Mailing List Archive

Exim 4.92-RC1
I've built and uploaded Exim 4.92-RC1 to

https://ftp.exim.org/pub/exim/exim4/test

The current ChangeLog and NewStuff files are attached to this message.
The tree is still open for commits. Please check if you've any pending
bugfixes or additions.

We need you: Please download, build and check the release candidate(s).

All files there are signed with my GPG key
0xD0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
The same key I used to sign this mail.

** We encourage you to check the signatures of the source tarballs.
** The signatures are in the above mentioned location AND attached to
** this message.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
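
Added example, not part of the original message and not Exim project code: one way to check a downloaded tarball's detached signature against the full fingerprint quoted in the announcement, by reading gpg's machine-readable `--status-fd` output and comparing the whole fingerprint. The sample status lines and the look-alike fingerprint are constructed for illustration.

```python
import subprocess
import sys

# Full fingerprint quoted in the announcement above.
PINNED_FPR = "D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142"
# Status keywords that must never be accepted, even next to a VALIDSIG line.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed status output (not captured from a real verification run).
SAMPLE_PINNED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AF4CC676A6B6C142 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142 2018-12-13 1544741520 0 4 0 1 8 00 D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
"""
# Constructed key whose last 8 hex digits match the pinned one: a short-ID
# comparison would accept it, a full-fingerprint comparison does not.
SAMPLE_LOOKALIKE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEFA6B6C142 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEFA6B6C142 2018-12-13 1544741520 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEFA6B6C142
"""
SAMPLE_BADSIG = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG AF4CC676A6B6C142 Constructed Signer <signer@example.invalid>
"""

def signed_by_pinned_key(status_text, pinned=PINNED_FPR):
    """True only if gpg reported a valid signature made by the pinned key."""
    ok = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FATAL:
            return False
        # VALIDSIG: field 3 is the signing (sub)key fingerprint,
        # the last field is the primary key fingerprint.
        if parts[1] == "VALIDSIG" and pinned.upper() in (parts[2].upper(), parts[-1].upper()):
            ok = True
    return ok

def verify_tarball(sig_path, tarball_path):
    """Run gpg on a detached .asc signature and apply the fingerprint pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, tarball_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by_pinned_key(proc.stdout)

if __name__ == "__main__" and len(sys.argv) == 3:
    sys.exit(0 if verify_tarball(sys.argv[1], sys.argv[2]) else 1)
```

The signing key has to be in the local keyring before `verify_tarball` can succeed; a missing key shows up as `ERRSIG` and is rejected.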
Exim 4.92-RC1
I've built and uploaded Exim 4.92-RC1 to

https://ftp.exim.org/pub/exim/exim4/test

The current ChangeLog (since 4.91) and NewStuff files are attached to
this message. The tree is still open for commits. Please check if
you've any pending bugfixes or additions.

We need you: Please download, build and check the release candidate(s).

All files there are signed with my GPG key
0xD0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
The same key I used to sign this mail.

** We encourage you to check the signatures of the source tarballs.
** The signatures are in the above mentioned location AND attached to
** this message.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
Re: Exim 4.92-RC1
Hi,

can no longer compile this version with my current Makefile as there is

WITH_CONTENT_SCAN=yes

enabled and all other scanner interfaces disabled (as DISABLE_MAL_CLAM=yes, DISABLE_MAL_AVAST=yes etc.).

The error at compile-time is

gcc -DMACRO_PREDEF malware.c
malware.c:52:2: error: empty enum is invalid
} scanner_t;
^
malware.c:56:3: error: unknown type name ‘scanner_t’
scanner_t scancode;
^~~~~~~~~

I use rspamd for all scanning, so no direct malware scanning needed, but need the spamd_address setting for rspamd. So I need to enable at least one malware scanner interface (aka comment out DISABLE_MAL_CLAM=yes) to compile the source and use my current configuration.

Getting the following error when disabling the complete WITH_CONTENT_SCAN setting.

main option "spamd_address" unknown

Thanks,
Paul



> On 13. Dec 2018, at 23:52, Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:
>
> I've built and uploaded Exim 4.92-RC1 to
>
> https://ftp.exim.org/pub/exim/exim4/test
>
> The current ChangeLog and NewStuff files are attached to this message.
> The tree is still open for commits. Please check if you've any pending
> bugfixes or additions.
>
> We need you: Please download, build and check the release candidate(s).
>
> All files there are signed with my GPG key
> 0xD0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
> The same key I used to sign this mail.
>
> ** We encourage you to check the signatures of the source tarballs.
> ** The signatures are in the above mentioned location AND attached to
> ** this message.
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim 4.92-RC1
Hi,

I tested under Debian Buster (actual testing version)
with openssl. After the installation I lost the possibility to serve TLS
to TLS1.0 and TLS1.1 Clients.

Debian buster runs with openssl 1.1.1 and a new TLS security setting.

In /etc/ssl/openssl.cnf we find

CipherString = DEFAULT@SECLEVEL=2

Of course there could be just a change to SECLEVEL=1 or SECLEVEL=0,

but then the security for the whole system will change.


With adding

SSL_CTX_set_min_proto_version(sctx, 0);

in tls-openssl.c

exim was able to serve TLS1.0 & TLS1.1 again.

I am not quite sure where the best place to add this setting would be.

Regards

Torsten

On 14.12.18 at 08:42, Heiko Schlittermann via Exim-users wrote:
> I've built and uploaded Exim 4.92-RC1 to
>
> https://ftp.exim.org/pub/exim/exim4/test
>
> The current ChangeLog (since 4.91) and NewStuff files are attached to
> this message. The tree is still open for commits. Please check if
> you've any pending bugfixes or additions.
>
> We need you: Please download, build and check the release candidate(s).
>
> All files there are signed with my GPG key
> 0xD0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
> The same key I used to sign this mail.
>
> ** We encourage you to check the signatures of the source tarballs.
> ** The signatures are in the above mentioned location AND attached to
> ** this message.
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
>
>
--
Torsten


Re: Exim 4.92-RC1
I have an extra feature request for the upcoming next version.

When I run exim on a satellite system to send mails only to a smarthost
with authentication, I find no way to use SCRAM-SHA-1 as a client setting.

When I check the gsasl code I can only find the settings for the server
version.

To prevent the exposure of a plaintext password when for whatever
reasons DNS/TLS could be redirected to a malicious system.

If SCRAM-SHA-1 could be added, the changes to add also SCRAM-SHA-256
should be small.

Regards Torsten

On 14.12.18 at 08:42, Heiko Schlittermann via Exim-users wrote:
> I've built and uploaded Exim 4.92-RC1 to
>
> https://ftp.exim.org/pub/exim/exim4/test
>
> The current ChangeLog (since 4.91) and NewStuff files are attached to
> this message. The tree is still open for commits. Please check if
> you've any pending bugfixes or additions.
>
> We need you: Please download, build and check the release candidate(s).
>
> All files there are signed with my GPG key
> 0xD0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142
> The same key I used to sign this mail.
>
> ** We encourage you to check the signatures of the source tarballs.
> ** The signatures are in the above mentioned location AND attached to
> ** this message.
>
> Best regards from Dresden/Germany
> Viele Grüße aus Dresden
> Heiko Schlittermann
> --
> SCHLITTERMANN.de ---------------------------- internet & unix support -
> Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
> gnupg encrypted messages are welcome --------------- key ID: F69376CE -
>
>
--
Torsten
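
Added example, not part of the original post and not Exim or gsasl code: the client side of a SCRAM exchange, showing that the client sends a proof derived from the password rather than the password itself, and that it can check the server's signature before trusting the peer. It goes beyond the SCRAM-SHA-1 case in the message by taking the hash as a parameter (`"sha256"` gives SCRAM-SHA-256); the sample messages are the published RFC 5802 section 5 test vector (password `pencil`), and the code assumes an ASCII password (SASLprep skipped) and no channel binding.

```python
import base64
import hashlib
import hmac

# RFC 5802 section 5 example exchange.
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"

def attrs(msg):
    """Split 'k=v,k=v' SCRAM attributes; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in msg.split(","))

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

def client_final(password, client_first_bare, server_first, algo="sha1"):
    """Return (client-final-message, expected ServerSignature in base64)."""
    srv = attrs(server_first)
    # The server nonce must start with the nonce this client generated.
    if not srv["r"].startswith(attrs(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac(algo, password.encode(),
                                 base64.b64decode(srv["s"]), int(srv["i"]))
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    stored_key = hashlib.new(algo, client_key).digest()
    without_proof = "c=" + b64(b"n,,") + ",r=" + srv["r"]
    auth_message = ",".join((client_first_bare, server_first, without_proof)).encode()
    client_sig = hmac.new(stored_key, auth_message, algo).digest()
    # Only ClientKey XOR ClientSignature crosses the wire, never the password.
    proof = bytes(k ^ s for k, s in zip(client_key, client_sig))
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    server_sig = hmac.new(server_key, auth_message, algo).digest()
    return without_proof + ",p=" + b64(proof), b64(server_sig)

def server_is_genuine(server_final, expected_sig):
    """A peer without the stored credentials cannot produce the right v= value."""
    return hmac.compare_digest(attrs(server_final).get("v", ""), expected_sig)

if __name__ == "__main__":
    message, expected = client_final("pencil", CLIENT_FIRST_BARE, SERVER_FIRST)
    print(message)
    print(server_is_genuine("v=rmF9pqV8S7suAoZWja4dJRkFsKQ=", expected))
```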


Re: Exim 4.92-RC1
On Fri, Dec 14, 2018 at 05:18:44PM +0100, Torsten Tributh via Exim-users wrote:
> I tested under Debian Buster (actual testing version)
> with openssl. After the installation I lost the possibility to serve TLS
> to TLS1.0 and TLS1.1 Clients.
>
> Debian buster runs with openssl 1.1.1 and a new TLS security setting.
>
> In /etc/ssl/openssl.cnf we find
>
> CipherString = DEFAULT@SECLEVEL=2
>
> Of course there could be just a change to SECLEVEL=1 or SECLEVEL=0,

Do not touch it. In [system_default_sect] of openssl.cnf there should be
a line "MinProtocol = TLSv1.2" (Debian-specific system restriction),
just change it to allow a lower TLS version.
--
Eugene Berdnikov

Re: Exim 4.92-RC1
On 14/12/2018 16:30, Torsten Tributh via Exim-users wrote:
> I have an extra feature request for the upcoming next version.
>
> When I run exim on a satellite system to send mails only to a smarthost
> with authentication, I find no way to use SCRAM-SHA-1 as a client setting.
>
> When I check the gsasl code I can only find the settings for the server
> version.
>
> To prevent the exposure of a plaintext password when for whatever
> reasons DNS/TLS could be redirected to a malicious system.
>
> If SCRAM-SHA-1 could be added, the changes to add also SCRAM-SHA-256
> should be small.

We're a bit late for features of any size. Please raise a
wishlist-level bug for this.
--
Thanks,
Jeremy

Re: Exim 4.92-RC1
On 14/12/2018 16:18, Torsten Tributh via Exim-users wrote:
> I tested under Debian Buster (actual testing version)
> with openssl. After the installation I lost the possibility to serve TLS
> to TLS1.0 and TLS1.1 Clients.
>
> Debian buster runs with openssl 1.1.1 and a new TLS security setting.
>
> In /etc/ssl/openssl.cnf we find
>

> I am not quite sure where the best place to add this setting would be.

Possibly the main-config option openssl_options?

The docs list possibilities including
no_tlsv1
no_tlsv1_1

so I'd be tempted to try those without the "no_".

--
Cheers,
Jeremy

Re: Exim 4.92-RC1
On 2018-12-14 at 17:22 +0000, Jeremy Harris via Exim-users wrote:
> Possibly the main-config option openssl_options?
>
> The docs list possibilities including
> no_tlsv1
> no_tlsv1_1
>
> so I'd be tempted to try those without the "no_".

Alas, no. You'd want `-no_tlsv1` but I doubt that works here: OpenSSL
is using an orthogonal set of tuning options.

The problem is that the system is using the new OpenSSL configuration
system which is not supported by LibreSSL, so until now we've avoided
it.

This config file is much simpler to support than "moving the TLS
configuration inside the Exim config file". Pretty much we'd want to
use the `SSL_CTX_config()` library call inside Exim's
`tls-openssl.c:tls_init()`, guarded by some macro to protect against
LibreSSL/BoringSSL/whatever.

    if (!SSL_CTX_config(ctx, "exim")) {
        handle_failure_accordingly();
    }

Bonus points for copying the `tcp_wrappers_daemon_name` pattern and
making `"exim"` the default which can be overridden by an administrator.

(I'm not volunteering to do this, I'm busy)

-Phil

Re: Exim 4.92-RC1
In gmane.mail.exim.user Heiko Schlittermann via Exim-dev <exim-dev@exim.org> wrote:

> I've built and uploaded Exim 4.92-RC1 to

> https://ftp.exim.org/pub/exim/exim4/test
[...]


Uploaded to Debian/experimental.


Re: Exim 4.92-RC1
Please do not cross-post to lists and private addresses.

Paul Hecker <paul@iwascoding.com> (Fri 14 Dec 2018 16:24:43 CET):
> can no longer compile this version with my current Makefile as there is
> WITH_CONTENT_SCAN=yes
> enabled and all other scanner interfaces disabled (as DISABLE_MAL_CLAM=yes, DISABLE_MAL_AVAST=yes etc.).

Can you send me your Local/Makefile?


--
Heiko