
Mailing List Archive: exim: dev

Exim 4.80 RC7 uploaded

 

 



pdp at exim

May 29, 2012, 6:19 AM


I have uploaded Exim 4.80 RC7 to:
ftp://ftp.exim.org/pub/exim/exim4/test/

There have been no bug-fixes since the last release! It appears we're
getting very close. (Okay, typos in comments are bugs, I suppose).

Unfortunately, I realised that one change which was supposed to be in
the new release was sitting in a non-integrated branch. This is my
fault entirely. It's a very trivial *code* change, so I'm confident in
the code, but it is a change, so a new RC.

We now disable SSLv2 by default, for OpenSSL. GnuTLS does not support
SSLv2 (and never has), so this only affects OpenSSL. This brings us
into compliance with RFC 6176 and improves the default security of the
install by finally getting rid of the possibility of a bunch of attacks
fixed many years ago in SSLv3. Some informal surveys I did suggested
that there is *no* SSLv2 used for talking SMTP any more.

If you grep your logs for "X=SSLv2:" and find something, you may wish to
override the default (and work hard to fix the affected broken client,
as OpenSSL is edging closer to dropping support for SSLv2; it's already
a build option).

Kurt Jaeger wrote a script for analysing Exim logs to report a breakdown
of SSL/TLS protocols/ciphers in use, which may help reassure the nervous:
http://opsec.eu/src/tlstype

Other than this feature, almost all reports are coming back that RC6
works great. There's one complaint, so far singularly lacking in
credible detail, so I'm going to hold a couple of days longer, just in
case anything comes of that. I currently expect to release Exim 4.80
this coming Thursday.

Thank you for your patience with this stream of Release Candidates. I
opened a large can of worms by delving into the SSL/TLS support; it
needed to be opened, but that hasn't made the resulting situation
pleasant.


The ChangeLog/NewStuff/README.UPDATING can be reviewed at:

http://git.exim.org/exim.git/blob/exim-4_80_RC6:/src/README.UPDATING
http://git.exim.org/exim.git/blob/exim-4_80_RC6:/doc/doc-txt/NewStuff
http://git.exim.org/exim.git/blob/exim-4_80_RC6:/doc/doc-txt/ChangeLog

The files are signed with the PGP key 0x3903637F, which has a uid
"Phil Pennock <pdp [at] exim>". Please use your own discretion in
assessing what trust paths you might have to this uid.

Checksums below. Detached PGP signatures in .asc files are available
alongside the tarballs.

Please report issues in reply to this email, on exim-users.

Thank you for your testing and feedback,
-Phil Pennock, pp The Exim Maintainers.
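
Added example, not part of the original post and not Kurt Jaeger's tlstype script: a small log tally in the spirit of the "grep your logs for X=SSLv2:" advice above, which also lists the peers that still negotiated SSLv2 so they can be followed up. It assumes the `X=` field has the form `protocol:cipher:bits`; the sample log lines, hosts and message IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log style (hosts and IDs are made up).
SAMPLE_LOG = """\
2012-05-29 06:19:01 1SZAbc-0001aB-Cd <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps X=TLSv1:AES256-SHA:256 S=2048
2012-05-29 06:20:14 1SZAbd-0001aF-Gh <= bob@example.net H=old.example.net [192.0.2.77] P=esmtps X=SSLv2:DES-CBC3-MD5:168 S=1501
2012-05-29 06:21:40 1SZAbc-0001aB-Cd => carol@example.com R=dnslookup T=remote_smtp H=mx.example.com [198.51.100.7] X=TLSv1:DHE-RSA-AES256-SHA:256
2012-05-29 06:22:03 1SZAbe-0001aK-Lm <= dave@example.org H=plain.example.org [192.0.2.33] P=esmtp S=900
2012-05-29 06:23:55 1SZAbf-0001aN-Op <= erin@example.net H=old.example.net [192.0.2.77] P=esmtps X=SSLv2:DES-CBC3-MD5:168 S=1777
"""

# Assumed layout of the TLS field: X=<protocol>:<cipher>[:<bits>]
X_FIELD = re.compile(r"(?:^|\s)X=([^:\s]+):([^:\s]+)(?::\d+)?")
# Peer as logged: H=<name> [<ip>], optionally with a (helo) name in between.
PEER = re.compile(r"\sH=(\S+)(?: \([^)]*\))? \[([^\]]+)\]")


def tls_breakdown(lines):
    """Return (protocol counts, (protocol, cipher) counts, SSLv2 peer counts)."""
    protocols, ciphers, sslv2_peers = Counter(), Counter(), Counter()
    for line in lines:
        m = X_FIELD.search(line)
        if not m:
            continue  # cleartext session or a non-transfer log line
        proto, cipher = m.group(1), m.group(2)
        protocols[proto] += 1
        ciphers[(proto, cipher)] += 1
        if proto == "SSLv2":
            peer = PEER.search(line)
            key = peer.group(1, 2) if peer else ("unknown", "unknown")
            sslv2_peers[key] += 1
    return protocols, ciphers, sslv2_peers


if __name__ == "__main__":
    protocols, ciphers, sslv2_peers = tls_breakdown(SAMPLE_LOG.splitlines())
    for (proto, cipher), n in ciphers.most_common():
        print(f"{n:6d}  {proto:8s} {cipher}")
    print("Peers still using SSLv2:")
    for (host, ip), n in sslv2_peers.most_common():
        print(f"{n:6d}  {host} [{ip}]")
```

To run it against a real log, pass the open file object to `tls_breakdown` in place of the sample lines.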



tlyons at ivenue

May 29, 2012, 8:05 AM

Re: Exim 4.80 RC7 uploaded

On Tue, May 29, 2012 at 6:19 AM, Phil Pennock <pdp [at] exim> wrote:
> I have uploaded Exim 4.80 RC7 to:
> Unfortunately, I realised that one change which was supposed to be in
> the new release was sitting in a non-integrated branch.  This is my
> fault entirely.  It's a very trivial *code* change, so I'm confident in
> the code, but it is a change, so a new RC.
> We now disable SSLv2 by default, for OpenSSL.  GnuTLS does not support

Running RC7 on a live customer server with OpenSSL on CentOS 5.x. So
far no issues to report. Looking good for my use case.

...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


marc at perkel

May 29, 2012, 2:56 PM

Re: [exim] Exim 4.80 RC7 uploaded

Yes - setting it at connect time. It's definitely set. Thus I'm confused.

On 5/29/2012 6:19 AM, Phil Pennock wrote:
> I have uploaded Exim 4.80 RC7 to:
> ftp://ftp.exim.org/pub/exim/exim4/test/
>
> There have been no bug-fixes since the last release! It appears we're
> getting very close. (Okay, typos in comments are bugs, I suppose).
>
> Unfortunately, I realised that one change which was supposed to be in
> the new release was sitting in a non-integrated branch. This is my
> fault entirely. It's a very trivial *code* change, so I'm confident in
> the code, but it is a change, so a new RC.
>
> We now disable SSLv2 by default, for OpenSSL. GnuTLS does not support
> SSLv2 (and never has), so this only affects OpenSSL. This brings us
> into compliance with RFC 6176 and improves the default security of the
> install by finally getting rid of the possibility of a bunch of attacks
> fixed many years ago in SSLv3. Some informal surveys I did suggested
> that there is *no* SSLv2 used for talking SMTP any more.
>
> If you grep your logs for "X=SSLv2:" and find something, you may wish to
> override the default (and work hard to fix the affected broken client,
> as OpenSSL is edging closer to dropping support for SSLv2; it's already
> a build option).
>
> Kurt Jaeger wrote a script for analysing Exim logs to report a breakdown
> of SSL/TLS protocols/ciphers in use, which may help reassure the nervous:
> http://opsec.eu/src/tlstype
>
> Other than this feature, almost all reports are coming back that RC6
> works great. There's one complaint, so far singularly lacking in
> credible detail, so I'm going to hold a couple of days longer, just in
> case anything comes of that. I currently expect to release Exim 4.80
> this coming Thursday.
>
> Thank you for your patience with this stream of Release Candidates. I
> opened a large can of worms by delving into the SSL/TLS support; it
> needed to be opened, but that hasn't made the resulting situation
> pleasant.
>
>
> The ChangeLog/NewStuff/README.UPDATING can be reviewed at:
>
> http://git.exim.org/exim.git/blob/exim-4_80_RC6:/src/README.UPDATING
> http://git.exim.org/exim.git/blob/exim-4_80_RC6:/doc/doc-txt/NewStuff
> http://git.exim.org/exim.git/blob/exim-4_80_RC6:/doc/doc-txt/ChangeLog
>
> The files are signed with the PGP key 0x3903637F, which has a uid
> "Phil Pennock <pdp [at] exim>". Please use your own discretion in
> assessing what trust paths you might have to this uid.
>
> Checksums below. Detached PGP signatures in .asc files are available
> alongside the tarballs.
>
> Please report issues in reply to this email, on exim-users.
>
> Thank you for your testing and feedback,
> -Phil Pennock, pp The Exim Maintainers.
>
