b333d0b822
Exim version 4.93 ----------------- JH/01 OpenSSL: With debug enabled output keying information sufficient, server side, to decode a TLS 1.3 packet capture. JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets. Previously the default library behaviour applied, sending two, each in its own TCP segment. JH/03 Debug output for ACL now gives the config file name and line number for each verb. JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. JH/05 DKIM: ensure that dkim_domain elements are lowercased before use. JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible buffer overrun for (non-chunking) other transports. JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under TLS1.3, means that a server rejecting a client certificate is not visible to the client until the first read of encrypted data (typically the response to EHLO). Add detection for that case and treat it as a failed TLS connection attempt, so that the normal retry-in-clear can work (if suitably configured). JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part and/or domain. Found and fixed by Jason Betts. JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid configuration). If a CNAME target was not a wellformed name pattern, a crash could result. JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when the OS reports them interleaved with other addresses. JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was used both for input and for a verify callout, both encrypted, SMTP responses being sent by the server could be lost. This resulted in dropped connections and sometimes bounces generated by a peer sending to this system. JH/11 Harden plaintext authenticator against a badly misconfigured client-send string. Previously it was possible to cause undefined behaviour in a library routine (usually a crash). Found by "zerons". JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no output. JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old API was removed, so update to use the newer ones. JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without any timeout set, is taking a long time. Previously we would hang on to a rotated logfile "forever" if the input was arriving with long gaps (a previous attempt to fix addressed lack, for a long time, of initial input). HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a shared (NFS) environment. The length of the tempfile name is now 4 + 16 ("hdr.$message_exim_id") which might break on file systems which restrict the file name length to lower values. (It was "hdr.$pid".) HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a shared (NFS) environment. HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it did for all versions <4.90). Notably -M, -m, --invert, -I may be affected. JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors on some platforms for bit 31. JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks to changes apparently associated with TLS1.3 handling some of the APIs previously used were either nonfunctional or inappropriate. Strings like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 . This affects log line X= elements, the $tls_{in,out}_cipher variables, and the use of specific cipher names in the encrypted= ACL condition. JH/17 OpenSSL: the default openssl_options now disables ssl_v3. JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the verification result was not updated unless hosts_require_ocsp applied. JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option queue_list_requires_admin set to false, non-admin users were denied the facility. JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in directory-of-certs mode. Previously they were advertised despite the documentation. JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. A single TCP connection by a client will now hold a TLS connection open for multiple message deliveries, by default. Previoud the default was to not do so. JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by default. If built with the facility, DANE will be used. The facility SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME". JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL must be defined and you must still, unless you define DISABLE_TLS, manage the the include-dir and library-file requirements that go with that choice. Non-TLS builds are still supported. JH/24 Fix duplicated logging of peer name/address, on a transport connection- reject under TFO. JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by default. If the platform supports and has the facility enabled, it will be requested on all coneections. JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now controlled by the build-time option SUPPORT_PIPE_CONNECT. PP/01 Unbreak heimdal_gssapi, broken in 4.92. JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for success-DSN messages. Previously the From: header was always the default one for these; the option was ignored. JH/28 Fix the timeout on smtp response to apply to the whole response. Previously it was reset for every read, so a teergrubing peer sending single bytes within the time limit could extend the connection for a long time. Credit to Qualsys Security Advisory Team for the discovery. JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing delivery address, which leaked information of the results of local forwarding. Change to the original envelope recipient address, per standards. JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is requested. Previously not bounce was generated and a log entry of error ignored was made. JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917) JH/32 Introduce a general tainting mechanism for values read from the input channel, and values derived from them. Refuse to expand any tainted values, to catch one form of exploit. JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result was unused and the unexpanded text used for the test. Found and fixed by Ruben Jenster. JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open, an attempt to use a TLS library read routine dereffed a nul pointer, causing a segfault. JH/35 Bug 2409: filter out-of-spec chars from callout response before using them in our smtp response. JH/36 Have the general router option retry_use_local_part default to true when any of the restrictive preconditions are set (to anything). Previously it was only for check_local user. The change removes one item of manual configuration which is required for proper retries when a remote router handles a subset of addresses for a domain. JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file link count into consideration. HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line caused the extension of big_buffer, the following lines were ignored. JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in accordance with RFC 2308. Previously there was no expiry, so a longlived receive process (eg. due to ACL delays) versus a short SOA value could surprise. HS/05 Handle trailing backslash gracefully. (CVE-2019-15846) JH/39 Promote DMARC support to mainline. JH/40 Bug 2452: Add a References: header to DSNs. JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman parameters. The relevant library call is documented as "Deprecated: This function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since 3.6.0, DH parameters are negotiated following RFC7919." HS/06 Change the default of dnssec_request_domains to "*" JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we carried on and emitted a BDAT command, even when PIPELINING was not active. JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted buffer was used for the filename, resulting in a trap when tainted arguments (eg. $domain) were used. JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below; recommended to avoid a possible server-load attack. The feature can be re-enabled via the openssl_options main cofiguration option. JH/45 local_scan API: documented the current smtp_printf() call. This changed for version 4.90 - adding a "more data" boolean to the arguments. Bumped the ABI version number also, this having been missed previously; release versions 4.90 to 4.92.3 inclusive were effectively broken in respect of usage of smtp_printf() by either local_scan code or libraries accessed via the ${dlfunc } expansion item. Both will need coding adjustment for any calls to smtp_printf() to match the new function signature; a FALSE value for the new argument is always safe. JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating the file-offset (which the Linux syscall does, and exim expects); this resulted in an indefinite loop. JH/47 ARC: fix crash in signing, triggered when a configuration error failed to do ARC verification. The Authentication-Results: header line added by the configuration then had no ARC item.
