-config --static --libs sqlite3`,' \ -e 's,XX_SQLITE_FLAGS_XX,`pkg-config --cflags sqlite3`,' \ -e 's,^\# (LOOKUP_SQLITE=),\1,' .else SEDLIST+= -e 's,XX_SQLITE_LIBS_XX,,' \ -e 's,XX_SQLITE_FLAGS_XX,,' .endif .if ${PORT_OPTIONS:MREDIS} SEDLIST+= -e 's,XX_REDIS_LIBS_XX,-L${LOCALBASE}/lib -lhiredis,' \ -e 's,^\# (LOOKUP_REDIS=),\1,' \ -e 's,^\# (REDIS=),\1,' .else SEDLIST+= -e 's,XX_REDIS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MLMTP} SEDLIST+= -e 's,^\# (TRANSPORT_LMTP=),\1,' .endif .if ! 
${PORT_OPTIONS:MALT_CONFIG_PREFIX} SEDLIST+= -e 's,^(ALT_CONFIG_PREFIX=),\# \1,' .endif .if ${PORT_OPTIONS:MSPF} SEDLIST+= -e 's,XX_SPF_FLAGS_XX,-DSPF,' \ -e 's,XX_SPF_LIBS_XX,-L${LOCALBASE}/lib -lspf2 -lpthread,' \ -e 's,^\# (SUPPORT_SPF=),\1,' .else SEDLIST+= -e 's,XX_SPF_FLAGS_XX,,' \ -e 's,XX_SPF_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MSRS} LIB_DEPENDS+= libsrs_alt.so:mail/libsrs_alt SEDLIST+= -e 's,XX_SRS_FLAGS_XX,-DEXPERIMENTAL_SRS,' \ -e 's,XX_SRS_LIBS_XX,-L${LOCALBASE}/lib -lsrs_alt,' .else SEDLIST+= -e 's,XX_SRS_FLAGS_XX,,' \ -e 's,XX_SRS_LIBS_XX,,' .endif .if ${PORT_OPTIONS:MREADLINE} SEDLIST+= -e 's,^\# (USE_READLINE=),\1,' .endif .if ${PORT_OPTIONS:MCONTENT_SCAN} SEDLIST+= -e 's,^\# (WITH_CONTENT_SCAN=),\1,' .endif .if !defined(EXIMON_ONLY) && ${PORT_OPTIONS:MDAEMON} USE_RC_SUBR= exim PLIST_SUB+= EXIMDAEMON="" SUB_LIST+= LOGDIR="${LOGDIR}" .else PLIST_SUB+= EXIMDAEMON="@comment " .endif .if ${PORT_OPTIONS:MIPV6} SEDLIST+= -e 's,^\# (HAVE_IPV6=),\1,' .endif .if ${PORT_OPTIONS:MDISABLE_D_OPT} SEDLIST+= -e 's,^\# (DISABLE_D_OPTION=),\1,' .else .if defined(WHITELIST_D_MACROS) SEDLIST+= -e 's,^\# (WHITELIST_D_MACROS=).*$$,\1${WHITELIST_D_MACROS:S/,/\\,/g},' .endif .endif .if defined(TRUSTED_CONFIG_LIST) SEDLIST+= -e 's,^\# (TRUSTED_CONFIG_LIST=).*$$,\1${TRUSTED_CONFIG_LIST:S/,/\\,/g},' .endif .if ${PORT_OPTIONS:MQUEUEFILE} SEDLIST+= -e 's,^\# (EXPERIMENTAL_QUEUEFILE=),\1,' .endif MAKE_ENV+= INSTALL_ARG="${EXIM_INSTALL_ARG}" DUMMY_LDFLAGS!= ${ECHO_CMD} ${LDFLAGS} | ${SED} -e 's|-Wl,-rpath|-Wl,-DUMMYrpath|g; s|-rpath|-Wl,-rpath|g; s|-DUMMYrpath|-rpath|g' pre-everything:: @${ECHO} 'Exim now drops privileges when alternate configuration' @${ECHO} 'files are used. You can set make variable TRUSTED_CONFIG_LIST' @${ECHO} 'to specify the list of configuration files for which' @${ECHO} 'root privileges will be retained.' @${ECHO} '' @${ECHO} 'You can whitelist some macros using the make variable' @${ECHO} 'WHITELIST_D_MACROS. 
This is useful if you are running' @${ECHO} 'with DISABLE_D_OPT set, but macros whitelisting will be' @${ECHO} 'removed in some future Exim release, so it is better' @${ECHO} 'to use TRUSTED_CONFIG_LIST to set the list of trusted' @${ECHO} 'configuration files.' .if empty(.MAKEFLAGS:M-s) && ${PORT_OPTIONS:MWISHLIST} @${ECHO} '' @${ECHO} 'Included extra patches:' @${FIND} ${PATCHDIR} -name 'wishlist-*.patch' \ -exec ${SED} -ne 's,^# , ,p' {} \; @${ECHO} '' .endif post-extract: .if ${PORT_OPTIONS:MSA_EXIM} @cd ${WRKDIR} && ${TAR} ${EXTRACT_BEFORE_ARGS} ${_DISTDIR}/sa-exim-${SA_EXIM_VERSION}.tar.gz ${EXTRACT_AFTER_ARGS} @@${CP} ${WRKDIR}/sa-exim-${SA_EXIM_VERSION}/sa-exim.c ${WRKSRC}/Local @@${CP} ${WRKDIR}/sa-exim-${SA_EXIM_VERSION}/sa-exim.conf ${WRKSRC}/Local .endif do-configure: @${MKDIR} ${WRKSRC}/Local @${SED} -E ${SEDLIST} ${WRKSRC}/src/EDITME > ${WRKSRC}/Local/Makefile .if ${PORT_OPTIONS:MEXIMON} @${CP} ${WRKSRC}/exim_monitor/EDITME ${WRKSRC}/Local/eximon.conf .endif @${REINPLACE_CMD} -E ${SEDLIST} ${WRKSRC}/src/configure.default @${REINPLACE_CMD} -e 's!$$(LDFLAGS)!$$(DUMMY_LDFLAGS) -L$${LOCALBASE}/lib!' 
${WRKSRC}/OS/Makefile-Base @${REINPLACE_CMD} -e 's/"(Exim $$version_number)\\n\\t"/"(Exim $$version_number (${OPSYS}))\\n\\t"/' \ ${WRKSRC}/src/globals.c @${REINPLACE_CMD} -e 's/Exim version %s \(#%s \)\{0,1\}/&(${OPSYS} ${OSREL}) /' ${WRKSRC}/src/exim.c @${REINPLACE_CMD} -e 's/^#include "cnumber\.h"$$/${PORTREVISION}/' ${WRKSRC}/src/version.c @${REINPLACE_CMD} -E -e 's/^(PERL_COMMAND=).*/\1${PERL:S,/,\/,g}/' \ -e 's/^(CC=).*/\1${CC:S,/,\/,g}/' ${WRKSRC}/OS/Makefile-Default .if ${PORT_OPTIONS:MSA_EXIM} @${REINPLACE_CMD} -E -e 's/^\# (HAVE_LOCAL_SCAN=).*/\1yes/' \ ${WRKSRC}/OS/Makefile-Default @${REINPLACE_CMD} -E -e 's/^(LOCAL_SCAN_SOURCE=).*/\1Local\/sa-exim.c/' \ ${WRKSRC}/OS/Makefile-Default @{ \ ${ECHO_CMD} "char *version=\"${SA_EXIM_VERSION}\";"; \ ${ECHO_CMD} "#define SPAMC_LOCATION \"${LOCALBASE}/bin/spamc\""; \ ${ECHO_CMD} "#define SPAMASSASSIN_CONF \"${PREFIX}/etc/exim/sa-exim.conf\""; \ } > ${WRKSRC}/Local/sa-exim.h @${REINPLACE_CMD} -e 's,/usr/bin/spamc,${LOCALBASE}/bin/spamc,' \ ${WRKSRC}/Local/sa-exim.conf .endif @${REINPLACE_CMD} -E -e 's/XX_STRIPCMD_XX/${STRIP_CMD:S,/,\/,g}/' \ ${WRKSRC}/OS/Makefile-FreeBSD @(cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} ${MAKE_ARGS} configure) post-build: .for script in ${DAILY_SCRIPTS} @${SED} ${SED_SCRIPT} ${FILESDIR}/${script}.sh > ${WRKDIR}/${script}.sh .endfor @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES > \ ${WRKDIR}/POST-INSTALL-NOTES @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES.clamd > ${WRKDIR}/POST-INSTALL-NOTES.clamd @${SED} ${SED_SCRIPT} ${FILESDIR}/POST-INSTALL-NOTES > ${WRKDIR}/POST-INSTALL-NOTES @[ ! 
-f ${PKGDIR}/pkg-message ] || ${SED} ${SED_SCRIPT} ${PKGDIR}/pkg-message > ${WRKDIR}/pkg-message .if !defined(EXIMON_ONLY) post-install: .if ${PORT_OPTIONS:MDAEMON} ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/daily .for script in ${DAILY_SCRIPTS} ${INSTALL_SCRIPT} ${WRKDIR}/${script}.sh ${STAGEDIR}${PREFIX}/etc/periodic/daily/${script} .endfor .endif @${MKDIR} -m 750 ${STAGEDIR}${LOGDIR} ${INSTALL_MAN} ${WRKSRC}/doc/exim.8 ${STAGEDIR}${MAN8PREFIX}/man/man8 .if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKDIR}/POST-INSTALL-NOTES ${STAGEDIR}${DOCSDIR} ${INSTALL_DATA} ${WRKDIR}/POST-INSTALL-NOTES.clamd ${STAGEDIR}${DOCSDIR} .for docfile in ${PORTDOC_BASE} ${INSTALL_DATA} ${WRKSRC}/${docfile} ${STAGEDIR}${DOCSDIR} .endfor .for docfile in ${PORTDOC_FILES} ${INSTALL_DATA} ${WRKSRC}/doc/${docfile} ${STAGEDIR}${DOCSDIR} .endfor @${MKDIR} ${STAGEDIR}${EXAMPLESDIR} .for example in ${PORT_EXAMPLES} ${INSTALL_SCRIPT} ${WRKSRC}/build-${OPSYS}-${ARCH}/${example} ${STAGEDIR}${EXAMPLESDIR} .endfor .endif .if ${PORT_OPTIONS:MSA_EXIM} ${INSTALL_DATA} ${WRKSRC}/Local/sa-exim.conf \ ${STAGEDIR}${PREFIX}/etc/exim/sa-exim.conf.sample .endif .endif # ! defined(EXIMON_ONLY) .include # If using clang, avoid too many warnings due to Exim code style .if ${CHOSEN_COMPILER_TYPE} == "clang" EXIM_WARN_FLAGS?= -Wno-logical-op-parentheses -Wno-macro-redefined -Wno-parentheses -Wno-dangling-else .endif CFLAGS+= ${EXIM_WARN_FLAGS} .include Index: branches/2020Q3/mail/exim/files/patch-z0027-Fix-spelling-of-local_part_data-in-docs-and-debug-output =================================================================== --- branches/2020Q3/mail/exim/files/patch-z0027-Fix-spelling-of-local_part_data-in-docs-and-debug-output (nonexistent) +++ branches/2020Q3/mail/exim/files/patch-z0027-Fix-spelling-of-local_part_data-in-docs-and-debug-output (revision 548185) 
@@ -0,0 +1,54 @@ +From d08a4ba2c5216195c107b123842da17bc1b0559f Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 9 Aug 2020 01:38:00 +0100 +Subject: [PATCH 27/37] Fix spelling of local_part_data in docs and debug + output + +(cherry picked from commit ccec2d82e2fda6d764f6cd1a9dd21c4f6285b614) +--- + doc/ChangeLog | 2 +- + doc/NewStuff | 2 +- + src/routers/rf_queue_add.c | 2 +- + +diff --git doc/ChangeLog doc/ChangeLog +index aaea04caf..703f4b9ee 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -6700,7 +6700,7 @@ Exim version 4.31 + same list, then the first domain was re-checked, the value of $domain_data + after the final check could be wrong. In particular, if the second check + failed, it could be set empty. This bug probably also applied to +- $localpart_data. ++ $local_part_data. + + 41. The strip_trailing_dot option was not being applied to the address given + with the -f command-line option. +diff --git doc/NewStuff doc/NewStuff +index 43e170e11..16dec8808 100644 +--- doc/NewStuff ++++ doc/NewStuff +@@ -57,7 +57,7 @@ Version 4.94 + 16. An option on all single-key lookups, to return (on a hit) a de-tainted + version of the lookup key rather than the looked-up data. + +-17. $domain_data and $localpart_data are now set by all list-match successes. ++17. $domain_data and $local_part_data are now set by all list-match successes. + Previously only list items that performed lookups did so. + Also, matching list items that are tail-match or RE-match now set the + numeric variables $0 (etc) in the same way os other RE matches. +diff --git src/routers/rf_queue_add.c src/routers/rf_queue_add.c +index 938eee30a..4dab60dfe 100644 +--- src/routers/rf_queue_add.c ++++ src/routers/rf_queue_add.c +@@ -98,7 +98,7 @@ DEBUG(D_route) + " errors_to=%s\n", + addr->transport ? 
addr->transport->name : US"", + addr->local_part, addr->domain, addr->prop.errors_address); +- debug_printf(" domain_data=%s localpart_data=%s\n", addr->prop.domain_data, ++ debug_printf(" domain_data=%s local_part_data=%s\n", addr->prop.domain_data, + addr->prop.localpart_data); + } + +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0027-Fix-spelling-of-local_part_data-in-docs-and-debug-output ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q3/mail/exim/files/patch-z0028-Fix-readsocket-eol-replacement.-Bug-2630 =================================================================== --- branches/2020Q3/mail/exim/files/patch-z0028-Fix-readsocket-eol-replacement.-Bug-2630 (nonexistent) +++ branches/2020Q3/mail/exim/files/patch-z0028-Fix-readsocket-eol-replacement.-Bug-2630 (revision 548185) 
@@ -0,0 +1,216 @@ +From 18a352ae8a799bb7be3a03b14bbf3ce9e0ba4945 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Fri, 14 Aug 2020 13:09:53 +0100 +Subject: [PATCH 28/37] Fix ${readsocket } eol-replacement. Bug 2630 + +(cherry picked from commit 7f83b348ccf4cd815e9758ab9ca1012e66324e9d) +--- + doc/ChangeLog | 4 ++++ + src/expand.c | 11 +++++++---- + src/functions.h | 2 +- + src/lookups/readsock.c | 6 ++++-- + src/macros.h | 6 ++++-- + src/readconf.c | 4 ++-- + src/string.c | 30 +++++++++++++++++----------- + +diff --git doc/ChangeLog doc/ChangeLog +index 703f4b9ee..2d2dc1f9f 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -78,6 +78,10 @@ JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the + rewrite with the "h" flag, by using the "-F" command-line option, or + by using a "name=" option on a control=submission ACL modifier. + ++JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. ++ Previously when a whitespace character was specified it was not inserted ++ after removing the newline. ++ + + Exim version 4.94 + ----------------- +diff --git src/expand.c src/expand.c +index 791222324..bb9fd79ef 100644 +--- src/expand.c ++++ src/expand.c +@@ -4920,7 +4920,7 @@ while (*s != 0) + { + expand_string_message = + string_sprintf("lookup of \"%s\" gave DEFER: %s", +- string_printing2(key, FALSE), search_error_message); ++ string_printing2(key, SP_TAB), search_error_message); + goto EXPAND_FAILED; + } + if (expand_setup > 0) expand_nmax = expand_setup; +@@ -5334,11 +5334,14 @@ while (*s != 0) + while ((item = string_nextinlist(&list, &sep, NULL, 0))) + g = string_append_listele(g, ',', item); + +- /* possibly plus an EOL string */ ++ /* possibly plus an EOL string. Process with escapes, to protect ++ from list-processing. The only current user of eol= in search ++ options is the readsock expansion. 
*/ ++ + if (sub_arg[3] && *sub_arg[3]) + g = string_append_listele(g, ',', +- string_sprintf("eol=%s", sub_arg[3])); +- ++ string_sprintf("eol=%s", ++ string_printing2(sub_arg[3], SP_TAB|SP_SPACE))); + } + + /* Gat a (possibly cached) handle for the connection */ +diff --git src/functions.h src/functions.h +index f4d1622dc..51bb17a09 100644 +--- src/functions.h ++++ src/functions.h +@@ -529,7 +529,7 @@ extern int string_is_ip_address(const uschar *, int *); + #ifdef SUPPORT_I18N + extern BOOL string_is_utf8(const uschar *); + #endif +-extern const uschar *string_printing2(const uschar *, BOOL); ++extern const uschar *string_printing2(const uschar *, int); + extern uschar *string_split_message(uschar *); + extern uschar *string_unprinting(uschar *); + #ifdef SUPPORT_I18N +diff --git src/lookups/readsock.c src/lookups/readsock.c +index c2088b7a5..cfc9b4ad8 100644 +--- src/lookups/readsock.c ++++ src/lookups/readsock.c +@@ -186,7 +186,9 @@ FILE * fp; + gstring * yield; + int ret = DEFER; + +-DEBUG(D_lookup) debug_printf_indent("readsock: file=\"%s\" key=\"%s\" len=%d opts=\"%s\"\n", filename, keystring, length, opts); ++DEBUG(D_lookup) ++ debug_printf_indent("readsock: file=\"%s\" key=\"%s\" len=%d opts=\"%s\"\n", ++ filename, keystring, length, opts); + + /* Parse options */ + +@@ -200,7 +202,7 @@ if (opts) for (uschar * s; s = string_nextinlist(&opts, &sep, NULL, 0); ) + lf.do_tls = TRUE; + #endif + else if (Ustrncmp(s, "eol=", 4) == 0) +- eol = s + 4; ++ eol = string_unprinting(s + 4); + else if (Ustrcmp(s, "cache=yes") == 0) + lf.cache = TRUE; + else if (Ustrcmp(s, "send=no") == 0) +diff --git src/macros.h src/macros.h +index a507bbf83..2378773cb 100644 +--- src/macros.h ++++ src/macros.h +@@ -41,9 +41,11 @@ manipulate them. */ + + + /* For almost all calls to convert things to printing characters, we want to +-allow tabs. A macro just makes life a bit easier. */ ++allow tabs & spaces. A macro just makes life a bit easier. 
*/ + +-#define string_printing(s) string_printing2((s), TRUE) ++#define string_printing(s) string_printing2((s), 0) ++#define SP_TAB BIT(0) ++#define SP_SPACE BIT(1) + + + /* We need a special return code for "no recipients and failed to send an error +diff --git src/readconf.c src/readconf.c +index 0d0769c88..948fa2403 100644 +--- src/readconf.c ++++ src/readconf.c +@@ -1546,7 +1546,7 @@ if (flags & opt_fn_print) + { + if (flags & opt_fn_print_label) printf("%s = ", name); + printf("%s\n", smtp_receive_timeout_s +- ? string_printing2(smtp_receive_timeout_s, FALSE) ++ ? string_printing2(smtp_receive_timeout_s, SP_TAB) + : readconf_printtime(smtp_receive_timeout)); + } + else if (*str == '$') +@@ -2463,7 +2463,7 @@ switch(ol->type & opt_mask) + case opt_rewrite: /* Show the text value */ + s = *(USS value); + if (!no_labels) printf("%s = ", name); +- printf("%s\n", s ? string_printing2(s, FALSE) : US""); ++ printf("%s\n", s ? string_printing2(s, SP_TAB) : US""); + break; + + case opt_int: +diff --git src/string.c src/string.c +index 5acee1b00..f91a6a428 100644 +--- src/string.c ++++ src/string.c +@@ -281,17 +281,17 @@ return ch; + /* This function is called for critical strings. It checks for any + non-printing characters, and if any are found, it makes a new copy + of the string with suitable escape sequences. It is most often called by the +-macro string_printing(), which sets allow_tab TRUE. ++macro string_printing(), which sets flags to 0. + + Arguments: + s the input string +- allow_tab TRUE to allow tab as a printing character ++ flags Bit 0: convert tabs. Bit 1: convert spaces. 
+ + Returns: string with non-printers encoded as printing sequences + */ + + const uschar * +-string_printing2(const uschar *s, BOOL allow_tab) ++string_printing2(const uschar *s, int flags) + { + int nonprintcount = 0; + int length = 0; +@@ -301,7 +301,10 @@ uschar *ss, *tt; + while (*t != 0) + { + int c = *t++; +- if (!mac_isprint(c) || (!allow_tab && c == '\t')) nonprintcount++; ++ if ( !mac_isprint(c) ++ || flags & SP_TAB && c == '\t' ++ || flags & SP_SPACE && c == ' ' ++ ) nonprintcount++; + length++; + } + +@@ -310,17 +313,19 @@ if (nonprintcount == 0) return s; + /* Get a new block of store guaranteed big enough to hold the + expanded string. */ + +-ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s)); ++tt = ss = store_get(length + nonprintcount * 3 + 1, is_tainted(s)); + + /* Copy everything, escaping non printers. */ + +-t = s; +-tt = ss; +- +-while (*t != 0) ++for (t = s; *t; ) + { + int c = *t; +- if (mac_isprint(c) && (allow_tab || c != '\t')) *tt++ = *t++; else ++ if ( mac_isprint(c) ++ && (!(flags & SP_TAB) || c != '\t') ++ && (!(flags & SP_SPACE) || c != ' ') ++ ) ++ *tt++ = *t++; ++ else + { + *tt++ = '\\'; + switch (*t) +@@ -947,7 +952,10 @@ else + s = ss; + if (!*s || *++s != sep || sep_is_special) break; + } +- while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; ++ /* while (g->ptr > 0 && isspace(g->s[g->ptr-1])) g->ptr--; */ ++ while ( g->ptr > 0 && isspace(g->s[g->ptr-1]) ++ && (g->ptr == 1 || g->s[g->ptr-2] != '\\') ) ++ g->ptr--; + buffer = string_from_gstring(g); + gstring_release_unused(g); + } +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0028-Fix-readsocket-eol-replacement.-Bug-2630 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: 
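Review bot: The second argument of `string_printing2()` changes from `BOOL allow_tab` to `int flags` with the opposite sense, so a caller this patch does not touch still compiles but behaves inverted: assuming `TRUE` is 1 and `BIT(0)` is bit zero, a stale `TRUE` equals `SP_TAB` and now escapes tabs, while a stale `FALSE` now leaves them in place. The visible hunks update the callers in expand.c and readconf.c; whether others exist cannot be seen from here, so a tree-wide check is worth doing before relying on this escaping for log or config output. The header comment in string.c would be clearer as `flags  SP_TAB: escape tabs; SP_SPACE: escape spaces; 0 leaves both untouched (inverse of the old allow_tab)`. In the trailing-whitespace trim at the end of the string.c changes, the commented-out old `while` line is dead code and can be dropped, and the `g->s[g->ptr-2] != '\\'` test also treats a space that follows an escaped backslash as escaped, which deserves at least a comment. The escape `switch` in string_printing2 and the enclosing list function continue outside the hunks shown.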
branches/2020Q3/mail/exim/files/patch-z0029-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634
===================================================================
--- branches/2020Q3/mail/exim/files/patch-z0029-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634 (nonexistent)
+++ branches/2020Q3/mail/exim/files/patch-z0029-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634 (revision 548185)
@@ -0,0 +1,51 @@
+From d2671b04d025dee3b8311d2d83e0a0342c670f52 Mon Sep 17 00:00:00 2001
+From: Gavan
+Date: Fri, 21 Aug 2020 15:46:01 +0100
+Subject: [PATCH 29/37] Taint: fix off-by-one in is_tainted(). Bug 2634
+
+(cherry picked from commit e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97)
+---
+ doc/ChangeLog | 5 +++++
+ src/store.c | 4 ++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git doc/ChangeLog doc/ChangeLog
+index 2d2dc1f9f..6d944f204 100644
+--- doc/ChangeLog
++++ doc/ChangeLog
+@@ -82,6 +82,11 @@ JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
+ Previously when a whitespace character was specified it was not inserted
+ after removing the newline.
+
++JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
++ is_tainted() had an off-by-one error in the overenthusiastic direction.
++ Find and fix by Gavan. Although NetBSD is not a supported platform for
++ 4.94 this bug could affect other platforms.
++
+
+ Exim version 4.94
+ -----------------
+diff --git src/store.c src/store.c
+index c460ba383..7d08c9804 100644
+--- src/store.c
++++ src/store.c
+@@ -188,14 +188,14 @@ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
+ if ((b = current_block[pool]))
+ {
+ uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
+- if (US p >= bc && US p <= bc + b->length) return TRUE;
++ if (US p >= bc && US p < bc + b->length) return TRUE;
+ }
+
+ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
+ for (b = chainbase[pool]; b; b = b->next)
+ {
+ uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
+- if (US p >= bc && US p <= bc + b->length) return TRUE;
++ if (US p >= bc && US p < bc + b->length) return TRUE;
+ }
+ return FALSE;
+ }
+--
+2.28.0
+
Property changes on: branches/2020Q3/mail/exim/files/patch-z0029-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
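Review bot: The corrected range test `US p >= bc && US p < bc + b->length` still exists as two hand-written copies in src/store.c, one for `current_block[pool]` and one for the `chainbase[pool]` walk, which is how both came to carry the same off-by-one. Because the result of is_tainted() decides whether data is treated as untrusted, I would factor the test into a single helper or macro and state the interval explicitly, for example `/* tainted iff bc <= p < bc + length; a one-past-the-end pointer is outside the block */`. With `<`, a pointer exactly at `bc + b->length` is now reported untainted, so any caller that passes an end-of-buffer pointer rather than the start of the data deserves a check; callers are not visible here, and is_tainted() itself starts outside the hunk.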
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2020Q3/mail/exim/files/patch-z0030-Build-ifdef-guard-for-EXPERIMENTAL_QUEUEFILE
===================================================================
--- branches/2020Q3/mail/exim/files/patch-z0030-Build-ifdef-guard-for-EXPERIMENTAL_QUEUEFILE (nonexistent)
+++ branches/2020Q3/mail/exim/files/patch-z0030-Build-ifdef-guard-for-EXPERIMENTAL_QUEUEFILE (revision 548185)
@@ -0,0 +1,32 @@
+From 4970c58b394eb0778542c97e3f86b565f9e3daa7 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris
+Date: Mon, 24 Aug 2020 20:14:34 +0100
+Subject: [PATCH 30/37] Build: ifdef guard for EXPERIMENTAL_QUEUEFILE
+
+(cherry picked from commit 1f5d0a9551205febf6729c7ee36c27626a76b4a4)
+---
+ src/transports/queuefile.c | 4 ++++
+
+diff --git src/transports/queuefile.c src/transports/queuefile.c
+index 21ed3527f..97218548b 100644
+--- src/transports/queuefile.c
++++ src/transports/queuefile.c
+@@ -8,7 +8,10 @@
+ /* See the file NOTICE for conditions of use and distribution. */
+
+
++
+ #include "../exim.h"
++
++#ifdef EXPERIMENTAL_QUEUEFILE /* whole file */
+ #include "queuefile.h"
+
+ /* Options specific to the appendfile transport. They must be in alphabetic
+@@ -276,3 +279,4 @@ return FALSE;
+ }
+
+ #endif /*!MACRO_PREDEF*/
++#endif /*EXPERIMENTAL_QUEUEFILE*/
+--
+2.28.0
+
Property changes on: branches/2020Q3/mail/exim/files/patch-z0030-Build-ifdef-guard-for-EXPERIMENTAL_QUEUEFILE
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2020Q3/mail/exim/files/patch-z0031-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634
===================================================================
--- branches/2020Q3/mail/exim/files/patch-z0031-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634 (nonexistent)
+++ branches/2020Q3/mail/exim/files/patch-z0031-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634 (revision 548185)
@@ -0,0 +1,28 @@
+From 976ef0e5fa7896394fe045e824dfb3e7d7502a68 Mon Sep 17 00:00:00 2001
+From: Gavan
+Date: Fri, 21 Aug 2020 15:46:01 +0100
+Subject: [PATCH 31/37] Taint: fix off-by-one in is_tainted(). Bug 2634
+
+(cherry picked from commit e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97)
+---
+ doc/ChangeLog | 5 +++++
+
+diff --git doc/ChangeLog doc/ChangeLog
+index 6d944f204..ae4050322 100644
+--- doc/ChangeLog
++++ doc/ChangeLog
+@@ -87,6 +87,11 @@ JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
+ Find and fix by Gavan. Although NetBSD is not a supported platform for
+ 4.94 this bug could affect other platforms.
+
++JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
++ is_tainted() had an off-by-one error in the overenthusiastic direction.
++ Find and fix by Gavan. Although NetBSD is not a supported platform for
++ 4.94 this bug could affect other platforms.
++
+
+ Exim version 4.94
+ -----------------
+--
+2.28.0
+
Property changes on: branches/2020Q3/mail/exim/files/patch-z0031-Taint-fix-off-by-one-in-is_tainted-.-Bug-2634
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2020Q3/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265
===================================================================
--- branches/2020Q3/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265 (nonexistent)
+++ branches/2020Q3/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265 (revision 548185)
@@ -0,0 +1,102 @@ +From d8e99d6047e709b35eabb1395c2046100d1a1dda Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 19 Aug 2020 21:09:04 +0100 +Subject: [PATCH 32/37] DANE: force SNI to use $domain. Bug 2265 + +Note: this is not a complete fix for the issue +(cherry picked from commit 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628) +--- + doc/ChangeLog | 10 ++++++++++ + src/receive.c | 2 +- + src/smtp_in.c | 2 +- + src/tls-gnu.c | 2 +- + src/tls-openssl.c | 1 + + src/transports/smtp.c | 1 + + +diff --git doc/ChangeLog doc/ChangeLog +index ae4050322..ec1b03304 100644 +--- doc/ChangeLog ++++ doc/ChangeLog +@@ -91,6 +91,16 @@ JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for + is_tainted() had an off-by-one error in the overenthusiastic direction. + Find and fix by Gavan. Although NetBSD is not a supported platform for + 4.94 this bug could affect other platforms. ++JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. ++ Previously when a whitespace character was specified it was not inserted ++ after removing the newline. ++ ++JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be ++ the domain part of the recipient address. This overrides any tls_sni ++ option set, which was previously used. ++ ++JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI ++ in quotes. 
+ + + Exim version 4.94 +diff --git src/receive.c src/receive.c +index 0db897e9e..ec90e93cd 100644 +--- src/receive.c ++++ src/receive.c +@@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) + if (LOGGING(tls_peerdn) && tls_in.peerdn) + g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); + if (LOGGING(tls_sni) && tls_in.sni) +- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); ++ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); + #endif + + if (sender_host_authenticated) +diff --git src/smtp_in.c src/smtp_in.c +index 526164c46..a13f0ed63 100644 +--- src/smtp_in.c ++++ src/smtp_in.c +@@ -1811,7 +1811,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher) + if (LOGGING(tls_peerdn) && tls_in.peerdn) + g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\""); + if (LOGGING(tls_sni) && tls_in.sni) +- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\""); ++ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE)); + return g; + } + #endif +diff --git src/tls-gnu.c src/tls-gnu.c +index 875c82efa..a34633390 100644 +--- src/tls-gnu.c ++++ src/tls-gnu.c +@@ -2863,7 +2863,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so + /* If dane is flagged, have either request or require dane for this host, and + a TLSA record found. Therefore, dane verify required. Which implies cert must + be requested and supplied, dane verify must pass, and cert verify irrelevant +-(incl. hostnames), and (caller handled) require_tls */ ++(incl. 
hostnames), and (caller handled) require_tls and sni=$domain */ + + if (conn_args->dane && ob->dane_require_tls_ciphers) + { +diff --git src/tls-openssl.c src/tls-openssl.c +index a62322928..054b23d0c 100644 +--- src/tls-openssl.c ++++ src/tls-openssl.c +@@ -3197,6 +3197,7 @@ tlsp->tlsa_usage = 0; + #ifndef DISABLE_OCSP + { + # ifdef SUPPORT_DANE ++ /*XXX this should be moved to caller, to be common across gnutls/openssl */ + if ( conn_args->dane + && ob->hosts_request_ocsp[0] == '*' + && ob->hosts_request_ocsp[1] == '\0' +diff --git src/transports/smtp.c src/transports/smtp.c +index 8492a7f25..28dd8ff24 100644 +--- src/transports/smtp.c ++++ src/transports/smtp.c +@@ -2020,6 +2020,7 @@ if (!continue_hostname) + { + case OK: sx->conn_args.dane = TRUE; + ob->tls_tempfail_tryclear = FALSE; ++ ob->tls_sni = sx->addrlist->domain; + break; + case FAIL_FORCED: break; + default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0032-DANE-force-SNI-to-use-domain.-Bug-2265 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q3/mail/exim/files/patch-z0033-DANE-Fix-2-rcpt-message-diff-domins-case.-Bug-2265 =================================================================== --- branches/2020Q3/mail/exim/files/patch-z0033-DANE-Fix-2-rcpt-message-diff-domins-case.-Bug-2265 (nonexistent) +++ branches/2020Q3/mail/exim/files/patch-z0033-DANE-Fix-2-rcpt-message-diff-domins-case.-Bug-2265 (revision 548185) 
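Review bot: In the src/transports/smtp.c hunk, `ob->tls_sni = sx->addrlist->domain;` stores a recipient-derived string in the transport's option block rather than in per-connection state, so the override may outlive this connection and replace the administrator's configured `tls_sni` for later, possibly non-DANE, deliveries in the same process; that lifetime is not visible in the hunk and should be confirmed. If `tls_sni` is string-expanded before use (not shown here), the value is also message data reaching an expansion, so I would carry the forced SNI in `sx` and apply it literally. Separately, the src/receive.c and src/smtp_in.c hunks now log the peer-supplied SNI unquoted, which leaves `SP_TAB|SP_SPACE` as the only thing keeping the value inside its own log field; a comment such as `/* SNI is peer-supplied and no longer quoted: escape space and tab so it cannot split log fields */` at both call sites would record that dependency. All three enclosing functions start and end outside their hunks.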
@@ -0,0 +1,217 @@ +From a505cf777f90755bce69ab53a899b284a304127b Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 23 Aug 2020 15:32:48 +0100 +Subject: [PATCH 33/37] DANE: Fix 2-rcpt message, diff domins case. Bug 2265 + +(cherry picked from commit 99350dede64ad634300ddf15d0d97a81fd75d330) +--- + src/debug.c | 11 ++++- + src/deliver.c | 3 ++ + src/macros.h | 1 + + src/transports/smtp.c | 71 ++++++++++++++++++++++++---- + src/verify.c | 2 +- + +diff --git src/debug.c src/debug.c +index 6d6132e39..819e83331 100644 +--- src/debug.c ++++ src/debug.c +@@ -30,7 +30,16 @@ const uschar * rc_names[] = { /* Mostly for debug output */ + [UNEXPECTED] = US"UNEXPECTED", + [CANCELLED] = US"CANCELLED", + [FAIL_SEND] = US"FAIL_SEND", +- [FAIL_DROP] = US"FAIL_DROP" ++ [FAIL_DROP] = US"FAIL_DROP", ++ [DANE] = US"DANE", ++}; ++ ++const uschar * dns_rc_names[] = { ++ [DNS_SUCCEED] = US"DNS_SUCCEED", ++ [DNS_NOMATCH] = US"DNS_NOMATCH", ++ [DNS_NODATA] = US"DNS_NODATA", ++ [DNS_AGAIN] = US"DNS_AGAIN", ++ [DNS_FAIL] = US"DNS_FAIL", + }; + + +diff --git src/deliver.c src/deliver.c +index 40db50084..f5e28941f 100644 +--- src/deliver.c ++++ src/deliver.c +@@ -460,6 +460,9 @@ TRUE if the lists refer to the same hosts in the same order, except that + This enables Exim to use a single SMTP transaction for sending to two entirely + different domains that happen to end up pointing at the same hosts. + ++We do not try to batch up different A-record host names that refer to the ++same IP. ++ + Arguments: + one points to the first host list + two points to the second host list +diff --git src/macros.h src/macros.h +index 2378773cb..6fd5db94c 100644 +--- src/macros.h ++++ src/macros.h +@@ -304,6 +304,7 @@ Use rc_names[] for debug strings. 
*/ + #define CANCELLED 13 /* Authentication cancelled */ + #define FAIL_SEND 14 /* send() failed in authenticator */ + #define FAIL_DROP 15 /* Fail and drop connection (used in ACL) */ ++#define DANE 16 /* Deferred for domain mismatch (used in transport) */ + + /* Returns from the deliver_message() function */ + +diff --git src/transports/smtp.c src/transports/smtp.c +index 28dd8ff24..6ca4552a6 100644 +--- src/transports/smtp.c ++++ src/transports/smtp.c +@@ -2019,11 +2019,12 @@ if (!continue_hostname) + switch (rc = tlsa_lookup(sx->conn_args.host, &sx->conn_args.tlsa_dnsa, sx->dane_required)) + { + case OK: sx->conn_args.dane = TRUE; +- ob->tls_tempfail_tryclear = FALSE; +- ob->tls_sni = sx->addrlist->domain; ++ ob->tls_tempfail_tryclear = FALSE; /* force TLS */ ++ ob->tls_sni = sx->first_addr->domain; /* force SNI */ + break; + case FAIL_FORCED: break; +- default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, ++ default: ++ set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, + string_sprintf("DANE error: tlsa lookup %s", + rc_to_string(rc)), + rc, FALSE, &sx->delivery_start); +@@ -3430,6 +3431,7 @@ BOOL pass_message = FALSE; + uschar *message = NULL; + uschar new_message_id[MESSAGE_ID_LENGTH + 1]; + smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */ ++BOOL dane_held; + + suppress_tls = suppress_tls; /* stop compiler warning when no TLS support */ + *message_defer = FALSE; +@@ -3446,13 +3448,36 @@ sx->conn_args.tblock = tblock; + gettimeofday(&sx->delivery_start, NULL); + sx->sync_addr = sx->first_addr = addrlist; + +-/* Get the channel set up ready for a message (MAIL FROM being the next +-SMTP command to send */ ++DANE_DOMAINS: ++dane_held = FALSE; ++ ++/* Get the channel set up ready for a message, MAIL FROM being the next ++SMTP command to send. 
*/ + + if ((rc = smtp_setup_conn(sx, suppress_tls)) != OK) + { + timesince(&addrlist->delivery_time, &sx->delivery_start); +- return rc; ++ yield = rc; ++ goto TIDYUP; ++ } ++ ++/*XXX*/ ++/* If the connection used DANE, ignore for now any addresses with incompatible ++domains. The SNI has to be the domain. Arrange a whole new TCP conn later, ++just in case only TLS isn't enough. */ ++ ++if (sx->conn_args.dane) ++ { ++ const uschar * dane_domain = sx->first_addr->domain; ++ ++ for (address_item * a = sx->first_addr->next; a; a = a->next) ++ if ( a->transport_return == PENDING_DEFER ++ && Ustrcmp(dane_domain, a->domain) != 0) ++ { ++ DEBUG(D_transport) debug_printf("DANE: holding %s for later\n", a->domain); ++ dane_held = TRUE; ++ a->transport_return = DANE; ++ } + } + + /* If there is a filter command specified for this transport, we can now +@@ -4203,7 +4228,7 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + + + if (sx->first_addr != NULL) /* More addresses still to be sent */ +- { /* in this run of the transport */ ++ { /* on this connection */ + continue_sequence++; /* Causes * in logging */ + pipelining_active = sx->pipelining_used; /* was cleared at DATA */ + goto SEND_MESSAGE; +@@ -4235,7 +4260,7 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + '2', ob->command_timeout); + + if (sx->ok && f.continue_more) +- return yield; /* More addresses for another run */ ++ goto TIDYUP; /* More addresses for another run */ + } + else + { +@@ -4255,7 +4280,7 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + else + #endif + if (f.continue_more) +- return yield; /* More addresses for another run */ ++ goto TIDYUP; /* More addresses for another run */ + + /* If the socket is successfully passed, we mustn't send QUIT (or + indeed anything!) from here. 
*/ +@@ -4295,7 +4320,7 @@ propagate it from the initial + sx->cctx.sock = -1; + continue_transport = NULL; + continue_hostname = NULL; +- return yield; ++ goto TIDYUP; + } + log_write(0, LOG_PANIC_DIE, "fork failed"); + } +@@ -4370,9 +4395,35 @@ if (sx->send_quit) + (void) event_raise(tblock->event_action, US"tcp:close", NULL); + #endif + ++/*XXX*/ ++if (dane_held) ++ { ++ sx->first_addr = NULL; ++ for (address_item * a = sx->addrlist->next; a; a = a->next) ++ if (a->transport_return == DANE) ++ { ++ a->transport_return = PENDING_DEFER; ++ if (!sx->first_addr) ++ { ++ /* Remember the new start-point in the addrlist, for smtp_setup_conn() ++ to get the domain string for SNI */ ++ ++ sx->first_addr = a; ++ DEBUG(D_transport) debug_printf("DANE: go-around for %s\n", a->domain); ++ } ++ } ++ goto DANE_DOMAINS; ++ } ++ + continue_transport = NULL; + continue_hostname = NULL; + return yield; ++ ++TIDYUP: ++if (dane_held) for (address_item * a = sx->addrlist->next; a; a = a->next) ++ if (a->transport_return == DANE) ++ a->transport_return = PENDING_DEFER; ++return yield; + } + + +diff --git src/verify.c src/verify.c +index 5f4181de9..43343a646 100644 +--- src/verify.c ++++ src/verify.c +@@ -674,7 +674,7 @@ coding means skipping this whole loop and doing the append separately. 
*/ + if (!sx) sx = store_get(sizeof(*sx), TRUE); /* tainted buffers */ + memset(sx, 0, sizeof(*sx)); + +- sx->addrlist = addr; ++ sx->addrlist = sx->first_addr = addr; + sx->conn_args.host = host; + sx->conn_args.host_af = host_af, + sx->port = port; +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0033-DANE-Fix-2-rcpt-message-diff-domins-case.-Bug-2265 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q3/mail/exim/files/patch-z0034-Fix-non-DANE-build =================================================================== --- branches/2020Q3/mail/exim/files/patch-z0034-Fix-non-DANE-build (nonexistent) +++ branches/2020Q3/mail/exim/files/patch-z0034-Fix-non-DANE-build (revision 548185) 
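Review bot: `ob->tls_sni = sx->first_addr->domain;` in the tlsa_lookup `case OK:` branch now dereferences `sx->first_addr`, which only the two call paths touched here are seen to set: `sx->sync_addr = sx->first_addr = addrlist;` in the transport and `sx->addrlist = sx->first_addr = addr;` in src/verify.c after its `memset`. Any other path that reaches this code with a zeroed context would dereference NULL, so I would either fall back explicitly, `const address_item * fa = sx->first_addr ? sx->first_addr : sx->addrlist;`, or document the precondition where the context is set up. Two smaller points: the hold loop starts at `sx->first_addr->next` while both restore loops start at `sx->addrlist->next`, which deserves a comment saying why the list head can never be in the `DANE` state, and `#define DANE 16` is a very generic macro name for a return code in a shared header. The enclosing functions start and end outside these hunks.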
@@ -0,0 +1,92 @@ +From 7dad62cced33eebd10d13fd1f6cd59696175fa44 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Sun, 23 Aug 2020 17:27:30 +0100 +Subject: [PATCH 34/37] Fix non-DANE build + +(cherry picked from commit 79b19a30d9fc64a7b7f70928cdefe4f51064280b) +--- + src/transports/smtp.c | 15 +++++++++++---- + +diff --git src/transports/smtp.c src/transports/smtp.c +index 6ca4552a6..d63379e37 100644 +--- src/transports/smtp.c ++++ src/transports/smtp.c +@@ -2023,8 +2023,7 @@ if (!continue_hostname) + ob->tls_sni = sx->first_addr->domain; /* force SNI */ + break; + case FAIL_FORCED: break; +- default: +- set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, ++ default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, + string_sprintf("DANE error: tlsa lookup %s", + rc_to_string(rc)), + rc, FALSE, &sx->delivery_start); +@@ -3431,7 +3430,9 @@ BOOL pass_message = FALSE; + uschar *message = NULL; + uschar new_message_id[MESSAGE_ID_LENGTH + 1]; + smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */ ++#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) + BOOL dane_held; ++#endif + + suppress_tls = suppress_tls; /* stop compiler warning when no TLS support */ + *message_defer = FALSE; +@@ -3448,8 +3449,10 @@ sx->conn_args.tblock = tblock; + gettimeofday(&sx->delivery_start, NULL); + sx->sync_addr = sx->first_addr = addrlist; + ++#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) + DANE_DOMAINS: + dane_held = FALSE; ++#endif + + /* Get the channel set up ready for a message, MAIL FROM being the next + SMTP command to send. */ +@@ -3461,7 +3464,7 @@ if ((rc = smtp_setup_conn(sx, suppress_tls)) != OK) + goto TIDYUP; + } + +-/*XXX*/ ++#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) + /* If the connection used DANE, ignore for now any addresses with incompatible + domains. The SNI has to be the domain. Arrange a whole new TCP conn later, + just in case only TLS isn't enough. 
*/ +@@ -3479,6 +3482,7 @@ if (sx->conn_args.dane) + a->transport_return = DANE; + } + } ++#endif + + /* If there is a filter command specified for this transport, we can now + set it up. This cannot be done until the identity of the host is known. */ +@@ -4395,7 +4399,7 @@ if (sx->send_quit) + (void) event_raise(tblock->event_action, US"tcp:close", NULL); + #endif + +-/*XXX*/ ++#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) + if (dane_held) + { + sx->first_addr = NULL; +@@ -4414,15 +4418,18 @@ if (dane_held) + } + goto DANE_DOMAINS; + } ++#endif + + continue_transport = NULL; + continue_hostname = NULL; + return yield; + + TIDYUP: ++#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) + if (dane_held) for (address_item * a = sx->addrlist->next; a; a = a->next) + if (a->transport_return == DANE) + a->transport_return = PENDING_DEFER; ++#endif + return yield; + } + +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0034-Fix-non-DANE-build ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q3/mail/exim/files/patch-z0035-DANE-Fix-2-messages-from-queue-case =================================================================== --- branches/2020Q3/mail/exim/files/patch-z0035-DANE-Fix-2-messages-from-queue-case (nonexistent) +++ branches/2020Q3/mail/exim/files/patch-z0035-DANE-Fix-2-messages-from-queue-case (revision 548185) 
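Review bot: The compound guard `#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)` is added five times through one function in src/transports/smtp.c, while the next patch in this series guards related code in the same file with plain `#ifdef SUPPORT_DANE`, so the two conditions can drift apart. A mismatch would matter here because `dane_held` and the `DANE` transport_return state are only reset inside these guards; an address left in that state by code compiled under a different condition would never be returned to `PENDING_DEFER`. I would compute the condition once near the top of the file into a single file-local macro and test that everywhere, with a one-line comment stating that the hold, go-around and `TIDYUP` blocks must always be compiled in or out together. The function starts and ends outside these hunks.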
@@ -0,0 +1,525 @@ +From 569be4bc51fd4806edcf6b3abcf550dbbba90df5 Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 26 Aug 2020 23:43:54 +0100 +Subject: [PATCH 35/37] DANE: Fix 2 messages from queue case + +(cherry picked from commit b6054898ace169a0e5143117397a4f666a5e7283) +--- + src/deliver.c | 12 +++- + src/exim.c | 14 +++- + src/globals.c | 2 + + src/globals.h | 2 + + src/spool_in.c | 24 +++---- + src/tls-gnu.c | 6 +- + src/transport.c | 32 ++++++--- + src/transports/smtp.c | 89 ++++++++++++++++++++--- + src/transports/smtp.h | 2 +- + +diff --git src/deliver.c src/deliver.c +index f5e28941f..8f21c607e 100644 +--- src/deliver.c ++++ src/deliver.c +@@ -1195,7 +1195,7 @@ else + if (addr->host_used) + { + g = d_hostlog(g, addr); +- if (continue_sequence > 1) ++ if (continue_sequence > 1) /*XXX this is wrong for a dropped proxyconn. Would have to pass back from transport */ + g = string_catn(g, US"*", 1); + + #ifndef DISABLE_EVENT +@@ -4275,6 +4275,10 @@ for (int delivery_count = 0; addr_remote; delivery_count++) + } + } + ++/*XXX need to defeat this when DANE is used - but we don't know that yet. ++So look out for the place it gets used. ++*/ ++ + /* Get the flag which specifies whether the transport can handle different + domains that nevertheless resolve to the same set of hosts. If it needs + expanding, get variables set: $address_data, $domain_data, $localpart_data, +@@ -4353,6 +4357,11 @@ for (int delivery_count = 0; addr_remote; delivery_count++) + /************************************************************************/ + + ++/*XXX don't know yet if DANE will be used. So tpt will have to ++check at the point if gets next addr from list, and skip/defer any ++nonmatch domains ++*/ ++ + /* Pick off all addresses which have the same transport, errors address, + destination, and extra headers. 
In some cases they point to the same host + list, but we also need to check for identical host lists generated from +@@ -4499,6 +4508,7 @@ for (int delivery_count = 0; addr_remote; delivery_count++) + if (continue_transport) + { + BOOL ok = Ustrcmp(continue_transport, tp->name) == 0; ++/*XXX do we need to check for a DANEd conn vs. a change of domain? */ + + /* If the transport is about to override the host list do not check + it here but take the cost of running the transport process to discover +diff --git src/exim.c src/exim.c +index ac0ff5523..630ac4038 100644 +--- src/exim.c ++++ src/exim.c +@@ -2806,10 +2806,22 @@ on the second character (the one after '-'), to save some effort. */ + case 'S': smtp_peer_options |= OPTION_SIZE; break; + + #ifndef DISABLE_TLS ++ /* -MCs: used with -MCt; SNI was sent */ ++ /* -MCr: ditto, DANE */ ++ ++ case 'r': ++ case 's': if (++i < argc) ++ { ++ continue_proxy_sni = string_copy_taint(argv[i], TRUE); ++ if (argrest[1] == 'r') continue_proxy_dane = TRUE; ++ } ++ else badarg = TRUE; ++ break; ++ + /* -MCt: similar to -MCT below but the connection is still open + via a proxy process which handles the TLS context and coding. + Require three arguments for the proxied local address and port, +- and the TLS cipher. */ ++ and the TLS cipher. 
*/ + + case 't': if (++i < argc) + sending_ip_address = string_copy_taint(argv[i], TRUE); +diff --git src/globals.c src/globals.c +index fc3086f72..c34ac9ddd 100644 +--- src/globals.c ++++ src/globals.c +@@ -729,6 +729,8 @@ uid_t config_uid = 0; + + int connection_max_messages= -1; + uschar *continue_proxy_cipher = NULL; ++BOOL continue_proxy_dane = FALSE; ++uschar *continue_proxy_sni = NULL; + uschar *continue_hostname = NULL; + uschar *continue_host_address = NULL; + int continue_sequence = 1; +diff --git src/globals.h src/globals.h +index c80c8532f..a4c1143b7 100644 +--- src/globals.h ++++ src/globals.h +@@ -425,6 +425,8 @@ extern uschar *config_main_filename; /* File name actually used */ + extern uschar *config_main_directory; /* Directory where the main config file was found */ + extern uid_t config_uid; /* Additional owner */ + extern uschar *continue_proxy_cipher; /* TLS cipher for proxied continued delivery */ ++extern BOOL continue_proxy_dane; /* proxied conn is DANE */ ++extern uschar *continue_proxy_sni; /* proxied conn SNI */ + extern uschar *continue_hostname; /* Host for continued delivery */ + extern uschar *continue_host_address; /* IP address for ditto */ + extern int continue_sequence; /* Sequence num for continued delivery */ +diff --git src/spool_in.c src/spool_in.c +index a0147d5ee..1b4cefdb2 100644 +--- src/spool_in.c ++++ src/spool_in.c +@@ -55,7 +55,7 @@ for (int i = 0; i < 2; i++) + + set_subdir_str(message_subdir, id, i); + fname = spool_fname(US"input", message_subdir, id, US"-D"); +- DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname); ++ DEBUG(D_deliver) debug_printf_indent("Trying spool file %s\n", fname); + + /* We protect against symlink attacks both in not propagating the + * file-descriptor to other processes as we exec, and also ensuring that we +@@ -367,7 +367,7 @@ for (int n = 0; n < 2; n++) + errno = 0; + + #ifndef COMPILE_UTILITY +-DEBUG(D_deliver) debug_printf("reading spool file %s\n", name); ++DEBUG(D_deliver) 
debug_printf_indent("reading spool file %s\n", name); + #endif /* COMPILE_UTILITY */ + + /* The first line of a spool file contains the message id followed by -H (i.e. +@@ -430,7 +430,7 @@ if (f.running_in_test_harness) + #endif + + #ifndef COMPILE_UTILITY +-DEBUG(D_deliver) debug_printf("user=%s uid=%ld gid=%ld sender=%s\n", ++DEBUG(D_deliver) debug_printf_indent("user=%s uid=%ld gid=%ld sender=%s\n", + originator_login, (long int)originator_uid, (long int)originator_gid, + sender_address); + #endif +@@ -715,7 +715,7 @@ host_build_sender_fullhost(); + + #ifndef COMPILE_UTILITY + DEBUG(D_deliver) +- debug_printf("sender_local=%d ident=%s\n", f.sender_local, ++ debug_printf_indent("sender_local=%d ident=%s\n", f.sender_local, + sender_ident ? sender_ident : US"unset"); + #endif /* COMPILE_UTILITY */ + +@@ -743,7 +743,7 @@ if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384) + goto SPOOL_FORMAT_ERROR; + + #ifndef COMPILE_UTILITY +-DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount); ++DEBUG(D_deliver) debug_printf_indent("recipients_count=%d\n", rcount); + #endif /* COMPILE_UTILITY */ + + recipients_list_max = rcount; +@@ -814,7 +814,7 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) + { + int dummy; + #if !defined (COMPILE_UTILITY) +- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim 3 spool file\n"); ++ DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim 3 spool file\n"); + #endif + while (isdigit(*(--p)) || *p == ','); + if (*p == ' ') +@@ -829,7 +829,7 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) + else if (*p == ' ') + { + #if !defined (COMPILE_UTILITY) +- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - early Exim 4 spool file\n"); ++ DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - early Exim 4 spool file\n"); + #endif + *p++ = 0; + (void)sscanf(CS p, "%d", &pno); +@@ -842,7 +842,7 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) + int 
flags; + + #if !defined (COMPILE_UTILITY) +- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - Exim standard format spoolfile\n"); ++ DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - Exim standard format spoolfile\n"); + #endif + + (void)sscanf(CS p+1, "%d", &flags); +@@ -878,13 +878,13 @@ for (recipients_count = 0; recipients_count < rcount; recipients_count++) + } + #if !defined(COMPILE_UTILITY) + else +- { DEBUG(D_deliver) debug_printf("**** SPOOL_IN - No additional fields\n"); } ++ { DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - No additional fields\n"); } + + if (orcpt || dsn_flags) +- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n", ++ DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> orcpt: <%s> dsn_flags: 0x%x\n", + big_buffer, orcpt, dsn_flags); + if (errors_to) +- DEBUG(D_deliver) debug_printf("**** SPOOL_IN - address: <%s> errorsto: <%s>\n", ++ DEBUG(D_deliver) debug_printf_indent("**** SPOOL_IN - address: <%s> errorsto: <%s>\n", + big_buffer, errors_to); + #endif + +@@ -956,7 +956,7 @@ line count by adding the body linecount to the header linecount. Close the file + and give a positive response. 
*/ + + #ifndef COMPILE_UTILITY +-DEBUG(D_deliver) debug_printf("body_linecount=%d message_linecount=%d\n", ++DEBUG(D_deliver) debug_printf_indent("body_linecount=%d message_linecount=%d\n", + body_linecount, message_linecount); + #endif /* COMPILE_UTILITY */ + +diff --git src/tls-gnu.c src/tls-gnu.c +index a34633390..dafe1be0c 100644 +--- src/tls-gnu.c ++++ src/tls-gnu.c +@@ -545,7 +545,10 @@ else + + /* peercert is set in peer_status() */ + tlsp->peerdn = state->peerdn; +-tlsp->sni = state->received_sni; ++ ++/* do not corrupt sni sent by client; record sni rxd by server */ ++if (!state->host) ++ tlsp->sni = state->received_sni; + + /* record our certificate */ + { +@@ -2890,6 +2893,7 @@ if (!cipher_list) + cipher_list, &state, tlsp, errstr) != OK) + return FALSE; + ++ + #ifdef MEASURE_TIMING + report_time_since(&t0, US"client tls_init (delta)"); + #endif +diff --git src/transport.c src/transport.c +index 2d8426f29..b1cda55fd 100644 +--- src/transport.c ++++ src/transport.c +@@ -1661,6 +1661,7 @@ DEBUG(D_transport) + debug_printf("transport_check_waiting entered\n"); + debug_printf(" sequence=%d local_max=%d global_max=%d\n", + continue_sequence, local_message_max, connection_max_messages); ++ acl_level++; + } + + /* Do nothing if we have hit the maximum number that can be send down one +@@ -1670,23 +1671,23 @@ if (connection_max_messages >= 0) local_message_max = connection_max_messages; + if (local_message_max > 0 && continue_sequence >= local_message_max) + { + DEBUG(D_transport) +- debug_printf("max messages for one connection reached: returning\n"); +- return FALSE; ++ debug_printf_indent("max messages for one connection reached: returning\n"); ++ goto retfalse; + } + + /* Open the waiting information database. */ + + if (!(dbm_file = dbfn_open(string_sprintf("wait-%.200s", transport_name), + O_RDWR, &dbblock, TRUE, TRUE))) +- return FALSE; ++ goto retfalse; + + /* See if there is a record for this host; if not, there's nothing to do. 
*/ + + if (!(host_record = dbfn_read(dbm_file, hostname))) + { + dbfn_close(dbm_file); +- DEBUG(D_transport) debug_printf("no messages waiting for %s\n", hostname); +- return FALSE; ++ DEBUG(D_transport) debug_printf_indent("no messages waiting for %s\n", hostname); ++ goto retfalse; + } + + /* If the data in the record looks corrupt, just log something and +@@ -1697,7 +1698,7 @@ if (host_record->count > WAIT_NAME_MAX) + dbfn_close(dbm_file); + log_write(0, LOG_MAIN|LOG_PANIC, "smtp-wait database entry for %s has bad " + "count=%d (max=%d)", hostname, host_record->count, WAIT_NAME_MAX); +- return FALSE; ++ goto retfalse; + } + + /* Scan the message ids in the record from the end towards the beginning, +@@ -1835,8 +1836,8 @@ while (1) + if (host_length <= 0) + { + dbfn_close(dbm_file); +- DEBUG(D_transport) debug_printf("waiting messages already delivered\n"); +- return FALSE; ++ DEBUG(D_transport) debug_printf_indent("waiting messages already delivered\n"); ++ goto retfalse; + } + + /* we were not able to find an acceptable message, nor was there a +@@ -1847,7 +1848,7 @@ while (1) + { + Ustrcpy(new_message_id, message_id); + dbfn_close(dbm_file); +- return FALSE; ++ goto retfalse; + } + } /* we need to process a continuation record */ + +@@ -1865,7 +1866,12 @@ if (host_length > 0) + } + + dbfn_close(dbm_file); ++DEBUG(D_transport) {acl_level--; debug_printf("transport_check_waiting: TRUE\n"); } + return TRUE; ++ ++retfalse: ++DEBUG(D_transport) {acl_level--; debug_printf("transport_check_waiting: FALSE\n"); } ++return FALSE; + } + + /************************************************* +@@ -1877,7 +1883,7 @@ void + transport_do_pass_socket(const uschar *transport_name, const uschar *hostname, + const uschar *hostaddress, uschar *id, int socket_fd) + { +-int i = 20; ++int i = 22; + const uschar **argv; + + /* Set up the calling arguments; use the standard function for the basics, +@@ -1898,6 +1904,12 @@ if (smtp_peer_options & OPTION_TLS) + argv[i++] = 
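Review bot: `int i = 22;` in transport_do_pass_socket is a bare literal that has to stay in step with the number of `argv[i++]` assignments further down. The later hunk at `-1898,6 +1904,12` adds two slots (`-MCr`/`-MCs` plus the SNI value), and the initialiser is bumped by hand to match. Presumably `i` tells the argv set-up call how many extra slots to reserve (that call is outside the hunk), in which case a missed bump on a future option would write past the end of the array. I would record the accounting next to the number, e.g. `int i = 22;  /* extra argv slots; +2 for -MCr/-MCs and its SNI argument */`. The function body continues outside both hunks.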
sending_ip_address; + argv[i++] = string_sprintf("%d", sending_port); + argv[i++] = tls_out.active.sock >= 0 ? tls_out.cipher : continue_proxy_cipher; ++ ++ if (tls_out.sni) ++ { ++ argv[i++] = tls_out.dane_verified ? US"-MCr" : US"-MCs"; ++ argv[i++] = tls_out.sni; ++ } + } + else + argv[i++] = US"-MCT"; +diff --git src/transports/smtp.c src/transports/smtp.c +index d63379e37..7fc2a48bb 100644 +--- src/transports/smtp.c ++++ src/transports/smtp.c +@@ -1620,8 +1620,8 @@ return FALSE; + + typedef struct smtp_compare_s + { +- uschar *current_sender_address; +- struct transport_instance *tblock; ++ uschar * current_sender_address; ++ struct transport_instance * tblock; + } smtp_compare_t; + + +@@ -1991,6 +1991,74 @@ if (sx->smtps) + } + #endif + ++#ifdef SUPPORT_DANE ++/* If we have a proxied TLS connection, check usability for this message */ ++ ++if (continue_hostname && continue_proxy_cipher) ++ { ++ int rc; ++ const uschar * sni = US""; ++ ++ /* Check if the message will be DANE-verified; if so force its SNI */ ++ ++ smtp_port_for_connect(sx->conn_args.host, sx->port); ++ if ( sx->conn_args.host->dnssec == DS_YES ++ && ( sx->dane_required ++ || verify_check_given_host(CUSS &ob->hosts_try_dane, sx->conn_args.host) == OK ++ ) ) ++ switch (rc = tlsa_lookup(sx->conn_args.host, &sx->conn_args.tlsa_dnsa, sx->dane_required)) ++ { ++ case OK: sx->conn_args.dane = TRUE; ++ ob->tls_tempfail_tryclear = FALSE; /* force TLS */ ++ ob->tls_sni = sx->first_addr->domain; /* force SNI */ ++ break; ++ case FAIL_FORCED: break; ++ default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, ++ string_sprintf("DANE error: tlsa lookup %s", ++ rc_to_string(rc)), ++ rc, FALSE, &sx->delivery_start); ++# ifndef DISABLE_EVENT ++ (void) event_raise(sx->conn_args.tblock->event_action, ++ US"dane:fail", sx->dane_required ++ ? 
US"dane-required" : US"dnssec-invalid"); ++# endif ++ return rc; ++ } ++ ++ /* If the SNI required for the new message differs from the existing conn ++ drop the connection to force a new one. */ ++ ++ if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni))) ++ log_write(0, LOG_MAIN|LOG_PANIC, ++ "<%s>: failed to expand transport's tls_sni value: %s", ++ sx->addrlist->address, expand_string_message); ++ ++ if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni) ++ && continue_proxy_dane == sx->conn_args.dane) ++ { ++ tls_out.sni = US sni; ++ if ((tls_out.dane_verified = continue_proxy_dane)) ++ sx->conn_args.host->dnssec = DS_YES; ++ } ++ else ++ { ++ DEBUG(D_transport) ++ debug_printf("Closing proxied-TLS connection due to SNI mismatch\n"); ++ ++ HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> QUIT\n"); ++ write(0, "QUIT\r\n", 6); ++ close(0); ++ tls_out.dane_verified = FALSE; ++ continue_hostname = continue_proxy_cipher = NULL; ++ f.continue_more = FALSE; ++ continue_sequence = 1; /* Unfortunately, this process cannot affect success log ++ which is done by delivery proc. Would have to pass this ++ back through reporting pipe. */ ++ } ++ } ++#endif ++ ++ + /* Make a connection to the host if this isn't a continued delivery, and handle + the initial interaction and HELO/EHLO/LHLO. Connect timeout errors are handled + specially so they can be identified for retries. 
*/ +@@ -3430,7 +3498,7 @@ BOOL pass_message = FALSE; + uschar *message = NULL; + uschar new_message_id[MESSAGE_ID_LENGTH + 1]; + smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */ +-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) ++#ifdef SUPPORT_DANE + BOOL dane_held; + #endif + +@@ -3449,7 +3517,7 @@ sx->conn_args.tblock = tblock; + gettimeofday(&sx->delivery_start, NULL); + sx->sync_addr = sx->first_addr = addrlist; + +-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) ++#ifdef SUPPORT_DANE + DANE_DOMAINS: + dane_held = FALSE; + #endif +@@ -3464,7 +3532,7 @@ if ((rc = smtp_setup_conn(sx, suppress_tls)) != OK) + goto TIDYUP; + } + +-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) ++#ifdef SUPPORT_DANE + /* If the connection used DANE, ignore for now any addresses with incompatible + domains. The SNI has to be the domain. Arrange a whole new TCP conn later, + just in case only TLS isn't enough. */ +@@ -4184,8 +4252,8 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + t_compare.tblock = tblock; + t_compare.current_sender_address = sender_address; + +- if ( sx->first_addr != NULL +- || f.continue_more ++ if ( sx->first_addr != NULL /* more addrs for this message */ ++ || f.continue_more /* more addrs for coninued-host */ + || ( + #ifndef DISABLE_TLS + ( tls_out.active.sock < 0 && !continue_proxy_cipher +@@ -4232,7 +4300,7 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + + + if (sx->first_addr != NULL) /* More addresses still to be sent */ +- { /* on this connection */ ++ { /* for this message */ + continue_sequence++; /* Causes * in logging */ + pipelining_active = sx->pipelining_used; /* was cleared at DATA */ + goto SEND_MESSAGE; +@@ -4256,6 +4324,7 @@ if (sx->completed_addr && sx->ok && sx->send_quit) + + tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_WAIT); + sx->cctx.tls_ctx = NULL; ++ tls_out.active.sock = -1; + smtp_peer_options = smtp_peer_options_wrap; + sx->ok = !sx->smtps + && smtp_write_command(sx, 
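Review bot: In the proxied-TLS block added by the `-1991,6 +1991,74` hunk, a failed `expand_cstring(ob->tls_sni)` leaves `sni` NULL, and the next statement evaluates `Ustrcmp(continue_proxy_sni, sni)` or `!*sni`. The failure path only calls `log_write(0, LOG_MAIN|LOG_PANIC, ...)`, which as far as I can tell returns (it is not `LOG_PANIC_DIE`), so a forced-fail or malformed `tls_sni` expansion would reach a NULL dereference in the delivery process. Treating an undeterminable SNI as a mismatch is the safe outcome, because the else-branch already drops the proxied connection: `if ( sni && (continue_proxy_sni ? Ustrcmp(continue_proxy_sni, sni) == 0 : !*sni)`. The same comparison is carried into both the `#ifdef SUPPORT_DANE` and `#else` variants by patch-z0036 (its `-2024,15 +2025,17` and `-2040,6 +2043,10` hunks for src/transports/smtp.c), so the guard belongs there as well.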
SCMD_FLUSH, "EHLO %s\r\n", sx->helo_data) +@@ -4399,7 +4468,7 @@ if (sx->send_quit) + (void) event_raise(tblock->event_action, US"tcp:close", NULL); + #endif + +-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) ++#ifdef SUPPORT_DANE + if (dane_held) + { + sx->first_addr = NULL; +@@ -4425,7 +4494,7 @@ continue_hostname = NULL; + return yield; + + TIDYUP: +-#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) ++#ifdef SUPPORT_DANE + if (dane_held) for (address_item * a = sx->addrlist->next; a; a = a->next) + if (a->transport_return == DANE) + a->transport_return = PENDING_DEFER; +diff --git src/transports/smtp.h src/transports/smtp.h +index 6e63a002d..213bca1a8 100644 +--- src/transports/smtp.h ++++ src/transports/smtp.h +@@ -87,7 +87,7 @@ typedef struct { + # ifdef EXPERIMENTAL_TLS_RESUME + uschar *tls_resumption_hosts; + # endif +- uschar *tls_sni; ++ const uschar *tls_sni; + uschar *tls_verify_certificates; + int tls_dh_min_bits; + BOOL tls_tempfail_tryclear; +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0035-DANE-Fix-2-messages-from-queue-case ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q3/mail/exim/files/patch-z0036-Fix-non-DANE-build =================================================================== --- branches/2020Q3/mail/exim/files/patch-z0036-Fix-non-DANE-build (nonexistent) +++ branches/2020Q3/mail/exim/files/patch-z0036-Fix-non-DANE-build (revision 548185) 
@@ -0,0 +1,114 @@ +From 6742503035564e057edc7d3eba88b108f7d3d74c Mon Sep 17 00:00:00 2001 +From: Jeremy Harris +Date: Wed, 26 Aug 2020 23:59:28 +0100 +Subject: [PATCH 36/37] Fix non-DANE build + +(cherry picked from commit 651946cbf8e3849687332049730e5fa23d42b4b7) +--- + src/smtp_out.c | 2 +- + src/transport.c | 6 +++++- + src/transports/smtp.c | 15 ++++++++++----- + +diff --git src/smtp_out.c src/smtp_out.c +index 86c3e4127..c4c409677 100644 +--- src/smtp_out.c ++++ src/smtp_out.c +@@ -375,7 +375,7 @@ smtp_port_for_connect(host_item * host, int port) + { + if (host->port != PORT_NONE) + { +- HDEBUG(D_transport|D_acl|D_v) ++ HDEBUG(D_transport|D_acl|D_v) if (port != host->port) + debug_printf_indent("Transport port=%d replaced by host-specific port=%d\n", port, + host->port); + port = host->port; +diff --git src/transport.c src/transport.c +index b1cda55fd..609fd128c 100644 +--- src/transport.c ++++ src/transport.c +@@ -1907,7 +1907,11 @@ if (smtp_peer_options & OPTION_TLS) + + if (tls_out.sni) + { +- argv[i++] = tls_out.dane_verified ? US"-MCr" : US"-MCs"; ++ argv[i++] = ++#ifdef SUPPORT_DANE ++ tls_out.dane_verified ? 
US"-MCr" : ++#endif ++ US"-MCs"; + argv[i++] = tls_out.sni; + } + } +diff --git src/transports/smtp.c src/transports/smtp.c +index 7fc2a48bb..77335af09 100644 +--- src/transports/smtp.c ++++ src/transports/smtp.c +@@ -1991,7 +1991,6 @@ if (sx->smtps) + } + #endif + +-#ifdef SUPPORT_DANE + /* If we have a proxied TLS connection, check usability for this message */ + + if (continue_hostname && continue_proxy_cipher) +@@ -1999,8 +1998,10 @@ if (continue_hostname && continue_proxy_cipher) + int rc; + const uschar * sni = US""; + ++#ifdef SUPPORT_DANE + /* Check if the message will be DANE-verified; if so force its SNI */ + ++ tls_out.dane_verified = FALSE; + smtp_port_for_connect(sx->conn_args.host, sx->port); + if ( sx->conn_args.host->dnssec == DS_YES + && ( sx->dane_required +@@ -2024,15 +2025,17 @@ if (continue_hostname && continue_proxy_cipher) + # endif + return rc; + } ++#endif + +- /* If the SNI required for the new message differs from the existing conn +- drop the connection to force a new one. */ ++ /* If the SNI or the DANE status required for the new message differs from the ++ existing conn drop the connection to force a new one. */ + + if (ob->tls_sni && !(sni = expand_cstring(ob->tls_sni))) + log_write(0, LOG_MAIN|LOG_PANIC, + "<%s>: failed to expand transport's tls_sni value: %s", + sx->addrlist->address, expand_string_message); + ++#ifdef SUPPORT_DANE + if ( (continue_proxy_sni ? (Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni) + && continue_proxy_dane == sx->conn_args.dane) + { +@@ -2040,6 +2043,10 @@ if (continue_hostname && continue_proxy_cipher) + if ((tls_out.dane_verified = continue_proxy_dane)) + sx->conn_args.host->dnssec = DS_YES; + } ++#else ++ if ((continue_proxy_sni ? 
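Review bot: `int rc;` stays above the new `#ifdef SUPPORT_DANE` in the `-1999,8 +1998,10` hunk, but its only uses are inside the section that is now guarded. Those uses appear in the block added by patch-z0035: `switch (rc = tlsa_lookup(...))`, `rc_to_string(rc)` and `return rc;`. A non-DANE build, which is what this patch is meant to fix, would then carry an unused variable and warn, or fail if warnings are treated as errors. Moving the declaration under the guard avoids that: `#ifdef SUPPORT_DANE` immediately followed by `int rc;`. The enclosing function starts and ends outside the hunk.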
(Ustrcmp(continue_proxy_sni, sni) == 0) : !*sni)) ++ tls_out.sni = US sni; ++#endif + else + { + DEBUG(D_transport) +@@ -2048,7 +2055,6 @@ if (continue_hostname && continue_proxy_cipher) + HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP>> QUIT\n"); + write(0, "QUIT\r\n", 6); + close(0); +- tls_out.dane_verified = FALSE; + continue_hostname = continue_proxy_cipher = NULL; + f.continue_more = FALSE; + continue_sequence = 1; /* Unfortunately, this process cannot affect success log +@@ -2056,7 +2062,6 @@ if (continue_hostname && continue_proxy_cipher) + back through reporting pipe. */ + } + } +-#endif + + + /* Make a connection to the host if this isn't a continued delivery, and handle +-- +2.28.0 + Property changes on: branches/2020Q3/mail/exim/files/patch-z0036-Fix-non-DANE-build ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2020Q3/mail/exim/options =================================================================== --- branches/2020Q3/mail/exim/options (revision 548184) +++ branches/2020Q3/mail/exim/options (revision 548185) 
@@ -1,129 +1,130 @@ OPTIONS_DEFINE+= ALT_CONFIG_PREFIX \ CONTENT_SCAN \ DAEMON \ DANE \ DEBUG \ DISABLE_D_OPT \ DKIM \ SPF \ DNSSEC \ DOCS \ EMBEDDED_PERL \ EXIMON \ ICONV \ IPV6 \ LISTMATCH_RHS \ LMTP \ OCSP \ PRDR \ READLINE \ SUID \ TCP_WRAPPERS \ WISHLIST \ EVENT \ PROXY \ SOCKS \ INTERNATIONAL OPTIONS_DEFAULT+= AUTH_CRAM_MD5 \ AUTH_DOVECOT \ AUTH_PLAINTEXT \ AUTH_SPA \ CDB \ CONTENT_SCAN \ DAEMON \ DISABLE_D_OPT \ DKIM \ DNSDB \ DNSSEC \ DSEARCH \ EMBEDDED_PERL \ EVENT \ ICONV \ INTERNATIONAL \ LMTP \ LSEARCH \ MAILDIR \ MAILSTORE \ MBX \ OCSP \ PAM \ PASSWD \ PRDR \ + SPF \ SUID \ TLS OPTIONS_RADIO_TLS= TLS GNUTLS TLS_DESC= TLS support OPTIONS_RADIO_LS= SA_EXIM LS_DESC= Local scan patch OPTIONS_RADIO_SRSR= SRS SRSR_DESC= Sender Rewriting Scheme OPTIONS_RADIO= TLS LS SRSR OPTIONS_GROUP_AUTH= AUTH_CRAM_MD5 AUTH_DOVECOT AUTH_PLAINTEXT AUTH_RADIUS AUTH_SASL AUTH_SPA SASLAUTHD PAM PASSWD AUTH_DESC= SMTP Authorization OPTIONS_GROUP_LOOKUP= CDB BDB DNSDB DSEARCH LSEARCH MYSQL NIS OPENLDAP PGSQL REDIS SQLITE LOOKUP_DESC= Lookup support OPTIONS_GROUP_STORAGE= MAILDIR MAILSTORE MBX STORAGE_DESC= Supported storage formats OPTIONS_GROUP_EXPERIMENTAL= CERTNAMES DCC DMARC DSN ARC LMDB QUEUEFILE EXPERIMENTAL_DESC= Experimental options OPTIONS_GROUP= AUTH LOOKUP STORAGE EXPERIMENTAL ALT_CONFIG_PREFIX_DESC= Restrict the set of configuration files ARC_DESC= Enable experimental ARC support AUTH_CRAM_MD5_DESC= Enable CRAM-MD5 authentication mechanisms AUTH_DOVECOT_DESC= Enable Dovecot authentication mechanisms AUTH_PLAINTEXT_DESC= Enable plaintext authentication AUTH_RADIUS_DESC= Enable radius (RFC 2865) authentication AUTH_SASL_DESC= Enable use of Cyrus SASL auth library AUTH_SPA_DESC= Enable Secure Password Authentication CERTNAMES_DESC= Check certiticates ownership BDB_DESC= Enable Berkeley DB lookups CDB_DESC= Enable CDB-style lookups CONTENT_SCAN_DESC= Enable exiscan email content scanner DAEMON_DESC= Install scripts to run as a daemon DANE_DESC= Enable experimental DANE 
support DCC_DESC= Enable DCC at ACL support via dccifd DISABLE_D_OPT_DESC= Disable macros overrides using option -D DKIM_DESC= Enable support for DKIM DMARC_DESC= Enable DMARC support DNSDB_DESC= Enable DNS-style lookups DNSSEC_DESC= Enable DNSSEC validation DSEARCH_DESC= Enable directory-list lookups DSN_DESC= Enable Delivery Status Notifications EMBEDDED_PERL_DESC= Enable embedded Perl interpreter EVENT_DESC= Messages events support (TPDA namely) EXIMON_DESC= Build eximon monitor (requires X libraries) ICONV_DESC= Enable header charset conversion INTERNATIONAL_DESC= Enable support for the transmission of UTF-8 envelope addresses LISTMATCH_RHS_DESC= Enable pre-4.77 behaviour for match_* LMDB_DESC= Enable LMDB lookups LMTP_DESC= RFC2033 SMTP over command pipe transport LSEARCH_DESC= Enable wildcarded-file lookups MAILDIR_DESC= Enable Maildir mailbox format MAILSTORE_DESC= Enable Mailstore mailbox format MBX_DESC= Enable MBX mailbox format MYSQL_DESC= Enable mysql lookups NIS_DESC= Enable NIS-style lookups OPENLDAP_DESC= Enable LDAP lookups OCSP_DESC= Enable OCSP stapling QUEUEFILE_DESC= Enable queuefile transport PAM_DESC= Enable PAM authentication mechanisms PASSWD_DESC= Enable /etc/passwd lookups PGSQL_DESC= Enable postgresql lookups PRDR_DESC= Enable Per-Recipient-Data-Response support PROXY_DESC= Enable Experimental Proxy Protocol READLINE_DESC= Enable readline(3) library REDIS_DESC= Enable redis lookups SASLAUTHD_DESC= Enable use of Cyrus SASL auth daemon SA_EXIM_DESC= Build with Spamassassin local scan SOCKS_DESC= Enable smtp transport via socks5 proxies SPF_DESC= Enable Sender Policy Framework checking SQLITE_DESC= Enable SQLite lookups SRS_DESC= Enable Sender Rewriting Scheme SUID_DESC= Install the exim binary suid root TCP_WRAPPERS_DESC= Enable /etc/hosts.allow access control GNUTLS_DESC= Use GnuTLS instead of OpenSSL for TLS WISHLIST_DESC= Include the unsupported patches Index: branches/2020Q3 
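Review bot: Adding `SPF` to `OPTIONS_DEFAULT` changes what the default package links, and it rides along with a merge whose patches are DANE/SNI fixes. Per `SPF_LIB_DEPENDS` in the port Makefile, the default build now depends on mail/libspf2, a library that, as I understand it, processes DNS data about the sending domain, which is remote-controlled input on the SMTP receive path. The default itself is reasonable, but it is a dependency and attack-surface change for everyone tracking the quarterly branch. I would state it explicitly in the commit log or an UPDATING entry, rather than leaving it to be inferred from the `PORTREVISION` bump.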
===================================================================
--- branches/2020Q3 (revision 548184)
+++ branches/2020Q3 (revision 548185)
Property changes on: branches/2020Q3
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r548081