Diffstat (limited to 'debian/patches/75_18-update-doc.patch')
-rw-r--r-- debian/patches/75_18-update-doc.patch | 154
1 files changed, 154 insertions, 0 deletions
diff --git a/debian/patches/75_18-update-doc.patch b/debian/patches/75_18-update-doc.patch
new file mode 100644
index 0000000..2edba69
--- /dev/null
+++ b/debian/patches/75_18-update-doc.patch
@@ -0,0 +1,154 @@
+From 77cc1ad3058e4ef7ae82adb914ccff0be9fe2c8b Mon Sep 17 00:00:00 2001
+From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de>
+Date: Sat, 3 Apr 2021 09:29:13 +0200
+Subject: [PATCH 18/23] update doc
+
+---
+ doc/doc-docbook/spec.xfpt | 45 ++++++++++++++++++++++++++++++++++++++-
+ doc/NewStuff | 45 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 89 insertions(+), 1 deletion(-)
+
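Review bot: the diffstat in the embedded patch header does not match the hunks that follow it. It lists doc/doc-docbook/spec.xfpt, but the second file header below is --- a/doc/spec.txt, and it reports 1 deletion while the spec.txt hunks remove three lines (the two "-" lines in the @@ -8650 hunk and one in the @@ -35604 hunk). If the change is meant for the DocBook source, the hunks are against the generated text file instead; in either case the header should be regenerated so the stat matches what the patch actually touches.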
+--- a/doc/NewStuff
++++ b/doc/NewStuff
+@@ -4,10 +4,55 @@
+ This file contains descriptions of new features that have been added to Exim.
+ Before a formal release, there may be quite a lot of detail so that people can
+ test from the snapshots or the Git before the documentation is updated. Once
+ the documentation is updated, this file is reduced to a short list.
+
++Version 4.95
++------------
++
++ 1. The fast-ramp two phase queue run support, previously experimental, is
++ now supported by default.
++
++ 2. The native SRS support, previously experimental, is now supported. It is
++ not built unless specified in the Local/Makefile.
++
++ 3. TLS resumption support, previously experimental, is now supported and
++ included in default builds.
++
++ 4. Single-key LMDB lookups, previously experimental, are now supported.
++ The support is not built unless specified in the Local/Makefile.
++
++ 5. Option "message_linelength_limit" on the smtp transport to enforce (by
++ default) the RFC 998 character limit.
++
++ 6. An option to ignore the cache on a lookup.
++
++ 7. Quota checking during reception (i.e. at SMTP time) for appendfile-
++ transport-managed quotas.
++
++ 8. Sqlite lookups accept a "file=<path>" option to specify a per-operation
++ db file, replacing the previous prefix to the SQL string (which had
++ issues when the SQL used tainted values).
++
++ 9. Lsearch lookups accept a "ret=full" option, to return both the portion
++ of the line matching the key, and the remainder.
++
++10. A command-line option to have a daemon not create a notifier socket.
++
++11. Faster TLS startup. When various configuration options contain no
++ expandable elements, the information can be preloaded and cached rather
++ than the provious behaviour of always loading at startup time for every
++ connection. This helps particularly for the CA bundle.
++
++12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout"
++ main config option.
++
++13. Option "smtp_accept_msx_per_connection" is now expanded.
++
++13. A main config option "allow_insecure_tainted_data" allows to turn
++ taint errors into warnings.
++
+ Version 4.94
+ ------------
+
+ 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec
+ file.
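Review bot: the item numbering in the new Version 4.95 list is duplicated: both the smtp_accept_msx_per_connection entry and the allow_insecure_tainted_data entry are numbered 13, so the second should be 14. Two spelling points in the same hunk: "provious behaviour" in item 11 should be "previous behaviour", and "msx" in the option name in item 13 looks like a typo for "max" and should be checked against the option table. "allows to turn taint errors into warnings" reads better as "allows taint errors to be turned into warnings".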
+--- a/doc/spec.txt
++++ b/doc/spec.txt
+@@ -8650,12 +8650,20 @@
+ Whether a string is expanded depends upon the context. Usually this is solely
+ dependent upon the option for which a value is sought; in this documentation,
+ options for which string expansion is performed are marked with * after the
+ data type. ACL rules always expand strings. A couple of expansion conditions do
+ not expand some of the brace-delimited branches, for security reasons, and
+-expansion of data deriving from the sender ("tainted data") is not permitted.
+-
++expansion of data deriving from the sender ("tainted data") is not permitted
++(including acessing a file using a tainted name). The main config
++option allow_insecure_tainted_data can be used as mitigation during
++uprades to more secure configurations.
++
++Common ways of obtaining untainted equivalents of variables with tainted
++values come down to using the tainted value as a lookup key in a trusted
++database. This database could be the filesystem structure, or the
++password file, or accessed via a DBMS. Specific methods are indexed
++under "de-tainting".
+
+ 11.1 Literal text in expanded strings
+ -------------------------------------
+
+ An uninterpreted dollar can be included in an expanded string by putting a
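Review bot: two spelling errors in the added paragraph: "acessing a file" should be "accessing a file" and "uprades" should be "upgrades". As this is the first place a reader meets allow_insecure_tainted_data, it would help to say here what the option's own entry later in this patch says, that it is a mitigation only and future releases may ignore it, so the sentence is not read as a supported way to keep using tainted file names.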
+@@ -12946,10 +12954,12 @@
+
+
+ 14.1 Miscellaneous
+ ------------------
+
++add_environment environment variables
++allow_insecure_tainted_data turn taint errors into warnings
+ bi_command to run for -bi command line option
+ debug_store do extra internal checks
+ disable_ipv6 do no IPv6 processing
+ keep_malformed for broken files - should not happen
+ localhost_number for unique message ids in clusters
+@@ -13553,10 +13563,20 @@
+ true, and also to add "@[]" to the list of local domains (defined in the named
+ domain list local_domains in the default configuration). This "magic string"
+ matches the domain literal form of all the local host's IP addresses.
+
+ +-----------------------------------------------------+
++|allow_insecure_tainted_data main boolean false |
+++-----------------------------------------------------+
++
++The handling of tainted data may break older (pre 4.94) configurations.
++Setting this option to "true" turns taint errors (which result in a temporary
++message rejection) into warnings. This option is meant as mitigation only
++and deprecated already today. Future releases of Exim may ignore it.
++The taint log selector can be used to suppress even the warnings.
++
+++-----------------------------------------------------+
+ |allow_mx_to_ip|Use: main|Type: boolean|Default: false|
+ +-----------------------------------------------------+
+
+ It appears that more and more DNS zone administrators are breaking the rules
+ and putting domain names that look like IP addresses on the right hand side of
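Review bot: the new table row "|allow_insecure_tainted_data main boolean false |" does not follow the format of the neighbouring rows, for example "|allow_mx_to_ip|Use: main|Type: boolean|Default: false|"; it needs the "Use:", "Type:" and "Default:" labels and the pipe separators so it renders like the rest of the option table. In the description, "This option is meant as mitigation only and deprecated already today" reads better as "This option is meant only as a mitigation and is already deprecated", and it is worth stating the default behaviour explicitly: with the option false, a taint error still causes a temporary rejection, and the taint log selector cannot be switched off (as the selector description later in this patch says).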
+@@ -35316,10 +35336,11 @@
+ smtp_mailauth AUTH argument to MAIL commands
+ smtp_no_mail session with no MAIL commands
+ smtp_protocol_error SMTP protocol errors
+ smtp_syntax_error SMTP syntax errors
+ subject contents of Subject: on <= lines
++*taint taint errors or warnings
+ *tls_certificate_verified certificate verification status
+ *tls_cipher TLS cipher suite on <= and => lines
+ tls_peerdn TLS peer DN on <= and => lines
+ tls_sni TLS SNI on <= lines
+ unknown_in_list DNS lookup failed in list match
+@@ -35604,11 +35625,13 @@
+
+ * tls_certificate_verified: An extra item is added to <= and => log lines
+ when TLS is in use. The item is "CV=yes" if the peer's certificate was
+ verified using a CA trust anchor, "CA=dane" if using a DNS trust anchor,
+ and "CV=no" if not.
+-
++ * taint: Log warnings about tainted data. This selector can't be
++ turned of if allow_insecure_tainted_data is false (which is the
++ default).
+ * tls_cipher: When a message is sent or received over an encrypted
+ connection, the cipher suite used is added to the log line, preceded by X=.
+
+ * tls_peerdn: When a message is sent or received over an encrypted
+ connection, and a certificate is supplied by the remote host, the peer DN
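Review bot: "turned of" should be "turned off", and the new bullet breaks the list layout: the "-" line removes the blank line after the tls_certificate_verified entry and no blank line is added between the taint bullet and "* tls_cipher", while every other entry in this list is separated by a blank line. The position is also inconsistent with the selector index earlier in this patch, where "*taint" sits before "*tls_certificate_verified"; the bullet should go before the tls_certificate_verified entry to keep the same order.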