From 49971cad7f2f75df53d5a2615d979bcafb3e6040 Mon Sep 17 00:00:00 2001
From: CoprDistGit
Date: Mon, 2 Feb 2026 03:05:29 +0000
Subject: automatic import of exim
---
.gitignore | 1 +
exim-4.96-pic.patch | 12 +-
exim-4.98.2-config.patch | 816 ------------------------------------
exim-4.98.2-dlopen-localscan.patch | 270 ------------
exim-4.98.2-no-gsasl.patch | 15 -
exim-4.99.1-config.patch | 799 ++++++++++++++++++++++++++++++++++++
exim-4.99.1-dlopen-localscan.patch | 259 ++++++++++++
exim-4.99.1-no-gsasl.patch | 15 +
exim.spec | 19 +-
sources | 2 +-
10 files changed, 1091 insertions(+), 1117 deletions(-)
delete mode 100644 exim-4.98.2-config.patch
delete mode 100644 exim-4.98.2-dlopen-localscan.patch
delete mode 100644 exim-4.98.2-no-gsasl.patch
create mode 100644 exim-4.99.1-config.patch
create mode 100644 exim-4.99.1-dlopen-localscan.patch
create mode 100644 exim-4.99.1-no-gsasl.patch
diff --git a/.gitignore b/.gitignore
index 446b424..831bda4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /exim-4.98.2.tar.xz
+/exim-4.99.1.tar.xz
diff --git a/exim-4.96-pic.patch b/exim-4.96-pic.patch
index 0d15a95..50c5a10 100644
--- a/exim-4.96-pic.patch
+++ b/exim-4.96-pic.patch
@@ -1,13 +1,11 @@
-diff --git a/src/lookups/Makefile b/src/lookups/Makefile
-index 19585bf..a0d355f 100644
---- a/src/lookups/Makefile
-+++ b/src/lookups/Makefile
-@@ -24,7 +24,7 @@ lookups.a: $(OBJ)
+--- exim-4.99.1.orig/src/lookups/Makefile 2026-01-30 14:11:02.707533592 +0800
++++ exim-4.99.1/src/lookups/Makefile 2026-01-30 14:35:41.614342701 +0800
+@@ -26,7 +26,7 @@
 $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
 .c.so:; @echo "$(CC) -shared $*.c"
- $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
+ $(FE)$(CC) $(LOOKUP_$*_INCLUDE) $(LOOKUP_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $(PIC) $*.c -o $@
- lf_check_file.o: $(HDRS) lf_check_file.c lf_functions.h
- lf_quote.o: $(HDRS) lf_quote.c lf_functions.h
+ cdb.o cdb.so: $(HDRS) cdb.c
+ dbmdb.o dbmdb.so: $(HDRS) dbmdb.c
diff --git a/exim-4.98.2-config.patch b/exim-4.98.2-config.patch
deleted file mode 100644
index 12996b1..0000000
--- a/exim-4.98.2-config.patch
+++ /dev/null
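Review bot: The rebased patch keeps the name exim-4.96-pic.patch while its new `---`/`+++` header lines now target exim-4.99.1 and carry local timestamps, so the file name no longer says which tree it applies to and the header will churn on every regeneration. The other rebased patches in this commit are renamed to exim-4.99.1-*.patch; renaming this one the same way and regenerating it with `git diff` so the header is the stable, timestamp-free form the hunk removes (`--- a/src/lookups/Makefile` / `+++ b/src/lookups/Makefile`) would keep the patch set consistent and reviewable. It is also worth confirming that exim.spec applies this patch with a strip level that handles the new `exim-4.99.1.orig/` prefix rather than the old `a/`/`b/` one; exim.spec is changed in this commit but lies outside this chunk. The `$(PIC)` insertion on the `.c.so` rule itself is unchanged from the previous version of the patch.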
@@ -1,816 +0,0 @@ -diff --git a/scripts/Configure-Makefile b/scripts/Configure-Makefile -index dc5015f..07f8c23 100755 ---- a/scripts/Configure-Makefile -+++ b/scripts/Configure-Makefile -@@ -319,7 +319,7 @@ if [ "${EXIM_PERL}" != "" ] ; then - - mv $mft $mftt - echo "PERL_CC=`$PERL_COMMAND -MConfig -e 'print $Config{cc}'`" >>$mft -- echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts`" >>$mft -+ echo "PERL_CCOPTS=`$PERL_COMMAND -MExtUtils::Embed -e ccopts` \$(CFLAGS)" >>$mft - echo "PERL_LIBS=`$PERL_COMMAND -MExtUtils::Embed -e ldopts`" >>$mft - echo "" >>$mft - cat $mftt >> $mft -diff --git a/src/EDITME b/src/EDITME -index ebfaf64..9e4e818 100644 ---- a/src/EDITME -+++ b/src/EDITME -@@ -103,7 +103,7 @@ - # /usr/local/sbin. The installation script will try to create this directory, - # and any superior directories, if they do not exist. - --BIN_DIRECTORY=/usr/exim/bin -+BIN_DIRECTORY=/usr/sbin - - - #------------------------------------------------------------------------------ -@@ -119,7 +119,7 @@ BIN_DIRECTORY=/usr/exim/bin - # don't exist. It will also install a default runtime configuration if this - # file does not exist. - --CONFIGURE_FILE=/usr/exim/configure -+CONFIGURE_FILE=/etc/exim/exim.conf - - # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. - # In this case, Exim will use the first of them that exists when it is run. -@@ -136,7 +136,7 @@ CONFIGURE_FILE=/usr/exim/configure - # deliveries. (Local deliveries run as various non-root users, typically as the - # owner of a local mailbox.) Specifying these values as root is not supported. - --EXIM_USER= -+EXIM_USER=93 - - # If you specify EXIM_USER as a name, this is looked up at build time, and the - # uid number is built into the binary. However, you can specify that this -@@ -157,7 +157,7 @@ EXIM_USER= - # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless - # you want to use a group other than the default group for the given user. 
- --# EXIM_GROUP= -+EXIM_GROUP=93 - - # Many sites define a user called "exim", with an appropriate default group, - # and use -@@ -214,10 +214,10 @@ SPOOL_DIRECTORY=/var/spool/exim - # If you are building with TLS, the library configuration must be done: - - # Uncomment this if you are using OpenSSL --# USE_OPENSSL=yes -+USE_OPENSSL=yes - # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not - # and an optional location. --# USE_OPENSSL_PC=openssl -+USE_OPENSSL_PC=openssl - # TLS_LIBS=-lssl -lcrypto - # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto - -@@ -344,7 +344,7 @@ TRANSPORT_SMTP=yes - # This one is special-purpose, and commonly not required, so it is not - # included by default. - --# TRANSPORT_LMTP=yes -+TRANSPORT_LMTP=yes - - - #------------------------------------------------------------------------------ -@@ -353,9 +353,9 @@ TRANSPORT_SMTP=yes - # MBX, is included only when requested. If you do not know what this is about, - # leave these settings commented out. 
- --# SUPPORT_MAILDIR=yes --# SUPPORT_MAILSTORE=yes --# SUPPORT_MBX=yes -+SUPPORT_MAILDIR=yes -+SUPPORT_MAILSTORE=yes -+SUPPORT_MBX=yes - - - #------------------------------------------------------------------------------ -@@ -413,22 +413,28 @@ LOOKUP_DBM=yes - LOOKUP_LSEARCH=yes - LOOKUP_DNSDB=yes - --# LOOKUP_CDB=yes --# LOOKUP_DSEARCH=yes -+LOOKUP_CDB=yes -+LOOKUP_DSEARCH=yes - # LOOKUP_IBASE=yes - # LOOKUP_JSON=yes --# LOOKUP_LDAP=yes -+LOOKUP_LDAP=yes -+LDAP_LIB_TYPE=OPENLDAP2 -+LOOKUP_LIBS=-lldap -llber -lsqlite3 - # LOOKUP_LMDB=yes - --# LOOKUP_MYSQL=yes --# LOOKUP_MYSQL_PC=mariadb --# LOOKUP_NIS=yes --# LOOKUP_NISPLUS=yes -+LOOKUP_MYSQL=2 -+LOOKUP_MYSQL_PC=mariadb -+# LOOKUP_NIS=yes -+# LOOKUP_NISPLUS=yes -+CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc -+LIBS+=-L/usr/$(_lib)/nsl -+ - # LOOKUP_ORACLE=yes --# LOOKUP_PASSWD=yes --# LOOKUP_PGSQL=yes -+LOOKUP_PASSWD=yes -+LOOKUP_PGSQL=2 -+LOOKUP_PGSQL_LIBS=-lpq - # LOOKUP_REDIS=yes --# LOOKUP_SQLITE=yes -+LOOKUP_SQLITE=yes - # LOOKUP_SQLITE_PC=sqlite3 - # LOOKUP_WHOSON=yes - -@@ -441,7 +447,7 @@ LOOKUP_DNSDB=yes - - - # Some platforms may need this for LOOKUP_NIS: --# LIBS += -lnsl -+LIBS += -lnsl - - #------------------------------------------------------------------------------ - # If you have set LOOKUP_LDAP=yes, you should set LDAP_LIB_TYPE to indicate -@@ -515,7 +521,7 @@ SUPPORT_DANE=yes - # files are defaulted in the OS/Makefile-Default file, but can be overridden in - # local OS-specific make files. - --# EXIM_MONITOR=eximon.bin -+EXIM_MONITOR=eximon.bin - - - #------------------------------------------------------------------------------ -@@ -525,7 +531,7 @@ SUPPORT_DANE=yes - # and the MIME ACL. Please read the documentation to learn more about these - # features. - --# WITH_CONTENT_SCAN=yes -+WITH_CONTENT_SCAN=yes - - # If you have content scanning you may wish to only include some of the scanner - # interfaces. Uncomment any of these lines to remove that code. 
-@@ -609,12 +615,12 @@ DISABLE_MAL_MKS=yes - - # Uncomment the following line to add DMARC checking capability, implemented - # using libopendmarc libraries. You must have SPF and DKIM support enabled also. --# SUPPORT_DMARC=yes -+SUPPORT_DMARC=yes - # CFLAGS += -I/usr/local/include --# LDFLAGS += -lopendmarc -+LDFLAGS += -lopendmarc - # Uncomment the following if you need to change the default. You can - # override it at runtime (main config option dmarc_tld_file) --# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds -+DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat - # - # Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; - # 1.3.2-3 works. It seems that the OpenDMARC project broke their API. -@@ -749,7 +755,7 @@ FIXED_NEVER_USERS=root - # CONFIGURE_OWNER setting, to specify a configuration file which is listed in - # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. - --# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs -+TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs - - - #------------------------------------------------------------------------------ -@@ -794,18 +800,18 @@ FIXED_NEVER_USERS=root - # included in the Exim binary. You will then need to set up the run time - # configuration to make use of the mechanism(s) selected. 
- --# AUTH_CRAM_MD5=yes --# AUTH_CYRUS_SASL=yes --# AUTH_DOVECOT=yes -+AUTH_CRAM_MD5=yes -+AUTH_CYRUS_SASL=yes -+AUTH_DOVECOT=yes - # AUTH_EXTERNAL=yes --# AUTH_GSASL=yes --# AUTH_GSASL_PC=libgsasl -+AUTH_GSASL=yes -+AUTH_GSASL_PC=libgsasl - # AUTH_HEIMDAL_GSSAPI=yes - # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi - # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5 --# AUTH_PLAINTEXT=yes --# AUTH_SPA=yes --# AUTH_TLS=yes -+AUTH_PLAINTEXT=yes -+AUTH_SPA=yes -+AUTH_TLS=yes - - # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 - # requires multiple pkg-config files to work with Exim, so the second example -@@ -832,7 +838,7 @@ FIXED_NEVER_USERS=root - # one that is set in the headers_charset option. The default setting is - # defined by this setting: - --HEADERS_CHARSET="ISO-8859-1" -+HEADERS_CHARSET="UTF-8" - - # If you are going to make use of $header_xxx expansions in your configuration - # file, or if your users are going to use them in filter files, and the normal -@@ -852,7 +858,7 @@ HEADERS_CHARSET="ISO-8859-1" - # the Sieve filter support. For those OS where iconv() is known to be installed - # as standard, the file in OS/Makefile-xxxx contains - # --# HAVE_ICONV=yes -+HAVE_ICONV=yes - # - # If you are not using one of those systems, but have installed iconv(), you - # need to uncomment that line above. In some cases, you may find that iconv() -@@ -928,7 +934,7 @@ HEADERS_CHARSET="ISO-8859-1" - # Once you have done this, "make install" will build the info files and - # install them in the directory you have defined. - --# INFO_DIRECTORY=/usr/share/info -+INFO_DIRECTORY=/usr/share/info - - - #------------------------------------------------------------------------------ -@@ -941,7 +947,7 @@ HEADERS_CHARSET="ISO-8859-1" - # %s. This will be replaced by one of the strings "main", "panic", or "reject" - # to form the final file names. 
Some installations may want something like this: - --# LOG_FILE_PATH=/var/log/exim_%slog -+LOG_FILE_PATH=/var/log/exim/%s.log - - # which results in files with names /var/log/exim_mainlog, etc. The directory - # in which the log files are placed must exist; Exim does not try to create -@@ -1013,7 +1019,7 @@ ZCAT_COMMAND=/usr/bin/zcat - # (version 5.004 or later) installed, set EXIM_PERL to perl.o. Using embedded - # Perl costs quite a lot of resources. Only do this if you really need it. - --# EXIM_PERL=perl.o -+EXIM_PERL=perl.o - - - #------------------------------------------------------------------------------ -@@ -1023,7 +1029,7 @@ ZCAT_COMMAND=/usr/bin/zcat - # that the local_scan API is made available by the linker. You may also need - # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. - --# EXPAND_DLFUNC=yes -+EXPAND_DLFUNC=yes - - - #------------------------------------------------------------------------------ -@@ -1033,7 +1039,7 @@ ZCAT_COMMAND=/usr/bin/zcat - # support, which is intended for use in conjunction with the SMTP AUTH - # facilities, is included only when requested by the following setting: - --# SUPPORT_PAM=yes -+SUPPORT_PAM=yes - - # You probably need to add -lpam to EXTRALIBS, and in some releases of - # GNU/Linux -ldl is also needed. -@@ -1045,12 +1051,12 @@ ZCAT_COMMAND=/usr/bin/zcat - # If you may want to use outbound (client-side) proxying, using Socks5, - # uncomment the line below. - --# SUPPORT_SOCKS=yes -+SUPPORT_SOCKS=yes - - # If you may want to use inbound (server-side) proxying, using Proxy Protocol, - # uncomment the line below. - --# SUPPORT_PROXY=yes -+SUPPORT_PROXY=yes - - - #------------------------------------------------------------------------------ -@@ -1074,9 +1080,9 @@ ZCAT_COMMAND=/usr/bin/zcat - # installed on your system (www.libspf2.org). Depending on where it is installed - # you may have to edit the CFLAGS and LDFLAGS lines. 
- --# SUPPORT_SPF=yes -+SUPPORT_SPF=yes - # CFLAGS += -I/usr/local/include --# LDFLAGS += -lspf2 -+LDFLAGS += -lspf2 - - - #------------------------------------------------------------------------------ -@@ -1141,7 +1147,7 @@ ZCAT_COMMAND=/usr/bin/zcat - # group. Once you have installed saslauthd, you should arrange for it to be - # started by root at boot time. - --# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux -+CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux - - - #------------------------------------------------------------------------------ -@@ -1155,8 +1161,8 @@ ZCAT_COMMAND=/usr/bin/zcat - # library for TCP wrappers, so you probably need something like this: - # - # USE_TCP_WRAPPERS=yes --# CFLAGS=-O -I/usr/local/include --# EXTRALIBS_EXIM=-L/usr/local/lib -lwrap -+CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) -+EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic - # - # but of course there may need to be other things in CFLAGS and EXTRALIBS_EXIM - # as well. -@@ -1208,7 +1214,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases - # is "yes", as well as supporting line editing, a history of input lines in the - # current run is maintained. - --# USE_READLINE=yes -+USE_READLINE=yes - - # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. - # Note that this option adds to the size of the Exim binary, because the -@@ -1225,7 +1231,7 @@ SYSTEM_ALIASES_FILE=/etc/aliases - #------------------------------------------------------------------------------ - # Uncomment this setting to include IPv6 support. - --# HAVE_IPV6=yes -+HAVE_IPV6=yes - - ############################################################################### - # THINGS YOU ALMOST NEVER NEED TO MENTION # -@@ -1246,13 +1252,13 @@ SYSTEM_ALIASES_FILE=/etc/aliases - # haven't got Perl, Exim will still build and run; you just won't be able to - # use those utilities. 
- --# CHOWN_COMMAND=/usr/bin/chown --# CHGRP_COMMAND=/usr/bin/chgrp --# CHMOD_COMMAND=/usr/bin/chmod --# MV_COMMAND=/bin/mv --# RM_COMMAND=/bin/rm --# TOUCH_COMMAND=/usr/bin/touch --# PERL_COMMAND=/usr/bin/perl -+CHOWN_COMMAND=/usr/bin/chown -+CHGRP_COMMAND=/usr/bin/chgrp -+CHMOD_COMMAND=/usr/bin/chmod -+MV_COMMAND=/usr/bin/mv -+RM_COMMAND=/usr/bin/rm -+TOUCH_COMMAND=/usr/bin/touch -+PERL_COMMAND=/usr/bin/perl - - - #------------------------------------------------------------------------------ -@@ -1454,7 +1460,7 @@ EXIM_TMPDIR="/tmp" - # (process id) to a file so that it can easily be identified. The path of the - # file can be specified here. Some installations may want something like this: - --# PID_FILE_PATH=/var/lock/exim.pid -+PID_FILE_PATH=/var/run/exim.pid - - # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory - # using the name "exim-daemon.pid". -diff --git a/src/configure.default b/src/configure.default -index 633c653..6379927 100644 ---- a/src/configure.default -+++ b/src/configure.default -@@ -67,7 +67,7 @@ - # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They - # are all colon-separated lists: - --domainlist local_domains = @ -+domainlist local_domains = @ : localhost : localhost.localdomain - domainlist relay_to_domains = - hostlist relay_from_hosts = localhost - # (We rely upon hostname resolution working for localhost, because the default -@@ -119,11 +119,13 @@ hostlist relay_from_hosts = localhost - # manual for details. The lists above are used in the access control lists for - # checking incoming messages. The names of these ACLs are defined here: - -+acl_smtp_mail = acl_check_mail - acl_smtp_rcpt = acl_check_rcpt - .ifdef _HAVE_PRDR - acl_smtp_data_prdr = acl_check_prdr - .endif - acl_smtp_data = acl_check_data -+acl_smtp_mime = acl_check_mime - - # You should not change those settings until you understand how ACLs work. 
- -@@ -136,7 +138,7 @@ acl_smtp_data = acl_check_data - # of what to set for other virus scanners. The second modification is in the - # acl_check_data access control list (see below). - --# av_scanner = clamd:/tmp/clamd -+av_scanner = clamd:/var/run/clamd.exim/clamd.sock - - - # For spam scanning, there is a similar option that defines the interface to -@@ -147,6 +149,12 @@ acl_smtp_data = acl_check_data - # spamd_address = 127.0.0.1 783 - - -+# Set the default sqlite database file for greylisting. Uncomment this -+# if you use the greylisting ACLs defined below. -+ -+# sqlite_dbfile = /var/spool/exim/db/greylist.db -+ -+ - # If Exim is compiled with support for TLS, you may want to change the - # following option so that Exim disallows certain clients from makeing encrypted - # connections. The default is to allow all. -@@ -157,7 +165,7 @@ acl_smtp_data = acl_check_data - - # This is equivalent to the default. - --# tls_advertise_hosts = * -+tls_advertise_hosts = * - - # Specify the location of the Exim server's TLS certificate and private key. - # The private key must not be encrypted (password protected). You can put -@@ -165,8 +173,8 @@ acl_smtp_data = acl_check_data - # need the first setting, or in separate files, in which case you need both - # options. - --# tls_certificate = /etc/ssl/exim.crt --# tls_privatekey = /etc/ssl/exim.pem -+tls_certificate = /etc/pki/tls/certs/exim.pem -+tls_privatekey = /etc/pki/tls/private/exim.pem - - # For OpenSSL, prefer EC- over RSA-authenticated ciphers - .ifdef _HAVE_OPENSSL -@@ -193,8 +201,8 @@ tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}} - # them you should also allow TLS-on-connect on the traditional (and now - # standard) port 465. 
- --# daemon_smtp_ports = 25 : 465 : 587 --# tls_on_connect_ports = 465 -+daemon_smtp_ports = 25 : 465 : 587 -+tls_on_connect_ports = 465 - - - # Specify the domain you want to be added to all unqualified addresses -@@ -252,6 +260,24 @@ never_users = root - - host_lookup = * - -+# This setting, if uncommented, allows users to authenticate using -+# their system passwords against saslauthd if they connect over a -+# secure connection. If you have network logins such as NIS or -+# Kerberos rather than only local users, then you possibly also want -+# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism -+# too. Once a user is authenticated, the acl_check_rcpt ACL then -+# allows them to relay through the system. -+# -+# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} -+# -+# By default, we set this option to allow SMTP AUTH from nowhere -+# (Exim's default would be to allow it from anywhere, even on an -+# unencrypted connection). -+# -+# Comment this one out if you uncomment the above. Did you make sure -+# saslauthd is actually running first? -+# -+auth_advertise_hosts = - - # The setting below causes Exim to try to initialize the system resolver - # library with DNSSEC support. It has no effect if your library lacks -@@ -382,8 +408,8 @@ timeout_frozen_after = 7d - # Note that TZ is handled separately by the timezone runtime option - # and TIMEZONE_DEFAULT buildtime option. - --# keep_environment = ^LDAP --# add_environment = PATH=/usr/bin::/bin -+keep_environment = ^LDAP -+add_environment = PATH=/usr/bin::/bin - - - -@@ -394,6 +420,29 @@ timeout_frozen_after = 7d - - begin acl - -+ -+# This access control list is used for the MAIL command in an incoming -+# SMTP message. -+ -+acl_check_mail: -+ -+ # Hosts are required to say HELO (or EHLO) before sending mail. -+ # So don't allow them to use the MAIL command if they haven't -+ # done so. 
-+ -+ deny condition = ${if eq{$sender_helo_name}{} {1}} -+ message = Nice boys say HELO first -+ -+ # Use the lack of reverse DNS to trigger greylisting. Some people -+ # even reject for it but that would be a little excessive. -+ -+ warn condition = ${if eq{$sender_host_name}{} {1}} -+ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons -+ -+ accept -+ -+ -+ - # This access control list is used for every RCPT command in an incoming - # SMTP message. The tests are run in order until the address is either - # accepted or denied. -@@ -405,6 +454,7 @@ acl_check_rcpt: - - accept hosts = : - control = dkim_disable_verify -+ control = dmarc_disable_verify - - ############################################################################# - # The following section of the ACL is concerned with local parts that contain -@@ -458,7 +508,8 @@ acl_check_rcpt: - accept local_parts = postmaster - domains = +local_domains - -- # Deny unless the sender address can be verified. -+ # Deny unless the sender address can be routed. For proper verification of the -+ # address, read the documentation on callouts and add the /callout modifier. - - require verify = sender - -@@ -498,6 +549,7 @@ acl_check_rcpt: - accept hosts = +relay_from_hosts - control = submission - control = dkim_disable_verify -+ control = dmarc_disable_verify - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient -@@ -507,6 +559,7 @@ acl_check_rcpt: - accept authenticated = * - control = submission - control = dkim_disable_verify -+ control = dmarc_disable_verify - - # Insist that any other recipient address that we accept is either in one of - # our local domains, or is in a domain for which we explicitly allow -@@ -527,7 +580,8 @@ acl_check_rcpt: - # There are no default checks on DNS black lists because the domains that - # contain these lists are changing all the time. 
However, here are two - # examples of how you can get Exim to perform a DNS black list lookup at this -- # point. The first one denies, whereas the second just warns. -+ # point. The first one denies, whereas the second just warns. The third -+ # triggers greylisting for any host in the blacklist. - # - # deny dnslists = black.list.example - # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text -@@ -535,6 +589,10 @@ acl_check_rcpt: - # warn dnslists = black.list.example - # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain - # log_message = found in $dnslist_domain -+ # -+ # warn dnslists = black.list.example -+ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons -+ # - ############################################################################# - - ############################################################################# -@@ -561,6 +619,10 @@ acl_check_rcpt: - # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} - ############################################################################# - -+ # Alternatively, greylist for it: -+ # warn !verify = csa -+ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons -+ - # At this point, the address has passed all the checks that have been - # configured, so we accept it unconditionally. - -@@ -610,21 +672,32 @@ acl_check_data: - message = header syntax - log_message = header syntax ($acl_verify_message) - -+ # Put simple tests first. A good one is to check for the presence of a -+ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken -+ # or misconfigured mailer software occasionally omits this from genuine -+ # messages too, though -- although it's not hard for the offender to fix -+ # after they receive a bounce because of it. 
-+ # -+ # deny condition = ${if !def:h_Message-ID: {1}} -+ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ -+ # Most messages without it are spam, so your mail has been rejected. -+ # -+ # Alternatively if we're feeling more lenient we could just use it to -+ # trigger greylisting instead: -+ -+ warn condition = ${if !def:h_Message-ID: {1}} -+ set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons -+ - # Deny if the message contains a virus. Before enabling this check, you - # must install a virus scanner and set the av_scanner option above. - # - # deny malware = * - # message = This message contains a virus ($malware_name). - -- # Add headers to a message if it is judged to be spam. Before enabling this, -- # you must install SpamAssassin. You may also need to set the spamd_address -- # option above. -+ # Bypass SpamAssassin checks if the message is too large. - # -- # warn spam = nobody -- # add_header = X-Spam_score: $spam_score\n\ -- # X-Spam_score_int: $spam_score_int\n\ -- # X-Spam_bar: $spam_bar\n\ -- # X-Spam_report: $spam_report -+ # accept condition = ${if >={$message_size}{100000} {1}} -+ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size - - ############################################################################# - # No more tests if PRDR was actively used. -@@ -638,11 +711,63 @@ acl_check_data: - # condition = ... - ############################################################################# - -+ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message -+ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA -+ # score exceeds the SA system threshold. 
-+ # -+ # warn spam = nobody/defer_ok -+ # add_header = X-Spam-Flag: YES -+ # -+ # accept condition = ${if !def:spam_score_int {1}} -+ # add_header = X-Spam-Note: SpamAssassin invocation failed -+ # -+ -+ # Unconditionally add score and report headers -+ # -+ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\ -+ # X-Spam-Report: $spam_report -+ -+ # And reject if the SpamAssassin score is greater than ten -+ # -+ # deny condition = ${if >{$spam_score_int}{100} {1}} -+ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ -+ # $spam_report -+ -+ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5 -+ # -+ # warn condition = ${if >{$spam_score_int}{5} {1}} -+ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons -+ - -- # Accept the message. -+ # If you want to greylist _all_ mail rather than only mail which looks like there -+ # might be something wrong with it, then you can do this... -+ # -+ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons -+ -+ # Now, invoke the greylisting. For this you need to have installed the exim-greylist -+ # package which contains this subroutine, and you need to uncomment the bit below -+ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty, -+ # greylisting will kick in and will defer the mail to check if the sender is a -+ # proper mail which which retries, or whether it's a zombie. For more details, see -+ # the exim-greylist.conf.inc file itself. -+ # -+ # require acl = greylist_mail - - accept - -+# To enable the greylisting, also uncomment this line: -+# .include /etc/exim/exim-greylist.conf.inc -+ -+acl_check_mime: -+ -+ # File extension filtering. 
-+ deny message = Blacklisted file extension detected -+ condition = ${if match \ -+ {${lc:$mime_filename}} \ -+ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \ -+ {1}{0}} -+ -+ accept - - - ###################################################################### -@@ -744,7 +869,7 @@ system_aliases: - driver = redirect - allow_fail - allow_defer -- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}} -+ data = ${lookup{$local_part}lsearch{/etc/aliases}} - # user = exim - file_transport = address_file - pipe_transport = address_pipe -@@ -782,7 +907,7 @@ userforward: - # local_part_suffix = +* : -* - # local_part_suffix_optional - file = $home/.forward --# allow_filter -+ allow_filter - no_verify - no_expn - check_ancestor -@@ -790,6 +915,12 @@ userforward: - pipe_transport = address_pipe - reply_transport = address_reply - -+procmail: -+ driver = accept -+ check_local_user -+ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail -+ transport = procmail -+ no_verify - - # This router matches local user mailboxes. If the router fails, the error - # message is "Unknown user". -@@ -830,6 +961,25 @@ remote_smtp: - tls_resumption_hosts = * - .endif - -+# This transport is used for delivering messages over SMTP using the -+# "message submission" port (RFC4409). -+ -+remote_msa: -+ driver = smtp -+ port = 587 -+ hosts_require_auth = * -+ -+ -+# This transport invokes procmail to deliver mail -+procmail: -+ driver = pipe -+ command = "/usr/bin/procmail -d $local_part" -+ return_path_add -+ delivery_date_add -+ envelope_to_add -+ user = $local_part -+ initgroups -+ return_output - - # This transport is used for delivering messages to a smarthost, if the - # smarthost router is enabled. 
This starts from the same basis as -@@ -884,8 +1034,8 @@ local_delivery: - delivery_date_add - envelope_to_add - return_path_add --# group = mail --# mode = 0660 -+ group = mail -+ mode = 0660 - - - # This transport is used for handling pipe deliveries generated by alias or -@@ -918,6 +1068,16 @@ address_reply: - driver = autoreply - - -+# This transport is used to deliver local mail to cyrus IMAP server via UNIX -+# socket. You'll need to configure the 'localuser' router above to use it. -+# -+#lmtp_delivery: -+# home_directory = /var/spool/imap -+# driver = lmtp -+# command = "/usr/lib/cyrus-imapd/deliver -l" -+# batch_max = 20 -+# user = cyrus -+ - - ###################################################################### - # RETRY CONFIGURATION # -@@ -958,6 +1118,21 @@ begin rewrite - # AUTHENTICATION CONFIGURATION # - ###################################################################### - -+begin authenticators -+ -+# This authenticator supports CRAM-MD5 username/password authentication -+# with Exim acting as a _client_, as it might when sending its outgoing -+# mail to a smarthost rather than directly to the final recipient. -+# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate. -+ -+#client_auth: -+# driver = cram_md5 -+# public_name = CRAM-MD5 -+# client_name = SMTPAUTH_USERNAME -+# client_secret = SMTPAUTH_PASSWORD -+ -+# -+ - # The following authenticators support plaintext username/password - # authentication using the standard PLAIN mechanism and the traditional - # but non-standard LOGIN mechanism, with Exim acting as the server. -@@ -973,7 +1148,7 @@ begin rewrite - # The default RCPT ACL checks for successful authentication, and will accept - # messages from authenticated users from anywhere on the Internet. - --begin authenticators -+# - - # PLAIN authentication has no server prompts. 
The client sends its - # credentials in one lump, containing an authorization ID (which we do not -@@ -987,7 +1162,7 @@ begin authenticators - # driver = plaintext - # server_set_id = $auth2 - # server_prompts = : --# server_condition = Authentication is not yet configured -+# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}} - # server_advertise_condition = ${if def:tls_in_cipher } - - # LOGIN authentication has traditional prompts and responses. There is no -@@ -999,7 +1174,7 @@ begin authenticators - # driver = plaintext - # server_set_id = $auth1 - # server_prompts = <| Username: | Password: --# server_condition = Authentication is not yet configured -+# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}} - # server_advertise_condition = ${if def:tls_in_cipher } - - diff --git a/exim-4.98.2-dlopen-localscan.patch b/exim-4.98.2-dlopen-localscan.patch deleted file mode 100644 index 21ca340..0000000 --- a/exim-4.98.2-dlopen-localscan.patch +++ /dev/null 
@@ -1,270 +0,0 @@ -diff --git a/src/EDITME b/src/EDITME -index 9e4e818..473010b 100644 ---- a/src/EDITME -+++ b/src/EDITME -@@ -918,6 +918,21 @@ HAVE_ICONV=yes - # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** - - -+#------------------------------------------------------------------------------ -+# On systems which support dynamic loading of shared libraries, Exim can -+# load a local_scan function specified in its config file instead of having -+# to be recompiled with the desired local_scan function. For a full -+# description of the API to this function, see the Exim specification. -+ -+DLOPEN_LOCAL_SCAN=yes -+HAVE_LOCAL_SCAN=yes -+ -+# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the -+# linker flags. Without it, the loaded .so won't be able to access any -+# functions from exim. -+ -+LFLAGS=-rdynamic -ldl -pie -+ - #------------------------------------------------------------------------------ - # The default distribution of Exim contains only the plain text form of the - # documentation. Other forms are available separately. If you want to install -diff --git a/src/config.h.defaults b/src/config.h.defaults -index 13b203e..70be51d 100644 ---- a/src/config.h.defaults -+++ b/src/config.h.defaults -@@ -33,6 +33,8 @@ Do not put spaces between # and the 'define'. 
- - #define AUTH_VARS 4 - -+#define DLOPEN_LOCAL_SCAN -+ - #define BIN_DIRECTORY - - #define CONFIGURE_FILE -diff --git a/src/globals.c b/src/globals.c -index c50b7a4..50d1d13 100644 ---- a/src/globals.c -+++ b/src/globals.c -@@ -152,6 +152,10 @@ time_t tls_watch_trigger_time = (time_t)0; - uschar *tls_advertise_hosts = NULL; - #endif - -+#ifdef DLOPEN_LOCAL_SCAN -+uschar *local_scan_path = NULL; -+#endif -+ - #ifndef DISABLE_PRDR - /* Per Recipient Data Response variables */ - BOOL prdr_enable = FALSE; -diff --git a/src/globals.h b/src/globals.h -index dc9d384..d4eba50 100644 ---- a/src/globals.h -+++ b/src/globals.h -@@ -150,6 +150,11 @@ extern uschar *tls_verify_hosts; /* Mandatory client verification */ - extern int tls_watch_fd; /* for inotify of creds files */ - extern time_t tls_watch_trigger_time; /* non-0: triggered */ - #endif -+ -+#ifdef DLOPEN_LOCAL_SCAN -+extern uschar *local_scan_path; /* Path to local_scan() library */ -+#endif -+ - extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */ - - extern uschar *dsn_envid; /* DSN envid string */ -diff --git a/src/local_scan.c b/src/local_scan.c -index da44cb7..5af46c6 100644 ---- a/src/local_scan.c -+++ b/src/local_scan.c -@@ -7,59 +7,134 @@ - /* See the file NOTICE for conditions of use and distribution. */ - /* SPDX-License-Identifier: GPL-2.0-or-later */ - -+#include - --/****************************************************************************** --This file contains a template local_scan() function that just returns ACCEPT. --If you want to implement your own version, you should copy this file to, say --Local/local_scan.c, and edit the copy. To use your version instead of the --default, you must set -+#ifdef DLOPEN_LOCAL_SCAN -+extern uschar *local_scan_path; /* Path to local_scan() library */ -+#endif - --HAVE_LOCAL_SCAN=yes --LOCAL_SCAN_SOURCE=Local/local_scan.c -- --in your Local/Makefile. This makes it easy to copy your version for use with --subsequent Exim releases. 
-- --For a full description of the API to this function, see the Exim specification. --******************************************************************************/ -- -- --/* This is the only Exim header that you should include. The effect of --including any other Exim header is not defined, and may change from release to --release. Use only the documented interface! */ -- --#include "local_scan.h" -- -- --/* This is a "do-nothing" version of a local_scan() function. The arguments --are: -- -- fd The file descriptor of the open -D file, which contains the -- body of the message. The file is open for reading and -- writing, but modifying it is dangerous and not recommended. -- -- return_text A pointer to an unsigned char* variable which you can set in -- order to return a text string. It is initialized to NULL. -- --The return values of this function are: -- -- LOCAL_SCAN_ACCEPT -- The message is to be accepted. The return_text argument is -- saved in $local_scan_data. -- -- LOCAL_SCAN_REJECT -- The message is to be rejected. The returned text is used -- in the rejection message. -- -- LOCAL_SCAN_TEMPREJECT -- This specifies a temporary rejection. The returned text -- is used in the rejection message. 
--*/ -+#ifdef DLOPEN_LOCAL_SCAN -+#include -+#include -+static int (*local_scan_fn)(int fd, uschar **return_text) = NULL; -+static int load_local_scan_library(void); -+#endif - - int - local_scan(int fd, uschar **return_text) - { --return LOCAL_SCAN_ACCEPT; -+#ifdef DLOPEN_LOCAL_SCAN -+/* local_scan_path is defined AND not the empty string */ -+if (local_scan_path && *local_scan_path) -+ { -+ if (!local_scan_fn) -+ { -+ if (!load_local_scan_library()) -+ { -+ char *base_msg , *error_msg , *final_msg ; -+ int final_length = -1 ; -+ -+ base_msg=US"Local configuration error - local_scan() library failure\n"; -+ error_msg = dlerror() ; -+ -+ final_length = strlen(base_msg) + strlen(error_msg) + 1 ; -+ final_msg = (char*)malloc( final_length*sizeof(char) ) ; -+ *final_msg = '\0' ; -+ -+ strcat( final_msg , base_msg ) ; -+ strcat( final_msg , error_msg ) ; -+ -+ *return_text = final_msg ; -+ return LOCAL_SCAN_TEMPREJECT; -+ } -+ } -+ return local_scan_fn(fd, return_text); -+ } -+else -+#endif -+ return LOCAL_SCAN_ACCEPT; -+ } -+ -+#ifdef DLOPEN_LOCAL_SCAN -+ -+static int load_local_scan_library(void) -+{ -+/* No point in keeping local_scan_lib since we'll never dlclose() anyway */ -+void *local_scan_lib = NULL; -+int (*local_scan_version_fn)(void); -+int vers_maj; -+int vers_min; -+ -+local_scan_lib = dlopen(local_scan_path, RTLD_NOW); -+if (!local_scan_lib) -+ { -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - " -+ "message temporarily rejected"); -+ return FALSE; -+ } -+ -+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major"); -+if (!local_scan_version_fn) -+ { -+ dlclose(local_scan_lib); -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " -+ "local_scan_version_major() function - message temporarily rejected"); -+ return FALSE; -+ } -+ -+/* The major number is increased when the ABI is changed in a non -+ backward compatible way. 
*/ -+vers_maj = local_scan_version_fn(); -+ -+local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor"); -+if (!local_scan_version_fn) -+ { -+ dlclose(local_scan_lib); -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " -+ "local_scan_version_minor() function - message temporarily rejected"); -+ return FALSE; -+ } -+ -+/* The minor number is increased each time a new feature is added (in a -+ way that doesn't break backward compatibility) -- Marc */ -+vers_min = local_scan_version_fn(); -+ -+ -+if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR) -+ { -+ dlclose(local_scan_lib); -+ local_scan_lib = NULL; -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major" -+ "version number, you need to recompile your module for this version" -+ "of exim (The module was compiled for version %d.%d and this exim provides" -+ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR, -+ LOCAL_SCAN_ABI_VERSION_MINOR); -+ return FALSE; -+ } -+else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR) -+ { -+ dlclose(local_scan_lib); -+ local_scan_lib = NULL; -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor" -+ "version number, you need to recompile your module for this version" -+ "of exim (The module was compiled for version %d.%d and this exim provides" -+ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR, -+ LOCAL_SCAN_ABI_VERSION_MINOR); -+ return FALSE; -+ } -+ -+local_scan_fn = dlsym(local_scan_lib, "local_scan"); -+if (!local_scan_fn) -+ { -+ dlclose(local_scan_lib); -+ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain " -+ "local_scan() function - message temporarily rejected"); -+ return FALSE; -+ } -+ -+return TRUE; - } - -+#endif /* DLOPEN_LOCAL_SCAN */ -+ - /* End of local_scan.c */ -diff --git a/src/readconf.c b/src/readconf.c -index 940c5d4..c2ddcf2 100644 ---- a/src/readconf.c -+++ b/src/readconf.c -@@ -219,6 +219,9 @@ static optionlist 
optionlist_config[] = { - { "local_from_prefix", opt_stringptr, {&local_from_prefix} }, - { "local_from_suffix", opt_stringptr, {&local_from_suffix} }, - { "local_interfaces", opt_stringptr, {&local_interfaces} }, -+#ifdef DLOPEN_LOCAL_SCAN -+ { "local_scan_path", opt_stringptr, &local_scan_path }, -+#endif - #ifdef HAVE_LOCAL_SCAN - { "local_scan_timeout", opt_time, {&local_scan_timeout} }, - #endif diff --git a/exim-4.98.2-no-gsasl.patch b/exim-4.98.2-no-gsasl.patch deleted file mode 100644 index 8ba9e1e..0000000 --- a/exim-4.98.2-no-gsasl.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/src/EDITME b/src/EDITME -index 473010b..1976437 100644 ---- a/src/EDITME -+++ b/src/EDITME -@@ -804,8 +804,8 @@ AUTH_CRAM_MD5=yes - AUTH_CYRUS_SASL=yes - AUTH_DOVECOT=yes - # AUTH_EXTERNAL=yes --AUTH_GSASL=yes --AUTH_GSASL_PC=libgsasl -+# AUTH_GSASL=yes -+# AUTH_GSASL_PC=libgsasl - # AUTH_HEIMDAL_GSSAPI=yes - # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi - # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5 diff --git a/exim-4.99.1-config.patch b/exim-4.99.1-config.patch new file mode 100644 index 0000000..bec3580 --- /dev/null +++ b/exim-4.99.1-config.patch 
@@ -0,0 +1,799 @@ +--- exim-4.99.1.orig/scripts/Configure-Makefile 2026-01-30 10:30:47.834924979 +0800 ++++ exim-4.99.1/scripts/Configure-Makefile 2026-01-30 11:52:29.722378196 +0800 +@@ -367,7 +367,7 @@ + + mv $mft $mftt + echo "PERL_CC=${perl_cc}" >>$mft +- echo "PERL_CCOPTS=${perl_ccopts}" >>$mft ++ echo "PERL_CCOPTS=${perl_ccopts} \$(CFLAGS)" >>$mft + echo "PERL_LIBS=${perl_libs}" >>$mft + echo "PERL_CFLAGS=${perl_cflags}" >>$mft + echo "PERL_LFLAGS=${perl_lflags}" >>$mft +--- exim-4.99.1.orig/src/EDITME 2026-01-30 10:30:47.833924976 +0800 ++++ exim-4.99.1/src/EDITME 2026-01-30 11:52:59.213474957 +0800 +@@ -104,7 +104,7 @@ + # /usr/local/sbin. The installation script will try to create this directory, + # and any superior directories, if they do not exist. + +-BIN_DIRECTORY=/usr/exim/bin ++BIN_DIRECTORY=/usr/sbin + + + #------------------------------------------------------------------------------ +@@ -120,7 +120,7 @@ + # don't exist. It will also install a default runtime configuration if this + # file does not exist. + +-CONFIGURE_FILE=/usr/exim/configure ++CONFIGURE_FILE=/etc/exim/exim.conf + + # It is possible to specify a colon-separated list of files for CONFIGURE_FILE. + # In this case, Exim will use the first of them that exists when it is run. +@@ -137,7 +137,7 @@ + # deliveries. (Local deliveries run as various non-root users, typically as the + # owner of a local mailbox.) Specifying these values as root is not supported. + +-EXIM_USER= ++EXIM_USER=93 + + # If you specify EXIM_USER as a name, this is looked up at build time, and the + # uid number is built into the binary. However, you can specify that this +@@ -158,7 +158,7 @@ + # for EXIM_USER (e.g. EXIM_USER=exim), you don't need to set EXIM_GROUP unless + # you want to use a group other than the default group for the given user. 
+ +-# EXIM_GROUP= ++EXIM_GROUP=93 + + # Many sites define a user called "exim", with an appropriate default group, + # and use +@@ -215,10 +215,10 @@ + # If you are building with TLS, the library configuration must be done: + + # Uncomment this if you are using OpenSSL +-# USE_OPENSSL=yes ++USE_OPENSSL=yes + # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not + # and an optional location. +-# USE_OPENSSL_PC=openssl ++USE_OPENSSL_PC=openssl + # TLS_LIBS=-lssl -lcrypto + # TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto + +@@ -362,7 +362,7 @@ + # This one is special-purpose, and commonly not required, so it is not + # included by default. + +-# TRANSPORT_LMTP=yes ++TRANSPORT_LMTP=yes + + + #------------------------------------------------------------------------------ +@@ -371,9 +371,9 @@ + # MBX, is included only when requested. If you do not know what this is about, + # leave these settings commented out. + +-# SUPPORT_MAILDIR=yes +-# SUPPORT_MAILSTORE=yes +-# SUPPORT_MBX=yes ++SUPPORT_MAILDIR=yes ++SUPPORT_MAILSTORE=yes ++SUPPORT_MBX=yes + + + #------------------------------------------------------------------------------ +@@ -434,22 +434,28 @@ + LOOKUP_LSEARCH=yes + LOOKUP_DNSDB=yes + +-# LOOKUP_CDB=yes +-# LOOKUP_DSEARCH=yes ++LOOKUP_CDB=yes ++LOOKUP_DSEARCH=yes + # LOOKUP_IBASE=yes + # LOOKUP_JSON=yes +-# LOOKUP_LDAP=yes ++LOOKUP_LDAP=yes ++LDAP_LIB_TYPE=OPENLDAP2 ++LOOKUP_LIBS=-lldap -llber -lsqlite3 + # LOOKUP_LMDB=yes + +-# LOOKUP_MYSQL=yes +-# LOOKUP_MYSQL_PC=mariadb ++LOOKUP_MYSQL=2 ++LOOKUP_MYSQL_PC=mysqlclient + # LOOKUP_NIS=yes + # LOOKUP_NISPLUS=yes ++CFLAGS+=-I/usr/include/nsl -I/usr/include/tirpc ++LIBS+=-L/usr/$(_lib)/nsl ++ + # LOOKUP_ORACLE=yes +-# LOOKUP_PASSWD=yes +-# LOOKUP_PGSQL=yes ++LOOKUP_PASSWD=yes ++LOOKUP_PGSQL=2 ++LOOKUP_PGSQL_LIBS=-lpq + # LOOKUP_REDIS=yes +-# LOOKUP_SQLITE=yes ++LOOKUP_SQLITE=yes + # LOOKUP_SQLITE_PC=sqlite3 + # LOOKUP_WHOSON=yes + +@@ -551,7 +557,7 @@ + # files are defaulted in the 
OS/Makefile-Default file, but can be overridden in + # local OS-specific make files. + +-# EXIM_MONITOR=eximon.bin ++EXIM_MONITOR=eximon.bin + + + #------------------------------------------------------------------------------ +@@ -583,7 +589,7 @@ + # and the MIME ACL. Please read the documentation to learn more about these + # features. + +-# WITH_CONTENT_SCAN=yes ++WITH_CONTENT_SCAN=yes + + # If you have content scanning you may wish to only include some of the scanner + # interfaces. Uncomment any of these lines to remove that code. +@@ -677,13 +683,13 @@ + # is historic). The same rules as for other module builds apply; use + # SUPPORT_DMARC_{INCLUDE,LIBS}. + # +-# SUPPORT_DMARC=yes ++SUPPORT_DMARC=yes + # CFLAGS += -I/usr/local/include +-# LDFLAGS += -lopendmarc ++LDFLAGS += -lopendmarc + # + # Uncomment the following if you need to change the default. You can + # override it at runtime (main config option dmarc_tld_file) +-# DMARC_TLD_FILE=/etc/exim/opendmarc.tlds ++DMARC_TLD_FILE=/usr/share/publicsuffix/public_suffix_list.dat + # + # Library version libopendmarc-1.4.1-1.fc33.x86_64 (on Fedora 33) is known broken; + # 1.3.2-3 works. It seems that the OpenDMARC project broke their API. +@@ -821,7 +827,7 @@ + # CONFIGURE_OWNER setting, to specify a configuration file which is listed in + # the TRUSTED_CONFIG_LIST file, then root privileges are not dropped by Exim. + +-# TRUSTED_CONFIG_LIST=/usr/exim/trusted_configs ++TRUSTED_CONFIG_LIST=/etc/exim/trusted-configs + + + #------------------------------------------------------------------------------ +@@ -879,18 +885,18 @@ + # core exim build. This gets them linked with the module instead. + # The heimdal does build but we have no test coverage so it is not know to work. 
+ +-# AUTH_CRAM_MD5=yes +-# AUTH_CYRUS_SASL=yes +-# AUTH_DOVECOT=yes ++AUTH_CRAM_MD5=yes ++AUTH_CYRUS_SASL=yes ++AUTH_DOVECOT=yes + # AUTH_EXTERNAL=yes +-# AUTH_GSASL=yes +-# AUTH_GSASL_PC=libgsasl ++AUTH_GSASL=yes ++AUTH_GSASL_PC=libgsasl + # AUTH_HEIMDAL_GSSAPI=yes + # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi + # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5 +-# AUTH_PLAINTEXT=yes +-# AUTH_SPA=yes +-# AUTH_TLS=yes ++AUTH_PLAINTEXT=yes ++AUTH_SPA=yes ++AUTH_TLS=yes + + # Heimdal through 1.5 required pkg-config 'heimdal-gssapi'; Heimdal 7.1 + # requires multiple pkg-config files to work with Exim, so the second example +@@ -917,7 +923,7 @@ + # one that is set in the headers_charset option. The default setting is + # defined by this setting: + +-HEADERS_CHARSET="ISO-8859-1" ++HEADERS_CHARSET="UTF-8" + + # If you are going to make use of $header_xxx expansions in your configuration + # file, or if your users are going to use them in filter files, and the normal +@@ -937,7 +943,7 @@ + # the Sieve filter support. For those OS where iconv() is known to be installed + # as standard, the file in OS/Makefile-xxxx contains + # +-# HAVE_ICONV=yes ++HAVE_ICONV=yes + # + # If you are not using one of those systems, but have installed iconv(), you + # need to uncomment that line above. In some cases, you may find that iconv() +@@ -1013,7 +1019,7 @@ + # Once you have done this, "make install" will build the info files and + # install them in the directory you have defined. + +-# INFO_DIRECTORY=/usr/share/info ++INFO_DIRECTORY=/usr/share/info + + + #------------------------------------------------------------------------------ +@@ -1026,7 +1032,7 @@ + # %s. This will be replaced by one of the strings "main", "panic", or "reject" + # to form the final file names. Some installations may want something like this: + +-# LOG_FILE_PATH=/var/log/exim_%slog ++LOG_FILE_PATH=/var/log/exim/%s.log + + # which results in files with names /var/log/exim_mainlog, etc. 
The directory + # in which the log files are placed must exist; Exim does not try to create +@@ -1099,7 +1105,7 @@ + # Perl costs quite a lot of resources. Only do this if you really need it. + # + +-# EXIM_PERL=perl.o ++EXIM_PERL=perl.o + + # For a dynamic module build add also SUPPORT_PERL=2 and SUPPORT_PAM_(INCLUED,LIBS) + #SUPPORT_PERL=2 +@@ -1114,7 +1120,7 @@ + # that the local_scan API is made available by the linker. You may also need + # to add -ldl to EXTRALIBS so that dlopen() is available to Exim. + +-# EXPAND_DLFUNC=yes ++EXPAND_DLFUNC=yes + + + #------------------------------------------------------------------------------ +@@ -1126,7 +1132,7 @@ + # + # For a dynamic module build add SUPPORT_PAM=2 and SUPPORT_PAM_LIBS=-lpam + +-# SUPPORT_PAM=yes ++SUPPORT_PAM=yes + + # You probably need to add -lpam to EXTRALIBS, and in some releases of + # GNU/Linux -ldl is also needed. +@@ -1138,12 +1144,12 @@ + # If you may want to use outbound (client-side) proxying, using Socks5, + # uncomment the line below. + +-# SUPPORT_SOCKS=yes ++SUPPORT_SOCKS=yes + + # If you may want to use inbound (server-side) proxying, using Proxy Protocol, + # uncomment the line below. + +-# SUPPORT_PROXY=yes ++SUPPORT_PROXY=yes + + + #------------------------------------------------------------------------------ +@@ -1176,9 +1182,9 @@ + # is historic). The same rules as for other module builds apply; use + # SUPPORT_SPF_{INCLUDE,LIBS}. + +-# SUPPORT_SPF=yes ++SUPPORT_SPF=yes + # CFLAGS += -I/usr/local/include +-# LDFLAGS += -lspf2 ++LDFLAGS += -lspf2 + + + #------------------------------------------------------------------------------ +@@ -1246,7 +1252,7 @@ + # group. Once you have installed saslauthd, you should arrange for it to be + # started by root at boot time. 
+ +-# CYRUS_SASLAUTHD_SOCKET=/var/state/saslauthd/mux ++CYRUS_SASLAUTHD_SOCKET=/var/run/saslauthd/mux + + + #------------------------------------------------------------------------------ +@@ -1288,7 +1294,7 @@ + # is "yes", as well as supporting line editing, a history of input lines in the + # current run is maintained. + +-# USE_READLINE=yes ++USE_READLINE=yes + + # You may need to add -ldl to EXTRALIBS when you set USE_READLINE=yes. + # Note that this option adds to the size of the Exim binary, because the +@@ -1305,7 +1311,7 @@ + #------------------------------------------------------------------------------ + # Uncomment this setting to include IPv6 support. + +-# HAVE_IPV6=yes ++HAVE_IPV6=yes + + ############################################################################### + # THINGS YOU ALMOST NEVER NEED TO MENTION # +@@ -1326,13 +1332,13 @@ + # haven't got Perl, Exim will still build and run; you just won't be able to + # use those utilities. + +-# CHOWN_COMMAND=/usr/bin/chown +-# CHGRP_COMMAND=/usr/bin/chgrp +-# CHMOD_COMMAND=/usr/bin/chmod +-# MV_COMMAND=/bin/mv +-# RM_COMMAND=/bin/rm +-# TOUCH_COMMAND=/usr/bin/touch +-# PERL_COMMAND=/usr/bin/perl ++CHOWN_COMMAND=/usr/bin/chown ++CHGRP_COMMAND=/usr/bin/chgrp ++CHMOD_COMMAND=/usr/bin/chmod ++MV_COMMAND=/usr/bin/mv ++RM_COMMAND=/usr/bin/rm ++TOUCH_COMMAND=/usr/bin/touch ++PERL_COMMAND=/usr/bin/perl + + + #------------------------------------------------------------------------------ +@@ -1534,7 +1540,7 @@ + # (process id) to a file so that it can easily be identified. The path of the + # file can be specified here. Some installations may want something like this: + +-# PID_FILE_PATH=/var/lock/exim.pid ++PID_FILE_PATH=/var/run/exim.pid + + # If PID_FILE_PATH is not defined, Exim writes a file in its spool directory + # using the name "exim-daemon.pid". +@@ -1615,3 +1621,8 @@ + # DISABLE_CLIENT_CMD_LOG=yes + + # End of EDITME for Exim. 
++ ++#------------------------------------------------------------------------------ ++# RPM build configuration ++CFLAGS+=$(RPM_OPT_FLAGS) $(PIE) ++EXTRALIBS_EXIM=-lpam -ldl -export-dynamic -rdynamic +--- exim-4.99.1.orig/src/configure.default 2026-01-30 10:30:47.833924976 +0800 ++++ exim-4.99.1/src/configure.default 2026-01-30 11:44:50.309870731 +0800 +@@ -67,7 +67,7 @@ + # +local_domains, +relay_to_domains, and +relay_from_hosts, respectively. They + # are all colon-separated lists: + +-domainlist local_domains = @ ++domainlist local_domains = @ : localhost : localhost.localdomain + domainlist relay_to_domains = + hostlist relay_from_hosts = localhost + # (We rely upon hostname resolution working for localhost, because the default +@@ -119,11 +119,13 @@ + # manual for details. The lists above are used in the access control lists for + # checking incoming messages. The names of these ACLs are defined here: + ++acl_smtp_mail = acl_check_mail + acl_smtp_rcpt = acl_check_rcpt + .ifdef _HAVE_PRDR + acl_smtp_data_prdr = acl_check_prdr + .endif + acl_smtp_data = acl_check_data ++acl_smtp_mime = acl_check_mime + + # You should not change those settings until you understand how ACLs work. + +@@ -136,7 +138,7 @@ + # of what to set for other virus scanners. The second modification is in the + # acl_check_data access control list (see below). + +-# av_scanner = clamd:/tmp/clamd ++av_scanner = clamd:/var/run/clamd.exim/clamd.sock + + + # For spam scanning, there is a similar option that defines the interface to +@@ -147,6 +149,12 @@ + # spamd_address = 127.0.0.1 783 + + ++# Set the default sqlite database file for greylisting. Uncomment this ++# if you use the greylisting ACLs defined below. ++ ++# sqlite_dbfile = /var/spool/exim/db/greylist.db ++ ++ + # If Exim is compiled with support for TLS, you may want to change the + # following option so that Exim disallows certain clients from makeing encrypted + # connections. The default is to allow all. 
+@@ -157,7 +165,7 @@ + + # This is equivalent to the default. + +-# tls_advertise_hosts = * ++tls_advertise_hosts = * + + # Specify the location of the Exim server's TLS certificate and private key. + # The private key must not be encrypted (password protected). You can put +@@ -165,8 +173,8 @@ + # need the first setting, or in separate files, in which case you need both + # options. + +-# tls_certificate = /etc/ssl/exim.crt +-# tls_privatekey = /etc/ssl/exim.pem ++tls_certificate = /etc/pki/tls/certs/exim.pem ++tls_privatekey = /etc/pki/tls/private/exim.pem + + # For OpenSSL, prefer EC- over RSA-authenticated ciphers + .ifdef _HAVE_OPENSSL +@@ -193,8 +201,8 @@ + # them you should also allow TLS-on-connect on the traditional (and now + # standard) port 465. + +-# daemon_smtp_ports = 25 : 465 : 587 +-# tls_on_connect_ports = 465 ++daemon_smtp_ports = 25 : 465 : 587 ++tls_on_connect_ports = 465 + + + # Specify the domain you want to be added to all unqualified addresses +@@ -252,6 +260,24 @@ + + host_lookup = * + ++# This setting, if uncommented, allows users to authenticate using ++# their system passwords against saslauthd if they connect over a ++# secure connection. If you have network logins such as NIS or ++# Kerberos rather than only local users, then you possibly also want ++# to configure /etc/sysconfig/saslauthd to use the 'pam' mechanism ++# too. Once a user is authenticated, the acl_check_rcpt ACL then ++# allows them to relay through the system. ++# ++# auth_advertise_hosts = ${if eq {$tls_cipher}{}{}{*}} ++# ++# By default, we set this option to allow SMTP AUTH from nowhere ++# (Exim's default would be to allow it from anywhere, even on an ++# unencrypted connection). ++# ++# Comment this one out if you uncomment the above. Did you make sure ++# saslauthd is actually running first? ++# ++auth_advertise_hosts = + + # The setting below causes Exim to try to initialize the system resolver + # library with DNSSEC support. 
It has no effect if your library lacks +@@ -382,8 +408,8 @@ + # Note that TZ is handled separately by the timezone runtime option + # and TIMEZONE_DEFAULT buildtime option. + +-# keep_environment = ^LDAP +-# add_environment = PATH=/usr/bin::/bin ++keep_environment = ^LDAP ++add_environment = PATH=/usr/bin::/bin + + + +@@ -394,6 +420,29 @@ + + begin acl + ++ ++# This access control list is used for the MAIL command in an incoming ++# SMTP message. ++ ++acl_check_mail: ++ ++ # Hosts are required to say HELO (or EHLO) before sending mail. ++ # So don't allow them to use the MAIL command if they haven't ++ # done so. ++ ++ deny condition = ${if eq{$sender_helo_name}{} {1}} ++ message = Nice boys say HELO first ++ ++ # Use the lack of reverse DNS to trigger greylisting. Some people ++ # even reject for it but that would be a little excessive. ++ ++ warn condition = ${if eq{$sender_host_name}{} {1}} ++ set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons ++ ++ accept ++ ++ ++ + # This access control list is used for every RCPT command in an incoming + # SMTP message. The tests are run in order until the address is either + # accepted or denied. +@@ -405,6 +454,7 @@ + + accept hosts = : + control = dkim_disable_verify ++ control = dmarc_disable_verify + + ############################################################################# + # The following section of the ACL is concerned with local parts that contain +@@ -458,7 +508,8 @@ + accept local_parts = postmaster + domains = +local_domains + +- # Deny unless the sender address can be verified. ++ # Deny unless the sender address can be routed. For proper verification of the ++ # address, read the documentation on callouts and add the /callout modifier. 
+ + require verify = sender + +@@ -498,6 +549,7 @@ + accept hosts = +relay_from_hosts + control = submission + control = dkim_disable_verify ++ control = dmarc_disable_verify + + # Accept if the message arrived over an authenticated connection, from + # any host. Again, these messages are usually from MUAs, so recipient +@@ -507,6 +559,7 @@ + accept authenticated = * + control = submission + control = dkim_disable_verify ++ control = dmarc_disable_verify + + # Insist that any other recipient address that we accept is either in one of + # our local domains, or is in a domain for which we explicitly allow +@@ -527,7 +580,8 @@ + # There are no default checks on DNS black lists because the domains that + # contain these lists are changing all the time. However, here are two + # examples of how you can get Exim to perform a DNS black list lookup at this +- # point. The first one denies, whereas the second just warns. ++ # point. The first one denies, whereas the second just warns. The third ++ # triggers greylisting for any host in the blacklist. 
+ # + # deny dnslists = black.list.example + # message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text +@@ -535,6 +589,10 @@ + # warn dnslists = black.list.example + # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain + # log_message = found in $dnslist_domain ++ # ++ # warn dnslists = black.list.example ++ # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons ++ # + ############################################################################# + + ############################################################################# +@@ -561,6 +619,10 @@ + # set acl_m_content_filter = ${lookup PER_RCPT_CONTENT_FILTER} + ############################################################################# + ++ # Alternatively, greylist for it: ++ # warn !verify = csa ++ # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons ++ + # At this point, the address has passed all the checks that have been + # configured, so we accept it unconditionally. + +@@ -610,21 +672,32 @@ + message = header syntax + log_message = header syntax ($acl_verify_message) + ++ # Put simple tests first. A good one is to check for the presence of a ++ # Message-Id: header, which RFC2822 says SHOULD be present. Some broken ++ # or misconfigured mailer software occasionally omits this from genuine ++ # messages too, though -- although it's not hard for the offender to fix ++ # after they receive a bounce because of it. ++ # ++ # deny condition = ${if !def:h_Message-ID: {1}} ++ # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ ++ # Most messages without it are spam, so your mail has been rejected. ++ # ++ # Alternatively if we're feeling more lenient we could just use it to ++ # trigger greylisting instead: ++ ++ warn condition = ${if !def:h_Message-ID: {1}} ++ set acl_m_greylistreasons = Message lacks Message-Id: header. 
Consult RFC2822.\n$acl_m_greylistreasons
++
+ # Deny if the message contains a virus. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option above.
+ #
+ # deny malware = *
+ # message = This message contains a virus ($malware_name).
+
+- # Add headers to a message if it is judged to be spam. Before enabling this,
+- # you must install SpamAssassin. You may also need to set the spamd_address
+- # option above.
+- #
+- # warn spam = nobody
+- # add_header = X-Spam_score: $spam_score\n\
+- # X-Spam_score_int: $spam_score_int\n\
+- # X-Spam_bar: $spam_bar\n\
+- # X-Spam_report: $spam_report
++ # Bypass SpamAssassin checks if the message is too large.
++ #
++ # accept condition = ${if >={$message_size}{100000} {1}}
++ # add_header = X-Spam-Note: SpamAssassin run bypassed due to message size
+
+ #############################################################################
+ # No more tests if PRDR was actively used.
+@@ -638,11 +711,63 @@
+ # condition = ...
+ #############################################################################
+
++ # Run SpamAssassin, but allow for it to fail or time out. Add a warning message
++ # and accept the mail if that happens. Add an X-Spam-Flag: header if the SA
++ # score exceeds the SA system threshold.
++ #
++ # warn spam = nobody/defer_ok
++ # add_header = X-Spam-Flag: YES
++ #
++ # accept condition = ${if !def:spam_score_int {1}}
++ # add_header = X-Spam-Note: SpamAssassin invocation failed
++ #
++
++ # Unconditionally add score and report headers
++ #
++ # warn add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
++ # X-Spam-Report: $spam_report
+
+- # Accept the message.
++ # And reject if the SpamAssassin score is greater than ten
++ #
++ # deny condition = ${if >{$spam_score_int}{100} {1}}
++ # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\
++ # $spam_report
++
++ # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5
++ #
++ # warn condition = ${if >{$spam_score_int}{5} {1}}
++ # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons
++
++
++ # If you want to greylist _all_ mail rather than only mail which looks like there
++ # might be something wrong with it, then you can do this...
++ #
++ # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons
++
++ # Now, invoke the greylisting. For this you need to have installed the exim-greylist
++ # package which contains this subroutine, and you need to uncomment the bit below
++ # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty,
++ # greylisting will kick in and will defer the mail to check if the sender is a
++ # proper mail which which retries, or whether it's a zombie. For more details, see
++ # the exim-greylist.conf.inc file itself.
++ #
++ # require acl = greylist_mail
+
+ accept
+
++# To enable the greylisting, also uncomment this line:
++# .include /etc/exim/exim-greylist.conf.inc
++
++acl_check_mime:
++
++ # File extension filtering.
++ deny message = Blacklisted file extension detected
++ condition = ${if match \
++ {${lc:$mime_filename}} \
++ {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com)$\N} \
++ {1}{0}}
++
++ accept
+
+
+ ######################################################################
+@@ -744,7 +869,7 @@
+ driver = redirect
+ allow_fail
+ allow_defer
+- data = ${lookup{$local_part}lsearch{SYSTEM_ALIASES_FILE}}
++ data = ${lookup{$local_part}lsearch{/etc/aliases}}
+ # user = exim
+ file_transport = address_file
+ pipe_transport = address_pipe
+@@ -782,7 +907,7 @@
+ # local_part_suffix = +* : -*
+ # local_part_suffix_optional
+ file = $home/.forward
+-# allow_filter
++ allow_filter
+ no_verify
+ no_expn
+ check_ancestor
+@@ -790,6 +915,12 @@
+ pipe_transport = address_pipe
+ reply_transport = address_reply
+
++procmail:
++ driver = accept
++ check_local_user
++ require_files = ${local_part}:+${home}/.procmailrc:/usr/bin/procmail
++ transport = procmail
++ no_verify
+
+ # This router matches local user mailboxes. If the router fails, the error
+ # message is "Unknown user".
+@@ -830,6 +961,25 @@
+ tls_resumption_hosts = *
+ .endif
+
++# This transport is used for delivering messages over SMTP using the
++# "message submission" port (RFC4409).
++
++remote_msa:
++ driver = smtp
++ port = 587
++ hosts_require_auth = *
++
++
++# This transport invokes procmail to deliver mail
++procmail:
++ driver = pipe
++ command = "/usr/bin/procmail -d $local_part"
++ return_path_add
++ delivery_date_add
++ envelope_to_add
++ user = $local_part
++ initgroups
++ return_output
+
+ # This transport is used for delivering messages to a smarthost, if the
+ # smarthost router is enabled. This starts from the same basis as
+@@ -884,8 +1034,8 @@
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+-# group = mail
+-# mode = 0660
++ group = mail
++ mode = 0660
+
+
+ # This transport is used for handling pipe deliveries generated by alias or
+@@ -918,6 +1068,16 @@
+ driver = autoreply
+
+
++# This transport is used to deliver local mail to cyrus IMAP server via UNIX
++# socket. You'll need to configure the 'localuser' router above to use it.
++#
++#lmtp_delivery:
++# home_directory = /var/spool/imap
++# driver = lmtp
++# command = "/usr/lib/cyrus-imapd/deliver -l"
++# batch_max = 20
++# user = cyrus
++
+
+ ######################################################################
+ # RETRY CONFIGURATION #
+@@ -958,6 +1118,21 @@
+ # AUTHENTICATION CONFIGURATION #
+ ######################################################################
+
++begin authenticators
++
++# This authenticator supports CRAM-MD5 username/password authentication
++# with Exim acting as a _client_, as it might when sending its outgoing
++# mail to a smarthost rather than directly to the final recipient.
++# Replace SMTPAUTH_USERNAME and SMTPAUTH_PASSWORD as appropriate.
++
++#client_auth:
++# driver = cram_md5
++# public_name = CRAM-MD5
++# client_name = SMTPAUTH_USERNAME
++# client_secret = SMTPAUTH_PASSWORD
++
++#
++
+ # The following authenticators support plaintext username/password
+ # authentication using the standard PLAIN mechanism and the traditional
+ # but non-standard LOGIN mechanism, with Exim acting as the server.
+@@ -973,7 +1148,7 @@
+ # The default RCPT ACL checks for successful authentication, and will accept
+ # messages from authenticated users from anywhere on the Internet.
+
+-begin authenticators
++#
+
+ # PLAIN authentication has no server prompts. The client sends its
+ # credentials in one lump, containing an authorization ID (which we do not
+@@ -987,7 +1162,7 @@
+ # driver = plaintext
+ # server_set_id = $auth2
+ # server_prompts = :
+-# server_condition = Authentication is not yet configured
++# server_condition = ${if saslauthd{{$2}{$3}{smtp}} {1}}
+ # server_advertise_condition = ${if def:tls_in_cipher }
+
+ # LOGIN authentication has traditional prompts and responses. There is no
+@@ -999,7 +1174,7 @@
+ # driver = plaintext
+ # server_set_id = $auth1
+ # server_prompts = <| Username: | Password:
+-# server_condition = Authentication is not yet configured
++# server_condition = ${if saslauthd{{$1}{$2}{smtp}} {1}}
+ # server_advertise_condition = ${if def:tls_in_cipher }
+
+
diff --git a/exim-4.99.1-dlopen-localscan.patch b/exim-4.99.1-dlopen-localscan.patch
new file mode 100644
index 0000000..9396cf9
--- /dev/null
+++ b/exim-4.99.1-dlopen-localscan.patch
@@ -0,0 +1,259 @@
+--- exim-4.99.1.orig/src/EDITME 2026-01-30 10:30:47.833924976 +0800
++++ exim-4.99.1/src/EDITME 2026-01-30 11:15:31.410856126 +0800
+@@ -998,6 +998,21 @@
+
+
+ #------------------------------------------------------------------------------
++# On systems which support dynamic loading of shared libraries, Exim can
++# load a local_scan function specified in its config file instead of having
++# to be recompiled with the desired local_scan function. For a full
++# description of the API to this function, see the Exim specification.
++
++DLOPEN_LOCAL_SCAN=yes
++HAVE_LOCAL_SCAN=yes
++
++# If you set DLOPEN_LOCAL_SCAN, then you need to include -rdynamic in the
++# linker flags. Without it, the loaded .so won't be able to access any
++# functions from exim.
++
++LFLAGS=-rdynamic -ldl -pie
++
++#------------------------------------------------------------------------------
+ # The default distribution of Exim contains only the plain text form of the
+ # documentation. Other forms are available separately. If you want to install
+ # the documentation in "info" format, first fetch the Texinfo documentation
+--- exim-4.99.1.orig/src/config.h.defaults 2026-01-30 10:30:47.833924976 +0800
++++ exim-4.99.1/src/config.h.defaults 2026-01-30 11:15:31.410856126 +0800
+@@ -33,6 +33,8 @@
+
+ #define AUTH_VARS 4
+
++#define DLOPEN_LOCAL_SCAN
++
+ #define BIN_DIRECTORY
+
+ #define CONFIGURE_FILE
+--- exim-4.99.1.orig/src/globals.c 2026-01-30 10:30:47.832924972 +0800
++++ exim-4.99.1/src/globals.c 2026-01-30 11:15:31.410856126 +0800
+@@ -156,6 +156,10 @@
+ uschar *tls_advertise_hosts = NULL;
+ #endif
+
++#ifdef DLOPEN_LOCAL_SCAN
++uschar *local_scan_path = NULL;
++#endif
++
+ #ifndef DISABLE_PRDR
+ /* Per Recipient Data Response variables */
+ BOOL prdr_enable = FALSE;
+--- exim-4.99.1.orig/src/globals.h 2026-01-30 10:30:47.832924972 +0800
++++ exim-4.99.1/src/globals.h 2026-01-30 11:15:31.410856126 +0800
+@@ -157,6 +157,11 @@
+ extern int tls_watch_fd; /* for inotify of creds files */
+ extern time_t tls_watch_trigger_time; /* non-0: triggered */
+ #endif
++
++#ifdef DLOPEN_LOCAL_SCAN
++extern uschar *local_scan_path; /* Path to local_scan() library */
++#endif
++
+ extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
+
+ extern uschar *dsn_envid; /* DSN envid string */
+--- exim-4.99.1.orig/src/local_scan.c 2026-01-30 10:30:47.831924969 +0800
++++ exim-4.99.1/src/local_scan.c 2026-01-30 11:15:31.410856126 +0800
+@@ -7,59 +7,134 @@
+ /* See the file NOTICE for conditions of use and distribution. */
+ /* SPDX-License-Identifier: GPL-2.0-or-later */
+
++#include
+
+-/******************************************************************************
+-This file contains a template local_scan() function that just returns ACCEPT.
+-If you want to implement your own version, you should copy this file to, say
+-Local/local_scan.c, and edit the copy. To use your version instead of the
+-default, you must set
+-
+-HAVE_LOCAL_SCAN=yes
+-LOCAL_SCAN_SOURCE=Local/local_scan.c
+-
+-in your Local/Makefile. This makes it easy to copy your version for use with
+-subsequent Exim releases.
+-
+-For a full description of the API to this function, see the Exim specification.
+-******************************************************************************/
+-
+-
+-/* This is the only Exim header that you should include. The effect of
+-including any other Exim header is not defined, and may change from release to
+-release. Use only the documented interface! */
+-
+-#include "local_scan.h"
+-
+-
+-/* This is a "do-nothing" version of a local_scan() function. The arguments
+-are:
+-
+- fd The file descriptor of the open -D file, which contains the
+- body of the message. The file is open for reading and
+- writing, but modifying it is dangerous and not recommended.
+-
+- return_text A pointer to an unsigned char* variable which you can set in
+- order to return a text string. It is initialized to NULL.
+-
+-The return values of this function are:
+-
+- LOCAL_SCAN_ACCEPT
+- The message is to be accepted. The return_text argument is
+- saved in $local_scan_data.
+-
+- LOCAL_SCAN_REJECT
+- The message is to be rejected. The returned text is used
+- in the rejection message.
+-
+- LOCAL_SCAN_TEMPREJECT
+- This specifies a temporary rejection. The returned text
+- is used in the rejection message.
+-*/
++#ifdef DLOPEN_LOCAL_SCAN
++extern uschar *local_scan_path; /* Path to local_scan() library */
++#endif
++
++#ifdef DLOPEN_LOCAL_SCAN
++#include
++#include
++static int (*local_scan_fn)(int fd, uschar **return_text) = NULL;
++static int load_local_scan_library(void);
++#endif
+
+ int
+ local_scan(int fd, uschar **return_text)
+ {
+-return LOCAL_SCAN_ACCEPT;
++#ifdef DLOPEN_LOCAL_SCAN
++/* local_scan_path is defined AND not the empty string */
++if (local_scan_path && *local_scan_path)
++ {
++ if (!local_scan_fn)
++ {
++ if (!load_local_scan_library())
++ {
++ char *base_msg , *error_msg , *final_msg ;
++ int final_length = -1 ;
++
++ base_msg=US"Local configuration error - local_scan() library failure\n";
++ error_msg = dlerror() ;
++
++ final_length = strlen(base_msg) + strlen(error_msg) + 1 ;
++ final_msg = (char*)malloc( final_length*sizeof(char) ) ;
++ *final_msg = '\0' ;
++
++ strcat( final_msg , base_msg ) ;
++ strcat( final_msg , error_msg ) ;
++
++ *return_text = final_msg ;
++ return LOCAL_SCAN_TEMPREJECT;
++ }
++ }
++ return local_scan_fn(fd, return_text);
++ }
++else
++#endif
++ return LOCAL_SCAN_ACCEPT;
++ }
++
++#ifdef DLOPEN_LOCAL_SCAN
++
++static int load_local_scan_library(void)
++{
++/* No point in keeping local_scan_lib since we'll never dlclose() anyway */
++void *local_scan_lib = NULL;
++int (*local_scan_version_fn)(void);
++int vers_maj;
++int vers_min;
++
++local_scan_lib = dlopen(local_scan_path, RTLD_NOW);
++if (!local_scan_lib)
++ {
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library open failed - "
++ "message temporarily rejected");
++ return FALSE;
++ }
++
++local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_major");
++if (!local_scan_version_fn)
++ {
++ dlclose(local_scan_lib);
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
++ "local_scan_version_major() function - message temporarily rejected");
++ return FALSE;
++ }
++
++/* The major number is increased when the ABI is changed in a non
++ backward compatible way. */
++vers_maj = local_scan_version_fn();
++
++local_scan_version_fn = dlsym(local_scan_lib, "local_scan_version_minor");
++if (!local_scan_version_fn)
++ {
++ dlclose(local_scan_lib);
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
++ "local_scan_version_minor() function - message temporarily rejected");
++ return FALSE;
++ }
++
++/* The minor number is increased each time a new feature is added (in a
++ way that doesn't break backward compatibility) -- Marc */
++vers_min = local_scan_version_fn();
++
++
++if (vers_maj != LOCAL_SCAN_ABI_VERSION_MAJOR)
++ {
++ dlclose(local_scan_lib);
++ local_scan_lib = NULL;
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible major"
++ "version number, you need to recompile your module for this version"
++ "of exim (The module was compiled for version %d.%d and this exim provides"
++ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
++ LOCAL_SCAN_ABI_VERSION_MINOR);
++ return FALSE;
++ }
++else if (vers_min > LOCAL_SCAN_ABI_VERSION_MINOR)
++ {
++ dlclose(local_scan_lib);
++ local_scan_lib = NULL;
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() has an incompatible minor"
++ "version number, you need to recompile your module for this version"
++ "of exim (The module was compiled for version %d.%d and this exim provides"
++ "ABI version %d.%d)", vers_maj, vers_min, LOCAL_SCAN_ABI_VERSION_MAJOR,
++ LOCAL_SCAN_ABI_VERSION_MINOR);
++ return FALSE;
++ }
++
++local_scan_fn = dlsym(local_scan_lib, "local_scan");
++if (!local_scan_fn)
++ {
++ dlclose(local_scan_lib);
++ log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() library doesn't contain "
++ "local_scan() function - message temporarily rejected");
++ return FALSE;
++ }
++
++return TRUE;
+ }
+
++#endif /* DLOPEN_LOCAL_SCAN */
++
+ /* End of local_scan.c */
+--- exim-4.99.1.orig/src/readconf.c 2026-01-30 10:30:47.830924966 +0800
++++ exim-4.99.1/src/readconf.c 2026-01-30 11:15:31.411856129 +0800
+@@ -218,6 +218,9 @@
+ { "local_from_prefix", opt_stringptr, {&local_from_prefix} },
+ { "local_from_suffix", opt_stringptr, {&local_from_suffix} },
+ { "local_interfaces", opt_stringptr, {&local_interfaces} },
++#ifdef DLOPEN_LOCAL_SCAN
++ { "local_scan_path", opt_stringptr, &local_scan_path },
++#endif
+ #ifdef HAVE_LOCAL_SCAN
+ { "local_scan_timeout", opt_time, {&local_scan_timeout} },
+ #endif
diff --git a/exim-4.99.1-no-gsasl.patch b/exim-4.99.1-no-gsasl.patch
new file mode 100644
index 0000000..8ba9e1e
--- /dev/null
+++ b/exim-4.99.1-no-gsasl.patch
@@ -0,0 +1,15 @@
+diff --git a/src/EDITME b/src/EDITME
+index 473010b..1976437 100644
+--- a/src/EDITME
++++ b/src/EDITME
+@@ -804,8 +804,8 @@ AUTH_CRAM_MD5=yes
+ AUTH_CYRUS_SASL=yes
+ AUTH_DOVECOT=yes
+ # AUTH_EXTERNAL=yes
+-AUTH_GSASL=yes
+-AUTH_GSASL_PC=libgsasl
++# AUTH_GSASL=yes
++# AUTH_GSASL_PC=libgsasl
+ # AUTH_HEIMDAL_GSSAPI=yes
+ # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi
+ # AUTH_HEIMDAL_GSSAPI_PC=heimdal-gssapi heimdal-krb5
diff --git a/exim.spec b/exim.spec
index b8398d6..87cc5d9 100644
--- a/exim.spec
+++ b/exim.spec
@@ -3,7 +3,7 @@
Summary: The exim mail transfer agent
Name: exim
-Version: 4.98.2
+Version: 4.99.1
Release: 1
License: GPLv2+
Url: https://www.exim.org/
@@ -35,11 +35,11 @@ Source10: exim.service
Source11: exim-gen-cert
Source12: clamd.exim.service
-Patch0: exim-4.98.2-config.patch
+Patch0: exim-4.99.1-config.patch
Patch1: exim-4.94-libdir.patch
-Patch2: exim-4.98.2-dlopen-localscan.patch
+Patch2: exim-4.99.1-dlopen-localscan.patch
Patch3: exim-4.96-pic.patch
-Patch4: exim-4.98.2-no-gsasl.patch
+Patch4: exim-4.99.1-no-gsasl.patch
Requires: /etc/pki/tls/certs /etc/pki/tls/private
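Review bot: In the local_scan.c hunk, `local_scan()` passes the result of `dlerror()` straight to `strlen()` and `strcat()`, but dlerror() returns NULL when no loader error is pending, which is exactly the state after `load_local_scan_library()` fails on the ABI major/minor comparison (dlopen and both dlsym calls succeeded, then dlclose), so a module built against another ABI version crashes the process instead of producing the intended temporary rejection. Guard the value before using it: `error_msg = dlerror(); if (!error_msg) error_msg = "see main log";`. The `log_write` calls in the two version-mismatch branches also concatenate adjacent literals with no separating space, so the logged text reads `majorversion`, `versionof` and `providesABI`; a trailing space on each fragment fixes it. The two `++#include` lines in local_scan.c carry no header name on this page, which looks like an extraction artifact rather than the patch content, but is worth confirming against the file in the repository.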
@@ -57,7 +57,7 @@ BuildRequires: sqlite-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: libspf2-devel
BuildRequires: libopendmarc-devel
-BuildRequires: mariadb-connector-c-devel
+BuildRequires: greatsql-devel
BuildRequires: libpq-devel
BuildRequires: libXaw-devel
BuildRequires: libXmu-devel
@@ -73,7 +73,6 @@ BuildRequires: libXt-devel
BuildRequires: perl(ExtUtils::Embed)
BuildRequires: systemd-units
BuildRequires: libgsasl-devel
-BuildRequires: mariadb-devel
BuildRequires: libnsl2-devel
BuildRequires: libtirpc-devel
BuildRequires: gnupg2
@@ -203,7 +202,7 @@ install -m 4775 exim $RPM_BUILD_ROOT%{_sbindir}
for i in eximon eximon.bin exim_dumpdb exim_fixdb exim_tidydb \
exinext exiwhat exim_dbmbuild exicyclog exim_lock \
exigrep eximstats exipick exiqgrep exiqsumm \
- exim_checkaccess convert4r4
+ exim_checkaccess
do
install -m 0755 $i $RPM_BUILD_ROOT%{_sbindir}
done
@@ -383,7 +382,6 @@ fi
%{_sbindir}/exiqsumm
%{_sbindir}/exim_lock
%{_sbindir}/exim_checkaccess
-%{_sbindir}/convert4r4
%{_sbindir}/sendmail.exim
%{_bindir}/mailq.exim
%{_bindir}/runq.exim
@@ -480,6 +478,11 @@ fi
%{_sysconfdir}/cron.daily/greylist-tidy.sh
%changelog
+* Fri Jan 30 2026 zhuchao - 4.99.1-1
+- Upgrade to 4.99.1 to fix CVE-2025-67896 (Remote heap corruption)
+- Adapted all patches for 4.99.1 compatibility
+- Removed exim-4.98.2-no-gsasl.patch (no longer needed in 4.99.1)
+
* Sun May 25 2025 zhuchao - 4.98.2-1
- DESC: upgrade to 4.98.2 to resolve the to CVE-2025-26794 to CVE-2025-30232
diff --git a/sources b/sources
index 2d0b336..8164580 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-7ed3e24c1eef44824b79b4c442f99f0b exim-4.98.2.tar.xz
+281df763c79f1d68cb4f9ee9c9d8a2e1 exim-4.99.1.tar.xz
-- cgit v1.2.3
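Review bot: The new changelog entry in hunk `@@ -480,6 +478,11 @@` states `Removed exim-4.98.2-no-gsasl.patch (no longer needed in 4.99.1)`, but the same commit adds `exim-4.99.1-no-gsasl.patch` and keeps it applied as `Patch4` in hunk `@@ -35,11 +35,11 @@`, so the patch was rebased and renamed rather than removed; something like `- Rebased the no-gsasl patch as exim-4.99.1-no-gsasl.patch` would describe what actually changed. The replacement of `mariadb-connector-c-devel` and `mariadb-devel` with `greatsql-devel` in hunks `@@ -57,7 +57,7 @@` and `@@ -73,7 +73,6 @@` changes which client library the MySQL lookup links against and is not recorded in the changelog at all. Dropping `convert4r4` from the install loop and from `%files` is consistent between the two hunks, but it is a user-visible removal that the entry should also mention.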