| 1 | $Cambridge: exim/doc/doc-txt/ChangeLog,v 1.29 2004/11/17 14:32:25 ph10 Exp $ |
| 2 | |
| 3 | Change log file for Exim from version 4.21 |
| 4 | ------------------------------------------- |
| 5 | |
| 6 | |
| 7 | Exim version 4.44 |
| 8 | ----------------- |
| 9 | |
| 10 | 1. Minor wording change to the doc/README.SIEVE file. |
| 11 | |
| 12 | 2. Change 4.43/35 introduced a bug: if quota_filecount was set, the |
| 13 | computation of the current number of files was incorrect. |
| 14 | |
| 15 | 3. Closing a stable door: arrange to panic-die if setitimer() ever fails. The |
| 16 | bug fixed in 4.43/37 would have been diagnosed quickly if this had been in |
| 17 | place. |
| 18 | |
| 19 | 4. Give more explanation in the error message when the command for a transport |
| 20 | filter fails to execute. |
| 21 | |
| 22 | 5. There are several places where Exim runs a non-Exim command in a |
| 23 | subprocess. The SIGUSR1 signal should be disabled for these processes. This |
| 24 | was being done only for the command run by the queryprogram router. It is |
| 25 | now done for all such subprocesses. The other cases are: ${run, transport |
| 26 | filters, and the commands run by the lmtp and pipe transports. |
| 27 | |
| 28 | 6. Added CONFIGURE_GROUP build-time option. |
| 29 | |
| 30 | 7. Some older OS have a limit of 256 on the maximum number of file |
| 31 | descriptors. Exim was using setrlimit() to set 1000 as a large value |
| 32 | unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these |
| 33 | systems. I've change it so that if it can't get 1000, it tries for 256. |
| 34 | |
| 35 | 8. "control=submission" was allowed, but had no effect, in a DATA ACL. This |
| 36 | was an oversight, and furthermore, ever since the addition of extra |
| 37 | controls (e.g. 4.43/32), the checks on when to allow different forms of |
| 38 | "control" were broken. There should now be diagnostics for all cases when a |
| 39 | control that does not make sense is encountered. |
| 40 | |
| 41 | 9. Added the /retain_sender option to "control=submission". |
| 42 | |
| 43 | 10. $recipients is now available in the predata ACL (oversight). |
| 44 | |
| 45 | 11. Tidy the search cache before the fork to do a delivery from a message |
| 46 | received from the command line. Otherwise the child will trigger a lookup |
| 47 | failure and thereby defer the delivery if it tries to use (for example) a |
| 48 | cached ldap connection that the parent has called unbind on. |
| 49 | |
| 50 | 12. If verify=recipient was followed by verify=sender in a RCPT ACL, the value |
| 51 | of $address_data from the recipient verification was clobbered by the |
| 52 | sender verification. |
| 53 | |
| 54 | 13. The value of address_data from a sender verification is now available in |
| 55 | $sender_address_data in subsequent conditions in the ACL statement. |
| 56 | |
| 57 | 14. Added forbid_sieve_filter and forbid_exim_filter to the redirect router. |
| 58 | |
| 59 | 15. Added a new option "connect=<time>" to callout options, to set a different |
| 60 | connection timeout. |
| 61 | |
| 62 | 16. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 |
| 63 | was its contents. (It was OK if the option was not defined at all.) |
| 64 | |
| 65 | 17. A "Completed" log line is now written for messages that are removed from |
| 66 | the spool by the -Mrm option. |
| 67 | |
| 68 | 18. New variables $sender_verify_failure and $recipient_verify_failure contain |
| 69 | information about exactly what failed. |
| 70 | |
| 71 | 19. Added -dd to debug only the daemon process. |
| 72 | |
| 73 | 20. Incorporated Michael Haardt's patch to ldap.c for improving the way it |
| 74 | handles timeouts, both on the server side and network timeouts. Renamed the |
| 75 | CONNECT parameter as NETTIMEOUT (but kept the old name for compatibility). |
| 76 | |
| 77 | 21. The rare case of EHLO->STARTTLS->HELO was setting the protocol to "smtp". |
| 78 | It is now set to "smtps". |
| 79 | |
| 80 | 22. $host_address is now set to the target address during the checking of |
| 81 | ignore_target_hosts. |
| 82 | |
| 83 | 23. When checking ignore_target_hosts for an ipliteral router, no host name was |
| 84 | being passed; this would have caused $sender_host_name to have been used if |
| 85 | matching the list had actually called for a host name (not very likely, |
| 86 | since this list is usually IP addresses). A host name is now passed as |
| 87 | "[x.x.x.x]". |
| 88 | |
| 89 | 24. Changed the calls that set up the SIGCHLD handler in the daemon to use the |
| 90 | code that specifies a non-restarting handler (typically sigaction() in |
| 91 | modern systems) in an attempt to fix a rare and obscure crash bug. |
| 92 | |
| 93 | 25. Narrowed the window for a race in the daemon that could cause it to ignore |
| 94 | SIGCHLD signals. This is not a major problem, because they are used only to |
| 95 | wake it up if nothing else does. |
| 96 | |
| 97 | 26. A malformed maildirsize file could cause Exim to calculate negative values |
| 98 | for the mailbox size or file count. Odd effects could occur as a result. |
| 99 | The maildirsize information is now recalculated if the size or filecount |
| 100 | end up negative. |
| 101 | |
| 102 | 27. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this |
| 103 | support for a long time. Removed HAVE_SYS_VFS_H. |
| 104 | |
| 105 | 28. Installed the latest version of exipick from John Jetmore. |
| 106 | |
| 107 | 29. In an address list, if the pattern was not a regular expression, an empty |
| 108 | subject address (from a bounce message) matched only if the pattern was an |
| 109 | empty string. Non-empty patterns were not even tested. This was the wrong |
| 110 | because it is perfectly reasonable to use an empty address as part of a |
| 111 | database query. An empty address is now tested by patterns that are |
| 112 | lookups. However, all the other forms of pattern expect the subject to |
| 113 | contain a local part and a domain, and therefore, for them, an empty |
| 114 | address still always fails if the pattern is not itself empty. |
| 115 | |
| 116 | 30. Exim went into a mad DNS loop when attempting to do a callout where the |
| 117 | host was specified on an smtp transport, and looking it up yielded more |
| 118 | than one IP address. |
| 119 | |
| 120 | 31. Re-factored the code for checking spool and log partition space into a |
| 121 | function that finds that data and another that does the check. The former |
| 122 | is then used to implement four new variables: $spool_space, $log_space, |
| 123 | $spool_inodes, and $log_inodes. |
| 124 | |
| 125 | |
| 126 | Exim version 4.43 |
| 127 | ----------------- |
| 128 | |
| 129 | 1. Fixed a longstanding but relatively impotent bug: a long time ago, before |
| 130 | PIPELINING, the function smtp_write_command() used to return TRUE or FALSE. |
| 131 | Now it returns an integer. A number of calls were still expecting a T/F |
| 132 | return. Fortuitously, in all cases, the tests worked in OK situations, |
| 133 | which is the norm. However, things would have gone wrong on any write |
| 134 | failures on the smtp file descriptor. This function is used when sending |
| 135 | messages over SMTP and also when doing verify callouts. |
| 136 | |
| 137 | 2. When Exim is called to do synchronous delivery of a locally submitted |
| 138 | message (the -odf or -odi options), it no longer closes stderr before doing |
| 139 | the delivery. |
| 140 | |
| 141 | 3. Implemented the mua_wrapper option. |
| 142 | |
| 143 | 4. Implemented mx_fail_domains and srv_fail_domains for the dnslookup router. |
| 144 | |
| 145 | 5. Implemented the functions header_remove(), header_testname(), |
| 146 | header_add_at_position(), and receive_remove_recipient(), and exported them |
| 147 | to local_scan(). |
| 148 | |
| 149 | 6. If an ACL "warn" statement specified the addition of headers, Exim already |
| 150 | inserted X-ACL-Warn: at the start if there was no header name. However, it |
| 151 | was not making this test for the second and subsequent header lines if |
| 152 | there were newlines in the string. This meant that an invalid header could |
| 153 | be inserted if Exim was badly configured. |
| 154 | |
| 155 | 7. Allow an ACL "warn" statement to add header lines at the start or after all |
| 156 | the Received: headers, as well as at the end. |
| 157 | |
| 158 | 8. Added the rcpt_4xx retry error code. |
| 159 | |
| 160 | 9. Added postmaster_mailfrom=xxx to callout verification option. |
| 161 | |
| 162 | 10. Added mailfrom=xxxx to the callout verification option, for verify= |
| 163 | header_sender only. |
| 164 | |
| 165 | 11. ${substr_1_:xxxx} and ${substr__3:xxxx} are now diagnosed as syntax errors |
| 166 | (they previously behaved as ${substr_1_0:xxxx} and ${substr:_0_3:xxxx}). |
| 167 | |
| 168 | 12. Inserted some casts to stop certain compilers warning when using pointer |
| 169 | differences as field lengths or precisions in printf-type calls (mostly |
| 170 | affecting debugging statements). |
| 171 | |
| 172 | 13. Added optional readline() support for -be (dynamically loaded). |
| 173 | |
| 174 | 14. Obscure bug fix: if a message error (e.g. 4xx to MAIL) happened within the |
| 175 | same clock tick as a message's arrival, so that its received time was the |
| 176 | same as the "first fail" time on the retry record, and that message |
| 177 | remained on the queue past the ultimate address timeout, every queue runner |
| 178 | would try a delivery (because it was past the ultimate address timeout) but |
| 179 | after another failure, the ultimate address timeout, which should have then |
| 180 | bounced the address, did not kick in. This was a "< instead of <=" error; |
| 181 | in most cases the first failure would have been in the next clock tick |
| 182 | after the received time, and all would be well. |
| 183 | |
| 184 | 15. The special items beginning with @ in domain lists (e.g. @mx_any) were not |
| 185 | being recognized when the domain list was tested by the match_domain |
