pkgsrc/mail/exim/options.mk
adam b333d0b822 exim: updated to 4.93
Exim version 4.93
-----------------

JH/01 OpenSSL: With debug enabled output keying information sufficient, server
      side, to decode a TLS 1.3 packet capture.

JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
      Previously the default library behaviour applied, sending two, each in
      its own TCP segment.

JH/03 Debug output for ACL now gives the config file name and line number for
      each verb.

JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.

JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.

JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
      buffer overrun for (non-chunking) other transports.

JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
      TLS1.3, means that a server rejecting a client certificate is not visible
      to the client until the first read of encrypted data (typically the
      response to EHLO).  Add detection for that case and treat it as a failed
      TLS connection attempt, so that the normal retry-in-clear can work (if
      suitably configured).

JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
      and/or domain.  Found and fixed by Jason Betts.

JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
      configuration).  If a CNAME target was not a wellformed name pattern, a
      crash could result.

JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
      the OS reports them interleaved with other addresses.

JH/10 OpenSSL: Fix aggregation of messages.  Previously, when PIPELINING was
      used both for input and for a verify callout, both encrypted, SMTP
      responses being sent by the server could be lost.  This resulted in
      dropped connections and sometimes bounces generated by a peer sending
      to this system.

JH/11 Harden plaintext authenticator against a badly misconfigured client-send
      string.  Previously it was possible to cause undefined behaviour in a
      library routine (usually a crash).  Found by "zerons".

JH/12 Bug 2384: fix "-bP smtp_receive_timeout".  Previously it returned no
      output.

JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward.  Some old
      API was removed, so update to use the newer ones.

JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
      any timeout set, is taking a long time.  Previously we would hang on to a
      rotated logfile "forever" if the input was arriving with long gaps
      (a previous attempt to fix addressed lack, for a long time, of initial
      input).

HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment. The length of the tempfile name is now
      4 + 16 ("hdr.$message_exim_id") which might break on file
      systems which restrict the file name length to lower values.
      (It was "hdr.$pid".)

HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment.

HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
      did for all versions <4.90). Notably -M, -m, --invert, -I may be
      affected.

JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
      on some platforms for bit 31.

JH/16 GnuTLS: rework ciphersuite strings under recent library versions.  Thanks
      to changes apparently associated with TLS1.3 handling some of the APIs
      previously used were either nonfunctional or inappropriate.  Strings
      like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
      and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
      the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
      This affects log line X= elements, the $tls_{in,out}_cipher variables,
      and the use of specific cipher names in the encrypted= ACL condition.

JH/17 OpenSSL: the default openssl_options now disables ssl_v3.

JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
      verification result was not updated unless hosts_require_ocsp applied.

JH/19 Bug 2398: fix listing of a named-queue.  Previously, even with the option
      queue_list_requires_admin set to false, non-admin users were denied the
      facility.

JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
      directory-of-certs mode.  Previously they were advertised despite the
      documentation.

JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
      A single TCP connection by a client will now hold a TLS connection open
      for multiple message deliveries, by default.  Previoud the default was to
      not do so.

JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
      default.  If built with the facility, DANE will be used.  The facility
      SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".

JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
      is replaced with DISABLE_TLS.  Either USE_GNUTLS or (the new) USE_OPENSSL
      must be defined and you must still, unless you define DISABLE_TLS, manage
      the the include-dir and library-file requirements that go with that
      choice.  Non-TLS builds are still supported.

JH/24 Fix duplicated logging of peer name/address, on a transport connection-
      reject under TFO.

JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
      default.  If the platform supports and has the facility enabled, it will
      be requested on all coneections.

JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
      controlled by the build-time option SUPPORT_PIPE_CONNECT.

PP/01 Unbreak heimdal_gssapi, broken in 4.92.

JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
      success-DSN messages.  Previously the From: header was always the default
      one for these; the option was ignored.

JH/28 Fix the timeout on smtp response to apply to the whole response.
      Previously it was reset for every read, so a teergrubing peer sending
      single bytes within the time limit could extend the connection for a
      long time.  Credit to Qualsys Security Advisory Team for the discovery.

JH/29 Fix DSN Final-Recipient: field.  Previously it was the post-routing
      delivery address, which leaked information of the results of local
      forwarding.  Change to the original envelope recipient address, per
      standards.

JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
      requested.  Previously not bounce was generated and a log entry of
      error ignored was made.

JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)

JH/32 Introduce a general tainting mechanism for values read from the input
      channel, and values derived from them.  Refuse to expand any tainted
      values, to catch one form of exploit.

JH/33 Bug 2413: Fix dkim_strict option.  Previously the expansion result
      was unused and the unexpanded text used for the test.  Found and
      fixed by Ruben Jenster.

JH/34 Fix crash after TLS shutdown.  When the TCP/SMTP channel was left open,
      an attempt to use a TLS library read routine dereffed a nul pointer,
      causing a segfault.

JH/35 Bug 2409: filter out-of-spec chars from callout response before using
      them in our smtp response.

