Commit graph

22 commits

Author SHA1 Message Date
manu
d49eed8431 Update to dkim-milter 2.8.2, contributed from Fredrik Pettai <pettai@nordu.net>
2.8.2           2009/02/17
        Request a signature with an "i=" tag if signing for subdomains and
                a keylist entry matches.  Previously this only occurred when
                using an explicit domain list.  Problem noted by
                S. Moonesamy of Eland Systems.
        Fixes in and around dkim_socket_cleanup().  Problem noted by
                S. Moonesamy of Eland Systems.
        LIBDKIM: When logging a d2i_PUBKEY_bio() or EVP_PKEY_get1_RSA()
                failure, also log the selector and domain involved so manual
                diagnostics are possible.
        LIBDKIM/LIBAR: Feature request #SF2380508: Add new test for
                WITHOUT_LIBSM which removes references to libsm's sm_strl*()
                functions, so that libdkim and libar can stand on their own
                on systems which provide the strl*() functions.  Requested by
                Frederik Pettai.
        LIBDKIM: Report DKIM_STAT_NOSIG if the caller commands that all
                signatures should be ignored.
        LIBDKIM: Plug a memory leak caused when responding to a malloc()
                failure.
        LIBDKIM: New signature error code DKIM_SIGERROR_KEYDECODE, used if
                 d2i_PUBKEY_BIO() or EVP_PKEY_get1_RSA fails in
                dkim_sig_process().
        LIBAR: Make reference to the "_res" structure more thread-safe.
        BUILD: Make use of conf_dkim_filter_ENVDEF since site.config.m4.dist
                refers to it.  Problem noted by S. Moonesamy of Eland Systems.
2009-02-28 15:44:55 +00:00
joerg
dd2376eca5 Fix DESTDIR installation 2009-02-24 23:41:44 +00:00
joerg
82874648cf Fix installation. 2009-01-29 17:11:25 +00:00
adrianp
b4b3c19dd5 Update to 2.8.1
2.8.1		2009/01/16
	LIBDKIM: Fix bug #SF2508602: Add a translation string for
		DKIM_SIGERROR_KEYREVOKED and fix dkim_eom_verify() so it
		returns DKIM_STAT_REVOKED when appropriate.  Problem noted
		by Mike Markley of Bank of America.

2.8.0		2009/01/08
	Add configuration option "EnableCoredumps" which makes an explicit
		kernel request for cores on crashes.  Currently only meaningful
		on Linux.
	Add configuration option "AuthServID" which sets the "authserv-id"
		token to use when generating Authentication-Results header
		fields.
	Report "fail" instead of "hardfail" on authentication failures,
		in compliance with the Authentication-Results: draft.
	Add _FFR_REPORT_INTERVALS, experimental support for the "ri" tag
		extension to DKIM policy and key records for specifying
		reporting intervals.
	Feature request #SF1985886: Add _FFR_MULTIPLE_SIGNATURES, allowing
		one instance of the filter to add multiple signatures.
		Suggested by Dave Crocker.
	Add "TemporaryDirectory" configuration file option for requesting that
		libdkim use an alternate directory for creating temporary
		files, and "KeepTemporaryFiles" for requesting that libdkim
		not delete those files for debugging purposes.
	Add optional support for the "unbound" asynchronous resolver
		library as it is DNSSEC-aware.  Adds four new configuration
		file items: "BogusKey", "BogusPolicy", "InsecureKey" and
		"InsecurePolicy".  Also add dkim_sig_getdnssec()
		and dkim_policy_getdnssec() to libdkim so callers can tell
		what the DNSSEC evaluation result was for each query.
		Based on a patch from John Dickinson.
	Add "BaseDirectory" configuration file option for specifying
		the desired current directory of the process.
	Make use of the key and policy "rs" tag, if present, when doing
		SMTP rejections.
	Use MTA macro "$j" as the hostname in generated reports instead of
		the output of gethostname() since on some systems the latter
		may not be fully-qualified.
	Remove ANTICIPATE_SENDMAIL_MUNGE, replacing it with a runtime check
		for the milter v2 feature which suppresses the addition of
		spaces in headers.
	Add _FFR_COMMAIZE which attempts to predict the reformatting
		the MTA will do to certain header fields to reduce verification
		failures.
	Add _FFR_DKIM_REPUTATION enabling a function used to query
		an open DKIM reputation service regarding the signing user
		and signing domain.  The service's URL is
		http://www.dkim-reputation.org. (EXPERIMENTAL)
	Fix preloading of configuration defaults.
	Fix bug #SF2236040: Quote all of the POSIX regular expression special
		characters, not just some of them.  Reported by Mark Martinec.
	When possible, log the selector and domain of the signature evaluated
		along with any errors in the libcrypto stack.
	LIBDKIM: Add "smtpbuf", "smtplen" and "interval" parameters to
		dkim_sig_getreportinfo() and dkim_policy_getreportinfo().
		Also, remove the assertion that "addr" be non-NULL.
	LIBDKIM: Add DKIM_LIBFLAGS_ACCEPTDK which enables compatibility
		with DomainKeys-formatted key records.
	LIBDKIM: Adjust signature formatting for legibility.
	LIBDKIM: Check return status from dkim_canon_getfinal() to avoid
		bad dereferences.  Problem noted by Chris Behrens of
		Concentric Network Corporation.
	LIBDKIM: Render the DKIM handle unusable in dkim_eoh_sign() if a
		required header was absent.
	Activate _FFR_REQUIRED_HEADERS.