169 lines
5.2 KiB
Makefile
169 lines
5.2 KiB
Makefile
# $NetBSD: options.mk,v 1.25 2019/12/09 18:46:00 adam Exp $
|
|
|
|
PKG_OPTIONS_VAR= PKG_OPTIONS.exim
|
|
PKG_SUPPORTED_OPTIONS= exim-appendfile-maildir exim-appendfile-mailstore
|
|
PKG_SUPPORTED_OPTIONS+= exim-appendfile-mbx exim-auth-dovecot exim-build-eximon
|
|
PKG_SUPPORTED_OPTIONS+= exim-content-scan exim-lookup-cdb exim-lookup-dnsdb
|
|
PKG_SUPPORTED_OPTIONS+= exim-lookup-dsearch exim-lookup-ldap exim-lookup-mysql
|
|
PKG_SUPPORTED_OPTIONS+= exim-lookup-pgsql exim-lookup-redis exim-lookup-sqlite
|
|
PKG_SUPPORTED_OPTIONS+= exim-lookup-whoson exim-old-demime exim-router-iplookup
|
|
PKG_SUPPORTED_OPTIONS+= exim-tcp-wrappers exim-tls exim-transport-lmtp gdbm
|
|
PKG_SUPPORTED_OPTIONS+= inet6 opendmarc saslauthd spf readline
|
|
|
|
PKG_SUGGESTED_OPTIONS= exim-appendfile-maildir exim-appendfile-mailstore
|
|
PKG_SUGGESTED_OPTIONS+= exim-appendfile-mbx exim-content-scan
|
|
PKG_SUGGESTED_OPTIONS+= exim-lookup-dsearch exim-old-demime exim-tcp-wrappers
|
|
PKG_SUGGESTED_OPTIONS+= exim-tls inet6
|
|
|
|
.include "../../mk/bsd.options.mk"
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-appendfile-maildir)
|
|
LOCAL_MAKEFILE_OPTIONS+= SUPPORT_MAILDIR=yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-appendfile-mailstore)
|
|
LOCAL_MAKEFILE_OPTIONS+= SUPPORT_MAILSTORE=yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-auth-dovecot)
|
|
LOCAL_MAKEFILE_OPTIONS+= AUTH_DOVECOT=yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-appendfile-mbx)
|
|
LOCAL_MAKEFILE_OPTIONS+= SUPPORT_MBX=yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-build-eximon)
|
|
LOCAL_MAKEFILE_OPTIONS+=EXIM_MONITOR=eximon.bin
|
|
LOCAL_MAKEFILE_OPTIONS+=X11=${X11BASE}
|
|
PLIST_SRC+=${PKGDIR}/PLIST.eximon
|
|
. include "../../x11/libXaw/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-content-scan)
|
|
LOCAL_MAKEFILE_OPTIONS+= WITH_CONTENT_SCAN=YES
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-cdb)
|
|
LOCAL_MAKEFILE_OPTIONS+= LOOKUP_CDB=YES
|
|
DEPENDS+= cdb-[0-9]*:../../databases/cdb
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-dnsdb)
|
|
LOCAL_MAKEFILE_OPTIONS+= LOOKUP_DNSDB=YES
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-dsearch)
|
|
LOCAL_MAKEFILE_OPTIONS+= LOOKUP_DSEARCH=YES
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-ldap)
|
|
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_LDAP=YES
|
|
LOCAL_MAKEFILE_OPTIONS+=LDAP_LIB_TYPE=OPENLDAP2
|
|
LOOKUP_LIBS+=-lldap -llber
|
|
. include "../../databases/openldap-client/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-mysql)
|
|
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_MYSQL=YES
|
|
LOOKUP_LIBS+=-lmysqlclient
|
|
. include "../../mk/mysql.buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-pgsql)
|
|
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_PGSQL=YES
|
|
LOOKUP_LIBS+=-lpq
|
|
. include "../../mk/pgsql.buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-redis)
|
|
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_REDIS=YES