| 186 | condition in an expansion string. |
| 187 | |
| 188 | 16. Added the ${str2b64: operator. |
| 189 | |
| 190 | 17. Exim was always calling setrlimit() to set a large limit for the number of |
| 191 | processes, without checking whether the existing limit was already |
| 192 | adequate. (It did check for the limit on file descriptors.) Furthermore, |
| 193 | errors from getrlimit() and setrlimit() were being ignored. Now they are |
| 194 | logged to the main and panic logs, but Exim does carry on, to try to do its |
| 195 | job under whatever limits there are. |
| 196 | |
| 197 | 18. Imported PCRE 5.0. |
| 198 | |
| 199 | 19. Trivial typo in log message " temporarily refused connection" (the leading |
| 200 | space). |
| 201 | |
| 202 | 20. If the log selector return_path_on_delivery was set and an address was |
| 203 | redirected to /dev/null, the delivery process crashed because it assumed |
| 204 | that a return path would always be set for a "successful" delivery. In this |
| 205 | case, the whole delivery is bypassed as an optimization, and therefore no |
| 206 | return path is set. |
| 207 | |
| 208 | 21. Internal re-arrangement: the function for sending a challenge and reading |
| 209 | a response while authentication was assuming a zero-terminated challenge |
| 210 | string. It's now changed to take a pointer and a length, to allow for |
| 211 | binary data in such strings. |
| 212 | |
| 213 | 22. Added the cyrus_sasl authenticator (code supplied by MBM). |
| 214 | |
| 215 | 23. Exim was not respecting finduser_retries when seeking the login of the |
| 216 | uid under which it was called; it was always trying 10 times. (The default |
| 217 | setting of finduser_retries is zero.) Also, it was sleeping after the final |
| 218 | failure, which is pointless. |
| 219 | |
| 220 | 24. Implemented tls_on_connect_ports. |
| 221 | |
| 222 | 25. Implemented acl_smtp_predata. |
| 223 | |
| 224 | 26. If the domain in control=submission is set empty, Exim assumes that the |
| 225 | authenticated id is a complete email address when it generates From: or |
| 226 | Sender: header lines. |
| 227 | |
| 228 | 27. Added "#define SOCKLEN_T int" to OS/os.h-SCO and OS/os.h-SCO_SV. Also added |
| 229 | definitions to OS/Makefile-SCO and OS/Makefile-SCO_SV that put basename, |
| 230 | chown and chgrp in /bin and hostname in /usr/bin. |
| 231 | |
| 232 | 28. Exim was keeping the "process log" file open after each use, just as it |
| 233 | does for the main log. This opens the possibility of it remaining open for |
| 234 | long periods when the USR1 signal hits a daemon. Occasional processlog |
| 235 | errors were reported, that could have been caused by this. Anyway, it seems |
| 236 | much more sensible not to leave this file open at all, so that is what now |
| 237 | happens. |
| 238 | |
| 239 | 29. The long-running daemon process does not normally write to the log once it |
| 240 | has entered its main loop, and it closes the log before doing so. This is |
| 241 | so that log files can straightforwardly be renamed and moved. However, |
| 242 | there are a couple of unusual error situations where the daemon does write |
| 243 | log entries, and I had neglected to close the log afterwards. |
| 244 | |
| 245 | 30. The text of an SMTP error response that was received during a remote |
| 246 | delivery was being truncated at 512 bytes. This is too short for some of |
| 247 | the long messages that one sometimes sees. I've increased the limit to |
| 248 | 1024. |
| 249 | |
| 250 | 31. It is now possible to make retry rules that apply only when a message has a |
| 251 | specific sender, in particular, an empty sender. |
| 252 | |
| 253 | 32. Added "control = enforce_sync" and "control = no_enforce_sync". This makes |
| 254 | it possible to be selective about when SMTP synchronization is enforced. |
| 255 | |
| 256 | 33. Added "control = caseful_local_part" and "control = "caselower_local_part". |
| 257 | |
| 258 | 32. Implemented hosts_connection_nolog. |
| 259 | |
| 260 | 33. Added an ACL for QUIT. |
| 261 | |
| 262 | 34. Setting "delay_warning=" to disable warnings was not working; it gave a |
| 263 | syntax error. |
| 264 | |
| 265 | 35. Added mailbox_size and mailbox_filecount to appendfile. |
| 266 | |
| 267 | 36. Added control = no_multiline_responses to ACLs. |
| 268 | |
| 269 | 37. There was a bug in the logic of the code that waits for the clock to tick |
| 270 | in the case where the clock went backwards by a substantial amount such |
| 271 | that the microsecond fraction of "now" was more than the microsecond |
| 272 | fraction of "then" (but the whole seconds number was less). |
| 273 | |
| 274 | 38. Added support for the libradius Radius client library this is found on |
| 275 | FreeBSD (previously only the radiusclient library was supported). |
| 276 | |
| 277 | |
| 278 | Exim version 4.42 |
| 279 | ----------------- |
| 280 | |
| 281 | 1. When certain lookups returned multiple values in the form name=value, the |
| 282 | quoting of the values was not always being done properly. Specifically: |
| 283 | (a) If the value started with a double quote, but contained no whitespace, |
| 284 | it was not quoted. |
| 285 | (b) If the value contained whitespace other than a space character (i.e. |
| 286 | tabs or newlines or carriage returns) it was not quoted. |
| 287 | This fix has been applied to the mysql and pgsql lookups by writing a |
| 288 | separate quoting function and calling it from the lookup code. The fix |
| 289 | should probably also be applied to nisplus, ibase and oracle lookups, but |
| 290 | since I cannot test any of those, I have not disturbed their existing code. |
| 291 | |
| 292 | 2. A hit in the callout cache for a specific address caused a log line with no |
| 293 | reason for rejecting RCPT. Now it says "Previous (cached) callout |
| 294 | verification failure". |
| 295 | |
| 296 | 3. There was an off-by-one bug in the queryprogram router. An over-long |
| 297 | return line was truncated at 256 instead of 255 characters, thereby |
| 298 | overflowing its buffer with the terminating zero. As well as fixing this, I |
| 299 | have increased the buffer size to 1024 (and made a note to document this). |
| 300 | |
| 301 | 4. If an interrupt, such as the USR1 signal that is send by exiwhat, arrives |
| 302 | when Exim is waiting for an SMTP response from a remote server, Exim |
| 303 | restarts its select() call on the socket, thereby resetting its timeout. |
| 304 | This is not a problem when such interrupts are rare. Somebody set up a cron |
| 305 | job to run exiwhat every 2 minutes, which is less than the normal select() |
| 306 | timeout (5 or 10 minutes). This meant that the select() timeout never |
| 307 | kicked in because it was always reset. I have fixed this by comparing the |
| 308 | time when an interrupt arrives with the time at the start of the first call |
| 309 | to select(). If more time than the timeout has elapsed, the interrupt is |
| 310 | treated as a timeout. |
| 311 | |
| 312 | 5. Some internal re-factoring in preparation for the addition of Sieve |
| 313 | extensions (by MH). In particular, the "personal" test is moved to a |
| 314 | separate function, and given an option for scanning Cc: and Bcc: (which is |
| 315 | not set for Exim filters). |
| 316 | |
| 317 | 6. When Exim created an email address using the login of the caller as the |
| 318 | local part (e.g. when creating a From: or Sender: header line), it was not |
| 319 | quoting the local part when it contained special characters such as @. |
| 320 | |
| 321 | 7. Installed new OpenBSD configuration files. |
| 322 | |
| 323 | 8. Reworded some messages for syntax errors in "and" and "or" conditions to |
| 324 | try to make them clearer. |
| 325 | |
| 326 | 9. Callout options, other than the timeout value, were being ignored when |
| 327 | verifying sender addresses in header lines. For example, when using |
| 328 | |
| 329 | verify = header_sender/callout=no_cache |
| 330 | |
| 331 | the cache was (incorrectly) being used. |
| 332 | |
| 333 | 10. Added a missing instance of ${EXE} to the exim_install script; this affects |
| 334 | only the Cygwin environment. |
| 335 | |
| 336 | 11. When return_path_on_delivery was set as a log selector, if different remote |
| 337 | addresses in the same message used different return paths and parallel |
| 338 | remote delivery occurred, the wrong values would sometimes be logged. |
| 339 | (Whenever a remote delivery process finished, the return path value from |
| 340 | the most recently started remote delivery process was logged.) |
| 341 | |
| 342 | 12. RFC 3848 specifies standard names for the "with" phrase in Received: header |
| 343 | lines when AUTH and/or TLS are in use. This is the "received protocol" |
| 344 | field. Exim used to use "asmtp" for authenticated SMTP, without any |
| 345 | indication (in the protocol name) for TLS use. Now it follows the RFC and |
| 346 | uses "esmtpa" if the connection is authenticated, "esmtps" if it is |
| 347 | encrypted, and "esmtpsa" if it is both encrypted and authenticated. These |
| 348 | names appear in log lines as well as in Received: header lines. |
| 349 | |
| 350 | 13. Installed MH's patches for Sieve to add the "copy" and "vacation" |
| 351 | extensions, and comparison tests, and to fix some bugs. |
| 352 | |
| 353 | 14. Changes to the "personal" filter test: |
| 354 | |
| 355 | (1) The test was buggy in that it was just doing the equivalent of |
| 356 | "contains" tests on header lines. For example, if a user's address was |
| 357 | anne@some.where, the "personal" test would incorrectly be true for |
| 358 | |
| 359 | To: susanne@some.where |
| 360 | |
| 361 | This test is now done by extracting each address from the header in turn, |
| 362 | and checking the entire address. Other tests that are part of "personal" |
| 363 | are now done using regular expressions (for example, to check local parts |
| 364 | of addresses in From: header lines). |
| 365 | |
