implement `listen on' Listening by default on all the addresses is so bad I don't know why I haven't changed this before. Anyway. Add a `listen on $hostname port $port' syntax to the config file and deprecate the old "port" and "ipv6" global setting. Still try to honour them when no "listen on" directive is used for backward compatibily, but this will go away in the next next version hopefully. At the moment the `listen on' in server context don't filter the host, i.e. one can still reach a host from a address not specified in the corresponding `liste on', this will be added later.

load_ca: get a buffer instead of a fd We dup(1) the ca fd and send it to various processes, so they fail loading it. Instead, use load_file to get a buffer with the file content and pass that to load_ca which then loads via BIO.

fixes for -Wpointer-sign

add a privsep crypto engine Incorporate the OpenSMTPD' privsep crypto engine. The idea behind it is to never load the certificate' private keys in a networked process, instead they are loaded in a separate process (the `crypto' one) which signs payloads on the behalf of the server processes. This way, we greatly reduce the risk of leaking the certificate' private key should the server process be compromised. This currently compiles only on LibreSSL (portable fix is in the way).

use fatal/fatalx instead of err/errx in daemon code

readd proxy certs and `require client ca' support Was temporarly disabled during the transition to real privsep. While here, fix a memory leak when using `require client ca'. Also, avoid leaking info about the parent address space layout to server processes by not sending pointer values.

move some new_* functions from parse.y to utils.c

drop now unused dispatch_imsg

switch to the more usual log.c

rename log.[ch] to logger.[ch]

provide a more usual fatal fatal usually appends the error string. Add 'fatalx' that doesn't. Fix callers and move the prototypes to log.h

log when the certificate was successfully generated

fmt

certificate generation (bugfix and improvement) don't add gmid as organisation when generating the certificate, and set the version to 3, so it's compatible with java/android clients. Found by Gnuserland, thanks!

list instead of fixed-size array for vhosts and locations saves some bytes of memory and removes the limit on the maximum number of vhosts and location blocks.