This version adds the ability to filter messages based on the content
of their headers. Please note that enabling this feature should
be accompanied by disabling the use of the "softlimit" program. In
addition to fixing some small bugs and a compiling error on Debian
7, it also fixes a series of major bugs that could lead to buffer
overflows. Depending on spamdyke's configuration, these could cause
remotely exploitable security holes. Please upgrade immediately!
Looks like there's a bug in the header blacklist filter. Don't
enable that filter yet.
Fixed config-test message for a graylist domain folder when the domain is not
in the list of local domains from ERROR to INFO. Thanks to Eric Shubert
for reporting this one.
Fixed a bunch of copy-and-paste errors in the option_list array in
prepare_settings() where options were designated
CONFIG_TYPE_STRING_SINGLETON instead of CONFIG_TYPE_OPTION_SINGLETON or
CONFIG_TYPE_STRING_ARRAY instead of CONFIG_TYPE_OPTION_ARRAY.
Fixed configure script errors and compilation warnings on Debian 7, which
enables the new GCC flags -Waddress and -Wunused-but-set-variable by
default. Thanks to Steve Cole for reporting this one.
Added some explanatory comments to spamdyke.h and spamdyke.c.
Added FILTER_FLAG_RETAIN and modified middleman() to buffer any data as long
as it is given.
Added FILTER_FLAG_CHILD_RESPONSE_INTERCEPT and modified middleman() to discard
any input from qmail when it is given.
Added FILTER_FLAG_DATA_CAPTURE and modified middleman() to capture qmail's
response to the end of the message data when it is given.
Fixed output_writeln() to send the data in bursts if more than one line is
given and no CRs need to be inserted. Previously, all data was sent
line-by-line, even though middleman() was trying to send bursts of data when
possible.
Changed middleman() to buffer the names of the accepted recipients until after
the message data is sent, then check qmail's response to the message body
and print ALLOWED/DENIED for each recipient accordingly, along with the text
of qmail's response.
Added the options header-blacklist-entry and header-blacklist-file to block
messages based on the contents of their headers.
Added the option rejection-text-header-blacklist to control the message from
the header blacklist filter.
Added a flag to smtpdummy to force it to reject all message content with an
error.
Added a more complete usage message to smtpdummy.
Fixed a number of very serious errors in the usage of snprintf()/vsnprintf().
The return value was being used as the length of the string printed into
the buffer, but the return value really indicates the length of the string
that *could* be printed if the buffer were of infinite size. Because the
returned value could be larger than the buffer's size, this meant remotely
exploitable buffer overflows were possible, depending on spamdyke's
configuration.
Added options to smtpdummy to make it appear to process authentication (and
unconditionally succeed or fail).
Changed the ALLOWED log message to show the text given by qmail when the
message is accepted.
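The snprintf()/vsnprintf() return-value error described in the changelog above, shown as an added example that is not spamdyke's code. flawed_next_offset(), append_fmt() and LONG_INPUT are hypothetical names, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed input, longer than the 16-byte buffers used below. */
static const char LONG_INPUT[] = "sender.example.invalid matched blacklist";

/* Flawed pattern: the return value is taken as the number of bytes stored.
 * snprintf() itself stays in bounds, but the offset returned here can exceed
 * size, so a later write at buf[offset] would land outside the buffer. */
static size_t flawed_next_offset(char *buf, size_t size, const char *input)
{
    int n = snprintf(buf, size, "reason: %s", input);
    return (size_t)n;
}

/* Hypothetical helper: append at buf[*used] and advance *used only by what
 * was actually stored. Returns 0 on success, -1 on truncation or error. */
static int append_fmt(char *buf, size_t size, size_t *used, const char *fmt, ...)
{
    va_list ap;
    size_t avail;
    int n;

    if (*used >= size)
        return -1;                 /* also keeps size - *used from wrapping */
    avail = size - *used;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, avail, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;                 /* output error */
    if ((size_t)n >= avail) {      /* truncated: n is the would-be length */
        *used = size - 1;          /* buffer full, terminating NUL at the end */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[16];
    size_t used = 0;
    size_t off = flawed_next_offset(buf, sizeof buf, LONG_INPUT);
    int rc = append_fmt(buf, sizeof buf, &used, "reason: %s", LONG_INPUT);
    printf("flawed offset %zu of %zu; safe rc %d, used %zu\n", off, sizeof buf, rc, used);
    return 0;
}
```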
* Stop treating NetBSD's sed as GNU sed; it is not fully compatible.
* Then, no need to reset TOOLS_PLATFORM.gsed for NetBSD if USE_TOOLS+=gsed and
real GNU sed is required.
* In addition, convert simple USE_TOOLS+=gsed to conditional use, without NetBSD.
* Convert {BUILD_,}DEPENDS+=gsed to USE_TOOLS; all tools from gsed are real gsed.
* Proxying now supports sending SSL client certificate to server with
ssl_client_cert/key settings.
* doveadm dump: Added support for dumping dbox headers/metadata.
* Fixed memory leaks in login processes with SSL connections
* vpopmail support was broken in v2.0.16
contains fixes for PR#45785.
Version 1.4.27:
- Always use the internal MD5 functions for the built-in CRAM-MD5
implementation; never use the ones from OpenSSL. This fixes problems with
configurations that use OpenSSL and do not use GNU SASL. Thanks to Gleydson
Soares and Moritz Wilhelmy for providing information and for testing the fix.
- Fix a compiler warning with current OpenSSL versions.
This version extends the log messages to show why a blacklist is
matched. It also fixes a few minor bugs.
Added a filter to sendrecv so input containing "\r\n" will be
translated into CRLF without being interpreted as a line
terminator (so multiple commands can be sent in a single "packet")
and input containing "\0" will be translated into NULL bytes
so NULL characters don't have to be embedded in the test scripts.
Added support for the RSET command to smtpdummy.
Added a "priority" field to the input file for dnsdummy to force
some responses to be sent after others, no matter what order
they were received.
Fixed nihdns_mx() to query names for A records using the query
types configured for MX queries, not A queries. Thanks to Eric
Shubert for reporting this one.
Changed smtp_filter() and middleman() to discard any buffered
input after TLS is started. This prevents the injection of
commands into a secure session by sending extra input in the
same packet as the "STARTTLS" command. Not really a security
problem but good practice anyway. Thanks to Eric Shubert for
reporting this one.
Fixed a bug in examine_entry() that was cutting off 1-3 characters
from the end of target_entry every time it was called.
Changed check_ip_in_rdns_keyword() to return the line number of
the matching file as its return value and the name of the
matching file in a reference variable.
Added reject_reason and strlen_reject_reason to struct rejection_data
to allow the triggered filter to return some text to indicate
why it triggered.
Changed set_rejection() to accept new parameters to set reason
text within the rejection structure if available.
Changed set_rejection() to accept a new parameter to append to
the rejection text if available.
Added reset_rejection() to change either the rejection text or
the reason text within an existing rejection_data structure
without erasing previously-set values.
Changed nihdns_rbl(), check_dnsrbl() and check_rhsbl() not to
accept a format string or build part of the rejection message.
That job belongs to the caller(s).
Changed filter_rdns_blacklist(), filter_rdns_blacklist_file(),
filter_rdns_blacklist_dir(), filter_ip_blacklist(),
filter_ip_in_rdns_blacklist(), filter_dns_rbl(), filter_dns_rhsbl(),
filter_sender_blacklist(), filter_sender_rhsbl() and
filter_recipient_blacklist() to save the reason for their
rejection in the reject_reason variable in rejection_data.
Changed the log messages showing ALLOWED/DENIED to always output
the "reason:" field and fill it with the text returned by the
triggered filter so the sysadmin can figure out what happened
or "(empty)" if no text was saved. Thanks to Eric Shubert for
suggesting this one.
Changed the way DNS timeout values are read from the configuration
file, the command line, /etc/resolv.conf and the environment
so that values given in the config file or on the command line
are not overridden by values in /etc/resolv.conf or the
environment. Thanks to Teodor Milkov for reporting this one.
Changed the reject-empty-rdns filter, the IP-related black/whitelist
filters and the IP-related RBL filters to skip their tests if
the incoming IP address is 0.0.0.0. This is for connections
from IPv6 hosts -- those filters can be skipped until full IPv6
support can be added. Thanks to Daniel Anliker for suggesting
this.
Changed the way the flag FILTER_DECISION_TRANSIENT_DO_NOT_FILTER
is handled by smtp_filter() and middleman() so a transient
non-rejection (e.g. a recipient whitelist) isn't held over to
later recipients. The interaction between the recipient whitelist
and the graylist filter was fixed in version 4.0.0 but an issue
still remained between recipient whitelists and other non-transient
rejections like the missing rDNS filter. Thanks to bischowski
for reporting this one.
Changed smtpdummy to use memchr() instead of strchr() so testing
input with NULL bytes will work correctly.
While here, remove patches for ancient Darwin.
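Discarding buffered plaintext once STARTTLS is accepted, as described in the changelog above; this is an added example, not spamdyke's smtp_filter() or middleman(). struct inbuf, take_line(), process_packet() and the flush_on_tls switch are hypothetical, and the packet is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct inbuf { char data[512]; size_t len; };  /* hypothetical proxy input buffer */

/* Move one CRLF-terminated line from b into line[]; returns 1 if one was found. */
static int take_line(struct inbuf *b, char *line, size_t line_size)
{
    for (size_t i = 0; i + 1 < b->len; i++) {
        if (b->data[i] != '\r' || b->data[i + 1] != '\n') continue;
        size_t n = i < line_size - 1 ? i : line_size - 1;  /* clamp to line[] */
        memcpy(line, b->data, n);
        line[n] = '\0';
        b->len -= i + 2;
        memmove(b->data, b->data + i + 2, b->len);
        return 1;
    }
    return 0;
}

/* Handle one plaintext packet. Returns the number of commands acted on;
 * *discarded counts the bytes dropped when TLS starts (flush_on_tls != 0). */
static int process_packet(const char *pkt, size_t pkt_len, int flush_on_tls,
                          size_t *discarded)
{
    struct inbuf b;
    char line[128];
    int handled = 0;

    *discarded = 0;
    if (pkt_len > sizeof b.data) return -1;  /* packet does not fit */
    memcpy(b.data, pkt, pkt_len);
    b.len = pkt_len;
    while (take_line(&b, line, sizeof line)) {
        handled++;
        if (flush_on_tls && strcasecmp(line, "STARTTLS") == 0) {
            *discarded = b.len;  /* arrived before the handshake: drop it */
            b.len = 0;           /* the TLS handshake would begin here */
        }
    }
    return handled;
}

int main(void)
{
    /* Constructed packet: two commands pipelined behind STARTTLS. */
    const char pkt[] = "EHLO client.example\r\nSTARTTLS\r\nRSET\r\nNOOP\r\n";
    size_t dropped;
    int n = process_packet(pkt, sizeof pkt - 1, 1, &dropped);
    return printf("%d commands handled, %zu bytes discarded\n", n, dropped) < 0;
}
```

With flush_on_tls set to 0 the same packet yields four handled commands, which is the pre-change behaviour the entry describes.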
Changes to the Cyrus IMAP Server since 2.4.12
* Bug #3565 - fix gcc compiler warnings - thanks Dilyan Palauzov
<dilyan.palauzov@aegee.org>
* Bug #2685 - rename annots in delayed folder delete. Avoids
annotations "reappearing" when a folder is recreated
* Bug #3566 - actually fix in a backward compatible way. 2.4.12 broke
older versions of bison
* Lots of small cleanups from CMU as they prepared to build RSS into
their 2.4 build. Thanks Ken
* Bug #3591/#3609 - fix crash in mupdate on partition move
* Bug #3610 - fix replication of partition move
* Bug #3564 - document the way prefork interacts with multiple
network protocols
* Bug #3586 - allow rename of "\Noselect" if subfolders exist
* A handful of small cleanups (#3593, #3594, #3595) from David Carter
<dpc22@cam.ac.uk>. Very much appreciated
* Disabled duplicate_check DEBUG level log messages by default.
Thanks Philip Prindeville <philipp@redfish-solutions.com>
* Bug #3608 - log mailbox name in more sync failure cases
* Bug #3615 - fix proxyd_disable_mailbox_referrals. Thanks Andrew
Morgan <morgan@orst.edu>
* Bug #3611 - fix crash in sync_mailbox_full if expunge fails
* Backported some nice fixes from master, including safer thread/sort
(there were some crashes on bad messages before)
* Fixed infinite loop on suppress_capabilities with substrings of
other capabilities. Ouch.
* Fixed LIST and LSUB again - this time to make LIST "" "*%" work
without breaking other things
* Bug #3588 - make XFER not break if the wrong server name was used.
The start of making murder safer
* Bug #3603 - tidied up usage of kick_mupdate so it never gets called
on standard murder backends
* Bug #3604 - always suppress the DELETED.* mailbox names, even if
delete_mode is immediate. It means a config change or different
frontend won't show undeletable mailboxes
* Bug #3602 - allow UpperCase in service names to work
Pantomime defines a structure named "timezone" which clashes with the
system definition. It was renamed to "timezonePantomine". While
technically it may result in change in the pkg binary, no PKGREVISION
bump is necessary because it's functionally the same as the previous
version, assuming it actually built on the platform in question.
According to the commit on 2009-12-15, the previous version of mail/cue
(20090209) was patched to support OpenSSL 1.0. However, mail/cue still
uses MD2 which is not built by default by OpenSSL 1.0. The update to
version 20100426 on 2011-11-27 did not improve the situation.
Until mail/cue is fixed upstream or patched here to avoid using MD2, it is
being marked NOT-FOR-DRAGONFLY.
Builtin libraries like com_err should only be used if there are proper
buildlink3.mk and builtin.mk files for the library, otherwise part of the
point of having the buildlink/builtin system is lost.
There is no point in having buildlink/builtin files for com_err as
currently only three packages use it by itself (mail/cyrus-imapd*) and
using the package supplied library only adds 72K to the package size.
== Tue Apr 26 09:59:56 UTC 2011 Mikel Lindsaar <mikel@rubyx.com>
* Remove ActiveSupport from the dependencies, load Active Support if present, or use internals if not
* Created v2.2 branch for all 2.2 related commits
* Update activesupport require to use inflector - closes #217
* Version bump to 2.3 and gem release