| 366 | (2) The list of non-personal local parts in From: addresses has been |
| 367 | extended to include "listserv", "majordomo", "*-request", and "owner-*", |
| 368 | taken from the Sieve specification recommendations. |
| 369 | |
| 370 | (3) If the message contains any header line starting with "List-" it is |
| 371 | treated as non-personal. |
| 372 | |
| 373 | (4) The test for "circular" in the Subject: header line has been removed |
| 374 | because it now seems ill-conceived. |
| 375 | |
| 376 | 15. Minor typos in src/EDITME comments corrected. |
| 377 | |
| 378 | 16. Installed latest exipick from John Jetmore. |
| 379 | |
| 380 | 17. If headers_add on a router specified a text string that was too long for |
| 381 | string_sprintf() - that is, longer than 8192 bytes - Exim panicked. The use |
| 382 | of string_sprintf() is now avoided. |
| 383 | |
| 384 | 18. $message_body_size was not set (it was always zero) when running the DATA |
| 385 | ACL and the local_scan() function. |
| 386 | |
| 387 | 19. For the "mail" command in an Exim filter, no default was being set for |
| 388 | the once_repeat time, causing a random time value to be used if "once" was |
| 389 | specified. (If the value happened to be <= 0, no repeat happened.) The |
| 390 | default is now 0s, meaning "never repeat". The "vacation" command was OK |
| 391 | (its default is 7d). It's somewhat surprising nobody ever noticed this bug |
| 392 | (I found it when inspecting the code). |
| 393 | |
| 394 | 20. There is now an overall timeout for performing a callout verification. It |
| 395 | defaults to 4 times the callout timeout, which applies to individual SMTP |
| 396 | commands during the callout. The overall timeout applies when there is more |
| 397 | than one host that can be tried. The timeout is checked before trying the |
| 398 | next host. This prevents very long delays if there are a large number of |
| 399 | hosts and all are timing out (e.g. when the network connections are timing |
| 400 | out). The value of the overall timeout can be changed by specifying an |
| 401 | additional sub-option for "callout", called "maxwait". For example: |
| 402 | |
| 403 | verify = sender/callout=5s,maxwait=20s |
| 404 | |
| 405 | 21. Add O_APPEND to the open() call for maildirsize files (Exim already seeks |
| 406 | to the end before writing, but this should make it even safer). |
| 407 | |
| 408 | 22. Exim was forgetting that it had advertised PIPELINING for the second and |
| 409 | subsequent messages on an SMTP connection. It was also not resetting its |
| 410 | memory on STARTTLS and an internal HELO. |
| 411 | |
| 412 | 23. When Exim logs an SMTP synchronization error within a session, it now |
| 413 | records whether PIPELINING has been advertised or not. |
| 414 | |
| 415 | 24. Added 3 instances of "(long int)" casts to time_t variables that were being |
| 416 | formatted using %ld, because on OpenBSD (and perhaps others), time_t is int |
| 417 | rather than long int. |
| 418 | |
| 419 | 25. Installed the latest Cygwin configuration files from the Cygwin maintainer. |
| 420 | |
| 421 | 26. Added the never_mail option to autoreply. |
| 422 | |
| 423 | |
| 424 | Exim version 4.41 |
| 425 | ----------------- |
| 426 | |
| 427 | 1. A reorganization of the code in order to implement 4.40/8 caused a daemon |
| 428 | crash if the getsockname() call failed; this can happen if a connection is |
| 429 | closed very soon after it is established. The problem was simply in the |
| 430 | order in which certain operations were done, causing Exim to try to write |
| 431 | to the SMTP stream before it had set up the file descriptor. The bug has |
| 432 | been fixed by making things happen in the correct order. |
| 433 | |
| 434 | |
| 435 | Exim version 4.40 |
| 436 | ----------------- |
| 437 | |
| 438 | 1. If "drop" was used in a DATA ACL, the SMTP output buffer was not flushed |
| 439 | before the connection was closed, thus losing the rejection response. |
| 440 | |
| 441 | 2. Commented out the definition of SOCKLEN_T in os.h-SunOS5. It is needed for |
| 442 | some early Solaris releases, but causes trouble in current releases where |
| 443 | socklen_t is defined. |
| 444 | |
| 445 | 3. When std{in,out,err} are closed, re-open them to /dev/null so that they |
| 446 | always exist. |
| 447 | |
| 448 | 4. Minor refactoring of os.c-Linux to avoid compiler warning when IPv6 is not |
| 449 | configured. |
| 450 | |
| 451 | 5. Refactoring in expand.c to improve memory usage. Pre-allocate a block so |
| 452 | that releasing the top of it at the end releases what was used for sub- |
| 453 | expansions (unless the block got too big). However, discard this block if |
| 454 | the first thing is a variable or header, so that we can use its block when |
| 455 | it is dynamic (useful for very large $message_headers, for example). |
| 456 | |
| 457 | 6. Lookups now cache *every* query, not just the most recent. A new, separate |
| 458 | store pool is used for this. It can be recovered when all lookup caches are |
| 459 | flushed. Lookups now release memory at the end of their result strings. |
| 460 | This has involved some general refactoring of the lookup sources. |
| 461 | |
| 462 | 7. Some code has been added to the store_xxx() functions to reduce the amount |
| 463 | of flapping under certain conditions. |
| 464 | |
| 465 | 8. log_incoming_interface used to affect only the <= reception log lines. Now |
| 466 | it causes the local interface and port to be added to several more SMTP log |
| 467 | lines, for example "SMTP connection from", and rejection lines. |
| 468 | |
| 469 | 9. The Sieve author supplied some patches for the doc/README.SIEVE file. |
| 470 | |
| 471 | 10. Added a conditional definition of _BSD_SOCKLEN_T to os.h-Darwin. |
| 472 | |
| 473 | 11. If $host_data was set by virtue of a hosts lookup in an ACL, its value |
| 474 | could be overwritten at the end of the current message (or the start of a |
| 475 | new message if it was set in a HELO ACL). The value is now preserved for |
| 476 | the duration of the SMTP connection. |
| 477 | |
| 478 | 12. If a transport had a headers_rewrite setting, and a matching header line |
| 479 | contained an unqualified address, that address was qualified, even if it |
| 480 | did not match any rewriting rules. The underlying bug was that the values |
| 481 | of the flags that permit the existence of unqualified sender and recipient |
| 482 | addresses in header lines (set by {sender,recipient}_unqualified_hosts for |
| 483 | non-local messages, and by -bnq for local messages) were not being |
| 484 | preserved with the message after it was received. |
| 485 | |
| 486 | 13. When Exim was logging an SMTP synchronization error, it could sometimes log |
| 487 | "next input=" as part of the text comprising the host identity instead of |
| 488 | the correct text. The code was using the same buffer for two different |
| 489 | strings. However, depending on which order the printing function evaluated |
| 490 | its arguments, the bug did not always show up. Under Linux, for example, my |
| 491 | test suite worked just fine. |
| 492 | |
| 493 | 14. Exigrep contained a use of Perl's "our" scoping after change 4.31/70. This |
| 494 | doesn't work with some older versions of Perl. It has been changed to "my", |
| 495 | which in any case is probably the better facility to use. |
| 496 | |
| 497 | 15. A really picky compiler found some instances of statements for creating |
| 498 | error messages that either had too many or two few arguments for the format |
| 499 | string. |
| 500 | |
| 501 | 16. The size of the buffer for calls to the DNS resolver has been increased |
| 502 | from 1024 to 2048. A larger buffer is needed when performing PTR lookups |
| 503 | for addresses that have a lot of PTR records. This alleviates a problem; it |
| 504 | does not fully solve it. |
| 505 | |
| 506 | 17. A dnsdb lookup for PTR records that receives more data than will fit in the |
| 507 | buffer now truncates the list and logs the incident, which is the same |
| 508 | action as happens when Exim is looking up a host name and its aliases. |
| 509 | Previously in this situation something unpredictable would happen; |
| 510 | sometimes it was "internal error: store_reset failed". |
| 511 | |
| 512 | 18. If a server dropped the connection unexpectedly when an Exim client was |
| 513 | using GnuTLS and trying to read a response, the client delivery process |
| 514 | crashed while trying to generate an error log message. |
| 515 | |
| 516 | 19. If a "warn" verb in an ACL added multiple headers to a message in a single |
| 517 | string, for example: |
| 518 | |
| 519 | warn message = H1: something\nH2: something |
| 520 | |
| 521 | the text was added as a single header line from Exim's point of view |
| 522 | though it ended up OK in the delivered message. However, searching for the |
| 523 | second and subsequent header lines using $h_h2: did not work. This has been |
| 524 | fixed. Similarly, if a system filter added multiple headers in this way, |
| 525 | the routers could not see them. |
| 526 | |
| 527 | 20. Expanded the error message when iplsearch is called with an invalid key to |
| 528 | suggest using net-iplsearch in a host list. |
| 529 | |
| 530 | 21. When running tests using -bh, any delays imposed by "delay" modifiers in |
| 531 | ACLs are no longer actually imposed (and a message to that effect is |
| 532 | output). |
| 533 | |
| 534 | 22. If a "gecos" field in a passwd entry contained escaped characters, in |
| 535 | particular, if it contained a \" sequence, Exim got it wrong when building |
| 536 | a From: or a Sender: header from that name. A second bug also caused |
| 537 | incorrect handling when an unquoted " was present following a character |
| 538 | that needed quoting. |
| 539 | |
| 540 | 23. "{crypt}" as a password encryption mechanism for a "crypteq" expansion item |
| 541 | was not being matched caselessly. |
| 542 | |
| 543 | 24. Arranged for all hyphens in the exim.8 source to be escaped with |
