Commit | Line | Data |
---|---|---|
0e22dfd1 | 1 | $Cambridge: exim/doc/doc-txt/NewStuff,v 1.137 2007/02/06 11:11:39 ph10 Exp $ |
495ae4b0 PH |
2 | |
3 | New Features in Exim | |
4 | -------------------- | |
5 | ||
38a0a95f PH |
6 | This file contains descriptions of new features that have been added to Exim. |
7 | Before a formal release, there may be quite a lot of detail so that people can | |
8 | test from the snapshots or the CVS before the documentation is updated. Once | |
9 | the documentation is updated, this file is reduced to a short list. | |
10 | ||
b4ed4da0 PH |
11 | Version 4.67 |
12 | ------------ | |
13 | ||
14 | 1. There is a new log selector called smtp_no_mail, which is not included in | |
15 | the default setting. When it is set, a line is written to the main log | |
16 | whenever an accepted SMTP connection terminates without having issued a | |
17 | MAIL command. This includes both the case when the connection is dropped, | |
18 | and the case when QUIT is used. Note that it does not include cases where | |
19 | the connection is rejected right at the start (by an ACL, or because there | |
20 | are too many connections, or whatever). These cases already have their own | |
21 | log lines. | |
22 | ||
23 | The log line that is written contains the identity of the client in the | |
24 | usual way, followed by D= and a time, which records the duration of the | |
25 | connection. If the connection was authenticated, this fact is logged | |
26 | exactly as it is for an incoming message, with an A= item. If the | |
27 | connection was encrypted, CV=, DN=, and X= items may appear as they do for | |
28 | an incoming message, controlled by the same logging options. | |
29 | ||
30 | Finally, if any SMTP commands were issued during the connection, a C= item | |
31 | is added to the line, listing the commands that were used. For example, | |
32 | ||
33 | C=EHLO,QUIT | |
34 | ||
35 | shows that the client issued QUIT straight after EHLO. If there were fewer | |
36 | than 20 commands, they are all listed. If there were more than 20 commands, | |
37 | the last 20 are listed, preceded by "...". However, with the default | |
38 | setting of 10 for smtp_accep_max_nonmail, the connection will in any case | |
39 | be aborted before 20 non-mail commands are processed. | |
40 | ||
431b7361 PH |
41 | 2. When an item in a dnslists list is followed by = and & and a list of IP |
42 | addresses, in order to restrict the match to specific results from the DNS | |
43 | lookup, the behaviour was not clear when the lookup returned more than one | |
44 | IP address. For example, consider the condition | |
45 | ||
46 | dnslists = a.b.c=127.0.0.1 | |
47 | ||
48 | What happens if the DNS lookup for the incoming IP address yields both | |
49 | 127.0.0.1 and 127.0.0.2 by means of two separate DNS records? Is the | |
50 | condition true because at least one given value was found, or is it false | |
51 | because at least one of the found values was not listed? And how does this | |
52 | affect negated conditions? | |
53 | ||
54 | The behaviour of = and & has not been changed; however, the text below | |
55 | documents it more clearly. In addition, two new additional conditions (== | |
56 | and =&) have been added, to permit the "other" behaviour to be configured. | |
57 | ||
58 | A DNS lookup may yield more than one record. Thus, the result of the lookup | |
59 | for a dnslists check may yield more than one IP address. The question then | |
60 | arises as to whether all the looked up addresses must be listed, or whether | |
61 | just one is good enough. Both possibilities are provided for: | |
62 | ||
63 | . If = or & is used, the condition is true if any one of the looked up | |
64 | IP addresses matches one of the listed addresses. Consider: | |
65 | ||
66 | dnslists = a.b.c=127.0.0.1 | |
67 | ||
68 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
69 | true because 127.0.0.1 matches. | |
70 | ||
71 | . If == or =& is used, the condition is true only if every one of the | |