2.7.2		2008/09/02
	Avoid memory leaks and infinite loops when releasing thread-specific
		memory.  Reported by Jeff Earickson.

2.7.1		2008/08/27
	Set up required callbacks for OpenSSL thread-safety.  Problem
		noted by Zbigniew Szalbot.
	Disallow empty "t=" and "x=" tags.
	Return DKIM_STAT_KEYFAIL for various DNS key retrieval failures
		instead of DKIM_STAT_INTERNAL.

2.7.0		2008/07/23
	Update to draft-ietf-dkim-ssp-04.  In doing so, rename "ASPDiscard"
		to "ADSPDiscard", "ASPNoSuchDomain" to "ADSPNoSuchDomain"
		and "SendASPReports" to "SendADSPReports" in the configuration
		file.
	Feature request #29738: Add "TrustSignaturesFrom" configuration
		file item allowing fine-grained control over third-party
		signature handling.
	Feature request #SF2018848: Add "LocalADSP" feature allowing
		policy assertions from domains known to have specific policies
		but which don't publish ADSP records.  Suggested by
		Bruno Kraychete da Costa.
	LIBDKIM: Fix an off-by-one overrun check in key and policy record
		decoding.  Problem noted by John Dickinson.

2.6.0		2008/06/11
	Remove "signaturemissing" as an old-style configuration action
		as it has been superseded by "ASPDiscard" and related
		functions.
	Add "SendASPReports" configuration option which generates ASP failure
		reports if requested by the sending domain.
	Update report generation for verification failures to use the
		new Abuse Reporting Format (ARF) and DKIM Reporting
		draft proposals.
	Add "MustBeSigned" configuration option, requiring signatures to
		cover specific headers if present.
	Rename "UseASPDiscard" to "ASPDiscard".
	Add "ASPNoSuchDomain" configuration option which rejects mail that
		appears to come from nonexistent domains as reported by the
		Author Signing Practises check.
	Add "ReportAddress" configuration option, used for defining the
		From: header of reports mailed out.
	Yet another compatibility fix with respect to Sleepycat DB.
	Fix processing of "LogWhy" configuration parameter.  Problem noted
		by Erik Lotspeich.
	Add "-n" command line flag which parses the command line arguments
		and configuration file(s), then exits with an appropriate
		status code.
	Report DKIM and ASP results separately via the same
		Authentication-Results header field.  Previous versions would
		alter the DKIM result based on ASP.
	Fix bug #SF1976931: Restore function of "nosignature" old-style
		action configuration, connected to "AlwaysAddARHeader".
		Problem noted by Lucas Brasilino.
	Feature request #SF1940233: Add "DontSignMailTo" configuration option,
		allowing a list of recipient patterns whose mail should not
		be signed.  Requested by Don Hughes.
	LIBDKIM: Rename dkim_reportinfo() to dkim_sig_getreportinfo(),
		and add dkim_policy_getreportinfo().
	LIBDKIM: Add several more signature error codes covering various
		key-related errors.
	LIBDKIM: Add dkim_sig_hdrsigned() utility, DKIM_OPTS_MUSTBESIGNED
		option, and DKIM_SIGERROR_MBSFAILED error code.
	LIBDKIM: Fix a bug in the computation of the result for
		dkim_canon_minbody().
	LIBDKIM: Report corrupted base64 chunks instead of quietly
		tolerating them.
	LIBDKIM: Tidy up the cleanup code in dkim-canon.c.
	LIBDKIM: Properly handle "tag=" at the end of a data set (i.e.
		the tag exists and has an empty value).
	LIBDKIM: Use larger unsigned data types in dkim_sig_future() as
