Commit | Line | Data |
---|---|---|
54fc8428 | 1 | $Cambridge: exim/doc/doc-txt/NewStuff,v 1.129 2007/01/22 16:29:54 ph10 Exp $ |
495ae4b0 PH |
2 | |
3 | New Features in Exim | |
4 | -------------------- | |
5 | ||
38a0a95f PH |
6 | This file contains descriptions of new features that have been added to Exim. |
7 | Before a formal release, there may be quite a lot of detail so that people can | |
8 | test from the snapshots or the CVS before the documentation is updated. Once | |
9 | the documentation is updated, this file is reduced to a short list. | |
10 | ||
b4ed4da0 PH |
11 | Version 4.67 |
12 | ------------ | |
13 | ||
14 | 1. There is a new log selector called smtp_no_mail, which is not included in | |
15 | the default setting. When it is set, a line is written to the main log | |
16 | whenever an accepted SMTP connection terminates without having issued a | |
17 | MAIL command. This includes both the case when the connection is dropped, | |
18 | and the case when QUIT is used. Note that it does not include cases where | |
19 | the connection is rejected right at the start (by an ACL, or because there | |
20 | are too many connections, or whatever). These cases already have their own | |
21 | log lines. | |
22 | ||
23 | The log line that is written contains the identity of the client in the | |
24 | usual way, followed by D= and a time, which records the duration of the | |
25 | connection. If the connection was authenticated, this fact is logged | |
26 | exactly as it is for an incoming message, with an A= item. If the | |
27 | connection was encrypted, CV=, DN=, and X= items may appear as they do for | |
28 | an incoming message, controlled by the same logging options. | |
29 | ||
30 | Finally, if any SMTP commands were issued during the connection, a C= item | |
31 | is added to the line, listing the commands that were used. For example, | |
32 | ||
33 | C=EHLO,QUIT | |
34 | ||
35 | shows that the client issued QUIT straight after EHLO. If there were fewer | |
36 | than 20 commands, they are all listed. If there were more than 20 commands, | |
37 | the last 20 are listed, preceded by "...". However, with the default | |
38 | setting of 10 for smtp_accep_max_nonmail, the connection will in any case | |
39 | be aborted before 20 non-mail commands are processed. | |
40 | ||
431b7361 PH |
41 | 2. When an item in a dnslists list is followed by = and & and a list of IP |
42 | addresses, in order to restrict the match to specific results from the DNS | |
43 | lookup, the behaviour was not clear when the lookup returned more than one | |
44 | IP address. For example, consider the condition | |
45 | ||
46 | dnslists = a.b.c=127.0.0.1 | |
47 | ||
48 | What happens if the DNS lookup for the incoming IP address yields both | |
49 | 127.0.0.1 and 127.0.0.2 by means of two separate DNS records? Is the | |
50 | condition true because at least one given value was found, or is it false | |
51 | because at least one of the found values was not listed? And how does this | |
52 | affect negated conditions? | |
53 | ||
54 | The behaviour of = and & has not been changed; however, the text below | |
55 | documents it more clearly. In addition, two new additional conditions (== | |
56 | and =&) have been added, to permit the "other" behaviour to be configured. | |
57 | ||
58 | A DNS lookup may yield more than one record. Thus, the result of the lookup | |
59 | for a dnslists check may yield more than one IP address. The question then | |
60 | arises as to whether all the looked up addresses must be listed, or whether | |
61 | just one is good enough. Both possibilities are provided for: | |
62 | ||
63 | . If = or & is used, the condition is true if any one of the looked up | |
64 | IP addresses matches one of the listed addresses. Consider: | |
65 | ||
66 | dnslists = a.b.c=127.0.0.1 | |
67 | ||
68 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
69 | true because 127.0.0.1 matches. | |
70 | ||
71 | . If == or =& is used, the condition is true only if every one of the | |
72 | looked up IP addresses matches one of the listed addresses. Consider: | |
73 | ||
74 | dnslists = a.b.c==127.0.0.1 | |
75 | ||
76 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
77 | false because 127.0.0.2 is not listed. You would need to have | |
78 | ||
79 | dnslists = a.b.c==127.0.0.1,127.0.0.2 | |
80 | ||
81 | for the condition to be true. | |
82 | ||
83 | When ! is used to negate IP address matching, it inverts the result, giving | |
84 | the precise opposite of the behaviour above. Thus: | |
85 | ||
86 | . If != or !& is used, the condition is true if none of the looked up IP | |
87 | addresses matches one of the listed addresses. Consider: | |