72 | looked up IP addresses matches one of the listed addresses. Consider: | |
73 | ||
74 | dnslists = a.b.c==127.0.0.1 | |
75 | ||
76 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
77 | false because 127.0.0.2 is not listed. You would need to have | |
78 | ||
79 | dnslists = a.b.c==127.0.0.1,127.0.0.2 | |
80 | ||
81 | for the condition to be true. | |
82 | ||
83 | When ! is used to negate IP address matching, it inverts the result, giving | |
84 | the precise opposite of the behaviour above. Thus: | |
85 | ||
86 | . If != or !& is used, the condition is true if none of the looked up IP | |
87 | addresses matches one of the listed addresses. Consider: | |
88 | ||
89 | dnslists = a.b.c!&0.0.0.1 | |
90 | ||
91 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
92 | false because 127.0.0.1 matches. | |
93 | ||
94 | . If !== or !=& is used, the condition is true there is at least one looked | |
95 | up IP address that does not match. Consider: | |
96 | ||
97 | dnslists = a.b.c!=&0.0.0.1 | |
98 | ||
99 | If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is | |
100 | true, because 127.0.0.2 does not match. You would need to have | |
101 | ||
102 | dnslists = a.b.c!=&0.0.0.1,0.0.0.2 | |
103 | ||
104 | for the condition to be false. | |
105 | ||
106 | When the DNS lookup yields only a single IP address, there is no difference | |
107 | between = and == and between & and =&. | |
108 | ||
83da1223 PH |
109 | 3. Up till now, the only control over which cipher suites GnuTLS uses has been |
110 | for the cipher algorithms. New options have been added to allow some of the | |
111 | other parameters to be varied. Here is complete documentation for the | |
112 | available features: | |
113 | ||
114 | GnuTLS allows the caller to specify separate lists of permitted key | |
115 | exchange methods, main cipher algorithms, and MAC algorithms. These may be | |
116 | used in any combination to form a specific cipher suite. This is unlike | |
117 | OpenSSL, where complete cipher names can be passed to its control function. | |
118 | GnuTLS also allows a list of acceptable protocols to be supplied. | |
119 | ||
120 | For compatibility with OpenSSL, the tls_require_ciphers option can be set | |
121 | to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this | |
122 | option controls only the cipher algorithms. Exim searches each item in the | |
123 | list for the name of an available algorithm. For example, if the list | |
124 | contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly | |
125 | the same as if just AES were given. | |
126 | ||
127 | There are additional options called gnutls_require_kx, gnutls_require_mac, | |
128 | and gnutls_require_protocols that can be used to restrict the key exchange | |
129 | methods, MAC algorithms, and protocols, respectively. These options are | |
130 | ignored if OpenSSL is in use. | |
131 | ||
132 | All four options are available as global options, controlling how Exim | |
133 | behaves as a server, and also as options of the smtp transport, controlling | |
134 | how Exim behaves as a client. All the values are string expanded. After | |
135 | expansion, the values must be colon-separated lists, though the separator | |
136 | can be changed in the usual way. | |
137 | ||
138 | Each of the four lists starts out with a default set of algorithms. If the | |
139 | first item in one of the "require" options does _not_ start with an | |
140 | exclamation mark, all the default items are deleted. In this case, only | |
141 | those that are explicitly specified can be used. If the first item in one | |
142 | of the "require" items _does_ start with an exclamation mark, the defaults | |
143 | are left on the list. | |
144 | ||
145 | Then, any item that starts with an exclamation mark causes the relevant | |
146 | entry to be removed from the list, and any item that does not start with an | |
147 | exclamation mark causes a new entry to be added to the list. Unrecognized | |
148 | items in the list are ignored. Thus: | |
149 | ||
150 | tls_require_ciphers = !ARCFOUR | |
151 | ||