| 544 | backslashes. |
| 545 | |
| 546 | 25. Change 16 of 4.32, which reversed 71 or 4.31 didn't quite do the job |
| 547 | properly. Recipient callout cache records were still being keyed to include |
| 548 | the sender, even when use_sender was set false. This led to far more |
| 549 | callouts that were necessary. The sender is no longer included in the key |
| 550 | when use_sender is false. |
| 551 | |
| 552 | 26. Added "control = submission" modifier to ACLs. |
| 553 | |
| 554 | 27. Added the ${base62d: operator to decode base 62 numbers. |
| 555 | |
| 556 | 28. dnsdb lookups can now access SRV records. |
| 557 | |
| 558 | 29. CONFIGURE_OWNER can be set at build time to define an alternative owner for |
| 559 | the configuration file. |
| 560 | |
| 561 | 30. The debug message "delivering xxxxxx-xxxxxx-xx" is now output in verbose |
| 562 | (-v) mode. This makes the output for a verbose queue run more intelligible. |
| 563 | |
| 564 | 31. Added a use_postmaster feature to recipient callouts. |
| 565 | |
| 566 | 32. Added the $body_zerocount variable, containing the number of binary zero |
| 567 | bytes in the message body. |
| 568 | |
| 569 | 33. The time of last modification of the "new" subdirectory is now used as the |
| 570 | "mailbox time last read" when there is a quota error for a maildir |
| 571 | delivery. |
| 572 | |
| 573 | 34. Added string comparison operators lt, lti, le, lei, gt, gti, ge, gei. |
| 574 | |
| 575 | 35. Added +ignore_unknown as a special item in host lists. |
| 576 | |
| 577 | 36. Code for decoding IPv6 addresses in host lists is now included, even if |
| 578 | IPv6 support is not being compiled. This fixes a bug in which an IPv6 |
| 579 | address was recognized as an IP address, but was then not correctly decoded |
| 580 | into binary, causing unexpected and incorrect effects when compared with |
| 581 | another IP address. |
| 582 | |
| 583 | |
| 584 | Exim version 4.34 |
| 585 | ----------------- |
| 586 | |
| 587 | 1. Very minor rewording of debugging text in manualroute to say "list of |
| 588 | hosts" instead of "hostlist". |
| 589 | |
| 590 | 2. If verify=header_syntax was set, and a header line with an unqualified |
| 591 | address (no domain) and a large number of spaces between the end of the |
| 592 | name and the colon was received, the reception process suffered a buffer |
| 593 | overflow, and (when I tested it) crashed. This was caused by some obsolete |
| 594 | code that should have been removed. The fix is to remove it! |
| 595 | |
| 596 | 3. When running in the test harness, delay a bit after writing a bounce |
| 597 | message to get a bit more predictability in the log output. |
| 598 | |
| 599 | 4. Added a call to search_tidyup() just before forking a reception process. In |
| 600 | theory, someone could use a lookup in the expansion of smtp_accept_max_ |
| 601 | per_host which, without the tidyup, could leave open a database connection. |
| 602 | |
| 603 | 5. Added the variables $recipient_data and $sender_data which get set from a |
| 604 | lookup success in an ACL "recipients" or "senders" condition, or a router |
| 605 | "senders" option, similar to $domain_data and $local_part_data. |
| 606 | |
| 607 | 6. Moved the writing of debug_print from before to after the "senders" test |
| 608 | for routers. |
| 609 | |
| 610 | 7. Change 4.31/66 (moving the time when the Received: is generated) caused |
| 611 | problems for message scanning, either using a data ACL, or using |
| 612 | local_scan() because the Received: header was not generated till after they |
| 613 | were called (in order to set the time as the time of reception completion). |
| 614 | I have revised the way this works. The header is now generated after the |
| 615 | body is received, but before the ACL or local_scan() are called. After they |
| 616 | are run, the timestamp in the header is updated. |
| 617 | |
| 618 | |
| 619 | Exim version 4.33 |
| 620 | ----------------- |
| 621 | |
| 622 | 1. Change 4.24/6 introduced a bug because the SIGALRM handler was disabled |
| 623 | before starting a queue runner without re-exec. This happened only when |
| 624 | deliver_drop_privilege was set or when the Exim user was set to root. The |
| 625 | effect of the bug was that timeouts during subsequent deliveries caused |
| 626 | crashes instead of being properly handled. The handler is now left at its |
| 627 | default (and expected) setting. |
| 628 | |
| 629 | 2. The other case in which a daemon avoids a re-exec is to deliver an incoming |
| 630 | message, again when deliver_drop_privilege is set or Exim is run as root. |
| 631 | The bug described in (1) was not present in this case, but the tidying up |
| 632 | of the other signals was missing. I have made the two cases consistent. |
| 633 | |
| 634 | 3. The ignore_target_hosts setting on a manualroute router was being ignored |
| 635 | for hosts that were looked up using the /MX notation. |
| 636 | |
| 637 | 4. Added /ignore=<ip list> feature to @mx_any, @mx_primary, and @mx_secondary |
| 638 | in domain lists. |
| 639 | |
| 640 | 5. Change 4.31/55 was buggy, and broke when there was a rewriting rule that |
| 641 | operated on the sender address. After changing the $sender_address to <> |
| 642 | for the sender address verify, Exim was re-instated it as the original |
| 643 | (before rewriting) address, but remembering that it had rewritten it, so it |
| 644 | wasn't rewriting it again. This bug also had the effect of breaking the |
| 645 | sender address verification caching when the sender address was rewritten. |
| 646 | |
| 647 | 6. The ignore_target_hosts option was being ignored by the ipliteral router. |
| 648 | This has been changed so that if the ip literal address matches |
| 649 | ignore_target_hosts, the router declines. |
| 650 | |
| 651 | 7. Added expansion conditions match_domain, match_address, and match_local_ |
| 652 | part (NOT match_host). |
| 653 | |
| 654 | 8. The placeholder for the Received: header didn't have a length field set. |
| 655 | |
| 656 | 9. Added code to Exim itself and to exim_lock to test for a specific race |
| 657 | condition that could lead to file corruption when using MBX delivery. The |
| 658 | issue is with the lockfile that is created in /tmp. If this file is removed |
| 659 | after a process has opened it but before that process has acquired a lock, |
| 660 | there is the potential for a second process to recreate the file and also |
| 661 | acquire a lock. This could lead to two Exim processes writing to the file |
| 662 | at the same time. The added code performs the same test as UW imapd; it |
| 663 | checks after acquiring the lock that its file descriptor still refers to |
| 664 | the same named file. |
| 665 | |
| 666 | 10. The buffer for building added header lines was of fixed size, 8192 bytes. |
| 667 | It is now parameterized by HEADER_ADD_BUFFER_SIZE and this can be adjusted |
| 668 | when Exim is built. |
| 669 | |
| 670 | 11. Added the smtp_active_hostname option. If used, this will typically be made |
| 671 | to depend on the incoming interface address. Because $interface_address is |
| 672 | not set up until the daemon has forked a reception process, error responses |
| 673 | that can happen earlier (such as "too many connections") no longer contain |
| 674 | a host name. |
| 675 | |
| 676 | 12. If an expansion in a condition on a "warn" statement fails because a lookup |
| 677 | defers, the "warn" statement is abandoned, and the next ACL statement is |
| 678 | processed. Previously this caused the whole ACL to be aborted. |
| 679 | |
| 680 | 13. Added the iplsearch lookup type. |
| 681 | |
| 682 | 14. Added ident_timeout as a log selector. |
| 683 | |
| 684 | 15. Added tls_certificate_verified as a log selector. |
| 685 | |
| 686 | 16. Added a global option tls_require_ciphers (compare the smtp transport |
| 687 | option of the same name). This controls incoming TLS connections. |
| 688 | |
| 689 | 17. I finally figured out how to make tls_require_ciphers do a similar thing |
| 690 | in GNUtls to what it does in OpenSSL, that is, set up an appropriate list |
| 691 | before starting the TLS session. |
| 692 | |
| 693 | 18. Tabs are now shown as \t in -bP output. |
| 694 | |
| 695 | 19. If the log selector return_path_on_delivery was set, Exim crashed when |
| 696 | bouncing a message because it had too many Received: header lines. |
| 697 | |
| 698 | 20. If two routers both had headers_remove settings, and the first one included |
| 699 | a superfluous trailing colon, the final name in the first list and the |
| 700 | first name in the second list were incorrectly joined into one item (with a |
| 701 | colon in the middle). |
| 702 | |
| 703 | |
| 704 | Exim version 4.32 |
| 705 | ----------------- |
| 706 | |
| 707 | 1. Added -C and -D options to the exinext utility, mainly to make it easier |
| 708 | to include in the automated testing, but these could be helpful when |
| 709 | multiple configurations are in use. |
| 710 | |
| 711 | 2. The exinext utility was not formatting the output nicely when there was |
| 712 | an alternate port involved in the retry record key, nor when there was a |
| 713 | message id as well (for retries that were specific to a specific message |
| 714 | and a specific host). It was also confused by IPv6 addresses, because of |
| 715 | the additional colons they contain. I have fixed the IPv4 problem, and |
| 716 | patched it up to do a reasonable job for IPv6. |
| 717 | |
| 718 | 3. When there is an error after a MAIL, RCPT, or DATA SMTP command during |
| 719 | delivery, the log line now contains "pipelined" if PIPELINING was used. |
| 720 | |
| 721 | 4. An SMTP transport process used to panic and die if the bind() call to set |
| 722 | an explicit outgoing interface failed. This has been changed; it is now |
| 723 | treated in the same way as a connect() failure. |
| 724 | |
| 725 | 5. A reference to $sender_host_name in the part of a conditional expansion |