|
|
LOOKUP_LIBS+=-lhiredis
|
|
. include "../../databases/hiredis/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-sqlite)
|
|
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_SQLITE=YES
|
|
LOOKUP_LIBS+=-lsqlite3
|
|
. include "../../databases/sqlite3/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-lookup-whoson)
|
|
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_WHOSON=YES
|
|
LOOKUP_LIBS+=-lwhoson
|
|
. include "../../net/whoson/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-old-demime)
|
|
LOCAL_MAKEFILE_OPTIONS+= WITH_OLD_DEMIME=YES
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-router-iplookup)
|
|
LOCAL_MAKEFILE_OPTIONS+= ROUTER_IPLOOKUP=yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-tcp-wrappers)
|
|
LOCAL_MAKEFILE_OPTIONS+=USE_TCP_WRAPPERS=yes
|
|
LOOKUP_LIBS+=-lwrap
|
|
. include "../../security/tcp_wrappers/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-tls)
|
|
LOCAL_MAKEFILE_OPTIONS+=SUPPORT_TLS=yes
|
|
LOCAL_MAKEFILE_OPTIONS+=USE_OPENSSL=yes
|
|
LOOKUP_LIBS+=-lssl -lcrypto
|
|
. include "../../security/openssl/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mexim-transport-lmtp)
|
|
LOCAL_MAKEFILE_OPTIONS+= TRANSPORT_LMTP=yes
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Minet6)
|
|
LOCAL_MAKEFILE_OPTIONS+= HAVE_IPV6=YES
|
|
.else
|
|
LOCAL_MAKEFILE_OPTIONS+= HAVE_IPV6=NO
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mopendmarc)
|
|
LOCAL_MAKEFILE_OPTIONS+=EXPERIMENTAL_DMARC=yes
|
|
LOOKUP_LIBS+= -lopendmarc
|
|
. include "../../mail/opendmarc/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mgdbm)
|
|
. include "../../databases/gdbm/buildlink3.mk"
|
|
EXIM_USE_DB_CONFIG= USE_GDBM=yes
|
|
EXIM_DBMLIB= DBMLIB=${LDFLAGS} -lgdbm
|
|
EXIM_INCLUDE= -I${PREFIX}/include
|
|
.else # use native or Berkeley DB as defined by BDB_DEFAULT and BDB_ACCEPTED
|
|
. include "../../mk/bdb.buildlink3.mk"
|
|
EXIM_USE_DB_CONFIG= USE_DB=yes # the default
|
|
. if ${BDB_TYPE} == "db1"
|
|
EXIM_DBMLIB= # empty so use defaults
|
|
EXIM_USE_DB_CONFIG= # empty so use defaults
|
|
EXIM_INCLUDE= -I/usr/${BUILDLINK_INCDIRS.db-native}
|
|
. else
|
|
EXIM_DBMLIB= DBMLIB=${LDFLAGS} ${BDB_LIBS}
|
|
EXIM_INCLUDE= -I${PREFIX}/${BUILDLINK_INCDIRS.${BDB_TYPE}}
|
|
. endif
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Msaslauthd)
|
|
LOCAL_MAKEFILE_OPTIONS+=AUTH_CYRUS_SASL=YES
|
|
LOCAL_MAKEFILE_OPTIONS+=CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
|
|
LOOKUP_LIBS+=${COMPILER_RPATH_FLAG}${LOCALBASE}/${BUILDLINK_LIBDIRS.cyrus-sasl} -L${LOCALBASE}/${BUILDLINK_LIBDIRS.cyrus-sasl} -lsasl2
|
|
. include "../../security/cyrus-sasl/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mspf)
|
|
LOCAL_MAKEFILE_OPTIONS+=SUPPORT_SPF=yes
|
|
LOOKUP_LIBS+= -lspf2
|
|
. include "../../mail/libspf2/buildlink3.mk"
|
|
.endif
|
|
|
|
.if !empty(PKG_OPTIONS:Mreadline)
|
|
LOCAL_MAKEFILE_OPTIONS+=USE_READLINE=yes
|
|
LOOKUP_LIBS+= -lreadline
|
|
. include "../../devel/readline/buildlink3.mk"
|
|
.endif
|