152 | allows all the defaults except ARCFOUR, whereas | |
153 | ||
154 | tls_require_ciphers = AES : 3DES | |
155 | ||
156 | allows only cipher suites that use AES or 3DES. For tls_require_ciphers | |
157 | the recognized names are AES_256, AES_128, AES (both of the preceding), | |
158 | 3DES, ARCFOUR_128, ARCFOUR_40, and ARCFOUR (both of the preceding). The | |
159 | default list does not contain all of these; it just has AES_256, AES_128, | |
160 | 3DES, and ARCFOUR_128. | |
161 | ||
162 | For gnutls_require_kx, the recognized names are DHE_RSA, RSA (which | |
163 | includes DHE_RSA), DHE_DSS, and DHE (which includes both DHE_RSA and | |
164 | DHE_DSS). The default list contains RSA, DHE_DSS, DHE_RSA. | |
165 | ||
166 | For gnutls_require_mac, the recognized names are SHA (synonym SHA1), and | |
167 | MD5. The default list contains SHA, MD5. | |
168 | ||
169 | For gnutls_require_protocols, the recognized names are TLS1 and SSL3. | |
170 | The default list contains TLS1, SSL3. | |
171 | ||
172 | In a server, the order of items in these lists is unimportant. The server | |
173 | will advertise the availability of all the relevant cipher suites. However, | |
174 | in a client, the order in the tls_require_ciphers list specifies a | |
175 | preference order for the cipher algorithms. The first one in the client's | |
176 | list that is also advertised by the server is tried first. | |
177 | ||
54fc8428 PH |
178 | 4. There is a new compile-time option called ENABLE_DISABLE_FSYNC. You must |
179 | not set this option unless you really, really, really understand what you | |
180 | are doing. No pre-compiled distributions of Exim should ever set this | |
181 | option. When it is set, Exim compiles a runtime option called | |
182 | disable_fsync. If this is set true, Exim no longer calls fsync() to force | |
183 | updated files' data to be written to disc. Unexpected events such as | |
184 | crashes and power outages may cause data to be lost or scrambled. Beware. | |
185 | ||
186 | When ENABLE_DISABLE_FSYNC is not set, a reference to disable_fsync in a | |
187 | runtime configuration generates an "unknown option" error. | |
188 | ||
b01dd148 PH |
189 | 5. There is a new variable called $smtp_count_at_connection_start. The name |
190 | is deliberately long, in order to emphasize what the contents are. This | |
191 | variable is set greater than zero only in processes spawned by the Exim | |
192 | daemon for handling incoming SMTP connections. When the daemon accepts a | |
193 | new connection, it increments this variable. A copy of the variable is | |
194 | passed to the child process that handles the connection, but its value is | |
195 | fixed, and never changes. It is only an approximation of how many incoming | |
196 | connections there actually are, because many other connections may come and | |
197 | go while a single connection is being processed. When a child process | |
198 | terminates, the daemon decrements the variable. | |
199 | ||
cf8b11a5 PH |
200 | 6. There's a new control called no_pipelining, which does what its name |
201 | suggests. It turns off the advertising of the PIPELINING extension to SMTP. | |
202 | To be useful, this control must be obeyed before Exim sends its response to | |
203 | an EHLO command. Therefore, it should normally appear in an ACL controlled | |
204 | by acl_smtp_connect or acl_smtp_helo. | |
205 | ||
41c7c167 PH |
206 | 7. There are two new variables called $sending_ip_address and $sending_port. |
207 | These are set whenever an SMTP connection to another host has been set up, | |
208 | and they contain the IP address and port of the local interface that is | |
209 | being used. They are of interest only on hosts that have more than on IP | |
210 | address that want to take on different personalities depending on which one | |
211 | is being used. | |
212 | ||
213 | 8. The expansion of the helo_data option in the smtp transport now happens | |
214 | after the connection to the server has been made. This means that it can | |
215 | use the value of $sending_ip_address (see 7 above) to vary the text of the | |
