diff options
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | exim-4.96-pic.patch | 12 | ||||
| -rw-r--r-- | exim-4.99.1-config.patch (renamed from exim-4.98.2-config.patch) | 215 | ||||
| -rw-r--r-- | exim-4.99.1-dlopen-localscan.patch (renamed from exim-4.98.2-dlopen-localscan.patch) | 61 | ||||
| -rw-r--r-- | exim-4.99.1-no-gsasl.patch (renamed from exim-4.98.2-no-gsasl.patch) | 0 | ||||
| -rw-r--r-- | exim.spec | 19 | ||||
| -rw-r--r-- | sources | 2 |
7 files changed, 142 insertions, 168 deletions
@@ -1 +1,2 @@ /exim-4.98.2.tar.xz +/exim-4.99.1.tar.xz diff --git a/exim-4.96-pic.patch b/exim-4.96-pic.patch index 0d15a95..50c5a10 100644 --- a/exim-4.96-pic.patch +++ b/exim-4.96-pic.patch @@ -1,13 +1,11 @@ -diff --git a/src/lookups/Makefile b/src/lookups/Makefile -index 19585bf..a0d355f 100644 ---- a/src/lookups/Makefile -+++ b/src/lookups/Makefile -@@ -24,7 +24,7 @@ lookups.a: $(OBJ) +--- exim-4.99.1.orig/src/lookups/Makefile 2026-01-30 14:11:02.707533592 +0800 ++++ exim-4.99.1/src/lookups/Makefile 2026-01-30 14:35:41.614342701 +0800 +@@ -26,7 +26,7 @@ $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c .c.so:; @echo "$(CC) -shared $*.c" - $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@ + $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@ - lf_check_file.o: $(HDRS) lf_check_file.c lf_functions.h - lf_quote.o: $(HDRS) lf_quote.c lf_functions.h + cdb.o cdb.so: $(HDRS) cdb.c + dbmdb.o dbmdb.so: $(HDRS) dbmdb.c diff --git a/exim-4.98.2-config.patch b/exim-4.99.1-config.patch index 12996b1..bec3580 100644 --- a/exim-4.98.2-config.patch +++ b/exim-4.99.1-config.patch @@ -1,21 +1,17 @@ -diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile -index dc5015f..07f8c23 100755 ---- a/scripts/Configure-Makefile -+++ b/scripts/Configure-Makefile -@@ -319,7 +319,7 @@ if [ "${EXIM_PERL}" != "" ] ; then +--- exim-4.99.1.orig/scripts/Configure-Makefile 2026-01-30 10:30:47.834924979 +0800 ++++ exim-4.99.1/scripts/Configure-Makefile 2026-01-30 11:52:29.722378196 +0800 +@@ -367,7 +367,7 @@ mv $mft $mftt - echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft -- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft -+ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft - echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft - echo "" >>$mft - cat $mftt >> $mft -diff --git a/src/EDITME b/src/EDITME -index ebfaf64..9e4e818 100644 ---- a/src/EDITME -+++ b/src/EDITME -@@ -103,7 +103,7 @@ + echo "PERL_CC=${perl_cc}" >>$mft +- echo "PERL_CCOPTS=${perl_ccopts}" >>$mft ++ echo "PERL_CCOPTS=${perl_ccopts} \$(CFLAGS)" >>$mft + echo "PERL_LIBS=${perl_libs}" >>$mft + echo "PERL_CFLAGS=${perl_cflags}" >>$mft + echo "PERL_LFLAGS=${perl_lflags}" >>$mft +--- exim-4.99.1.orig/src/EDITME 2026-01-30 10:30:47.833924976 +0800 ++++ exim-4.99.1/src/EDITME 2026-01-30 11:52:59.213474957 +0800 +@@ -104,7 +104,7 @@ # /usr/local/sbin. The installation script will try to create this directory, # and any superior directories, if they do not exist. @@ -24,7 +20,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -119,7 +119,7 @@ BIN_DIRECTORY=/usr/exim/bin +@@ -120,7 +120,7 @@ # don't exist. It will also install a default runtime configuration if this # file does not exist. @@ -33,7 +29,7 @@ index ebfaf64..9e4e818 100644 # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. # In this case, Exim will use the first of them that exists when it is run. -@@ -136,7 +136,7 @@ CONFIGURE_FILE=/usr/exim/configure +@@ -137,7 +137,7 @@ # deliveries. (Local deliveries run as various non-root users, typically as the # owner of a local mailbox.) Specifying these values as root is not supported. @@ -42,7 +38,7 @@ index ebfaf64..9e4e818 100644 # If you specify EXIM_USER as a name, this is looked up at build time, and the # uid number is built into the binary. However, you can specify that this -@@ -157,7 +157,7 @@ EXIM_USER= +@@ -158,7 +158,7 @@ # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless # you want to use a group other than the default group for the given user. @@ -51,7 +47,7 @@ index ebfaf64..9e4e818 100644 # Many sites define a user called "exim", with an appropriate default group, # and use -@@ -214,10 +214,10 @@ SPOOL_DIRECTORY=/var/spool/exim +@@ -215,10 +215,10 @@ # If you are building with TLS, the library configuration must be done: # Uncomment this if you are using OpenSSL @@ -64,7 +60,7 @@ index ebfaf64..9e4e818 100644 # TLS_LIBS=-lssl -lcrypto # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto -@@ -344,7 +344,7 @@ TRANSPORT_SMTP=yes +@@ -362,7 +362,7 @@ # This one is special-purpose, and commonly not required, so it is not # included by default. @@ -73,7 +69,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -353,9 +353,9 @@ TRANSPORT_SMTP=yes +@@ -371,9 +371,9 @@ # MBX, is included only when requested. If you do not know what this is about, # leave these settings commented out. @@ -86,7 +82,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -413,22 +413,28 @@ LOOKUP_DBM=yes +@@ -434,22 +434,28 @@ LOOKUP_LSEARCH=yes LOOKUP_DNSDB=yes @@ -104,12 +100,10 @@ index ebfaf64..9e4e818 100644 -# LOOKUP_MYSQL=yes -# LOOKUP_MYSQL_PC=mariadb --# LOOKUP_NIS=yes --# LOOKUP_NISPLUS=yes +LOOKUP_MYSQL=2 -+LOOKUP_MYSQL_PC=mariadb -+# LOOKUP_NIS=yes -+# LOOKUP_NISPLUS=yes ++LOOKUP_MYSQL_PC=mysqlclient + # LOOKUP_NIS=yes + # LOOKUP_NISPLUS=yes +CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc +LIBS+=-L/usr/$(_lib)/nsl + @@ -125,16 +119,7 @@ index ebfaf64..9e4e818 100644 # LOOKUP_SQLITE_PC=sqlite3 # LOOKUP_WHOSON=yes -@@ -441,7 +447,7 @@ LOOKUP_DNSDB=yes - - - # Some platforms may need this for LOOKUP_NIS: --# LIBS += -lnsl -+LIBS += -lnsl - - #------------------------------------------------------------------------------ - # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate -@@ -515,7 +521,7 @@ SUPPORT_DANE=yes +@@ -551,7 +557,7 @@ # files are defaulted in the OS/Makefile-Default file, but can be overridden in # local OS-specific make files. @@ -143,7 +128,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -525,7 +531,7 @@ SUPPORT_DANE=yes +@@ -583,7 +589,7 @@ # and the MIME ACL. Please read the documentation to learn more about these # features. @@ -152,15 +137,16 @@ index ebfaf64..9e4e818 100644 # If you have content scanning you may wish to only include some of the scanner # interfaces. Uncomment any of these lines to remove that code. -@@ -609,12 +615,12 @@ DISABLE_MAL_MKS=yes - - # Uncomment the following line to add DMARC checking capability, implemented - # using libopendmarc libraries. You must have SPF and DKIM support enabled also. +@@ -677,13 +683,13 @@ + # is historic). The same rules as for other module builds apply; use + # SUPPORT_DMARC_{INCLUDE,LIBS}. + # -# SUPPORT_DMARC=yes +SUPPORT_DMARC=yes # CFLAGS += -I/usr/local/include -# LDFLAGS += -lopendmarc +LDFLAGS += -lopendmarc + # # Uncomment the following if you need to change the default. You can # override it at runtime (main config option dmarc_tld_file) -# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds @@ -168,7 +154,7 @@ index ebfaf64..9e4e818 100644 # # Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; # 1.3.2-3 works. It seems that the OpenDMARC project broke their API. -@@ -749,7 +755,7 @@ FIXED_NEVER_USERS=root +@@ -821,7 +827,7 @@ # CONFIGURE_OWNER setting, to specify a configuration file which is listed in # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. @@ -177,9 +163,9 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -794,18 +800,18 @@ FIXED_NEVER_USERS=root - # included in the Exim binary. You will then need to set up the run time - # configuration to make use of the mechanism(s) selected. +@@ -879,18 +885,18 @@ + # core exim build. This gets them linked with the module