		was done elsewhere.
	LIBDKIM: Always populate a DKIM_SIGINFO with domain and selector
		before there's an opportunity for other parsing
		short-circuits.
	LIBDKIM: Fix bug #SF1984685: Remove the "margin" parameter from
		dkim_getsighdr(); make it controlled by a new function,
		dkim_set_margin(), so that the signed copy and the
		user-requested copy are identical.
	Activate _FFR_AUTHSERV_JOBID.

2.5.5		2008/04/25
	Fix bug #SF1947301: Close up a logic problem in "UseASPDiscard"
		handling which could cause false rejections of mail from
		domains advertising "discardable" policies.  Problem noted
		by Doug Kingston.
	LIBDKIM: Another compatibility fix with respect to Sleepycat DB.
2009-01-19 23:24:28 +00:00
joerg
78f49c9582 Fix build on NetBSD. 2008-10-06 14:56:52 +00:00
adrianp
db43a8d9df Fixes for new PLIST magic 2008-04-20 17:36:15 +00:00
adrianp
44a69a21cb Update to 2.5.4
- Add dkim-stats option to install dkim-stats(8) FFR
- Only install dkim-stats(8) man page if dkim-stats option has been specified

2.5.4           2008/04/17
* Skip signatures with errors in dkimf_authorsigok().
* Avoid a NULL dereference in dkimf_config_reload() when starting
without a configuration file.
* Fix an alignment problem in dkimf_checkip().  Problem reported
by Jeff A. Earickson.
* LIBDKIM: Fix bug #SF1942387: Per RFC4871, disallow "l=" values
that exceed the size of the canonicalized message body.

2.5.3           2008/04/14
* Add "AllowSHA1Only" configuration option which permits operation
of verifiers that only know about SHA1.  Without this, a
filter compiled with only SHA1 support will refuse to start
in verifier mode.
* Add "LogWhy" configuration parameter and "-W" command line flag
to request detailed logging about why a message was not
signed by the filter.  Intended for debugging; not intended
for normal operation.
* Another tweak to parameters passed to db->open().  Based on patches
from Jukka Salmi and S. Moonesamy.
* Fixes in ares_parse() to match the current syntax.  In particular,
deal with the fact that some of our tokens can legally appear
in e-mail addresses.  Problem noted by S. Moonesamy of
Eland Systems.
* LIBDKIM: Evaluate key granularity against the "i=" value rather than
the value of the From: header per RFC4871.  Problem noted by
Jason Long.
* LIBDKIM: Remove the chartable stuff from dkim-tables.c as it is
not used anywhere.
* LIBDKIM: Fix bug #SF1940302: Perform stronger validation of the value
of the "h=" tag.
2008-04-20 17:20:20 +00:00
jlam
841dfa0e7a Convert to use PLIST_VARS instead of manually passing "@comment "
through PLIST_SUBST to the plist module.
2008-04-12 22:42:57 +00:00
adrianp
6b7f62ff93 2.5.1 2008/03/20
Update for draft-kucherawy-sender-auth-header-14.
Add "subject" to "should_signhdrs" per RFC4871 section 5.5.
Fix bug #SF1911328: Restore proper behaviour of SignHeaders and
OmitHeaders, broken in the prior release's configuration
overhaul.  Problem reported by Jason Molzen.
Fix bug #SF1912332: Fix parameters passed to db->open().  Problem
reported by Tony Earnshaw.
Fix bug #SF1912569: Initialize mutexes before entering test mode.
Patch from Kaspar Brand.
LIBDKIM: More boundary checking fixes in dkim_canon_selecthdrs().
Problem noted by Warren Horvath.
LIBDKIM: Fix bug #SF1820084: Return DKIM_STAT_MULTIDNSREPLY
if a DNS query returns multiple records.