JH/36 Have the general router option retry_use_local_part default to true when
      any of the restrictive preconditions are set (to anything).  Previously it
      was only for check_local user.  The change removes one item of manual
      configuration which is required for proper retries when a remote router
      handles a subset of addresses for a domain.

JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
      link count into consideration.

HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line
      caused the extension of big_buffer, the following lines were ignored.

JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
      accordance with RFC 2308.  Previously there was no expiry, so a longlived
      receive process (eg. due to ACL delays) versus a short SOA value could
      surprise.

HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)

JH/39 Promote DMARC support to mainline.

JH/40 Bug 2452: Add a References: header to DSNs.

JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
      parameters.  The relevant library call is documented as "Deprecated: This
      function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
      3.6.0, DH parameters are negotiated following RFC7919."

HS/06 Change the default of dnssec_request_domains to "*"

JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected.  Previously we
      carried on and emitted a BDAT command, even when PIPELINING was not
      active.

JH/43 Bug 2465: Fix taint-handling in dsearch lookup.  Previously a nontainted
      buffer was used for the filename, resulting in a trap when tainted
      arguments (eg. $domain) were used.

JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
      recommended to avoid a possible server-load attack.  The feature can be
      re-enabled via the openssl_options main cofiguration option.

JH/45 local_scan API: documented the current smtp_printf() call. This changed
      for version 4.90 - adding a "more data" boolean to the arguments.
      Bumped the ABI version number also, this having been missed previously;
      release versions 4.90 to 4.92.3 inclusive were effectively broken in
      respect of usage of smtp_printf() by either local_scan code or libraries
      accessed via the ${dlfunc } expansion item.  Both will need coding
      adjustment for any calls to smtp_printf() to match the new function
      signature; a FALSE value for the new argument is always safe.

JH/46 FreeBSD: fix use of the sendfile() syscall.  The shim was not updating
      the file-offset (which the Linux syscall does, and exim expects); this
      resulted in an indefinite loop.

JH/47 ARC: fix crash in signing, triggered when a configuration error failed
      to do ARC verification.  The Authentication-Results: header line added
      by the configuration then had no ARC item.
2019-12-09 18:46:00 +00:00

