From a2bf7fdd07d107b9102923d9613794b2617b856cec3fc5de21e9d776e400fc9d Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Thu, 24 May 2007 09:55:38 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=56 --- exim.spec | 680 +----------------------------------------------------- 1 file changed, 8 insertions(+), 672 deletions(-) diff --git a/exim.spec b/exim.spec index 095067e..7ddd19e 100644 --- a/exim.spec +++ b/exim.spec @@ -1,5 +1,5 @@ # -# spec file for package exim (Version 4.66) +# spec file for package exim (Version 4.67) # # Copyright (c) 2007 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -11,7 +11,7 @@ # norootforbuild Name: exim -BuildRequires: db-devel openldap2-devel pcre-devel +BuildRequires: db-devel openldap2-devel pcre-devel pwdutils %if %{?suse_version:1}%{?!suse_version:0} BuildRequires: tcpd-devel %if %suse_version > 910 @@ -45,6 +45,7 @@ Source1: sysconfig.exim Source2: exim.logrotate Source11: exim.rc Source12: permissions.exim +Source13: apparmor.usr.sbin.exim Source20: http://www.logic.univie.ac.at/~ametzler/debian/exim4manpages/exim4-manpages.tar.bz2 Source30: eximstats-html-update.py Source31: eximstats.conf @@ -310,6 +311,8 @@ mkdir -p $RPM_BUILD_ROOT/etc/apache2/conf.d/ cp -p $RPM_SOURCE_DIR/eximstats.conf $RPM_BUILD_ROOT/etc/apache2/conf.d/ install -m 0755 $RPM_SOURCE_DIR/eximstats-html-update.py $RPM_BUILD_ROOT/%{_sbindir} %endif +# apparmor profile +install -D -m 0644 $RPM_SOURCE_DIR/apparmor.usr.sbin.exim $RPM_BUILD_ROOT/etc/apparmor.d/usr.sbin.exim %if %{?suse_version:%suse_version}%{?!suse_version:99999} <= 800 @@ -389,6 +392,8 @@ exit 0 %if %{?suse_version:%suse_version}%{?!suse_version:99999} < 1000 %config(noreplace) /etc/permissions.d/exim %endif +%dir /etc/apparmor.d +/etc/apparmor.d/usr.sbin.exim /usr/sbin/rcexim /usr/bin/mailq /usr/bin/runq 
@@ -414,673 +419,4 @@ exit 0 %{_sbindir}/eximstats-html-update.py %endif -%changelog -n exim -* Thu Jan 25 2007 - sndirsch@suse.de -- move from /usr/X11R6 to /usr -* Tue Jan 09 2007 - poeml@suse.de -- update to 4.66 - PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one - fixed by 4.65/MH/01 (is this a record?) are fixed: - (i) An empty string was always treated as zero by the numeric comparison - operators. This behaviour has been restored. - (ii) It is documented that the numeric comparison operators always treat - their arguments as decimal numbers. This was broken in that numbers - starting with 0 were being interpreted as octal. - While fixing these problems I realized that there was another issue that - hadn't been noticed. Values of message_size_limit (both the global option - and the transport option) were treated as octal if they started with 0. - The documentation was vague. These values are now always treated as - decimal, and I will make that clear in the documentation. -* Tue Jan 02 2007 - poeml@suse.de -- update to 4.65 - TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with - Linux large file support (_FILE_OFFSET_BITS=64) on older glibc - versions. (#438) - MH/01 Don't check that the operands of numeric comparison operators are - integers when their expansion is in "skipping" mode (fixes bug - introduced by 4.64-PH/07). - PH/01 If a system filter or a router generates more than SHRT_MAX (32767) - child addresses, Exim now panics and dies. Previously, because the count - is held in a short int, deliveries were likely to be lost. As such a - large number of recipients for a single message is ridiculous - (performance will be very, very poor), I have chosen to impose a limit - rather than extend the field. -* Wed Dec 20 2006 - poeml@suse.de -- update to 4.64 - TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a - leftover -K file (the existence of which was triggered by #402). 
- While we were at it, introduced process PID as part of the -K - filename. This should rule out race conditions when creating - these files. - TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing - processing considerably. Previous code took too long for large mails, - triggering a timeout which in turn triggers #401. - TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used - in the DK code in transports.c. sendfile() is not really portable, - hence the _LINUX specificness. - TF/01 In the add_headers option to the mail command in an Exim filter, - there was a bug that Exim would claim a syntax error in any - header after the first one which had an odd number of characters - in the field name. - PH/01 If a server that rejects MAIL FROM:<> was the target of a sender - callout verification, Exim cached a "reject" for the entire domain. This - is correct for most verifications, but it is not correct for a recipient - verification with use_sender or use_postmaster set, because in that case - the callout does not use MAIL FROM:<>. Exim now distinguishes the special - case of MAIL FROM:<> rejection from other early rejections (e.g. - rejection of HELO). When verifying a recipient using a non-null MAIL - address, the cache is ignored if it shows MAIL FROM:<> rejection. - Whatever the result of the callout, the value of the domain cache is - left unchanged (for any other kind of callout, getting as far as trying - RCPT means that the domain itself is ok). - PH/02 Tidied a number of unused variable and signed/unsigned warnings that - gcc 4.1.1 threw up. - PH/03 On Solaris, an unexpectedly close socket (dropped connection) can - manifest itself as EPIPE rather than ECONNECT. When tidying away a - session, the daemon ignores ECONNECT errors and logs others; it now - ignores EPIPE as well. - PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c - (quoted-printable decoding). 
- PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and - later the small subsequent patch to fix an introduced bug. - PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer. - PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}. - PH/08 An error is now given if message_size_limit is specified negative. - PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables - to be given (somewhat) arbitrary names. - JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced - in 4.64-PH/09. - JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions, - miscellaneous code fixes - PH/10 Added the log_reject_target ACL modifier to specify where to log - rejections. - PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ - hostname. This is wrong, because it relates to the incoming message (and - probably the interface on which it is arriving) and not to the outgoing - callout (which could be using a different interface). This has been - changed to use the value of the helo_data option from the smtp transport - instead - this is what is used when a message is actually being sent. If - there is no remote transport (possible with a router that sets up host - addresses), $smtp_active_hostname is used. - PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various - tweaks were necessary in order to get it to work (see also 21 below): - (a) The code assumed that strncpy() returns a negative number on buffer - overflow, which isn't the case. Replaced with Exim's string_format() - function. - (b) There were several signed/unsigned issues. I just did the minimum - hacking in of casts. There is scope for a larger refactoring. - (c) The code used strcasecmp() which is not a standard C function. - Replaced with Exim's strcmpic() function. - (d) The code set only $1; it now sets $auth1 as well. 
- (e) A simple test gave the error "authentication client didn't specify - service in request". It would seem that Dovecot has changed its - interface. Fortunately there's a specification; I followed it and - changed what the client sends and it appears to be working now. - PH/13 Added $message_headers_raw to provide the headers without RFC 2047 - decoding. - PH/14 Corrected misleading output from -bv when -v was also used. Suppose the - address A is aliased to B and C, where B exists and C does not. Without - -v the output is "A verified" because verification stops after a - successful redirection if more than one address is generated. However, - with -v the child addresses are also verified. Exim was outputting "A - failed to verify" and then showing the successful verification for C, - with its parentage. It now outputs "B failed to verify", showing B's - parentage before showing the successful verification of C. - PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to - look up a TXT record in a specific list after matching in a combined - list. - PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and - RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when - they consult the DNS. I had assumed they would set it the way they - wanted; and indeed my experiments on Linux seem to show that in some - cases they do (I could influence IPv6 lookups but not IPv4 lookups). - To be on the safe side, however, I have now made the interface to - host_find_byname() similar to host_find_bydns(), with an argument - containing the DNS resolver options. The host_find_byname() function now - sets these options at its start, just as host_find_bydns() does. The smtp - transport options dns_qualify_single and dns_search_parents are passed to - host_find_byname() when gethostbyname=TRUE in this transport. 
Other uses - of host_find_byname() use the default settings of RES_DEFNAMES - (qualify_single) but not RES_DNSRCH (search_parents). - PH/17 Applied (a modified version of) Nico Erfurth's patch to make - spool_read_header() do less string testing, by means of a preliminary - switch on the second character of optional "-foo" lines. (This is - overdue, caused by the large number of possibilities that now exist. - Originally there were few.) While I was there, I also converted the - str(n)cmp tests so they don't re-test the leading "-" and the first - character, in the hope this might squeeze out yet more improvement. - PH/18 Two problems with "group" syntax in header lines when verifying: (1) The - flag allowing group syntax was set by the header_syntax check but not - turned off, possible causing trouble later; (2) The flag was not being - set at all for the header_verify test, causing "group"-style headers to - be rejected. I have now set it in this case, and also caused header_ - verify to ignore an empty address taken from a group. While doing this, I - came across some other cases where the code for allowing group syntax - while scanning a header line wasn't quite right (mostly, not resetting - the flag correctly in the right place). These bugs could have caused - trouble for malformed header lines. I hope it is now all correct. - PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called - with the "reply" argument non-NULL. The code, however (which originally - came from elsewhere) had *some* tests for NULL when it wrote to *reply, - but it didn't always do it. This confused somebody who was copying the - code for some other use. I have removed all the tests. - PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a - feature that was used to support insecure browsers during the U.S. crypto - embargo. 
It requires special client support, and Exim is probably the - only MTA that supported it -- and would never use it because real RSA is - always available. This code has been removed, because it had the bad - effect of slowing Exim down by computing (never used) parameters for the - RSA_EXPORT functionality. - PH/21 On the advice of Timo Sirainen, added a check to the dovecot - authenticator to fail if there's a tab character in the incoming data - (there should never be unless someone is messing about, as it's supposed - to be base64-encoded). Also added, on Timo's advice, the "secured" option - if the connection is using TLS or if the remote IP is the same as the - local IP, and the "valid-client-cert option" if a client certificate has - been verified. - PH/22 As suggested by Dennis Davis, added a server_condition option to *all* - authenticators. This can be used for authorization after authentication - succeeds. (In the case of plaintext, it servers for both authentication - and authorization.) - PH/23 Testing for tls_required and lost_connection in a retry rule didn't work - if any retry times were supplied. - PH/24 Exim crashed if verify=helo was activated during an incoming -bs - connection, where there is no client IP address to check. In this - situation, the verify now always succeeds. - PH/25 Applied John Jetmore's -Mset patch. - PH/26 Added -bem to be like -Mset, but loading a message from a file. - PH/27 In a string expansion for a processed (not raw) header when multiple - headers of the same name were present, leading whitespace was being - removed from all of them, but trailing whitespace was being removed only - from the last one. Now trailing whitespace is removed from each header - before concatenation. Completely empty headers in a concatenation (as - before) are ignored. - PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John - Jetmore). It would have mis-read ACL variables from pre-4.61 spool files. - PH/29 [Removed. 
This was a change that I later backed out, and forgot to - correct the ChangeLog entry (that I had efficiently created) before - committing the later change.] - PH/30 Exim was sometimes attempting to deliver messages that had suffered - address errors (4xx response to RCPT) over the same connection as other - messages routed to the same hosts. Such deliveries are always "forced", - so retry times are not inspected. This resulted in far too many retries - for the affected addresses. The effect occurred only when there were more - hosts than the hosts_max_try setting in the smtp transport when it had - the 4xx errors. Those hosts that it had tried were not added to the list - of hosts for which the message was waiting, so if all were tried, there - was no problem. Two fixes have been applied: - (i) If there are any address or message errors in an SMTP delivery, none - of the hosts (tried or untried) are now added to the list of hosts - for which the message is waiting, so the message should not be a - candidate for sending over the same connection that was used for a - successful delivery of some other message. This seems entirely - reasonable: after all the message is NOT "waiting for some host". - This is so "obvious" that I'm not sure why it wasn't done - previously. Hope I haven't missed anything, but it can't do any - harm, as the worst effect is to miss an optimization. - (ii) If, despite (i), such a delivery is accidentally attempted, the - routing retry time is respected, so at least it doesn't keep - hammering the server. - PH/31 Installed Andrew Findlay's patch to close the writing end of the socket - in ${readsocket because some servers need this prod. - PH/32 Added some extra debug output when updating a wait-xxx database. - PH/33 The hint "could be header name not terminated by colon", which has been - given for certain expansion errors for a long time, was not being given - for the ${if def:h_colon_omitted{... case. 
- PH/34 The spec says: "With one important exception, whenever a domain list is - being scanned, $domain contains the subject domain." There was at least - one case where this was not true. - PH/35 The error "getsockname() failed: connection reset by peer" was being - written to the panic log as well as the main log, but it isn't really - panic-worthy as it just means the connection died rather early on. I have - removed the panic log writing for the ECONNRESET error when getsockname() - fails. - PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue - runs only) independently of the message's sender address. This meant - that, if the 4xx error was in fact related to the sender, a different - message to the same recipient with a different sender could confuse - things. In particualar, this can happen when sending to a greylisting - server, but other circumstances could also provoke similar problems. - I have changed the default so that the retry time for these errors is now - based a combination of the sender and recipient addresses. This change - can be overridden by setting address_retry_include_sender=false in the - smtp transport. - PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the - remote server are returned as part of bounce messages. This was not - happening for LMTP over a pipe (the lmtp transport), but now it is the - same for both kinds of LMTP. - PH/38 Despite being documented as not happening, Exim was rewriting addresses - in header lines that were in fact CNAMEs. This is no longer the case. - PH/39 If -R or -S was given with -q
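
Review bot: In the first hunk (@@ -1,5 +1,5 @@) only the header comment moves from 4.66 to 4.67; none of the visible hunks changes a Version: tag, and the commit message is nothing but the OBS URL. Please confirm the Version: tag already reads 4.67 so the comment and the built package agree, and state in the commit message that this is the 4.67 update.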
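
Review bot: In the @@ -11,7 +11,7 @@ hunk, pwdutils is added to the unconditional BuildRequires line, outside the `%if %{?suse_version:1}%{?!suse_version:0}` block that follows it, so it is also required on the non-SUSE targets this spec otherwise guards for. Nothing in the patch says which build step needs it. If the dependency is SUSE-specific, move it inside the suse_version conditional, and add a one-line comment naming the tool the build calls.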
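
Review bot: The Source13 line in the @@ -45,6 +45,7 @@ hunk references apparmor.usr.sbin.exim, but the diffstat lists exim.spec as the only changed file, so the profile itself cannot be reviewed here. The profile is the security-relevant part of this change: judging by its name it confines /usr/sbin/exim, and its rules decide what the daemon may read, write and execute. Please include it in the same submission so the rules can be checked against the paths this spec installs.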
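
Review bot: In the @@ -310,6 +311,8 @@ hunk the new install line sits after the `%endif` and therefore runs for every target, while the rest of the spec keys distribution-specific pieces on suse_version. If the profile should only ship where AppArmor is present, wrap this line and the matching %files entries in the same conditional. None of the visible hunks adds a scriptlet that reloads the profile either, so after an upgrade the new rules would not take effect until the profile is next loaded.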
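
Review bot: In the @@ -389,6 +392,8 @@ hunk, /etc/apparmor.d/usr.sbin.exim is listed as a plain file, unlike `%config(noreplace) /etc/permissions.d/exim` just above it, so a package update silently overwrites any local changes an administrator made to the profile. Mark it `%config` or `%config(noreplace)`, depending on whether packaged rule updates or local edits should win. The `%dir /etc/apparmor.d` entry also makes this package an owner of that directory; check that this is intended rather than requiring the package that provides it.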
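
Review bot: The last hunk (@@ -414,673 +419,4 @@) deletes the entire `%changelog -n exim` section, and no visible hunk adds a 4.67 entry, so the spec no longer records what this update changes. The removed text includes security-relevant history such as PH/20 (RSA_EXPORT support removed from the GnuTLS code) and PH/21 (the dovecot authenticator failing on tab characters in incoming data). Confirm that this history is preserved in a separate changes file, with a new entry covering 4.67 and the added AppArmor profile, and say so in the commit message.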