2.5.2           2008/03/28
Preserve the sender's domain name outside of mlfi_eoh() as it's
now needed in mlfi_eom().  Problem noted by Andy Fiddaman.
Fix bug #SF1921873: Pass "-K" command line switch into the new
configuration handling code.  Problem noted by Al Smith.
TOOLS: Fix flags portion of the TXT record output by dkim-genkey.
Problem noted by Michael Carland.
BUILD: Fix bug #SF1922422: Fix linker problems when POPAUTH is
defined.
2008-04-06 12:59:11 +00:00
adrianp
84fbd1ed14 Update to 2.5.0
Add "AutoRestartCount" and "AutoRestartRate" configuration
parameters to limit runaway restart loops.
Feature request #SF1735573: Add "AlwaysAddARHeader" option, which
will add an Authentication-Results of "none" for unsigned
messages from domains without a "strict" policy.
Feature request #SF1807748: Reload the configuration file on
receipt of SIGUSR1.  Requested by Florian Sager.
Feature request #SF1811969: Add _FFR_BODYLENGTH_DB which adds a
"BodyLengthDBFile" feature, allowing a per-recipient decision
on whether or not to use an "l=" tag when signing.  Patch
contributed by Daniel Black.
Feature request #SF1841955: Add an "Include" facility to the
configuration file.
Feature request #SF1876941: Make the syslog facility selectable.
Based on a patch from Jose-Marcio Martins da Cruz of Ecole
des Mines de Paris.
Feature request #SF1876943: Add _FFR_AUTHSERV_JOBID allowing the
job ID to be included as part of the "authserv-id" in
Authentication-Results: headers.  Based on a patch from
Jose-Marcio Martins da Cruz of Ecole des Mines de Paris.
Feature request #SF1890581: Attempt to clean up a UNIX domain
socket in the non-AutoRestart case as well.  Requested
by Daniel Black.
Add "MilterDebug" configuration file option for requesting debugging
output from the filter.
Add "FixCRLF" configuration file option which activates the
DKIM_LIBFLAGS_FIXCRLF flag (see below).
Update to draft-ietf-dkim-ssp-03.  In doing so, rename the
"UseSSPDeny" configuration option to "UseASPDiscard".
Handle an error from dkim_getsighdr() properly in mlfi_eom().
When VERIFY_DOMAINKEYS is active, don't short-circuit mlfi_eoh()
between dk_verify() and dk_eoh() or a segmentation fault below
dk_body() could result.
LIBDKIM: Feature request #SF1823059: Export key, signature and
policy syntax checking capability via the API.  Based on
a patch from Chris Behrens of Concentric Network Corporation.
LIBDKIM: Assert defaults for "c" and "q" tags when parsing
signature headers.  Patch from Chris Behrens of Concentric
Network Corporation.
LIBDKIM: Better handling of truncated DNS replies; instead of
just giving up if the "tc" (truncated) bit is set in the
reply, see if there was enough of a reply returned to be able
to complete the request.
LIBDKIM: Fix recycling bug in header canonicalizations which was
causing signatures other than the first one to fail in most
cases.
LIBDKIM: Add new dkim_chunk() interface.
LIBDKIM: Enforce DKIM_OPTS_QUERYMETHOD library option even if there
were no valid signatures.
LIBDKIM: New DKIM_LIBFLAGS_FIXCRLF which requests that "naked"
CRs and LFs be converted to CRLFs during canonicalization
when signing.
LIBDKIM: Fix bounds checking in dkim_canon_selecthdrs().
LIBAR: Eliminate a possible race condition in ar_dispatcher().
LIBAR: Timeouts passed to select() can't be bigger than 10^8.
Problem noted by S. Moonesamy of Eland Systems.
BUILD: Feature request #SF1876242: Install the filter in EBINDIR
and everything else in UBINDIR.
2008-03-09 15:09:26 +00:00
adrianp
772cb172c3 Pull in improvements from wip (packaged by j+pkgsrc (at) salmi.ch):
* Install documentation for the library
* Install a static version of the dkim library
* Move to external options.mk
* Add support for ar(3) and debug
2008-03-09 14:02:08 +00:00
adrianp
fa37ceac10 Update to 2.4.4
* LIBDKIM: Fix bug #SF1867839: 64-bit portability in rfc2822.c.
  Patch from Geoff Adams.
* Update for latest Authentication-Results: header draft.
* Take advantage of some more features that were introduced with
  milter v2 in sendmail 8.14.0:
* Report "hardfail" instead of "fail" on authentication failures,
  in compliance with the Authentication-Results: draft.
* Fix use of "UseSSPDeny" to include handling of unsigned messages.
* Replace "gentxt.csh" with more robust "dkim-genkey" utility.