88 | ||
89 | dnslists = a.b.c!&0.0.0.1 | |
90 | ||
91 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
92 | false because 127.0.0.1 matches. | |
93 | ||
94 | . If !== or !=& is used, the condition is true there is at least one looked | |
95 | up IP address that does not match. Consider: | |
96 | ||
97 | dnslists = a.b.c!=&0.0.0.1 | |
98 | ||
99 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
100 | true, because 127.0.0.2 does not match. You would need to have | |
101 | ||
102 | dnslists = a.b.c!=&0.0.0.1,0.0.0.2 | |
103 | ||
104 | for the condition to be false. | |
105 | ||
106 | When the DNS lookup yields only a single IP address, there is no difference | |
107 | between = and == and between & and =&. | |
108 | ||
83da1223 PH |
109 | 3. Up till now, the only control over which cipher suites GnuTLS uses has been |
110 | for the cipher algorithms. New options have been added to allow some of the | |
111 | other parameters to be varied. Here is complete documentation for the | |
112 | available features: | |
113 | ||
114 | GnuTLS allows the caller to specify separate lists of permitted key | |
115 | exchange methods, main cipher algorithms, and MAC algorithms. These may be | |
116 | used in any combination to form a specific cipher suite. This is unlike | |
117 | OpenSSL, where complete cipher names can be passed to its control function. | |
118 | GnuTLS also allows a list of acceptable protocols to be supplied. | |
119 | ||
120 | For compatibility with OpenSSL, the tls_require_ciphers option can be set | |
121 | to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this | |
122 | option controls only the cipher algorithms. Exim searches each item in the | |
123 | list for the name of an available algorithm. For example, if the list | |
124 | contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly | |
125 | the same as if just AES were given. | |
126 | ||
127 | There are additional options called gnutls_require_kx, gnutls_require_mac, | |
128 | and gnutls_require_protocols that can be used to restrict the key exchange | |
129 | methods, MAC algorithms, and protocols, respectively. These options are | |
130 | ignored if OpenSSL is in use. | |
131 | ||
132 | All four options are available as global options, controlling how Exim | |
133 | behaves as a server, and also as options of the smtp transport, controlling | |
134 | how Exim behaves as a client. All the values are string expanded. After | |
135 | expansion, the values must be colon-separated lists, though the separator | |
136 | can be changed in the usual way. | |
137 | ||
138 | Each of the four lists starts out with a default set of algorithms. If the | |
139 | first item in one of the "require" options does _not_ start with an | |
140 | exclamation mark, all the default items are deleted. In this case, only | |
141 | those that are explicitly specified can be used. If the first item in one | |
142 | of the "require" items _does_ start with an exclamation mark, the defaults | |
143 | are left on the list. | |
144 | ||
145 | Then, any item that starts with an exclamation mark causes the relevant | |
146 | entry to be removed from the list, and any item that does not start with an | |
147 | exclamation mark causes a new entry to be added to the list. Unrecognized | |
148 | items in the list are ignored. Thus: | |
149 | ||
150 | tls_require_ciphers = !ARCFOUR | |
151 | ||
152 | allows all the defaults except ARCFOUR, whereas | |
153 | ||
154 | tls_require_ciphers = AES : 3DES | |
155 | ||
156 | allows only cipher suites that use AES or 3DES. For tls_require_ciphers | |
157 | the recognized names are AES_256, AES_128, AES (both of the preceding), | |
158 | 3DES, ARCFOUR_128, ARCFOUR_40, and ARCFOUR (both of the preceding). The | |
159 | default list does not contain all of these; it just has AES_256, AES_128, | |
160 | 3DES, and ARCFOUR_128. | |
161 | ||
162 | For gnutls_require_kx, the recognized names are DHE_RSA, RSA (which | |
163 | includes DHE_RSA), DHE_DSS, and DHE (which includes both DHE_RSA and | |
164 | DHE_DSS). The default list contains RSA, DHE_DSS, DHE_RSA. | |
165 | ||
166 | For gnutls_require_mac, the recognized names are SHA (synonym SHA1), and | |
167 | MD5. The default list contains SHA, MD5. | |
168 | ||
169 | For gnutls_require_protocols, the recognized names are TLS1 and SSL3. | |
170 | The default list contains TLS1, SSL3. | |
171 | ||
172 | In a server, the order of items in these lists is unimportant. The server | |
173 | will advertise the availability of all the relevant cipher suites. However, | |
174 | in a client, the order in the tls_require_ciphers list specifies a | |
175 | preference order for the cipher algorithms. The first one in the client's | |