216 | message. For example, if you want the string that is used for helo_data to | |
217 | be obtained by a DNS lookup of the interface address, you could use this: | |
218 | ||
219 | helo_data = ${lookup dnsdb{ptr=$sending_ip_address}{$value}\ | |
220 | {$primary_hostname}} | |
221 | ||
222 | The use of helo_data applies both to sending messages and when doing | |
223 | callouts. | |
224 | ||
9c57cbc0 PH |
225 | 9. There is a new expansion operator ${rfc2047d: that decodes strings that |
226 | are encoded as per RFC 2047. Binary zero bytes are replaced by question | |
227 | marks. Characters are converted into the character set defined by | |
228 | headers_charset. Overlong RFC 2047 "words" are not recognized unless | |
229 | check_rfc2047_length is set false. | |
230 | ||
f3f065bb PH |
231 | 10. There is a new log selector called "pid", which causes the current process |
232 | id to be added to every log line, in square brackets, immediately after the | |
233 | time and date. | |
234 | ||
047bdd8c PH |
235 | 11. Exim has been modified so that it flushes SMTP output before implementing |
236 | a delay in an ACL. This behaviour can be disabled by obeying control = | |
237 | no_delay_flush at some earlier point. | |
238 | ||
0ce9abe6 PH |
239 | 12. There are two new expansion conditions that iterate over a list. They are |
240 | called forany and forall, and they are used like this: | |
241 | ||
242 | ${if forany{<a list>}{<a condition>}{<yes-string>}{<no-string>}} | |
243 | ${if forall{<a list>}{<a condition>}{<yes-string>}{<no-string>}} | |
244 | ||
245 | The first argument is expanded, and the result is treated as a list. By | |
246 | default, the list separator is a colon, but it can be changed by the normal | |
247 | method. The second argument is interpreted as a condition that is to be | |
248 | applied to each item in the list in turn. During the interpretation of the | |
249 | condition, the current list item is placed in a variable called $item. | |
250 | ||
251 | - For forany, interpretation stops if the condition is true for any item, | |
252 | and the yes-string is then expanded. If the condition is false for all | |
253 | items in the list, the no-string is expanded. | |
254 | ||
255 | - For forall, interpration stops if the condition is false for any item, | |
256 | and the no-string is then expanded. If the condition is true for all | |
257 | items in the list, the yes-string is expanded. | |
258 | ||
259 | Note that negation of forany means that the condition must be false for all | |
260 | items for the overall condition to succeed, and negation of forall means | |
261 | that the condition must be false for at least one item. | |
262 | ||
263 | In this example, the list separator is changed to a comma: | |
264 | ||
265 | ${if forany{<, $recipients}{match{$item}{^user3@}}{yes}{no}} | |
266 | ||
267 | Outside a forany/forall condition, the value of $item is an empty string. | |
268 | Its value is saved and restored while forany/forall is being processed, to | |
269 | enable these expansion items to be nested. | |
270 | ||
0e22dfd1 PH |
271 | 13. There's a new global option called dsn_from that can be used to vary the |
272 | contents of From: lines in bounces and other automatically generated | |
273 | messages ("delivery status notifications" - hence the name of the option). | |
274 | The default setting is: | |
275 | ||
276 | dsn_from = Mail Delivery System <Mailer-Daemon@$qualify_domain> | |
277 | ||
278 | The value is expanded every time it is needed. If the expansion fails, a | |
279 | panic is logged, and the default setting is used. | |
280 | ||
b4ed4da0 PH |
281 | |
282 | Version 4.66 | |
283 | ------------ | |
284 | ||
285 | No new features were added to 4.66. | |
286 | ||
287 | ||
288 | Version 4.65 | |
289 | ------------ | |
290 | ||
291 | No new features were added to 4.65. | |
292 | ||
38a0a95f PH |
293 | |
294 | Version 4.64 | |
295 | ------------ | |
296 | ||
af561417 PH |
297 | 1. ACL variables can now be given arbitrary names, as long as they start with |