| 726 | that was being skipped was still causing a DNS lookup. This no longer |
| 727 | occurs. |
| 728 | |
| 729 | 6. The def: expansion condition was not recognizing references to header lines |
| 730 | that used bh_ and bheader_. |
| 731 | |
| 732 | 7. Added the _cache feature to named lists. |
| 733 | |
| 734 | 8. The code for checking quota_filecount in the appendfile transport was |
| 735 | allowing one more file than it should have been. |
| 736 | |
| 737 | 9. For compatibility with Sendmail, the command line option |
| 738 | |
| 739 | -prval:sval |
| 740 | |
| 741 | is equivalent to |
| 742 | |
| 743 | -oMr rval -oMs sval |
| 744 | |
| 745 | and sets the incoming protocol and host name (for trusted callers). The |
| 746 | host name and its colon can be omitted when only the protocol is to be set. |
| 747 | Note the Exim already has two private options, -pd and -ps, that refer to |
| 748 | embedded Perl. It is therefore impossible to set a protocol value of "d" or |
| 749 | "s", but I don't think that's a major issue. |
| 750 | |
| 751 | 10. A number of refactoring changes to the code, none of which should affect |
| 752 | Exim's behaviour: |
| 753 | |
| 754 | (a) The number of logging options was getting close to filling up the |
| 755 | 32-bit word that was used as a bit map. I have split them into two classes: |
| 756 | those that are passed in the argument to log_write(), and those that are |
| 757 | only ever tested independently outside of that function. These are now in |
| 758 | separate 32-bit words, so there is plenty of room for expansion again. |
| 759 | There is no change in the user interface or the logging behaviour. |
| 760 | |
| 761 | (b) When building, for example, log lines, the code previously used a |
| 762 | macro that called string_cat() twice, in order to add two strings. This is |
| 763 | not really sufficiently general. Furthermore, there was one instance where |
| 764 | it was actually wrong because one of the argument was used twice, and in |
| 765 | one call a function was used. (As it happened, calling the function twice |
| 766 | did not affect the overall behaviour.) The macro has been replaced by a |
| 767 | function that can join an arbitrary number of extra strings onto a growing |
| 768 | string. |
| 769 | |
| 770 | (c) The code for expansion conditions now uses a table and a binary chop |
| 771 | instead of a serial search (which was left over from when there were very |
| 772 | few conditions). Also, it now recognizes conditions like "pam" even when |
| 773 | the relevant support is not compiled in: a suitably worded error message is |
| 774 | given if an attempt is made to use such a condition. |
| 775 | |
| 776 | 11. Added ${time_interval:xxxxx}. |
| 777 | |
| 778 | 12. A bug was causing one of the ddress fields not to be passed back correctly |
| 779 | from remote delivery subprocesses. The field in question was not being |
| 780 | subsequently used, so this caused to problems in practice. |
| 781 | |
| 782 | 13. Added new log selectors queue_time and deliver_time. |
| 783 | |
| 784 | 14. Might have fixed a bug in maildirsizefile handling that threw up |
| 785 | "unexpected character" debug warnings, and recalculated the data |
| 786 | unnecessarily. In any case, I expanded the warning message to give more |
| 787 | information. |
| 788 | |
| 789 | 15. Added the message "Restricted characters in address" to the statements in |
| 790 | the default ACL that block characters like @ and % in local parts. |
| 791 | |
| 792 | 16. Change 71 for release 4.31 proved to be much less benign that I imagined. |
| 793 | Three changes have been made: |
| 794 | |
| 795 | (a) There was a serious bug; a negative response to MAIL caused the whole |
| 796 | recipient domain to be cached as invalid, thereby blocking all messages |
| 797 | to all local parts at the same domain, from all senders. This bug has |
| 798 | been fixed. The domain is no longer cached after a negative response to |
| 799 | MAIL if the sender used is not empty. |
| 800 | |
| 801 | (b) The default behaviour of using MAIL FROM:<> for recipient callouts has |
| 802 | been restored. |
| 803 | |
| 804 | (c) A new callout option, "use_sender" has been added for people who want |
| 805 | the modified behaviour. |
| 806 | |
| 807 | |
| 808 | Exim version 4.31 |
| 809 | ----------------- |
| 810 | |
| 811 | 1. Removed "EXTRALIBS=-lwrap" from OS/Makefile-Unixware7 on the advice of |
| 812 | Larry Rosenman. |
| 813 | |
| 814 | 2. Removed "LIBS = -lresolv" from OS/Makefile-Darwin as it is not needed, and |
| 815 | indeed breaks things for older releases. |
| 816 | |
| 817 | 3. Added additional logging to the case where there is a problem reading data |
| 818 | from a filter that is running in a subprocess using a pipe, in order to |
| 819 | try to track down a specific problem. |
| 820 | |
| 821 | 4. Testing facility fudge: when running in the test harness and attempting |
| 822 | to connect to 10.x.x.x (expecting a connection timeout) I'm now sometimes |
| 823 | getting "No route to host". Convert this to a timeout. |
| 824 | |
| 825 | 5. Define ICONV_ARG2_TYPE as "char **" for Unixware7 to avoid compiler |
| 826 | warning. |
| 827 | |
| 828 | 6. Some OS don't have socklen_t but use size_t instead. This affects the |
| 829 | fifth argument of getsockopt() amongst other things. This is now |
| 830 | configurable by a macro called SOCKLEN_T which defaults to socklen_t, but |
| 831 | can be set for individual OS. I have set it for SunOS5, OSF1, and |
| 832 | Unixware7. Current versions of SunOS5 (aka Solaris) do have socklen_t, but |
| 833 | some earlier ones do not. |
| 834 | |
| 835 | 7. Change 4.30/15 was not doing the test caselessly. |
| 836 | |
| 837 | 8. The standard form for an IPv6 address literal was being rejected by address |
| 838 | parsing in, for example, MAIL and RCPT commands. An example of this kind of |
| 839 | address is [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts |
| 840 | this, as well as the form without the "IPv6" on the front (but only when |
| 841 | address literals are enabled, of course). |
| 842 | |
| 843 | 9. Added some casts to avoid compiler warnings in OS/os.c-Linux. |
| 844 | |
| 845 | 10. Exim crashed if a message with an empty sender address specified by -f |
| 846 | encountered a router with an errors_to setting. This could be provoked only |
| 847 | by a command such as |
| 848 | |
| 849 | exim -f "" ... |
| 850 | |
| 851 | where an empty string was supplied; "<>" did not hit this bug. |
| 852 | |
| 853 | 11. Installed PCRE release 4.5. |
| 854 | |
| 855 | 12. If EHLO/HELO was rejected by an ACL, the value of $sender_helo_name |
| 856 | remained set. It is now erased. |
| 857 | |
| 858 | 13. exiqgrep wasn't working on MacOS X because it didn't correctly compute |
| 859 | times from message ids (which are base 36 rather than the normal 62). |
| 860 | |
| 861 | 14. "Expected" SMTP protocol errors that can arise when PIPELINING is in use |
| 862 | were being counted as actual protocol errors, and logged if the log |
| 863 | selector +smtp_protocol_error was set. One cannot be perfect in this test, |
| 864 | but now, if PIPELINING has been advertised, RCPT following a rejected MAIL, |
| 865 | and DATA following a set of rejected RCPTs do not count as protocol errors. |
| 866 | In other words, Exim assumes they were pipelined, though this may not |
| 867 | actually be the case. Of course, in all cases the client gets an |
| 868 | appropriate error code. |
| 869 | |
| 870 | 15. If a lookup fails in an ACL condition, a message about the failure may |
| 871 | be available; it is used if testing the ACL cannot continue, because most |
| 872 | such messages specify what the cause of the deferral is. However, some |
| 873 | messages (e.g. "MYSQL: no data found") do not cause a defer. There was bug |
| 874 | that caused an old message to be retained and used if a later statement |
| 875 | caused a defer, replacing the real cause of the deferral. |
| 876 | |
| 877 | 16. If an IP address had so many PTR records that the DNS lookup buffer |
| 878 | was not large enough to hold them, Exim could crash while trying to process |
| 879 | the truncated data. It now detects and logs this case. |
| 880 | |
| 881 | 17. Further to 4.21/58, another change has been made: if (and only if) the |
| 882 | first line of a message (the first header line) ends with CRLF, a bare LF |
| 883 | in a subsequent header line has a space inserted after it, so as not to |
| 884 | terminate the header. |
| 885 | |
| 886 | 18. Refactoring: tidied an ugly bit of code in appendfile that copied data |
| 887 | unnecessarily, used atoi() instead of strtol(), and didn't check the |
| 888 | termination when getting file sizes from file names by regex. |
| 889 | |
| 890 | 19. Completely re-implemented the support for maildirsize files, in the light |
| 891 | of a number of problems with the previous contributed implementation |
| 892 | (4.30/29). In particular: |
| 893 | |
| 894 | . If the quota is zero, the maildirsize file is maintained, but no quota is |
| 895 | imposed. |
| 896 | |
| 897 | . If the maildir directory does not exist, it is created before any attempt |
| 898 | to write a maildirsize file. |
| 899 | |
| 900 | . The quota value in the file is just a cache; if the quota is changed in |
| 901 | the transport, the new value overrides. |
| 902 | |
| 903 | . A regular expression is available for excluding directories from the |
| 904 | count. |
| 905 | |
| 906 | 20. The autoreply transport checks the characters in options that define the |
| 907 | message's headers; it allows continued headers, but it was checking with |
| 908 | isspace() after an embedded newline instead of explicitly looking for a |
| 909 | space or a tab. |
| 910 | |
| 911 | 21. If all the "regular" hosts to which an address was routed had passed their |
| 912 | expiry times, and had not reached their retry times, the address was |
| 913 | bounced, even if fallback hosts were defined. Now Exim should go on to try |