176 | list that is also advertised by the server is tried first. | |
177 | ||
54fc8428 PH |
178 | 4. There is a new compile-time option called ENABLE_DISABLE_FSYNC. You must |
179 | not set this option unless you really, really, really understand what you | |
180 | are doing. No pre-compiled distributions of Exim should ever set this | |
181 | option. When it is set, Exim compiles a runtime option called | |
182 | disable_fsync. If this is set true, Exim no longer calls fsync() to force | |
183 | updated files' data to be written to disc. Unexpected events such as | |
184 | crashes and power outages may cause data to be lost or scrambled. Beware. | |
185 | ||
186 | When ENABLE_DISABLE_FSYNC is not set, a reference to disable_fsync in a | |
187 | runtime configuration generates an "unknown option" error. | |
188 | ||
b4ed4da0 PH |
189 | |
190 | Version 4.66 | |
191 | ------------ | |
192 | ||
193 | No new features were added to 4.66. | |
194 | ||
195 | ||
196 | Version 4.65 | |
197 | ------------ | |
198 | ||
199 | No new features were added to 4.65. | |
200 | ||
38a0a95f PH |
201 | |
202 | Version 4.64 | |
203 | ------------ | |
204 | ||
af561417 PH |
205 | 1. ACL variables can now be given arbitrary names, as long as they start with |
206 | "acl_c" or "acl_m" (for connection variables and message variables), are at | |
207 | least six characters long, with the sixth character being either a digit or | |
883335dc | 208 | an underscore. |
af561417 PH |
209 | |
210 | 2. There is a new ACL modifier called log_reject_target. It makes it possible | |
883335dc | 211 | to specify which logs are used for messages about ACL rejections. |
af561417 PH |
212 | |
213 | 3. There is a new authenticator called "dovecot". This is an interface to the | |
214 | authentication facility of the Dovecot POP/IMAP server, which can support a | |
883335dc | 215 | number of authentication methods. |
af561417 PH |
216 | |
217 | 4. The variable $message_headers_raw provides a concatenation of all the | |
218 | messages's headers without any decoding. This is in contrast to | |
219 | $message_headers, which does RFC2047 decoding on the header contents. | |
220 | ||
883335dc PH |
221 | 5. In a DNS black list, if two domain names, comma-separated, are given, the |
222 | second is used first to do an initial check, making use of any IP value | |
223 | restrictions that are set. If there is a match, the first domain is used, | |
224 | without any IP value restrictions, to get the TXT record. | |
af561417 | 225 | |
883335dc | 226 | 6. All authenticators now have a server_condition option. |
af561417 PH |
227 | |
228 | 7. There is a new command-line option called -Mset. It is useful only in | |
229 | conjunction with -be (that is, when testing string expansions). It must be | |
230 | followed by a message id; Exim loads the given message from its spool | |
883335dc | 231 | before doing the expansions. |
af561417 PH |
232 | |
233 | 8. Another similar new command-line option is called -bem. It operates like | |
883335dc PH |
234 | -be except that it must be followed by the name of a file that contains a |
235 | message. | |
af561417 PH |
236 | |
237 | 9. When an address is delayed because of a 4xx response to a RCPT command, it | |
238 | is now the combination of sender and recipient that is delayed in | |
883335dc | 239 | subsequent queue runs until its retry time is reached. |
af561417 PH |
240 | |
241 | 10. Unary negation and the bitwise logical operators and, or, xor, not, and | |
883335dc | 242 | shift, have been added to the eval: and eval10: expansion items. |
48c7f9e2 | 243 | |
194cc0e4 PH |
244 | 11. The variables $interface_address and $interface_port have been renamed |
245 | as $received_ip_address and $received_port, to make it clear that they | |
246 | relate to message reception rather than delivery. (The old names remain | |
247 | available for compatibility.) | |
248 | ||
883335dc PH |
249 | 12. The "message" modifier can now be used on "accept" and "discard" acl verbs |
250 | to vary the message that is sent when an SMTP command is accepted. | |
4e88a19f | 251 | |
495ae4b0 | 252 | |
4608d683 PH |
253 | Version 4.63 |
254 | ------------ | |
255 | ||
256 | 1. There is a new Boolean option called filter_prepend_home for the redirect | |
38a0a95f | 257 | router. |
4608d683 | 258 | |
45b91596 PH |
259 | 2. There is a new acl, set by acl_not_smtp_start, which is run right at the |
260 | start of receiving a non-SMTP message, before any of the message has been | |
38a0a95f | 261 | read. |
45b91596 | 262 | |
a5bd321b PH |
263 | 3. When an SMTP error message is specified in a "message" modifier in an ACL, |