And *lots* more (the package in pkgsrc was 2 years+ old)

See RELEASE_NOTES for all the details
2008-02-19 13:23:06 +00:00
tnn
ad6ceadd25 Per the process outlined in revbump(1), perform a recursive revbump
on packages that are affected by the switch from the openssl 0.9.7
branch to the 0.9.8 branch. ok jlam@
2008-01-18 05:06:18 +00:00
gdt
223613307e Add sendmail-open-source-license as found in tarballs, and remove
inexplicable and deprecated no-profit LICENSE tag.
2007-08-10 15:52:15 +00:00
joerg
161c920c15 Prepare for switching to NO_MTREE=yes. 2007-03-24 19:21:18 +00:00
rillig
2829e658f2 Mechanically replaced man/* with ${PKGMANDIR}/* in the definition of
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.

Fixes PR 35265, although I did not use the patch provided therein.
2007-01-07 09:13:46 +00:00
rillig
9fc2d7d281 Removed the superfluous "quotes" and 'quotes' from variables that don't
need them, for example RESTRICTED and SUBST_MESSAGE.*.
2006-04-22 09:22:05 +00:00
reed
5abef9be14 Over 1200 files touched but no revisions bumped :)
RECOMMENDED is removed. It becomes ABI_DEPENDS.

BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.

BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.

BUILDLINK_DEPENDS does not change.

IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".

Added to obsolete.mk checking for IGNORE_RECOMMENDED.

I did not manually go through and fix any aesthetic tab/spacing issues.

I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.

I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.

As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.

As discussed on tech-pkg.

I will commit to revbump, pkglint, pkg_install, createbuildlink separately.

Note that if you use wip, it will fail!  I will commit to pkgsrc-wip
later (within day).
2006-04-06 06:21:32 +00:00
joerg
05b3e09f14 Use FreeBSD config for DragonFly and teach the host include header
about it.
2006-01-08 18:20:30 +00:00
jlam
dc9594e09d Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
2005-12-29 06:21:30 +00:00
rillig
b71a1d488b Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 20:49:47 +00:00
minskim
23a242b680 Import dkim-milter from pkgsrc. Packaged by iMil.
dkim-milter consists of two parts: A milter-based application
(dkim-filter) which plugs in to Sendmail to provide DomainKeys
Identified Mail service, and a library (libdkim) which can be used to
build DKIM-compliant applications or MTAs.
2005-10-27 19:49:07 +00:00