| 914 | the fallback hosts. |
| 915 | |
| 916 | 22. Increased buffer sizes in the callout code from 1024 to 4096 to match the |
| 917 | equivalent code in the SMTP transport. Some hosts send humungous responses |
| 918 | to HELO/EHLO, more than 1024 it seems. |
| 919 | |
| 920 | 23. Refactoring: code in filter.c used (void *) for "any old type" but this |
| 921 | gives compiler warnings in some environments. I've now done it "properly", |
| 922 | using a union. |
| 923 | |
| 924 | 24. The replacement for inet_ntoa() that is used with gcc on IRIX systems |
| 925 | (because of problems with the built-in one) was declared to return uschar * |
| 926 | instead of char *, causing compiler failure. |
| 927 | |
| 928 | 25. Fixed a file descriptor leak when processing alias/forward files. |
| 929 | |
| 930 | 26. Fixed a minor format string issue in dbfn.c. |
| 931 | |
| 932 | 27. Typo in exim.c: ("dmbnz" for "dbmnz"). |
| 933 | |
| 934 | 28. If a filter file refered to $h_xxx or $message_headers, and the headers |
| 935 | contained RFC 2047 "words", Exim's memory could, under certain conditions, |
| 936 | become corrupted. |
| 937 | |
| 938 | 29. When a sender address is verified, it is cached, to save repeating the test |
| 939 | when there is more than one recipient in a message. However, when the |
| 940 | verification involves a callout, it is possible for different callout |
| 941 | options to be set for different recipients. It is too complicated to keep |
| 942 | track of this in the cache, so now Exim always runs a verification when a |
| 943 | callout is required, relying on the callout cache for the optimization. |
| 944 | The overhead is duplication of the address routing, but this should not be |
| 945 | too great. |
| 946 | |
| 947 | 30. Fixed a bug in callout caching. If a RCPT command caused the sender address |
| 948 | to be verified with callout=postmaster, and the main callout worked but the |
| 949 | postmaster check failed, the verification correctly failed. However, if a |
| 950 | subsequent RCPT command asked for sender verification *without* the |
| 951 | postmaster check, incorrect caching caused this verification also to fail, |
| 952 | incorrectly. |
| 953 | |
| 954 | 31. Exim caches DNS lookup failures so as to avoid multiple timeouts; however, |
| 955 | it was not caching the DNS options (qualify_single, search_parents) that |
| 956 | were used when the lookup failed. A subsequent lookup with different |
| 957 | options therefore always gave the same answer, though there were cases |
| 958 | where it should not have. (Example: a "domains = !$mx_any" option on a |
| 959 | dnslookup router: the "domains" option is always processed without any |
| 960 | widening, but the router might have qualify_single set.) Now Exim uses the |
| 961 | cached value only when the same options are set. |
| 962 | |
| 963 | 32. Added John Jetmore's "exipick" utility to the distribution. |
| 964 | |
| 965 | 33. GnuTLS: When an attempt to start a TLS session fails for any reason other |
| 966 | than a timeout (e.g. a certificate is required, and is not provided), an |
| 967 | Exim server now closes the connection immediately. Previously it waited for |
| 968 | the client to close - but if the client is SSL, it seems that they each |
| 969 | wait for each other, leading to a delay before one of them times out. |
| 970 | |
| 971 | 34: GnuTLS: Updated the code to use the new GnuTLS 1.0.0 API. I have not |
| 972 | maintained 0.8.x compatibility because I don't think many are using it, and |
| 973 | it is clearly obsolete. |
| 974 | |
| 975 | 35. Added TLS support for CRLs: a tls_crl global option and one for the smtp |
| 976 | transport. |
| 977 | |
| 978 | 36. OpenSSL: $tls_certificate_verified was being set to 1 even if the |
| 979 | client certificate was expired. A simple patch fixes this, though I don't |
| 980 | understand the full logic of why the verify callback is called multiple |
| 981 | times. |
| 982 | |
| 983 | 37. OpenSSL: a patch from Robert Roselius: "Enable client-bug workaround. |
| 984 | Versions of OpenSSL as of 0.9.6d include a 'CBC countermeasure' feature, |
| 985 | which causes problems with some clients (such as the Certicom SSL Plus |
| 986 | library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, |
| 987 | disables the coutermeasure allowing Eudora to connect." |
| 988 | |
| 989 | 38. Exim was not checking that a write() to a log file succeeded. This could |
| 990 | lead to Bad Things if a log got too big, in particular if it hit a file |
| 991 | size limit. Exim now panics and dies if it cannot write to a log file, just |
| 992 | as it does if it cannot open a log file. |
| 993 | |
| 994 | 39. Modified OS/Makefile-Linux so that it now contains |
| 995 | |
| 996 | CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE |
| 997 | |
| 998 | The two -D definitions ensure that Exim is compiled with large file |
| 999 | support, which makes it possible to handle log files that are bigger than |
| 1000 | 2^31. |
| 1001 | |
| 1002 | 40. Fixed a subtle caching bug: if (in an ACL or a set of routers, for |
| 1003 | instance) a domain was checked against a named list that involved a lookup, |
| 1004 | causing $domain_data to be set, then another domain was checked against the |
| 1005 | same list, then the first domain was re-checked, the value of $domain_data |
| 1006 | after the final check could be wrong. In particular, if the second check |
| 1007 | failed, it could be set empty. This bug probably also applied to |
| 1008 | $localpart_data. |
| 1009 | |
| 1010 | 41. The strip_trailing_dot option was not being applied to the address given |
| 1011 | with the -f command-line option. |
| 1012 | |
| 1013 | 42. The code for reading a message's header from the spool was incrementing |
| 1014 | $received_count, but never initializing it. This meant that the value was |
| 1015 | incorrect (doubled) while delivering a message in the same process in which |
| 1016 | it was received. In the most common configuration of Exim, this never |
| 1017 | happens - a fresh exec is done - but it can happen when |
| 1018 | deliver_drop_privilege is set. |
| 1019 | |
| 1020 | 43. When Exim logs an SMTP synchronization error - client data sent too soon - |
| 1021 | it now includes up to 150 characters of the unexpected data in the log |
| 1022 | line. |
| 1023 | |
| 1024 | 44. The exim_dbmbuild utility uses fixed size buffers for reading input lines |
| 1025 | and building data strings. The size of both of these buffers was 10 000 |
| 1026 | bytes - far larger than anybody would *ever* want, thought I. Needless to |
| 1027 | say, somebody hit the limit. I have increased the maximum line length to |
| 1028 | 20 000 and the maximum data length of concatenated lines to 100 000. I have |
| 1029 | also fixed two bugs, because there was no checking on these buffers. Tsk, |
| 1030 | tsk. Now exim_dbmbuild gives a message and exits with an error code if a |
| 1031 | buffer is too small. |
| 1032 | |
| 1033 | 45. The exim_dbmbuild utility did not support quoted keys, as Exim does in |
| 1034 | lsearch lookups. Now it does. |
| 1035 | |
| 1036 | 46. When parsing a route_list item in a manualroute router, a fixed-length |
| 1037 | buffer was used for the list of hosts. I made this 1024 bytes long, |
| 1038 | thinking that nobody would ever have a list of hosts that long. Wrong. |
| 1039 | Somebody had a whole pile of complicated expansion conditions, and the |
| 1040 | string was silently truncated, leading to an expansion error. It turns out |
| 1041 | that it is easier to change to an unlimited length (owing to other changes |
| 1042 | that have happened since this code was originally written) than to build |
| 1043 | structure for giving a limitation error. The length of the item that |
| 1044 | expands into the list of hosts is now unlimited. |
| 1045 | |
| 1046 | 47. The lsearch lookup could not handle data where the length of text line was |
| 1047 | more than 4095 characters. Such lines were truncated, leading to shortened |
| 1048 | data being returned. It should now handle lines of any length. |
| 1049 | |
| 1050 | 48. Minor wording revision: "cannot test xxx in yyy ACL" becomes "cannot test |
| 1051 | xxx condition in yyy ACL" (e.g. "cannot test domains condition in DATA |
| 1052 | ACL"). |
| 1053 | |
| 1054 | 49. Cosmetic tidy to scripts like exicyclog that are generated by globally |
| 1055 | replacing strings such as BIN_DIRECTORY in a source file: the replacement |
| 1056 | no longer happens in comment lines. A list of replacements is now placed |
| 1057 | at the head of all of the source files, except those whose only change is |
| 1058 | to replace PERL_COMMAND in the very first #! line. |
| 1059 | |
| 1060 | 50. Replaced the slow insertion sort in queue.c, for sorting the list of |
| 1061 | messages on the queue, with a bottom-up merge sort, using code contributed |
| 1062 | by Michael Haardt. This should make operations like -bp somewhat faster on |
| 1063 | large queues. It won't affect queue runners, except when queue_run_in_order |
| 1064 | is set. |
| 1065 | |
| 1066 | 51. Installed eximstats 1.31 in the distribution. |
| 1067 | |
| 1068 | 52. Added support for SRV lookups to the dnslookup router. |
| 1069 | |
| 1070 | 53. If an ACL referred to $message_body or $message_body_end, the value was not |
| 1071 | reset for any messages that followed in the same SMTP session. |
| 1072 | |
| 1073 | 54. The store-handling optimization for building very long strings was not |
| 1074 | differentiating between the different store pools. I don't think this |
| 1075 | actually made any difference in practice, but I've tidied it. |
| 1076 | |
| 1077 | 55. While running the routers to verify a sender address, $sender_address |
| 1078 | was still set to the sender address. This is wrong, because when routing to |
| 1079 | send a bounce to the sender, it would be empty. Therefore, I have changed |
| 1080 | it so that, while verifying a sender address, $sender_address is set to <>. |