169 lines
5.2 KiB
Makefile

# $NetBSD: options.mk,v 1.25 2019/12/09 18:46:00 adam Exp $
PKG_OPTIONS_VAR= PKG_OPTIONS.exim
PKG_SUPPORTED_OPTIONS= exim-appendfile-maildir exim-appendfile-mailstore
PKG_SUPPORTED_OPTIONS+= exim-appendfile-mbx exim-auth-dovecot exim-build-eximon
PKG_SUPPORTED_OPTIONS+= exim-content-scan exim-lookup-cdb exim-lookup-dnsdb
PKG_SUPPORTED_OPTIONS+= exim-lookup-dsearch exim-lookup-ldap exim-lookup-mysql
PKG_SUPPORTED_OPTIONS+= exim-lookup-pgsql exim-lookup-redis exim-lookup-sqlite
PKG_SUPPORTED_OPTIONS+= exim-lookup-whoson exim-old-demime exim-router-iplookup
PKG_SUPPORTED_OPTIONS+= exim-tcp-wrappers exim-tls exim-transport-lmtp gdbm
PKG_SUPPORTED_OPTIONS+= inet6 opendmarc saslauthd spf readline
PKG_SUGGESTED_OPTIONS= exim-appendfile-maildir exim-appendfile-mailstore
PKG_SUGGESTED_OPTIONS+= exim-appendfile-mbx exim-content-scan
PKG_SUGGESTED_OPTIONS+= exim-lookup-dsearch exim-old-demime exim-tcp-wrappers
PKG_SUGGESTED_OPTIONS+= exim-tls inet6
.include "../../mk/bsd.options.mk"
.if !empty(PKG_OPTIONS:Mexim-appendfile-maildir)
LOCAL_MAKEFILE_OPTIONS+= SUPPORT_MAILDIR=yes
.endif
.if !empty(PKG_OPTIONS:Mexim-appendfile-mailstore)
LOCAL_MAKEFILE_OPTIONS+= SUPPORT_MAILSTORE=yes
.endif
.if !empty(PKG_OPTIONS:Mexim-auth-dovecot)
LOCAL_MAKEFILE_OPTIONS+= AUTH_DOVECOT=yes
.endif
.if !empty(PKG_OPTIONS:Mexim-appendfile-mbx)
LOCAL_MAKEFILE_OPTIONS+= SUPPORT_MBX=yes
.endif
.if !empty(PKG_OPTIONS:Mexim-build-eximon)
LOCAL_MAKEFILE_OPTIONS+=EXIM_MONITOR=eximon.bin
LOCAL_MAKEFILE_OPTIONS+=X11=${X11BASE}
PLIST_SRC+=${PKGDIR}/PLIST.eximon
. include "../../x11/libXaw/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-content-scan)
LOCAL_MAKEFILE_OPTIONS+= WITH_CONTENT_SCAN=YES
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-cdb)
LOCAL_MAKEFILE_OPTIONS+= LOOKUP_CDB=YES
DEPENDS+= cdb-[0-9]*:../../databases/cdb
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-dnsdb)
LOCAL_MAKEFILE_OPTIONS+= LOOKUP_DNSDB=YES
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-dsearch)
LOCAL_MAKEFILE_OPTIONS+= LOOKUP_DSEARCH=YES
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-ldap)
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_LDAP=YES
LOCAL_MAKEFILE_OPTIONS+=LDAP_LIB_TYPE=OPENLDAP2
LOOKUP_LIBS+=-lldap -llber
. include "../../databases/openldap-client/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-mysql)
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_MYSQL=YES
LOOKUP_LIBS+=-lmysqlclient
. include "../../mk/mysql.buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-pgsql)
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_PGSQL=YES
LOOKUP_LIBS+=-lpq
. include "../../mk/pgsql.buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-redis)
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_REDIS=YES
LOOKUP_LIBS+=-lhiredis
. include "../../databases/hiredis/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-sqlite)
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_SQLITE=YES
LOOKUP_LIBS+=-lsqlite3
. include "../../databases/sqlite3/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-lookup-whoson)
LOCAL_MAKEFILE_OPTIONS+=LOOKUP_WHOSON=YES
LOOKUP_LIBS+=-lwhoson
. include "../../net/whoson/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-old-demime)
LOCAL_MAKEFILE_OPTIONS+= WITH_OLD_DEMIME=YES
.endif
.if !empty(PKG_OPTIONS:Mexim-router-iplookup)
LOCAL_MAKEFILE_OPTIONS+= ROUTER_IPLOOKUP=yes
.endif
.if !empty(PKG_OPTIONS:Mexim-tcp-wrappers)
LOCAL_MAKEFILE_OPTIONS+=USE_TCP_WRAPPERS=yes
LOOKUP_LIBS+=-lwrap
. include "../../security/tcp_wrappers/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-tls)
LOCAL_MAKEFILE_OPTIONS+=SUPPORT_TLS=yes
LOCAL_MAKEFILE_OPTIONS+=USE_OPENSSL=yes
LOOKUP_LIBS+=-lssl -lcrypto
. include "../../security/openssl/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mexim-transport-lmtp)
LOCAL_MAKEFILE_OPTIONS+= TRANSPORT_LMTP=yes
.endif
.if !empty(PKG_OPTIONS:Minet6)
LOCAL_MAKEFILE_OPTIONS+= HAVE_IPV6=YES
.else
LOCAL_MAKEFILE_OPTIONS+= HAVE_IPV6=NO
.endif
.if !empty(PKG_OPTIONS:Mopendmarc)
LOCAL_MAKEFILE_OPTIONS+=EXPERIMENTAL_DMARC=yes
LOOKUP_LIBS+= -lopendmarc
. include "../../mail/opendmarc/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mgdbm)
. include "../../databases/gdbm/buildlink3.mk"
EXIM_USE_DB_CONFIG= USE_GDBM=yes
EXIM_DBMLIB= DBMLIB=${LDFLAGS} -lgdbm
EXIM_INCLUDE= -I${PREFIX}/include
.else # use native or Berkeley DB as defined by BDB_DEFAULT and BDB_ACCEPTED
. include "../../mk/bdb.buildlink3.mk"
EXIM_USE_DB_CONFIG= USE_DB=yes # the default
. if ${BDB_TYPE} == "db1"
EXIM_DBMLIB= # empty so use defaults
EXIM_USE_DB_CONFIG= # empty so use defaults
EXIM_INCLUDE= -I/usr/${BUILDLINK_INCDIRS.db-native}
. else
EXIM_DBMLIB= DBMLIB=${LDFLAGS} ${BDB_LIBS}
EXIM_INCLUDE= -I${PREFIX}/${BUILDLINK_INCDIRS.${BDB_TYPE}}
. endif
.endif
.if !empty(PKG_OPTIONS:Msaslauthd)
LOCAL_MAKEFILE_OPTIONS+=AUTH_CYRUS_SASL=YES
LOCAL_MAKEFILE_OPTIONS+=CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux
LOOKUP_LIBS+=${COMPILER_RPATH_FLAG}${LOCALBASE}/${BUILDLINK_LIBDIRS.cyrus-sasl} -L${LOCALBASE}/${BUILDLINK_LIBDIRS.cyrus-sasl} -lsasl2
. include "../../security/cyrus-sasl/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mspf)
LOCAL_MAKEFILE_OPTIONS+=SUPPORT_SPF=yes
LOOKUP_LIBS+= -lspf2
. include "../../mail/libspf2/buildlink3.mk"
.endif
.if !empty(PKG_OPTIONS:Mreadline)
LOCAL_MAKEFILE_OPTIONS+=USE_READLINE=yes
LOOKUP_LIBS+= -lreadline
. include "../../devel/readline/buildlink3.mk"
.endif