instead. + # The heimdal does build but we have no test coverage so it is not know to work. -# AUTH_CRAM_MD5=yes -# AUTH_CYRUS_SASL=yes @@ -204,7 +190,7 @@ index ebfaf64..9e4e818 100644 # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 # requires multiple pkg-config files to work with Exim, so the second example -@@ -832,7 +838,7 @@ FIXED_NEVER_USERS=root +@@ -917,7 +923,7 @@ # one that is set in the headers_charset option. The default setting is # defined by this setting: @@ -213,7 +199,7 @@ index ebfaf64..9e4e818 100644 # If you are going to make use of $header_xxx expansions in your configuration # file, or if your users are going to use them in filter files, and the normal -@@ -852,7 +858,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -937,7 +943,7 @@ # the Sieve filter support. For those OS where iconv() is known to be installed # as standard, the file in OS/Makefile-xxxx contains # @@ -222,7 +208,7 @@ index ebfaf64..9e4e818 100644 # # If you are not using one of those systems, but have installed iconv(), you # need to uncomment that line above. In some cases, you may find that iconv() -@@ -928,7 +934,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -1013,7 +1019,7 @@ # Once you have done this, "make install" will build the info files and # install them in the directory you have defined. @@ -231,7 +217,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -941,7 +947,7 @@ HEADERS_CHARSET="ISO-8859-1" +@@ -1026,7 +1032,7 @@ # %s. This will be replaced by one of the strings "main", "panic", or "reject" # to form the final file names. Some installations may want something like this: @@ -240,16 +226,16 @@ index ebfaf64..9e4e818 100644 # which results in files with names /var/log/exim_mainlog, etc. The directory # in which the log files are placed must exist; Exim does not try to create -@@ -1013,7 +1019,7 @@ ZCAT_COMMAND=/usr/bin/zcat - # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded +@@ -1099,7 +1105,7 @@ # Perl costs quite a lot of resources. Only do this if you really need it. + # -# EXIM_PERL=perl.o +EXIM_PERL=perl.o - - #------------------------------------------------------------------------------ -@@ -1023,7 +1029,7 @@ ZCAT_COMMAND=/usr/bin/zcat + # For a dynamic module build add also SUPPORT_PERL=2 and SUPPORT_PAM_(INCLUED,LIBS) + #SUPPORT_PERL=2 +@@ -1114,7 +1120,7 @@ # that the local_scan API is made available by the linker. You may also need # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. @@ -258,16 +244,16 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -1033,7 +1039,7 @@ ZCAT_COMMAND=/usr/bin/zcat - # support, which is intended for use in conjunction with the SMTP AUTH - # facilities, is included only when requested by the following setting: +@@ -1126,7 +1132,7 @@ + # + # For a dynamic module build add SUPPORT_PAM=2 and SUPPORT_PAM_LIBS=-lpam -# SUPPORT_PAM=yes +SUPPORT_PAM=yes # You probably need to add -lpam to EXTRALIBS, and in some releases of # GNU/Linux -ldl is also needed. -@@ -1045,12 +1051,12 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -1138,12 +1144,12 @@ # If you may want to use outbound (client-side) proxying, using Socks5, # uncomment the line below. @@ -282,9 +268,9 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -1074,9 +1080,9 @@ ZCAT_COMMAND=/usr/bin/zcat - # installed on your system (www.libspf2.org). Depending on where it is installed - # you may have to edit the CFLAGS and LDFLAGS lines. +@@ -1176,9 +1182,9 @@ + # is historic). The same rules as for other module builds apply; use + # SUPPORT_SPF_{INCLUDE,LIBS}. -# SUPPORT_SPF=yes +SUPPORT_SPF=yes @@ -294,7 +280,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -1141,7 +1147,7 @@ ZCAT_COMMAND=/usr/bin/zcat +@@ -1246,7 +1252,7 @@ # group. Once you have installed saslauthd, you should arrange for it to be # started by root at boot time. @@ -303,18 +289,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -1155,8 +1161,8 @@ ZCAT_COMMAND=/usr/bin/zcat - # library for TCP wrappers, so you probably need something like this: - # - # USE_TCP_WRAPPERS=yes --# CFLAGS=-O -I/usr/local/include --# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap -+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) -+EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic - # - # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM - # as well. -@@ -1208,7 +1214,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1288,7 +1294,7 @@ # is "yes", as well as supporting line editing, a history of input lines in the # current run is maintained. @@ -323,7 +298,7 @@ index ebfaf64..9e4e818 100644 # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. # Note that this option adds to the size of the Exim binary, because the -@@ -1225,7 +1231,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1305,7 +1311,7 @@ #------------------------------------------------------------------------------ # Uncomment this setting to include IPv6 support. @@ -332,7 +307,7 @@ index ebfaf64..9e4e818 100644 ############################################################################### # THINGS YOU ALMOST NEVER NEED TO MENTION # -@@ -1246,13 +1252,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases +@@ -1326,13 +1332,13 @@ # haven't got Perl, Exim will still build and run; you just won't be able to # use those utilities. @@ -353,7 +328,7 @@ index ebfaf64..9e4e818 100644 #------------------------------------------------------------------------------ -@@ -1454,7 +1460,7 @@ EXIM_TMPDIR="/tmp" +@@ -1534,7 +1540,7 @@ # (process id) to a file so that it can easily be identified. The path of the # file can be specified here. Some installations may want something like this: @@ -362,10 +337,17 @@ index ebfaf64..9e4e818 100644 # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory # using the name "exim-daemon.pid". -diff --git a/src/configure.default b/src/configure.default -index 633c653..6379927 100644 ---- a/src/configure.default -+++ b/src/configure.default +@@ -1615,3 +1621,8 @@ + # DISABLE_CLIENT_CMD_LOG=yes + + # End of EDITME for Exim. ++ ++#------------------------------------------------------------------------------ ++# RPM build configuration ++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) ++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic +--- exim-4.99.1.orig/src/configure.default 2026-01-30 10:30:47.833924976 +0800 ++++ exim-4.99.1/src/configure.default 2026-01-30 11:44:50.309870731 +0800 @@ -67,7 +67,7 @@ # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They # are all colon-separated lists: @@ -375,7 +357,7 @@ index 633c653..6379927 100644 domainlist relay_to_domains = hostlist relay_from_hosts = localhost # (We rely upon hostname resolution working for localhost, because the default -@@ -119,11 +119,13 @@ hostlist relay_from_hosts = localhost +@@ -119,11 +119,13 @@ # manual for details. The lists above are used in the access control lists for # checking incoming messages. The names of these ACLs are defined here: @@ -389,7 +371,7 @@ index 633c653..6379927 100644 # You should not change those settings until you understand how ACLs work. -@@ -136,7 +138,7 @@ acl_smtp_data = acl_check_data +@@ -136,7 +138,7 @@ # of what to set for other virus scanners. The second modification is in the # acl_check_data access control list (see below). @@ -398,7 +380,7 @@ index 633c653..6379927 100644 # For spam scanning, there is a similar option that defines the interface to -@@ -147,6 +149,12 @@ acl_smtp_data = acl_check_data +@@ -147,6 +149,12 @@ # spamd_address = 127.0.0.1 783 @@ -411,7 +393,7 @@ index 633c653..6379927 100644 # If Exim is compiled with support for TLS, you may want to change the # following option so that Exim disallows certain clients from makeing encrypted # connections. The default is to allow all. -@@ -157,7 +165,7 @@ acl_smtp_data = acl_check_data +@@ -157,7 +165,7 @@ # This is equivalent to the default. @@ -420,7 +402,7 @@ index 633c653..6379927 100644 # Specify the location of the Exim server's TLS certificate and private key. # The private key must not be encrypted (password protected). You can put -@@ -165,8 +173,8 @@ acl_smtp_data = acl_check_data +@@ -165,8 +173,8 @@ # need the first setting, or in separate files, in which case you need both # options. @@ -431,7 +413,7 @@ index 633c653..6379927 100644 # For OpenSSL, prefer EC- over RSA-authenticated ciphers .ifdef _HAVE_OPENSSL -@@ -193,8 +201,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} +@@ -193,8 +201,8 @@ # them you should also allow TLS-on-connect on the traditional (and now # standard) port 465. @@ -442,7 +424,7 @@ index 633c653..6379927 100644 # Specify the domain you want to be added to all unqualified addresses -@@ -252,6 +260,24 @@ never_users = root +@@ -252,6 +260,24 @@ host_lookup = * @@ -467,7 +449,7 @@ index 633c653..6379927 100644 # The setting below causes Exim to try to initialize the system resolver # library with DNSSEC support. It has no effect if your library lacks -@@ -382,8 +408,8 @@ timeout_frozen_after = 7d +@@ -382,8 +408,8 @@ # Note that TZ is handled separately by the timezone runtime option # and TIMEZONE_DEFAULT buildtime option. @@ -478,7 +460,7 @@ index 633c653..6379927 100644 -@@ -394,6 +420,29 @@ timeout_frozen_after = 7d +@@ -394,6 +420,29 @@ begin acl @@ -508,7 +490,7 @@ index 633c653..6379927 100644 # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. -@@ -405,6 +454,7 @@ acl_check_rcpt: +@@ -405,6 +454,7 @@ accept hosts = : control = dkim_disable_verify @@ -516,7 +498,7 @@ index 633c653..6379927 100644 ############################################################################# # The following section of the ACL is concerned with local parts that contain -@@ -458,7 +508,8 @@ acl_check_rcpt: +@@ -458,7 +508,8 @@ accept local_parts = postmaster domains = +local_domains @@ -526,7 +508,7 @@ index 633c653..6379927 100644 require verify = sender -@@ -498,6 +549,7 @@ acl_check_rcpt: +@@ -498,6 +549,7 @@ accept hosts = +relay_from_hosts control = submission control = dkim_disable_verify @@ -534,7 +516,7 @@ index 633c653..6379927 100644 # Accept if the message arrived over an authenticated connection, from # any host. Again, these messages are usually from MUAs, so recipient -@@ -507,6 +559,7 @@ acl_check_rcpt: +@@ -507,6 +559,7 @@ accept authenticated = * control = submission control = dkim_disable_verify @@ -542,7 +524,7 @@ index 633c653..6379927 100644 # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow -@@ -527,7 +580,8 @@ acl_check_rcpt: +@@ -527,7 +580,8 @@ # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two # examples of how you can get Exim to perform a DNS black list lookup at this @@ -552,7 +534,7 @@ index 633c653..6379927 100644 # # deny dnslists = black.list.example # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text -@@ -535,6 +589,10 @@ acl_check_rcpt: +@@ -535,6 +589,10 @@ # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain @@ -563,7 +545,7 @@ index 633c653..6379927 100644 ############################################################################# ############################################################################# -@@ -561,6 +619,10 @@ acl_check_rcpt: +@@ -561,6 +619,10 @@ # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} ############################################################################# @@ -574,7 +556,7 @@ index 633c653..6379927 100644 # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. -@@ -610,21 +672,32 @@ acl_check_data: +@@ -610,21 +672,32 @@ message = header syntax log_message = header syntax ($acl_verify_message) @@ -603,19 +585,20 @@ index 633c653..6379927 100644 - # Add