298 | "acl_c" or "acl_m" (for connection variables and message variables), are at | |
299 | least six characters long, with the sixth character being either a digit or | |
883335dc | 300 | an underscore. |
af561417 PH |
301 | |
302 | 2. There is a new ACL modifier called log_reject_target. It makes it possible | |
883335dc | 303 | to specify which logs are used for messages about ACL rejections. |
af561417 PH |
304 | |
305 | 3. There is a new authenticator called "dovecot". This is an interface to the | |
306 | authentication facility of the Dovecot POP/IMAP server, which can support a | |
883335dc | 307 | number of authentication methods. |
af561417 PH |
308 | |
309 | 4. The variable $message_headers_raw provides a concatenation of all the | |
310 | messages's headers without any decoding. This is in contrast to | |
311 | $message_headers, which does RFC2047 decoding on the header contents. | |
312 | ||
883335dc PH |
313 | 5. In a DNS black list, if two domain names, comma-separated, are given, the |
314 | second is used first to do an initial check, making use of any IP value | |
315 | restrictions that are set. If there is a match, the first domain is used, | |
316 | without any IP value restrictions, to get the TXT record. | |
af561417 | 317 | |
883335dc | 318 | 6. All authenticators now have a server_condition option. |
af561417 PH |
319 | |
320 | 7. There is a new command-line option called -Mset. It is useful only in | |
321 | conjunction with -be (that is, when testing string expansions). It must be | |
322 | followed by a message id; Exim loads the given message from its spool | |
883335dc | 323 | before doing the expansions. |
af561417 PH |
324 | |
325 | 8. Another similar new command-line option is called -bem. It operates like | |
883335dc PH |
326 | -be except that it must be followed by the name of a file that contains a |
327 | message. | |
af561417 PH |
328 | |
329 | 9. When an address is delayed because of a 4xx response to a RCPT command, it | |
330 | is now the combination of sender and recipient that is delayed in | |
883335dc | 331 | subsequent queue runs until its retry time is reached. |
af561417 PH |
332 | |
333 | 10. Unary negation and the bitwise logical operators and, or, xor, not, and | |
883335dc | 334 | shift, have been added to the eval: and eval10: expansion items. |
48c7f9e2 | 335 | |
194cc0e4 PH |
336 | 11. The variables $interface_address and $interface_port have been renamed |
337 | as $received_ip_address and $received_port, to make it clear that they | |
338 | relate to message reception rather than delivery. (The old names remain | |
339 | available for compatibility.) | |
340 | ||
883335dc PH |
341 | 12. The "message" modifier can now be used on "accept" and "discard" acl verbs |
342 | to vary the message that is sent when an SMTP command is accepted. | |
4e88a19f | 343 | |
495ae4b0 | 344 | |
4608d683 PH |
345 | Version 4.63 |
346 | ------------ | |
347 | ||
348 | 1. There is a new Boolean option called filter_prepend_home for the redirect | |
38a0a95f | 349 | router. |
4608d683 | 350 | |
45b91596 PH |
351 | 2. There is a new acl, set by acl_not_smtp_start, which is run right at the |
352 | start of receiving a non-SMTP message, before any of the message has been | |
38a0a95f | 353 | read. |
45b91596 | 354 | |
a5bd321b PH |
355 | 3. When an SMTP error message is specified in a "message" modifier in an ACL, |
356 | or in a :fail: or :defer: message in a redirect router, Exim now checks the | |
38a0a95f | 357 | start of the message for an SMTP error code. |
a5bd321b | 358 | |
6ec97b1b | 359 | 4. There is a new parameter for LDAP lookups called "referrals", which takes |
38a0a95f | 360 | one of the settings "follow" (the default) or "nofollow". |
6ec97b1b | 361 | |
e22ca4ac JJ |
362 | 5. Version 20070721.2 of exipick now included, offering these new options: |
363 | --reverse | |
364 | After all other sorting options have bee processed, reverse order | |
365 | before displaying messages (-R is synonym). | |
366 | --random | |