| 1081 | (There is no change to what happens when verifying a recipient address.) |
| 1082 | |
| 1083 | 56. After finding MX (or SRV) records, Exim was doing a DNS lookup for the |
| 1084 | target A or AAAA records (if not already returned) without resetting the |
| 1085 | qualify_single or search_parents options of the DNS resolver. These are |
| 1086 | inappropriate in this case because the targets of MX and SRV records must |
| 1087 | be FQDNs. A broken DNS record could cause trouble if it happened to have a |
| 1088 | target that, when qualified, matched something in the local domain. These |
| 1089 | two options are now turned off when doing these lookups. |
| 1090 | |
| 1091 | 57. It seems that at least some releases of Reiserfs (which does not have the |
| 1092 | concept of a fixed number of inodes) returns zero and not -1 for the |
| 1093 | number of available inodes. This interacted badly with check_spool_inodes, |
| 1094 | which assumed that -1 was the "no such thing" setting. What I have done is |
| 1095 | to check that the total number of inodes is greater than zero before doing |
| 1096 | the test of how many are available. |
| 1097 | |
| 1098 | 58. When a "warn" ACL statement has a log_message modifier, the message is |
| 1099 | remembered, and not repeated. This is to avoid a lot of repetition when a |
| 1100 | message has many recipients that cause the same warning to be written. |
| 1101 | Howewer, Exim was preserving the list of already written lines for an |
| 1102 | entire SMTP session, which doesn't seem right. The memory is now reset if a |
| 1103 | new message is started. |
| 1104 | |
| 1105 | 59. The "rewrite" debugging flag was not showing the result of rewriting in the |
| 1106 | debugging output unless log_rewrite was also set. |
| 1107 | |
| 1108 | 60. Avoid a compiler warning on 64-bit systems in dsearch.c by avoiding the use |
| 1109 | of (int)(handle) when we know that handle contains (void *)(-1). |
| 1110 | |
| 1111 | 61. The Exim daemon panic-logs an error return when it closes the incoming |
| 1112 | connection. However "connection reset by peer" seems to be common, and |
| 1113 | isn't really an error worthy of noting specially, so that particular error |
| 1114 | is no long logged. |
| 1115 | |
| 1116 | 62. When Exim is trying to find all the local interfaces, it used to panic and |
| 1117 | die if the ioctl to get the interface flags failed. However, it seems that |
| 1118 | on at least one OS (Solaris 9) it is possible to have an interface that is |
| 1119 | included in the list of interfaces, but for which you get a failure error |
| 1120 | for this call. This happens when the interface is not "plumbed" into a |
| 1121 | protocol (i.e. neither IPv4 nor IPv6). I've changed the code so that a |
| 1122 | failure of the "get flags" call assumes that the interface is down. |
| 1123 | |
| 1124 | 63. Added a ${eval10: operator, which assumes all numbers are decimal. This |
| 1125 | makes life easier for people who are doing arithmetic on fields extracted |
| 1126 | from dates, where you often get leading zeros that should not be |
| 1127 | interpreted as octal. |
| 1128 | |
| 1129 | 64. Added qualify_domain to the redirect router, to override the global |
| 1130 | setting. |
| 1131 | |
| 1132 | 65. If a pathologically long header line contained very many addresses (the |
| 1133 | report of this problem mentioned 10 000) and each of them was rewritten, |
| 1134 | Exim could use up a very large amount of memory. (It kept on making new |
| 1135 | copies of the header line as it rewrote, and never released the old ones.) |
| 1136 | At the expense of a bit more processing, the header rewriting function has |
| 1137 | been changed so that it no longer eats memory in this way. |
| 1138 | |
| 1139 | 66. The generation of the Received: header has been moved from the time that a |
| 1140 | message starts to be received, to the time that it finishes. The timestamp |
| 1141 | in the Received: header should now be very close to that of the <= log |
| 1142 | line. There are two side-effects of this change: |
| 1143 | |
| 1144 | (a) If a message is rejected by a DATA or non-SMTP ACL or local_scan(), the |
| 1145 | logged header lines no longer include the local Received: line, because |
| 1146 | it has not yet been created. The same applies to a copy of the message |
| 1147 | that is returned to a non-SMTP sender when a message is rejected. |
| 1148 | |
| 1149 | (b) When a filter file is tested using -bf, no additional Received: header |
| 1150 | is added to the test message. After some thought, I decided that this |
| 1151 | is a bug fix. |
| 1152 | |
| 1153 | This change does not affect the value of $received_for. It is still set |
| 1154 | after address rewriting, but before local_scan() is called. |
| 1155 | |
| 1156 | 67. Installed the latest Cygwin-specific files from the Cygwin maintainer. |
| 1157 | |
| 1158 | 68. GnuTLS: If an empty file is specified for tls_verify_certificates, GnuTLS |
| 1159 | gave an unhelpful panic error message, and a defer error. I have managed to |
| 1160 | change this behaviour so that it now rejects any supplied certificate, |
| 1161 | which seems right, as the list of acceptable certificates is empty. |
| 1162 | |
| 1163 | 69. OpenSSL: If an empty file is specified for tls_verify_certificates, OpenSSL |
| 1164 | gave an unhelpful defer error. I have not managed to make this reject any |
| 1165 | supplied certificates, but the error message it gives is "no certificate |
| 1166 | supplied", which is not helpful. |
| 1167 | |
| 1168 | 70. exigrep's output now also includes lines that are not associated with any |
| 1169 | message, but which match the given pattern. Implemented by a patch from |
| 1170 | Martin Sluka, which also tidied up the Perl a bit. |
| 1171 | |
| 1172 | 71. Recipient callout verification, like sender verification, was using <> in |
| 1173 | the MAIL FROM command. This isn't really the right thing, since the actual |
| 1174 | sender may affect whether the remote host accepts the recipient or not. I |
| 1175 | have changed it to use the actual sender in the callout; this means that |
| 1176 | the cache record is now keyed on a recipient/sender pair, not just the |
| 1177 | recipient address. There doesn't seem to be a real danger of callout loops, |
| 1178 | since a callout by the remote host to check the sender would use <>. |
| 1179 | [SEE ABOVE: changed after hitting problems.] |
| 1180 | |
| 1181 | 72. Exim treats illegal SMTP error codes that do not begin with 4 or 5 as |
| 1182 | temporary errors. However, in the case of such a code being given after |
| 1183 | the end of a data transmission (i.e. after ".") Exim was failing to write |
| 1184 | a retry record for the message. (Yes, there was some broken host that was |
| 1185 | actually sending 8xx at this point.) |
| 1186 | |
| 1187 | 73. An unknown lookup type in a host list could cause Exim to panic-die when |
| 1188 | the list was checked. (An example that provoked this was putting <; in the |
| 1189 | middle of a list instead of at the start.) If this happened during a DATA |
| 1190 | ACL check, a -D file could be left lying around. This kind of configuration |
| 1191 | error no longer causes Exim to die; instead it causes a defer errror. The |
| 1192 | incident is still logged to the main and panic logs. |
| 1193 | |
| 1194 | 74. Buglet left over from Exim 3 conversion. The message "too many messages |
| 1195 | in one connection" was written to the rejectlog but not the mainlog, except |
| 1196 | when address rewriting (yes!) was being logged. |
| 1197 | |
| 1198 | 75. Added write_rejectlog option. |
| 1199 | |
| 1200 | 76. When a system filter was run not as root (that is, when system_filter_user |
| 1201 | was set), the values of the $n variables were not being returned to the |
| 1202 | main process; thus, they were not subsequently available in the $sn |
| 1203 | variables. |
| 1204 | |
| 1205 | 77. Added +return_path_on_delivery log selector. |
| 1206 | |
| 1207 | 78. A connection timeout was being treated differently from recipients deferred |
| 1208 | when testing hosts_max_try with a message that was older than the host's |
| 1209 | retry timeout. (The host should not be counted, thus allowing all hosts to |
| 1210 | be tried at least once before bouncing.) This may have been the cause of an |
| 1211 | occasionally reported bug whereby a message would remain on the queue |
| 1212 | longer than the retry timeout, but would be bounced if a delivery was |
| 1213 | forced. I say "may" because I never totally pinned down the problem; |
| 1214 | setting up timeout/retry tests is difficult. See also the next item. |
| 1215 | |
| 1216 | 79. The ultimate address timeout was not being applied to errors that involved |
| 1217 | a combination of host plus message (for example, a timeout on a MAIL |
| 1218 | command). When an address resolved to a number of possible hosts, and they |
| 1219 | were not all tried for each delivery (e.g. because of hosts_max_try), a |
| 1220 | message could remain on the queue longer than the retry timeout. |
| 1221 | |
| 1222 | 80. Sieve bug: "stop" inside "elsif" was broken. Applied a patch from Michael |
| 1223 | Haardt. |
| 1224 | |
| 1225 | 81. Fixed an obscure SMTP outgoing bug which required at least the following |
| 1226 | conditions: (a) there was another message waiting for the same server; |
| 1227 | (b) the server returned 5xx to all RCPT commands in the first message so |
| 1228 | that the message was not completed; (c) the server dropped the connection |
| 1229 | or gave a negative response to the RSET that Exim sends to abort the |
| 1230 | transaction. The observed case was a dropped connection after DATA that had |
| 1231 | been sent in pipelining mode. That is, the server had advertised PIPELINING |
| 1232 | but was not implementing it correctly. The effect of the bug was incorrect |
| 1233 | behaviour, such as trying another host, and this could lead to a crash. |