headers to a message if it is judged to be spam. Before enabling this, - # you must install SpamAssassin. You may also need to set the spamd_address - # option above. -+ # Bypass SpamAssassin checks if the message is too large. - # +- # - # warn spam = nobody - # add_header = X-Spam_score: $spam_score\n\ - # X-Spam_score_int: $spam_score_int\n\ - # X-Spam_bar: $spam_bar\n\ - # X-Spam_report: $spam_report ++ # Bypass SpamAssassin checks if the message is too large. ++ # + # accept condition = ${if >={$message_size}{100000} {1}} + # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size ############################################################################# # No more tests if PRDR was actively used. -@@ -638,11 +711,63 @@ acl_check_data: +@@ -638,11 +711,63 @@ # condition = ... ############################################################################# @@ -634,7 +617,8 @@ index 633c653..6379927 100644 + # + # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ + # X-Spam-Report: $spam_report -+ + +- # Accept the message. + # And reject if the SpamAssassin score is greater than ten + # + # deny condition = ${if >{$spam_score_int}{100} {1}} @@ -646,8 +630,7 @@ index 633c653..6379927 100644 + # warn condition = ${if >{$spam_score_int}{5} {1}} + # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons + - -- # Accept the message. ++ + # If you want to greylist _all_ mail rather than only mail which looks like there + # might be something wrong with it, then you can do this... + # @@ -680,7 +663,7 @@ index 633c653..6379927 100644 ###################################################################### -@@ -744,7 +869,7 @@ system_aliases: +@@ -744,7 +869,7 @@ driver = redirect allow_fail allow_defer @@ -689,7 +672,7 @@ index 633c653..6379927 100644 # user = exim file_transport = address_file pipe_transport = address_pipe -@@ -782,7 +907,7 @@ userforward: +@@ -782,7 +907,7 @@ # local_part_suffix = +* : -* # local_part_suffix_optional file = $home/.forward @@ -698,7 +681,7 @@ index 633c653..6379927 100644 no_verify no_expn check_ancestor -@@ -790,6 +915,12 @@ userforward: +@@ -790,6 +915,12 @@ pipe_transport = address_pipe reply_transport = address_reply @@ -711,7 +694,7 @@ index 633c653..6379927 100644 # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". -@@ -830,6 +961,25 @@ remote_smtp: +@@ -830,6 +961,25 @@ tls_resumption_hosts = * .endif @@ -737,7 +720,7 @@ index 633c653..6379927 100644 # This transport is used for delivering messages to a smarthost, if the # smarthost router is enabled. This starts from the same basis as -@@ -884,8 +1034,8 @@ local_delivery: +@@ -884,8 +1034,8 @@ delivery_date_add envelope_to_add return_path_add @@ -748,7 +731,7 @@ index 633c653..6379927 100644 # This transport is used for handling pipe deliveries generated by alias or -@@ -918,6 +1068,16 @@ address_reply: +@@ -918,6 +1068,16 @@ driver = autoreply @@ -765,7 +748,7 @@ index 633c653..6379927 100644 ###################################################################### # RETRY CONFIGURATION # -@@ -958,6 +1118,21 @@ begin rewrite +@@ -958,6 +1118,21 @@ # AUTHENTICATION CONFIGURATION # ###################################################################### @@ -787,7 +770,7 @@ index 633c653..6379927 100644 # The following authenticators support plaintext username/password # authentication using the standard PLAIN mechanism and the traditional # but non-standard LOGIN mechanism, with Exim acting as the server. -@@ -973,7 +1148,7 @@ begin rewrite +@@ -973,7 +1148,7 @@ # The default RCPT ACL checks for successful authentication, and will accept # messages from authenticated users from anywhere on the Internet. @@ -796,7 +779,7 @@ index 633c653..6379927 100644 # PLAIN authentication has no server prompts. The client sends its # credentials in one lump, containing an authorization ID (which we do not -@@ -987,7 +1162,7 @@ begin authenticators +@@ -987,7 +1162,7 @@ # driver = plaintext # server_set_id = $auth2 # server_prompts = : @@ -805,7 +788,7 @@ index 633c653..6379927 100644 # server_advertise_condition = ${if def:tls_in_cipher } # LOGIN authentication has traditional prompts and responses. There is no -@@ -999,7 +1174,7 @@ begin authenticators +@@ -999,7 +1174,7 @@ # driver = plaintext # server_set_id = $auth1 # server_prompts = <| Username: | Password: diff --git a/exim-4.98.2-dlopen-localscan.patch b/exim-4.99.1-dlopen-localscan.patch index 21ca340..9396cf9 100644 --- a/exim-4.98.2-dlopen-localscan.patch +++ b/exim-4.99.1-dlopen-localscan.patch @@ -1,12 +1,9 @@ -diff --git a/src/EDITME b/src/EDITME -index 9e4e818..473010b 100644 ---- a/src/EDITME -+++ b/src/EDITME -@@ -918,6 +918,21 @@ HAVE_ICONV=yes - # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** +--- exim-4.99.1.orig/src/EDITME 2026-01-30 10:30:47.833924976 +0800 ++++ exim-4.99.1/src/EDITME 2026-01-30 11:15:31.410856126 +0800 +@@ -998,6 +998,21 @@ -+#------------------------------------------------------------------------------ + #------------------------------------------------------------------------------ +# On systems which support dynamic loading of shared libraries, Exim can +# load a local_scan function specified in its config file instead of having +# to be recompiled with the desired local_scan function. For a full @@ -21,14 +18,13 @@ index 9e4e818..473010b 100644 + +LFLAGS=-rdynamic -ldl -pie + - #------------------------------------------------------------------------------ ++#------------------------------------------------------------------------------ # The default distribution of Exim contains only the plain text form of the # documentation. Other forms are available separately. If you want to install -diff --git a/src/config.h.defaults b/src/config.h.defaults -index 13b203e..70be51d 100644 ---- a/src/config.h.defaults -+++ b/src/config.h.defaults -@@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'. + # the documentation in "info" format, first fetch the Texinfo documentation +--- exim-4.99.1.orig/src/config.h.defaults 2026-01-30 10:30:47.833924976 +0800 ++++ exim-4.99.1/src/config.h.defaults 2026-01-30 11:15:31.410856126 +0800 +@@ -33,6 +33,8 @@ #define AUTH_VARS 4 @@ -37,11 +33,9 @@ index 13b203e..70be51d 100644 #define BIN_DIRECTORY #define CONFIGURE_FILE -diff --git a/src/globals.c b/src/globals.c -index c50b7a4..50d1d13 100644 ---- a/src/globals.c -+++ b/src/globals.c -@@ -152,6 +152,10 @@ time_t tls_watch_trigger_time = (time_t)0; +--- exim-4.99.1.orig/src/globals.c 2026-01-30 10:30:47.832924972 +0800 ++++ exim-4.99.1/src/globals.c 2026-01-30 11:15:31.410856126 +0800 +@@ -156,6 +156,10 @@ uschar *tls_advertise_hosts = NULL; #endif @@ -52,11 +46,9 @@ index c50b7a4..50d1d13 100644 #ifndef DISABLE_PRDR /* Per Recipient Data Response variables */ BOOL prdr_enable = FALSE; -diff --git a/src/globals.h b/src/globals.h -index dc9d384..d4eba50 100644 ---- a/src/globals.h -+++ b/src/globals.h -@@ -150,6 +150,11 @@ extern uschar *tls_verify_hosts; /* Mandatory client verification */ +--- exim-4.99.1.orig/src/globals.h 2026-01-30 10:30:47.832924972 +0800 ++++ exim-4.99.1/src/globals.h 2026-01-30 11:15:31.410856126 +0800 +@@ -157,6 +157,11 @@ extern int tls_watch_fd; /* for inotify of creds files */ extern time_t tls_watch_trigger_time; /* non-0: triggered */ #endif @@ -68,10 +60,8 @@ index dc9d384..d4eba50 100644 extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */ extern uschar *dsn_envid; /* DSN envid string */ -diff --git a/src/local_scan.c b/src/local_scan.c -index da44cb7..5af46c6 100644 ---- a/src/local_scan.c -+++ b/src/local_scan.c +--- exim-4.99.1.orig/src/local_scan.c 2026-01-30 10:30:47.831924969 +0800 ++++ exim-4.99.1/src/local_scan.c 2026-01-30 11:15:31.410856126 +0800 @@ -7,59 +7,134 @@ /* See the file