367 | Randomize order of matching messages before displaying. | |
368 | --size | |
369 | Instead of displaying the matching messages, display the sum | |
370 | of their sizes. | |
371 | --sort <variable>[,<variable>...] | |
372 | Before displaying matching messages, sort the messages according to | |
373 | each messages value for each variable. | |
374 | --not | |
375 | Negate the value for every test (returns inverse output from the | |
376 | same criteria without --not). | |
377 | ||
4608d683 | 378 | |
1cce3af8 PH |
379 | Version 4.62 |
380 | ------------ | |
381 | ||
382 | 1. The ${readsocket expansion item now supports Internet domain sockets as well | |
383 | as Unix domain sockets. If the first argument begins "inet:", it must be of | |
384 | the form "inet:host:port". The port is mandatory; it may be a number or the | |
385 | name of a TCP port in /etc/services. The host may be a name, or it may be an | |
386 | IP address. An ip address may optionally be enclosed in square brackets. | |
387 | This is best for IPv6 addresses. For example: | |
388 | ||
389 | ${readsocket{inet:[::1]:1234}{<request data>}... | |
390 | ||
391 | Only a single host name may be given, but if looking it up yield more than | |
392 | one IP address, they are each tried in turn until a connection is made. Once | |
393 | a connection has been made, the behaviour is as for ${readsocket with a Unix | |
394 | domain socket. | |
395 | ||
f7fd3850 PH |
396 | 2. If a redirect router sets up file or pipe deliveries for more than one |
397 | incoming address, and the relevant transport has batch_max set greater than | |
398 | one, a batch delivery now occurs. | |
399 | ||
d6629cdc PH |
400 | 3. The appendfile transport has a new option called maildirfolder_create_regex. |
401 | Its value is a regular expression. For a maildir delivery, this is matched | |
402 | against the maildir directory; if it matches, Exim ensures that a | |
403 | maildirfolder file is created alongside the new, cur, and tmp directories. | |
404 | ||
1cce3af8 | 405 | |
7e66e54d PH |
406 | Version 4.61 |
407 | ------------ | |
408 | ||
4f578862 PH |
409 | The documentation is up-to-date for the 4.61 release. Major new features since |
410 | the 4.60 release are: | |
411 | ||
412 | . An option called disable_ipv6, to disable the use of IPv6 completely. | |
413 | ||
414 | . An increase in the number of ACL variables to 20 of each type. | |
415 | ||
416 | . A change to use $auth1, $auth2, and $auth3 in authenticators instead of $1, | |
417 | $2, $3, (though those are still set) because the numeric variables get used | |
418 | for other things in complicated expansions. | |
419 | ||
843a41e8 | 420 | . The default for rfc1413_query_timeout has been changed from 30s to 5s. |
4f578862 PH |
421 | |
422 | . It is possible to use setclassresources() on some BSD OS to control the | |
423 | resources used in pipe deliveries. | |
424 | ||
425 | . A new ACL modifier called add_header, which can be used with any verb. | |
426 | ||
427 | . More errors are detectable in retry rules. | |
428 | ||
429 | There are a number of other additions too. | |
71fafd95 | 430 | |
7e66e54d | 431 | |
425ae40f | 432 | Version 4.60 |
b5aea5e1 PH |
433 | ------------ |
434 | ||
425ae40f PH |
435 | The documentation is up-to-date for the 4.60 release. Major new features since |
436 | the 4.50 release are: | |
1a46a8c5 | 437 | |
425ae40f | 438 | . Support for SQLite. |
1a46a8c5 | 439 | |
425ae40f | 440 | . Support for IGNOREQUOTA in LMTP. |
1a46a8c5 | 441 | |
425ae40f | 442 | . Extensions to the "submission mode" features. |
1a46a8c5 | 443 | |
425ae40f | 444 | . Support for Client SMTP Authorization (CSA). |
1a46a8c5 | 445 | |
425ae40f | 446 | . Support for ratelimiting hosts and users. |
b5aea5e1 | 447 | |
425ae40f | 448 | . New expansion items to help with the BATV "prvs" scheme. |
b5aea5e1 | 449 | |
425ae40f | 450 | . A "match_ip" condition, that matches an IP address against a list. |
35edf2ff | 451 | |
425ae40f | 452 | There are many more minor changes. |
495ae4b0 PH |
453 | |
454 | **** |