264 | or in a :fail: or :defer: message in a redirect router, Exim now checks the | |
38a0a95f | 265 | start of the message for an SMTP error code. |
a5bd321b | 266 | |
6ec97b1b | 267 | 4. There is a new parameter for LDAP lookups called "referrals", which takes |
38a0a95f | 268 | one of the settings "follow" (the default) or "nofollow". |
6ec97b1b | 269 | |
e22ca4ac JJ |
270 | 5. Version 20070721.2 of exipick now included, offering these new options: |
271 | --reverse | |
272 | After all other sorting options have bee processed, reverse order | |
273 | before displaying messages (-R is synonym). | |
274 | --random | |
275 | Randomize order of matching messages before displaying. | |
276 | --size | |
277 | Instead of displaying the matching messages, display the sum | |
278 | of their sizes. | |
279 | --sort <variable>[,<variable>...] | |
280 | Before displaying matching messages, sort the messages according to | |
281 | each messages value for each variable. | |
282 | --not | |
283 | Negate the value for every test (returns inverse output from the | |
284 | same criteria without --not). | |
285 | ||
4608d683 | 286 | |
1cce3af8 PH |
287 | Version 4.62 |
288 | ------------ | |
289 | ||
290 | 1. The ${readsocket expansion item now supports Internet domain sockets as well | |
291 | as Unix domain sockets. If the first argument begins "inet:", it must be of | |
292 | the form "inet:host:port". The port is mandatory; it may be a number or the | |
293 | name of a TCP port in /etc/services. The host may be a name, or it may be an | |
294 | IP address. An ip address may optionally be enclosed in square brackets. | |
295 | This is best for IPv6 addresses. For example: | |
296 | ||
297 | ${readsocket{inet:[::1]:1234}{<request data>}... | |
298 | ||
299 | Only a single host name may be given, but if looking it up yield more than | |
300 | one IP address, they are each tried in turn until a connection is made. Once | |
301 | a connection has been made, the behaviour is as for ${readsocket with a Unix | |
302 | domain socket. | |
303 | ||
f7fd3850 PH |
304 | 2. If a redirect router sets up file or pipe deliveries for more than one |
305 | incoming address, and the relevant transport has batch_max set greater than | |
306 | one, a batch delivery now occurs. | |
307 | ||
d6629cdc PH |
308 | 3. The appendfile transport has a new option called maildirfolder_create_regex. |
309 | Its value is a regular expression. For a maildir delivery, this is matched | |
310 | against the maildir directory; if it matches, Exim ensures that a | |
311 | maildirfolder file is created alongside the new, cur, and tmp directories. | |
312 | ||
1cce3af8 | 313 | |
7e66e54d PH |
314 | Version 4.61 |
315 | ------------ | |
316 | ||
4f578862 PH |
317 | The documentation is up-to-date for the 4.61 release. Major new features since |
318 | the 4.60 release are: | |
319 | ||
320 | . An option called disable_ipv6, to disable the use of IPv6 completely. | |
321 | ||
322 | . An increase in the number of ACL variables to 20 of each type. | |
323 | ||
324 | . A change to use $auth1, $auth2, and $auth3 in authenticators instead of $1, | |
325 | $2, $3, (though those are still set) because the numeric variables get used | |
326 | for other things in complicated expansions. | |
327 | ||
843a41e8 | 328 | . The default for rfc1413_query_timeout has been changed from 30s to 5s. |
4f578862 PH |
329 | |
330 | . It is possible to use setclassresources() on some BSD OS to control the | |
331 | resources used in pipe deliveries. | |
332 | ||
333 | . A new ACL modifier called add_header, which can be used with any verb. | |
334 | ||
335 | . More errors are detectable in retry rules. | |
336 | ||
337 | There are a number of other additions too. | |
71fafd95 | 338 | |
7e66e54d | 339 | |
425ae40f | 340 | Version 4.60 |
b5aea5e1 PH |
341 | ------------ |
342 | ||
425ae40f PH |
343 | The documentation is up-to-date for the 4.60 release. Major new features since |
344 | the 4.50 release are: | |
1a46a8c5 | 345 | |
425ae40f | 346 | . Support for SQLite. |
1a46a8c5 | 347 | |
425ae40f | 348 | . Support for IGNOREQUOTA in LMTP. |
1a46a8c5 | 349 | |
425ae40f | 350 | . Extensions to the "submission mode" features. |
1a46a8c5 | 351 | |
425ae40f | 352 | . Support for Client SMTP Authorization (CSA). |
1a46a8c5 | 353 | |
425ae40f | 354 | . Support for ratelimiting hosts and users. |
b5aea5e1 | 355 | |
425ae40f | 356 | . New expansion items to help with the BATV "prvs" scheme. |
b5aea5e1 | 357 | |
425ae40f | 358 | . A "match_ip" condition, that matches an IP address against a list. |
35edf2ff | 359 | |
425ae40f | 360 | There are many more minor changes. |
495ae4b0 PH |
361 | |
362 | **** |