NOTICE for conditions of use and distribution. */ /* SPDX-License-Identifier: GPL-2.0-or-later */ @@ -83,10 +73,7 @@ index da44cb7..5af46c6 100644 -If you want to implement your own version, you should copy this file to, say -Local/local_scan.c, and edit the copy. To use your version instead of the -default, you must set -+#ifdef DLOPEN_LOCAL_SCAN -+extern uschar *local_scan_path; /* Path to local_scan() library */ -+#endif - +- -HAVE_LOCAL_SCAN=yes -LOCAL_SCAN_SOURCE=Local/local_scan.c - @@ -129,6 +116,10 @@ index da44cb7..5af46c6 100644 - is used in the rejection message. -*/ +#ifdef DLOPEN_LOCAL_SCAN ++extern uschar *local_scan_path; /* Path to local_scan() library */ ++#endif ++ ++#ifdef DLOPEN_LOCAL_SCAN +#include <dlfcn.h> +#include <stdlib.h> +static int (*local_scan_fn)(int fd, uschar **return_text) = NULL; @@ -254,11 +245,9 @@ index da44cb7..5af46c6 100644 +#endif /* DLOPEN_LOCAL_SCAN */ + /* End of local_scan.c */ -diff --git a/src/readconf.c b/src/readconf.c -index 940c5d4..c2ddcf2 100644 ---- a/src/readconf.c -+++ b/src/readconf.c -@@ -219,6 +219,9 @@ static optionlist optionlist_config[] = { +--- exim-4.99.1.orig/src/readconf.c 2026-01-30 10:30:47.830924966 +0800 ++++ exim-4.99.1/src/readconf.c 2026-01-30 11:15:31.411856129 +0800 +@@ -218,6 +218,9 @@ { "local_from_prefix", opt_stringptr, {&local_from_prefix} }, { "local_from_suffix", opt_stringptr, {&local_from_suffix} }, { "local_interfaces", opt_stringptr, {&local_interfaces} }, diff --git a/exim-4.98.2-no-gsasl.patch b/exim-4.99.1-no-gsasl.patch index 8ba9e1e..8ba9e1e 100644 --- a/exim-4.98.2-no-gsasl.patch +++ b/exim-4.99.1-no-gsasl.patch @@ -3,7 +3,7 @@ Summary: The exim mail transfer agent Name: exim -Version: 4.98.2 +Version: 4.99.1 Release: 1 License: GPLv2+ Url: https://www.exim.org/ @@ -35,11 +35,11 @@ Source10: exim.service Source11: exim-gen-cert Source12: clamd.exim.service -Patch0: exim-4.98.2-config.patch +Patch0: exim-4.99.1-config.patch Patch1: exim-4.94-libdir.patch -Patch2: exim-4.98.2-dlopen-localscan.patch +Patch2: exim-4.99.1-dlopen-localscan.patch Patch3: exim-4.96-pic.patch -Patch4: exim-4.98.2-no-gsasl.patch +Patch4: exim-4.99.1-no-gsasl.patch Requires: /etc/pki/tls/certs /etc/pki/tls/private @@ -57,7 +57,7 @@ BuildRequires: sqlite-devel BuildRequires: cyrus-sasl-devel BuildRequires: libspf2-devel BuildRequires: libopendmarc-devel -BuildRequires: mariadb-connector-c-devel +BuildRequires: greatsql-devel BuildRequires: libpq-devel BuildRequires: libXaw-devel BuildRequires: libXmu-devel @@ -73,7 +73,6 @@ BuildRequires: libXt-devel BuildRequires: perl(ExtUtils::Embed) BuildRequires: systemd-units BuildRequires: libgsasl-devel -BuildRequires: mariadb-devel BuildRequires: libnsl2-devel BuildRequires: libtirpc-devel BuildRequires: gnupg2 @@ -203,7 +202,7 @@ install -m 4775 exim $RPM_BUILD_ROOT%{_sbindir} for i in eximon eximon.bin exim_dumpdb exim_fixdb exim_tidydb \ exinext exiwhat exim_dbmbuild exicyclog exim_lock \ exigrep eximstats exipick exiqgrep exiqsumm \ - exim_checkaccess convert4r4 + exim_checkaccess do install -m 0755 $i $RPM_BUILD_ROOT%{_sbindir} done @@ -383,7 +382,6 @@ fi %{_sbindir}/exiqsumm %{_sbindir}/exim_lock %{_sbindir}/exim_checkaccess -%{_sbindir}/convert4r4 %{_sbindir}/sendmail.exim %{_bindir}/mailq.exim %{_bindir}/runq.exim @@ -480,6 +478,11 @@ fi %{_sysconfdir}/cron.daily/greylist-tidy.sh %changelog +* Fri Jan 30 2026 zhuchao <tom_toworld@163.com> - 4.99.1-1 +- Upgrade to 4.99.1 to fix CVE-2025-67896 (Remote heap corruption) +- Adapted all patches for 4.99.1 compatibility +- Removed exim-4.98.2-no-gsasl.patch (no longer needed in 4.99.1) + * Sun May 25 2025 zhuchao <tom_toworld@163.com> - 4.98.2-1 - DESC: upgrade to 4.98.2 to resolve the to CVE-2025-26794 to CVE-2025-30232 @@ -1 +1 @@ -7ed3e24c1eef44824b79b4c442f99f0b exim-4.98.2.tar.xz +281df763c79f1d68cb4f9ee9c9d8a2e1 exim-4.99.1.tar.xz |