1
/* $Cambridge: exim/src/src/readconf.c,v 1.45 2010/06/12 17:56:32 jetmore Exp $ */
3
1
/*************************************************
4
2
* Exim - an Internet mail transport agent *
5
3
*************************************************/
7
/* Copyright (c) University of Cambridge 1995 - 2009 */
5
/* Copyright (c) University of Cambridge 1995 - 2012 */
8
6
/* See the file NOTICE for conditions of use and distribution. */
10
8
/* Functions for reading the configuration file, and for displaying
237
235
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
238
236
#ifdef SUPPORT_TLS
239
237
{ "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
238
/* These three gnutls_require_* options stopped working in Exim 4.80 */
240
239
{ "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
241
240
{ "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
242
241
{ "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto },
419
418
{ "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
420
419
{ "tls_certificate", opt_stringptr, &tls_certificate },
421
420
{ "tls_crl", opt_stringptr, &tls_crl },
421
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
422
422
{ "tls_dhparam", opt_stringptr, &tls_dhparam },
423
#if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
424
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
423
426
{ "tls_on_connect_ports", opt_stringptr, &tls_on_connect_ports },
424
427
{ "tls_privatekey", opt_stringptr, &tls_privatekey },
425
428
{ "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
526
529
if (namelen >= sizeof(name) - 1)
527
530
log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
528
"macro name too long (maximum is %d characters)", sizeof(name) - 1);
531
"macro name too long (maximum is " SIZE_T_FMT " characters)", sizeof(name) - 1);
529
532
name[namelen++] = *s++;
531
534
name[namelen] = 0;
2775
2778
/*************************************************
2779
* Drop privs for checking TLS config *
2780
*************************************************/
2782
/* We want to validate TLS options during readconf, but do not want to be
2783
root when we call into the TLS library, in case of library linkage errors
2784
which cause segfaults; before this check, those were always done as the Exim
2785
runtime user and it makes sense to continue with that.
2787
Assumes: tls_require_ciphers has been set, if it will be
2788
exim_user has been set, if it will be
2789
exim_group has been set, if it will be
2791
Returns: bool for "okay"; false will cause caller to immediately exit.
2796
tls_dropprivs_validate_require_cipher(void)
2798
const uschar *errmsg;
2801
void (*oldsignal)(int);
2803
oldsignal = signal(SIGCHLD, SIG_DFL);
2806
if ((pid = fork()) < 0)
2807
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
2811
/* in some modes, will have dropped privilege already */
2813
exim_setugid(exim_uid, exim_gid, FALSE,
2814
US"calling tls_validate_require_cipher");
2816
errmsg = tls_validate_require_cipher();
2819
log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
2820
"tls_require_ciphers invalid: %s", errmsg);
2827
rc = waitpid(pid, &status, 0);
2828
} while (rc < 0 && errno == EINTR);
2831
debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n",
2834
signal(SIGCHLD, oldsignal);
2838
#endif /* SUPPORT_TLS */
2843
/*************************************************
2776
2844
* Read main configuration options *
2777
2845
*************************************************/
3116
3184
pid_file_path = s;
3187
/* Set default value of process_log_path */
3189
if (process_log_path == NULL || *process_log_path =='\0')
3190
process_log_path = string_sprintf("%s/exim-process.info", spool_directory);
3119
3192
/* Compile the regex for matching a UUCP-style "From_" line in an incoming
3190
3263
if (host_number_string != NULL)
3193
3267
uschar *s = expand_string(host_number_string);
3194
long int n = Ustrtol(s, &end, 0);
3269
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3270
"failed to expand localhost_number \"%s\": %s",
3271
host_number_string, expand_string_message);
3272
n = Ustrtol(s, &end, 0);
3195
3273
while (isspace(*end)) end++;
3197
3275
log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
3212
3290
"tls_%sverify_hosts is set, but tls_verify_certificates is not set",
3213
3291
(tls_verify_hosts != NULL)? "" : "try_");
3293
/* This also checks that the library linkage is working and we can call
3294
routines in it, so call even if tls_require_ciphers is unset */
3295
if (!tls_dropprivs_validate_require_cipher())
3298
/* Magic number: at time of writing, 1024 has been the long-standing value
3299
used by so many clients, and what Exim used to use always, that it makes
3300
sense to just min-clamp this max-clamp at that. */
3301
if (tls_dh_max_bits < 1024)
3302
log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
3303
"tls_dh_max_bits is too small, must be at least 1024 for interop");
3215
3305
/* If openssl_options is set, validate it */
3216
3306
if (openssl_options != NULL)
3607
3697
*basic_errno = ERRNO_TLSREQUIRED;
3609
3699
else if (len != 1 || Ustrncmp(pp, "*", 1) != 0)
3610
return string_sprintf("unknown or malformed retry error \"%.*s\"", p-pp, pp);
3700
return string_sprintf("unknown or malformed retry error \"%.*s\"", (int) (p-pp), pp);
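Review bot: In tls_dropprivs_validate_require_cipher the `status` collected by waitpid() is only shown being printed in the debug_printf call, and the lines that turn it into the documented bool return are not on this page, so please confirm that a child killed by a signal is treated as failure: the comment motivating the fork cites library-linkage segfaults, and in that case WIFEXITED(status) is false and WEXITSTATUS(status) is meaningless, so the parent needs `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return FALSE;` rather than a plain exit-code comparison. The child's own failure path relies on log_write(LOG_PANIC_DIE) exiting non-zero after exim_setugid() has dropped privileges, so a zero `rc` from waitpid alone must not be read as success, otherwise a crashing or misconfigured TLS library would be accepted while a clean non-zero exit is caught. The opening brace, the `if (pid == 0)` fork branch and the closing return of the function fall outside the hunk as rendered here, so this is a request to check rather than a confirmed defect.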