diff options
Diffstat (limited to 'debian/patches/75_18-update-doc.patch')
-rw-r--r-- | debian/patches/75_18-update-doc.patch | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/debian/patches/75_18-update-doc.patch b/debian/patches/75_18-update-doc.patch new file mode 100644 index 0000000..2edba69 --- /dev/null +++ b/debian/patches/75_18-update-doc.patch @@ -0,0 +1,154 @@ +From 77cc1ad3058e4ef7ae82adb914ccff0be9fe2c8b Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Sat, 3 Apr 2021 09:29:13 +0200 +Subject: [PATCH 18/23] update doc + +--- + doc/doc-docbook/spec.xfpt | 45 ++++++++++++++++++++++++++++++++++++++- + doc/NewStuff | 45 +++++++++++++++++++++++++++++++++++++++ + 2 files changed, 89 insertions(+), 1 deletion(-) + +--- a/doc/NewStuff ++++ b/doc/NewStuff +@@ -4,10 +4,55 @@ + This file contains descriptions of new features that have been added to Exim. + Before a formal release, there may be quite a lot of detail so that people can + test from the snapshots or the Git before the documentation is updated. Once + the documentation is updated, this file is reduced to a short list. + ++Version 4.95 ++------------ ++ ++ 1. The fast-ramp two phase queue run support, previously experimental, is ++ now supported by default. ++ ++ 2. The native SRS support, previously experimental, is now supported. It is ++ not built unless specified in the Local/Makefile. ++ ++ 3. TLS resumption support, previously experimental, is now supported and ++ included in default builds. ++ ++ 4. Single-key LMDB lookups, previously experimental, are now supported. ++ The support is not built unless specified in the Local/Makefile. ++ ++ 5. Option "message_linelength_limit" on the smtp transport to enforce (by ++ default) the RFC 998 character limit. ++ ++ 6. An option to ignore the cache on a lookup. ++ ++ 7. Quota checking during reception (i.e. at SMTP time) for appendfile- ++ transport-managed quotas. ++ ++ 8. Sqlite lookups accept a "file=<path>" option to specify a per-operation ++ db file, replacing the previous prefix to the SQL string (which had ++ issues when the SQL used tainted values). ++ ++ 9. Lsearch lookups accept a "ret=full" option, to return both the portion ++ of the line matching the key, and the remainder. ++ ++10. A command-line option to have a daemon not create a notifier socket. ++ ++11. Faster TLS startup. When various configuration options contain no ++ expandable elements, the information can be preloaded and cached rather ++ than the provious behaviour of always loading at startup time for every ++ connection. This helps particularly for the CA bundle. ++ ++12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout" ++ main config option. ++ ++13. Option "smtp_accept_msx_per_connection" is now expanded. ++ ++13. A main config option "allow_insecure_tainted_data" allows to turn ++ taint errors into warnings. ++ + Version 4.94 + ------------ + + 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec + file. +--- a/doc/spec.txt ++++ b/doc/spec.txt +@@ -8650,12 +8650,20 @@ + Whether a string is expanded depends upon the context. Usually this is solely + dependent upon the option for which a value is sought; in this documentation, + options for which string expansion is performed are marked with * after the + data type. ACL rules always expand strings. A couple of expansion conditions do + not expand some of the brace-delimited branches, for security reasons, and +-expansion of data deriving from the sender ("tainted data") is not permitted. +- ++expansion of data deriving from the sender ("tainted data") is not permitted ++(including acessing a file using a tainted name). The main config ++option allow_insecure_tainted_data can be used as mitigation during ++uprades to more secure configurations. ++ ++Common ways of obtaining untainted equivalents of variables with tainted ++values come down to using the tainted value as a lookup key in a trusted ++database. This database could be the filesystem structure, or the ++password file, or accessed via a DBMS. Specific methods are indexed ++under "de-tainting". + + 11.1 Literal text in expanded strings + ------------------------------------- + + An uninterpreted dollar can be included in an expanded string by putting a +@@ -12946,10 +12954,12 @@ + + + 14.1 Miscellaneous + ------------------ + ++add_environment environment variables ++allow_insecure_tainted_data turn taint errors into warnings + bi_command to run for -bi command line option + debug_store do extra internal checks + disable_ipv6 do no IPv6 processing + keep_malformed for broken files - should not happen + localhost_number for unique message ids in clusters +@@ -13553,10 +13563,20 @@ + true, and also to add "@[]" to the list of local domains (defined in the named + domain list local_domains in the default configuration). This "magic string" + matches the domain literal form of all the local host's IP addresses. + + +-----------------------------------------------------+ ++|allow_insecure_tainted_data main boolean false | +++-----------------------------------------------------+ ++ ++The handling of tainted data may break older (pre 4.94) configurations. ++Setting this option to "true" turns taint errors (which result in a temporary ++message rejection) into warnings. This option is meant as mitigation only ++and deprecated already today. Future releases of Exim may ignore it. ++The taint log selector can be used to suppress even the warnings. ++ +++-----------------------------------------------------+ + |allow_mx_to_ip|Use: main|Type: boolean|Default: false| + +-----------------------------------------------------+ + + It appears that more and more DNS zone administrators are breaking the rules + and putting domain names that look like IP addresses on the right hand side of +@@ -35316,10 +35336,11 @@ + smtp_mailauth AUTH argument to MAIL commands + smtp_no_mail session with no MAIL commands + smtp_protocol_error SMTP protocol errors + smtp_syntax_error SMTP syntax errors + subject contents of Subject: on <= lines ++*taint taint errors or warnings + *tls_certificate_verified certificate verification status + *tls_cipher TLS cipher suite on <= and => lines + tls_peerdn TLS peer DN on <= and => lines + tls_sni TLS SNI on <= lines + unknown_in_list DNS lookup failed in list match +@@ -35604,11 +35625,13 @@ + + * tls_certificate_verified: An extra item is added to <= and => log lines + when TLS is in use. The item is "CV=yes" if the peer's certificate was + verified using a CA trust anchor, "CA=dane" if using a DNS trust anchor, + and "CV=no" if not. +- ++ * taint: Log warnings about tainted data. This selector can't be ++ turned of if allow_insecure_tainted_data is false (which is the ++ default). + * tls_cipher: When a message is sent or received over an encrypted + connection, the cipher suite used is added to the log line, preceded by X=. + + * tls_peerdn: When a message is sent or received over an encrypted + connection, and a certificate is supplied by the remote host, the peer DN |