Your message dated Sat, 27 Mar 2021 10:26:45 +0000
with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.9 point release
has caused the Debian Bug report #985450,
regarding buster-pu: package exim4/4.92-8+deb10u5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
985450: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985450
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package exim4/4.92-8+deb10u5
- From: Andreas Metzler <ametzler@bebt.de>
- Date: Thu, 18 Mar 2021 13:53:27 +0100
- Message-id: <YFNNR1Zsz5vcsejU@argenau.bebt.de>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: exim4@packages.debian.org, Jorrit Fahlke <jorrit@jorrit.de>

Hello,

[ Reason ]
I would like to fix two issues in buster:

#1 Fix use of concurrent TLS connections under GnuTLS. When a callout was
done during a receiving connection, and both used TLS, global info was
used rather than per-connection info for tracking the state of data
queued for transmission. This could result in a connection hang.

#2 Fix issues related to certificate checking:
a) Cherry-pick a bugfix to get proper hostname checking with CNAMES.
   Without this patch when connecting to a CNAME the server-provided cert
   is checked against the A record instead of the original cname. #985243
b) Document limitation/extent of server certificate checking that is
   done by default and how to change it. #985244 and #985344

2a and 2b are documented in the respective bug-reports, 2a actually might
warrant priority serious. #1 has popped up repeatedly on the exim-user
mailing list, I would categorize it as important.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
diff -Nru exim4-4.92/debian/changelog exim4-4.92/debian/changelog --- exim4-4.92/debian/changelog 2020-05-13 18:01:31.000000000 +0200 +++ exim4-4.92/debian/changelog 2021-03-18 09:10:15.000000000 +0100 
@@ -1,3 +1,23 @@ +exim4 (4.92-8+deb10u5) buster; urgency=medium + + * Fix use of concurrent TLS connections under GnuTLS: + 80_01-GnuTLS-fix-hanging-callout-connections.patch + 80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch + 80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch + (Thanks, Heiko Schlittermann for the backport) + * Pull 82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch from + upstream git (already included in 4.94), on TLS connections to a CNAME + verify the certificate against the original CNAME instead of against + the A record. Closes: #985243 + * In README.Debian explicitly document the limitation/extent of server + certificate checking (authenticity not enforced) in the default + configuration (Thanks, Jö Fahlke). This Closes: #985244 (improved + documentation and Closes: #985344 (Yes, without required cert + checking MitM attacks are possible, but for a stable update documenting + this is the best compromise.) + + -- Andreas Metzler <ametzler@debian.org> Thu, 18 Mar 2021 09:10:15 +0100 + exim4 (4.92-8+deb10u4) buster-security; urgency=high * Fix authentication bypass in SPA authenticator due to out-of-bound buffer diff -Nru exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch --- exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.92/debian/patches/80_01-GnuTLS-fix-hanging-callout-connections.patch 2021-03-18 08:51:35.000000000 +0100 
@@ -0,0 +1,83 @@ +From 97c5e07c220b55d1c506a1798c9ce3ae3105adea Mon Sep 17 00:00:00 2001 +From: Jeremy Harris <jgh146exb@wizmail.org> +Date: Thu, 13 Feb 2020 16:45:38 +0000 +Subject: [PATCH 4/6] GnuTLS: fix hanging callout connections + +Broken-by: 925ac8e4f1 +(cherry picked from commit bd95ffc2ba87fbd3c752df17bc8fd9c01586d45a) +--- + doc/ChangeLog | 81 ++++--------------------------------------- + src/tls-gnu.c | 24 +++++++------ + 2 files changed, 20 insertions(+), 85 deletions(-) + +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -67,6 +67,11 @@ JH/41 Bug 2571: Fix SPA authenticator. + being used. A malicious client could thus cause an out-of-bounds read and + possibly gain authentication. Fix by adding the check. + ++JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was ++ done during a receiving connection, and both used TLS, global info was ++ used rather than per-connection info for tracking the state of data ++ queued for transmission. This could result in a connection hang. ++ + + Exim version 4.92 + ----------------- +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -124,10 +124,17 @@ typedef struct exim_gnutls_state { + enum peer_verify_requirement verify_requirement; + int fd_in; + int fd_out; +- BOOL peer_cert_verified; +- BOOL peer_dane_verified; +- BOOL trigger_sni_changes; +- BOOL have_set_peerdn; ++ ++ BOOL peer_cert_verified:1; ++ BOOL peer_dane_verified:1; ++ BOOL trigger_sni_changes:1; ++ BOOL have_set_peerdn:1; ++ BOOL xfer_eof:1; /*XXX never gets set! */ ++ BOOL xfer_error:1; ++#ifdef SUPPORT_CORK ++ BOOL corked:1; ++#endif ++ + const struct host_item *host; /* NULL if server */ + gnutls_x509_crt_t peercert; + uschar *peerdn; +@@ -160,8 +167,6 @@ typedef struct exim_gnutls_state { + uschar *xfer_buffer; + int xfer_buffer_lwm; + int xfer_buffer_hwm; +- BOOL xfer_eof; /*XXX never gets set! 
*/ +- BOOL xfer_error; + } exim_gnutls_state_st; + + static const exim_gnutls_state_st exim_gnutls_state_init = { +@@ -2790,9 +2795,8 @@ ssize_t outbytes; + size_t left = len; + exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server; + #ifdef SUPPORT_CORK +-static BOOL corked = FALSE; + +-if (more && !corked) gnutls_record_cork(state->session); ++if (more && !state->corked) gnutls_record_cork(state->session); + #endif + + DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__, +@@ -2833,10 +2837,10 @@ if (len > INT_MAX) + } + + #ifdef SUPPORT_CORK +-if (more != corked) ++if (more != state->corked) + { + if (!more) (void) gnutls_record_uncork(state->session, 0); +- corked = more; ++ state->corked = more; + } + #endif + diff -Nru exim4-4.92/debian/patches/80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch exim4-4.92/debian/patches/80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch --- exim4-4.92/debian/patches/80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.92/debian/patches/80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch 2021-03-18 08:51:35.000000000 +0100 
@@ -0,0 +1,73 @@ +From 783cb0301d9ceef2748956c3f91762275b7b45e5 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Tue, 18 Feb 2020 18:59:49 +0100 +Subject: [PATCH 5/6] GnuTLS: tls_write(): wait after uncorking the session + +(cherry picked from commit 8f9adfd36222d4e9e730734e00dffe874073e5b4) +--- + src/tls-gnu.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +diff --git a/src/tls-gnu.c b/src/tls-gnu.c +index 822ad89c6..94a718673 100644 +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -2835,9 +2835,14 @@ tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more) + ssize_t outbytes; + size_t left = len; + exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server; +-#ifdef SUPPORT_CORK + +-if (more && !state->corked) gnutls_record_cork(state->session); ++#ifdef SUPPORT_CORK ++if (more && !state->corked) ++ { ++ DEBUG(D_tls) debug_printf("gnutls_record_cork(session=%p)\n", state->session); ++ gnutls_record_cork(state->session); ++ state->corked = TRUE; ++ } + #endif + + DEBUG(D_tls) debug_printf("%s(%p, " SIZE_T_FMT "%s)\n", __FUNCTION__, +@@ -2853,6 +2858,7 @@ while (left > 0) + while (outbytes == GNUTLS_E_AGAIN); + + DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes); ++ + if (outbytes < 0) + { + DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__); +@@ -2878,10 +2884,26 @@ if (len > INT_MAX) + } + + #ifdef SUPPORT_CORK +-if (more != state->corked) +- { +- if (!more) (void) gnutls_record_uncork(state->session, 0); +- state->corked = more; ++if (!more && state->corked) ++ { ++ DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session); ++ do { ++ do ++ /* We can't use GNUTLS_RECORD_WAIT here, as it retries on ++ GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm(). ++ The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway. ++ But who knows. 
(That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN ++ match the EINTR and EAGAIN errno values.) */ ++ outbytes = gnutls_record_uncork(state->session, 0); ++ while (outbytes == GNUTLS_E_AGAIN); ++ ++ if (outbytes < 0) ++ { ++ record_io_error(state, len, US"uncork", NULL); ++ return -1; ++ } ++ } while (gnutls_record_check_corked(state->session) > 0); ++ state->corked = FALSE; + } + #endif + +-- +2.28.0 + diff -Nru exim4-4.92/debian/patches/80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch exim4-4.92/debian/patches/80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch --- exim4-4.92/debian/patches/80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.92/debian/patches/80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch 2021-03-18 08:51:35.000000000 +0100 
@@ -0,0 +1,55 @@ +From 3afb07f2c63fb6dc3983b28e7cdaf11fceb741d1 Mon Sep 17 00:00:00 2001 +From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> +Date: Mon, 2 Mar 2020 22:56:32 +0100 +Subject: [PATCH 6/6] GnuTLS: Do not care about corked data when uncorking + +(cherry picked from commit d8d7e3a4162b52382daf8319f221c085c76c5b8f) +--- + src/tls-gnu.c | 31 +++++++++++++++---------------- + 1 file changed, 15 insertions(+), 16 deletions(-) + +diff --git a/src/tls-gnu.c b/src/tls-gnu.c +index 94a718673..2091e44db 100644 +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -2887,22 +2887,21 @@ if (len > INT_MAX) + if (!more && state->corked) + { + DEBUG(D_tls) debug_printf("gnutls_record_uncork(session=%p)\n", state->session); +- do { +- do +- /* We can't use GNUTLS_RECORD_WAIT here, as it retries on +- GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm(). +- The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway. +- But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN +- match the EINTR and EAGAIN errno values.) */ +- outbytes = gnutls_record_uncork(state->session, 0); +- while (outbytes == GNUTLS_E_AGAIN); +- +- if (outbytes < 0) +- { +- record_io_error(state, len, US"uncork", NULL); +- return -1; +- } +- } while (gnutls_record_check_corked(state->session) > 0); ++ do ++ /* We can't use GNUTLS_RECORD_WAIT here, as it retries on ++ GNUTLS_E_AGAIN || GNUTLS_E_INTR, which would break our timeout set by alarm(). ++ The GNUTLS_E_AGAIN should not happen ever, as our sockets are blocking anyway. ++ But who knows. (That all relies on the fact that GNUTLS_E_INTR and GNUTLS_E_AGAIN ++ match the EINTR and EAGAIN errno values.) 
*/ ++ outbytes = gnutls_record_uncork(state->session, 0); ++ while (outbytes == GNUTLS_E_AGAIN); ++ ++ if (outbytes < 0) ++ { ++ record_io_error(state, len, US"uncork", NULL); ++ return -1; ++ } ++ + state->corked = FALSE; + } + #endif +-- +2.28.0 + diff -Nru exim4-4.92/debian/patches/82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch exim4-4.92/debian/patches/82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch --- exim4-4.92/debian/patches/82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch 1970-01-01 01:00:00.000000000 +0100 +++ exim4-4.92/debian/patches/82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch 2021-03-18 08:51:35.000000000 +0100 
@@ -0,0 +1,188 @@ +Description: TLS: use RFC 6125 rules for certificate name checks when + CNAMES are present. Bug 2594 +Origin: upstream https://git.exim.org/exim.git/commit/0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6 +Bug: https://bugs.exim.org/show_bug.cgi?id=2594 +Forwarded: not-needed +Last-Update: 2021-03-02 + +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -41,10 +41,15 @@ JH/10 OpenSSL: Fix aggregation of messag + + JH/11 Harden plaintext authenticator against a badly misconfigured client-send + string. Previously it was possible to cause undefined behaviour in a + library routine (usually a crash). Found by "zerons". + ++JH/06 Bug 2594: Change the name used for certificate name checks in the smtp ++ transport. Previously it was the name on the DNS A-record; use instead ++ the head of the CNAME chain leading there (if there is one). This seems ++ to align better with RFC 6125. ++ + + JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the + verification result was not updated unless hosts_require_ocsp applied. + + JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in +--- a/src/host.c ++++ b/src/host.c +@@ -1966,10 +1966,17 @@ host_item *last = NULL; + BOOL temp_error = FALSE; + #if HAVE_IPV6 + int af; + #endif + ++#ifndef DISABLE_TLS ++/* Copy the host name at this point to the value which is used for ++TLS certificate name checking, before anything modifies it. */ ++ ++host->certname = host->name; ++#endif ++ + /* Make sure DNS options are set as required. This appears to be necessary in + some circumstances when the get..byname() function actually calls the DNS. 
*/ + + dns_init((flags & HOST_FIND_QUALIFY_SINGLE) != 0, + (flags & HOST_FIND_SEARCH_PARENTS) != 0, +@@ -2132,10 +2139,13 @@ for (i = 1; i <= times; + + else + { + host_item *next = store_get(sizeof(host_item)); + next->name = host->name; ++#ifndef DISABLE_TLS ++ next->certname = host->certname; ++#endif + next->mx = host->mx; + next->address = text_address; + next->port = PORT_NONE; + next->status = hstatus_unknown; + next->why = hwhy_unknown; +@@ -2150,16 +2160,16 @@ for (i = 1; i <= times; + + /* If no hosts were found, the address field in the original host block will be + NULL. If temp_error is set, at least one of the lookups gave a temporary error, + so we pass that back. */ + +-if (host->address == NULL) ++if (!host->address) + { + uschar *msg = + #ifndef STAND_ALONE +- (message_id[0] == 0 && smtp_in != NULL)? +- string_sprintf("no IP address found for host %s (during %s)", host->name, ++ message_id[0] == 0 && smtp_in ++ ? string_sprintf("no IP address found for host %s (during %s)", host->name, + smtp_get_connection_info()) : + #endif + string_sprintf("no IP address found for host %s", host->name); + + HDEBUG(D_host_lookup) debug_printf("%s\n", msg); +@@ -2277,10 +2287,17 @@ dns_record *rr; + host_item *thishostlast = NULL; /* Indicates not yet filled in anything */ + BOOL v6_find_again = FALSE; + BOOL dnssec_fail = FALSE; + int i; + ++#ifndef DISABLE_TLS ++/* Copy the host name at this point to the value which is used for ++TLS certificate name checking, before any CNAME-following modifies it. */ ++ ++host->certname = host->name; ++#endif ++ + /* If allow_ip is set, a name which is an IP address returns that value + as its address. This is used for MX records when allow_mx_to_ip is set, for + those sites that feel they have to flaunt the RFC rules. 
*/ + + if (allow_ip && string_is_ip_address(host->name, NULL) != 0) +--- a/src/structs.h ++++ b/src/structs.h +@@ -77,18 +77,21 @@ host addresses is done using this struct + + typedef enum {DS_UNK=-1, DS_NO, DS_YES} dnssec_status_t; + + typedef struct host_item { + struct host_item *next; +- const uschar *name; /* Host name */ +- const uschar *address; /* IP address in text form */ +- int port; /* port value in host order (if SRV lookup) */ +- int mx; /* MX value if found via MX records */ +- int sort_key; /* MX*1000 plus random "fraction" */ +- int status; /* Usable, unusable, or unknown */ +- int why; /* Why host is unusable */ +- int last_try; /* Time of last try if known */ ++ const uschar *name; /* Host name */ ++#ifndef DISABLE_TLS ++ const uschar *certname; /* Name used for certificate checks */ ++#endif ++ const uschar *address; /* IP address in text form */ ++ int port; /* port value in host order (if SRV lookup) */ ++ int mx; /* MX value if found via MX records */ ++ int sort_key; /* MX*1000 plus random "fraction" */ ++ int status; /* Usable, unusable, or unknown */ ++ int why; /* Why host is unusable */ ++ int last_try; /* Time of last try if known */ + dnssec_status_t dnssec; + } host_item; + + /* Chain of rewrite rules, read from the rewrite config, or parsed from the + rewrite_headers field of a transport. 
*/ +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -2191,13 +2191,13 @@ tls_client_setup_hostname_checks(host_it + { + if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) + { + state->exp_tls_verify_cert_hostnames = + #ifdef SUPPORT_I18N +- string_domain_utf8_to_alabel(host->name, NULL); ++ string_domain_utf8_to_alabel(host->certname, NULL); + #else +- host->name; ++ host->certname; + #endif + DEBUG(D_tls) + debug_printf("TLS: server cert verification includes hostname: \"%s\".\n", + state->exp_tls_verify_cert_hostnames); + } +--- a/src/tls-openssl.c ++++ b/src/tls-openssl.c +@@ -309,18 +309,18 @@ typedef struct tls_ext_ctx_cb { + X509_STORE *verify_store; /* non-null if status requested */ + BOOL verify_required; + } client; + } u_ocsp; + #endif +- uschar *dhparam; ++ uschar * dhparam; + /* these are cached from first expand */ +- uschar *server_cipher_list; ++ uschar * server_cipher_list; + /* only passed down to tls_error: */ +- host_item *host; ++ host_item * host; + const uschar * verify_cert_hostnames; + #ifndef DISABLE_EVENT +- uschar * event_action; ++ uschar * event_action; + #endif + } tls_ext_ctx_cb; + + /* should figure out a cleanup of API to handle state preserved per + implementation, for various reasons, which can be void * in the APIs. +@@ -2359,13 +2359,13 @@ if ((rc = setup_certs(ctx, ob->tls_verif + + if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK) + { + cbinfo->verify_cert_hostnames = + #ifdef SUPPORT_I18N +- string_domain_utf8_to_alabel(host->name, NULL); ++ string_domain_utf8_to_alabel(host->certname, NULL); + #else +- host->name; ++ host->certname; + #endif + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + cbinfo->verify_cert_hostnames); + } + return OK; diff -Nru exim4-4.92/debian/patches/series exim4-4.92/debian/patches/series --- exim4-4.92/debian/patches/series 2020-05-13 18:01:31.000000000 +0200 +++ exim4-4.92/debian/patches/series 2021-03-18 08:51:35.000000000 +0100 
@@ -26,4 +26,8 @@ 78_02-Fix-buffer-overflow-in-string_vformat.-Bug-2449.patch 79_01-Fix-SPA-authenticator-checking-client-supplied-data-.patch 79_02-Rework-SPA-fix-to-avoid-overflows.-Bug-2571.patch +80_01-GnuTLS-fix-hanging-callout-connections.patch +80_02-GnuTLS-tls_write-wait-after-uncorking-the-session.patch +80_03-GnuTLS-Do-not-care-about-corked-data-when-uncorking.patch +82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch 90_localscan_dlopen.dpatch diff -Nru exim4-4.92/debian/README.Debian.xml exim4-4.92/debian/README.Debian.xml --- exim4-4.92/debian/README.Debian.xml 2020-05-13 18:01:31.000000000 +0200 +++ exim4-4.92/debian/README.Debian.xml 2021-03-18 09:10:15.000000000 +0100 
@@ -1084,17 +1084,38 @@ </para> <para> This means that you will not need any special configuration if - you want to use TLS for outgoing mail. However, if your + you want to use TLS for outgoing mail. However, to enforce + TLS and successful certificate verification, a few things + need to be configured. + </para> + <para> + To enforce TLS and prevent fallback to unencrypted + connections, ensure that hosts_require_tls = * is in effect on + the respective transport. For the remote_smtp_smarthost + transport, this setting can be controlled via the + REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS macro. + </para> + <para> + The certificate presented by the remote host is checked + against the system CA certificate store + (<filename>/etc/ssl/certs/</filename>) and the verification + result is logged (CV=...). However successful certificate + verification is <emphasis>not enforced</emphasis> by default. + This can be changed by setting tls_verify_hosts = * on the + respective transport. + </para> + <para> + Another possibility would be to use DANE for certificate + verification. This requires support on the server side and + a resolver with DNSSEC support on the client side. + </para> + <para> + If your server setup mandates the use of client certificates, you need to amend your remote_smtp and/or remote_smtp_smarthost transports with a tls_certificate option. This is not commonly needed. </para> - <para> - The certificate - presented by the remote host is not checked unless you - specify a tls_verify_certificate option on the transport. - </para> <para id="tls_client_certicate"> To make exim send a TLS certificate to the remote host set REMOTE_SMTP_TLS_CERTIFICATE/REMOTE_SMTP_PRIVATEKEY or forAttachment: signature.asc
Description: PGP signature
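Review bot: In the last bullet of the debian/changelog hunk the parenthesis opened at "(improved documentation" is never closed, so "Closes: #985344" reads as part of the remark on #985244. Close it after "documentation" so the two Closes: statements are visibly separate. The patch file name 82_TLS-use-RFC-6125-rules-for-certifucate-name-checks-w.patch also carries a typo ("certifucate"); it is used consistently in the series file, so it works, but it will make the patch harder to find by name later.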
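Review bot: In the last tls_write() hunk of 80_01, "if (more != state->corked)" now compares the full-width BOOL argument with the new one-bit field "BOOL corked:1". That is only correct if BOOL is an unsigned type and "more" is always exactly 0 or 1; with a signed BOOL the field would read back as -1 and the test would be true on every call with more set. Confirm the BOOL definition in this tree, or normalise both sides before comparing. 80_02 replaces the comparison with "!more && state->corked", so the exposure is limited to 80_01 applied on its own, for example during a bisect.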
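Review bot: In the uncork error path added by 80_02, record_io_error(state, len, US"uncork", NULL) is passed "len" although the failing value returned by gnutls_record_uncork() is in "outbytes"; if that argument is meant to carry the GnuTLS return code, the reported error will be wrong. The same path returns -1 before "state->corked = FALSE", so the flag stays set on a state whose uncork failed; either clear it before returning or add a comment that the state is discarded after this. The block comment placed between "do" and the unbraced statement also makes the inner retry loop hard to follow, and braces would help.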
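Review bot: 80_03 removes the "while (gnutls_record_check_corked(state->session) > 0)" loop that 80_02 had just added, and neither the subject line nor the patch header explains why data still reported as corked after a successful gnutls_record_uncork() can be ignored. After this change "state->corked = FALSE" is set without any check that the queue is empty, so the header should carry a sentence of rationale for readers of the stable update.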
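Review bot: Both hostname-check hunks in patch 82 (tls_client_setup_hostname_checks() in src/tls-gnu.c and the matching block in src/tls-openssl.c) switch to host->certname unconditionally, but the patch assigns that field in only two places in src/host.c and copies it once for "next". A host_item built on any other path would hand an unset pointer to string_domain_utf8_to_alabel() or to the verification code. Either audit every place a host_item is created, or fall back with "host->certname ? host->certname : host->name" at the two use sites. The whitespace-only changes in tls-openssl.c, the realigned comments in structs.h and the "if (!host->address)" restyle are unrelated to the fix and could be left out of a stable update to keep the diff reviewable.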
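Review bot: The new README.Debian.xml paragraphs name a macro (REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS) for hosts_require_tls but give no equivalent for "tls_verify_hosts = *", and "the respective transport" is left undefined, so readers have to work out for themselves where to put the setting. Say how to set it for remote_smtp and remote_smtp_smarthost, and state outright that with hosts_require_tls alone a man-in-the-middle is still possible, as the changelog entry already does.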
--- End Message ---
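The hang described in the request above (a cork flag shared between a receiving connection and a callout), modelled as an added example that is not Exim or GnuTLS code. The `mock_*` functions, `conn_state` and `stuck_bytes` are hypothetical names that only model cork/uncork buffering, and the interleaving is constructed.

```c
/* Added illustration with hypothetical names; not Exim or GnuTLS code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    bool   corked;    /* library-side cork state of this session */
    size_t queued;    /* bytes held back while corked */
    size_t on_wire;   /* bytes actually transmitted */
} mock_session;

typedef struct {
    mock_session session;
    bool corked;      /* per-connection flag, as in the patched struct */
} conn_state;

static void mock_cork(mock_session *s) { s->corked = true; }
static void mock_uncork(mock_session *s)
{
    s->on_wire += s->queued; s->queued = 0; s->corked = false;
}
static void mock_send(mock_session *s, size_t n)
{
    if (s->corked) s->queued += n; else s->on_wire += n;
}

/* Before the fix: one function-static flag serves every connection. */
static void write_shared_flag(conn_state *st, size_t len, bool more)
{
    static bool corked = false;
    if (more && !corked) mock_cork(&st->session);
    mock_send(&st->session, len);
    if (more != corked) {
        if (!more) mock_uncork(&st->session);
        corked = more;
    }
}

/* After the fix: the flag is kept in the connection's own state. */
static void write_per_conn_flag(conn_state *st, size_t len, bool more)
{
    if (more && !st->corked) mock_cork(&st->session);
    mock_send(&st->session, len);
    if (more != st->corked) {
        if (!more) mock_uncork(&st->session);
        st->corked = more;
    }
}

/* Constructed interleaving: inbound starts a corked write, a callout runs
   to completion, inbound finishes. Returns bytes left queued on inbound. */
size_t stuck_bytes(bool per_conn)
{
    void (*wr)(conn_state *, size_t, bool) =
        per_conn ? write_per_conn_flag : write_shared_flag;
    conn_state inbound = {0}, callout = {0};
    wr(&inbound, 10, true);   /* inbound: more data follows, cork */
    wr(&callout, 5, true);    /* callout begins on its own session */
    wr(&callout, 5, false);   /* callout ends: a shared flag is cleared */
    wr(&inbound, 20, false);  /* inbound ends: should flush 30 bytes */
    return inbound.session.queued;
}

int main(void)
{
    printf("shared flag:   %zu bytes never sent\n", stuck_bytes(false));
    printf("per-conn flag: %zu bytes never sent\n", stuck_bytes(true));
    return 0;
}
```

With the shared flag the callout's final write clears the flag, so the inbound connection's final write never uncorks its own session and its data stays queued, which the peer sees as a hang.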
--- Begin Message ---
- To: 981453-done@bugs.debian.org, 981664-done@bugs.debian.org, 982002-done@bugs.debian.org, 982311-done@bugs.debian.org, 982571-done@bugs.debian.org, 982669-done@bugs.debian.org, 982796-done@bugs.debian.org, 983051-done@bugs.debian.org, 983113-done@bugs.debian.org, 983134-done@bugs.debian.org, 983485-done@bugs.debian.org, 983527-done@bugs.debian.org, 983918-done@bugs.debian.org, 984790-done@bugs.debian.org, 984886-done@bugs.debian.org, 984896-done@bugs.debian.org, 984899-done@bugs.debian.org, 985115-done@bugs.debian.org, 985359-done@bugs.debian.org, 985371-done@bugs.debian.org, 985450-done@bugs.debian.org, 985466-done@bugs.debian.org, 985472-done@bugs.debian.org, 985545-done@bugs.debian.org, 985609-done@bugs.debian.org, 985624-done@bugs.debian.org
- Subject: Closing p-u requests for fixes included in 10.9 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 27 Mar 2021 10:26:45 +0000
- Message-id: <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9
point release today.

Regards,

Adam
--- End Message ---