| 1234 | |
| 1235 | |
| 1236 | Exim version 4.30 |
| 1237 | ----------------- |
| 1238 | |
| 1239 | 1. The 3rd arguments to getsockname(), getpeername(), and accept() in exim.c |
| 1240 | and daemon.c were passed as pointers to ints; they should have been |
| 1241 | pointers to socklen_t variables (which are typically unsigned ints). |
| 1242 | |
| 1243 | 2. Some signed/unsigned type warnings in the os.c file for Linux have been |
| 1244 | fixed. |
| 1245 | |
| 1246 | 3. Fixed a really odd bug that affected only the testing scheme; patching a |
| 1247 | certain fixed string in the binary changed the value of another string that |
| 1248 | happened to be identical to the end of the original first string. |
| 1249 | |
| 1250 | 4. When gethostbyname() (or equivalent) is passed an IP address as a "host |
| 1251 | name", it returns that address as the IP address. On some operating |
| 1252 | systems (e.g. Solaris), it also passes back the IP address string as the |
| 1253 | "host name". However, on others (e.g. Linux), it passes back an empty |
| 1254 | string. Exim wasn't checking for this, and was changing the host name to an |
| 1255 | empty string, assuming it had been canonicized. |
| 1256 | |
| 1257 | 5. Although rare, it is permitted to have more than one PTR record for a given |
| 1258 | IP address. I thought that gethostbyaddr() or getipnodebyaddr() always gave |
| 1259 | all the names associated with an address, because they do in Solaris. |
| 1260 | However, it seems that they do not in Linux for data that comes from the |
| 1261 | DNS. If an address in /etc/hosts has multiple names, they _are_ all given. |
| 1262 | I found this out when I moved to a new Linux workstation and tried to run |
| 1263 | the Exim test suite. |
| 1264 | |
| 1265 | To get round this problem I have changed the code so that it now does its |
| 1266 | own call to the DNS to look up PTR records when searching for a host name. |
| 1267 | If nothing can be found in the DNS, it tries gethostbyaddr(), so that |
| 1268 | addresses that are only in /etc/hosts are still found. |
| 1269 | |
| 1270 | This behaviour is, however, controlled by an option called host_lookup_ |
| 1271 | order, which defaults to "bydns:byaddr". If people want to use the other |
| 1272 | order, or indeed, just use one or the other means of lookup, they can |
| 1273 | specify it in this variable. |
| 1274 | |
| 1275 | 6. If a PTR record yields an empty name, Exim treats it as non-existent. In |
| 1276 | some operating systems, this comes back from gethostbyaddr() as an empty |
| 1277 | string, and this is what Exim used to test for. However, it seems that in |
| 1278 | other systems, "." is yielded. Exim now tests for this case too. |
| 1279 | |
| 1280 | 7. The values of check_spool_space and check_log_space are now held internally |
| 1281 | as a number of kilobytes instead of an absolute number of bytes. If a |
| 1282 | numbers is specified without 'K' or 'M', it is rounded up to the nearest |
| 1283 | kilobyte. This means that much larger values can be stored. |
| 1284 | |
| 1285 | 8. Exim monitor: an attempt to get the action menu when not actually pointing |
| 1286 | at a message produces an empty menu entitled "No message selected". This |
| 1287 | works on Solaris (OpenWindows). However, XFree86 does not like a menu with |
| 1288 | no entries in it ("Shell widget menu has zero width and/or height"). So I |
| 1289 | have added a single, blank menu entry in this case. |
| 1290 | |
| 1291 | 9. Added ${quote_local_part. |
| 1292 | |
| 1293 | 10. MIME decoding is now applied to the contents of Subject: header lines when |
| 1294 | they are logged. |
| 1295 | |
| 1296 | 11. Now that a reference to $sender_host_address automatically causes a reverse |
| 1297 | lookup to occur if necessary (4.13/18), there is no need to arrange for a |
| 1298 | host lookup before query-style lookups in lists that might use this |
| 1299 | variable. This has therefore been abolished, and the "net-" prefix is no |
| 1300 | longer necessary for query-style lookups. |
| 1301 | |
| 1302 | 12. The Makefile for SCO_SV contained a setting of LDFLAGS. This appears to |
| 1303 | have been a typo for LFLAGS, so it has been changed. |
| 1304 | |
| 1305 | 13. The install script calls Exim with "-C /dev/null" in order to find the |
| 1306 | version number. If ALT_CONFIG_PREFIX was set, this caused an error message |
| 1307 | to be output. Howeve, since Exim outputs its version number before the |
| 1308 | error, it didn't break the script. It just looked ugly. I fixed this by |
| 1309 | always allowing "-C /dev/null" if the caller is root. |
| 1310 | |
| 1311 | 14. Ignore overlarge ACL variable number when reading spool file - insurance |
| 1312 | against a later release with more variables having written the file. |
| 1313 | |
| 1314 | 15. The standard form for an IPv6 address literal was being rejected by EHLO. |
| 1315 | Example: [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts |
| 1316 | this, as well as the form without the "IPv6" on the front. |
| 1317 | |
| 1318 | 16. Added CHOWN_COMMAND=/usr/sbin/chown and LIBS=-lresolv to the |
| 1319 | OS/Makefile-Darwin file. |
| 1320 | |
| 1321 | 17. Fixed typo in lookups/ldap.c: D_LOOKUP should be D_lookup. This applied |
| 1322 | only to LDAP libraries that do not have LDAP_OPT_DEREF. |
| 1323 | |
| 1324 | 18. After change 4.21/52, "%ld" was used to format the contents of the $inode |
| 1325 | variable. However, some OS use ints for inodes. I've added cast to long int |
| 1326 | to get rid of the compiler warning. |
| 1327 | |
| 1328 | 19. I had forgotten to lock out "/../" in configuration file names when |
| 1329 | ALT_CONFIG_PREFIX was set. |
| 1330 | |
| 1331 | 20. Routers used for verification do not need to specify transports. However, |
| 1332 | if such a router generated a host list, and callout was configured, Exim |
| 1333 | crashed, because it could not find a port number from the (non-existent) |
| 1334 | transport. It now assumes port 25 in this circumstance. |
| 1335 | |
| 1336 | 21. Added the -t option to exigrep. |
| 1337 | |
| 1338 | 22. If LOOKUP_LSEARCH is defined, all three linear search methods (lsearch, |
| 1339 | wildlsearch, nwildlsearch) are compiled. LOOKUP_WILDLSEARCH and LOOKUP_ |
| 1340 | NWILDLSEARCH are now obsolete, but retained for compatibility. If either of |
| 1341 | them is set, LOOKUP_LSEARCH is forced. |
| 1342 | |
| 1343 | 23. "exim -bV" now outputs a list of lookups that are included in the binary. |
| 1344 | |
| 1345 | 24. Added sender and host information to the "rejected by local_scan()" log |
| 1346 | line; previously there was no indication of these. |
| 1347 | |
| 1348 | 25. Added .include_if_exists. |
| 1349 | |
| 1350 | 26. Change 3.952/11 added an explicit directory sync on top of a file sync for |
| 1351 | Linux. It turns out that not all file systems support this. Apparently some |
| 1352 | versions of NFS do not. (It's rare to put Exim's spool on NFS, but people |
| 1353 | do it.) To cope with this, the error EINVAL, which means that sync-ing is |
| 1354 | not supported on the file descriptor, is now ignored when Exim is trying to |
| 1355 | sync a directory. This applies only to Linux. |
| 1356 | |
| 1357 | 27. Added -DBIND_8_COMPAT to the CLFAGS setting for Darwin. |
| 1358 | |
| 1359 | 28. In Darwin (MacOS X), the PAM headers are in /usr/include/pam and not in |
| 1360 | /usr/include/security. There's now a flag in OS/os.h-Darwin to cope with |
| 1361 | this. |
| 1362 | |
| 1363 | 29. Added support for maildirsize files from supplied patch (modified a bit). |
| 1364 | |
| 1365 | 30. The use of :fail: followed by an empty string could lead Exim to respond to |
| 1366 | sender verification failures with (e.g.): |
| 1367 | |
| 1368 | 550 Verification failed for <xxx> |
| 1369 | 550 Sender verify failed |
| 1370 | |
| 1371 | where the first response line was missing the '-' that indicates it is not |
| 1372 | the final line of the response. |
| 1373 | |
| 1374 | 31. The loop for finding the name of the user that called Exim had a hardwired |
| 1375 | limit of 10; it now uses the value of finduser_retries, which is used for |
| 1376 | all other user lookups. |
| 1377 | |
| 1378 | 32. Added $received_count variable, available in data and not_smtp ACLs, and at |
| 1379 | delivery time. |
| 1380 | |
| 1381 | 33. Exim was neglecting to zero errno before one call of strtol() when |
| 1382 | expanding a string and expecting an integer value. On some systems this |
| 1383 | resulted in spurious "integer overflow" errors. Also, it was casting the |
| 1384 | result into an int without checking. |
| 1385 | |
| 1386 | 34. Testing for a connection timeout using "timeout_connect" in the retry rules |
| 1387 | did not work. The code looks as if it has *never* worked, though it appears |
| 1388 | to have been documented since at least releast 1.62. I have made it work. |
| 1389 | |
| 1390 | 35. The "timeout_DNS" error in retry rules, also documented since at least |
| 1391 | 1.62, also never worked. As it isn't clear exactly what this means, and |
| 1392 | clearly it isn't a major issue, I have abolished the feature by treating it |
| 1393 | as "timeout", and writing a warning to the main and panic logs. |
| 1394 | |
| 1395 | 36. The display of retry rules for -brt wasn't always showing the error code |
| 1396 | correctly. |
| 1397 | |
| 1398 | 37. Added new error conditions to retry rules: timeout_A, timeout_MX, |
| 1399 | timeout_connect_A, timeout_connect_MX. |
| 1400 | |
| 1401 | 38. Rewriting the envelope sender at SMTP time did not allow it to be rewritten |
| 1402 | to the empty sender. |
| 1403 | |
| 1404 | 39. The daemon was not analysing the content of -oX till after it had closed |
| 1405 | stderr and disconnected from the controlling terminal. This meant that any |
| 1406 | syntax errors were only noted on the panic log, and the return code from |
| 1407 | the command was 0. By re-arranging the code a little, I've made the |
| 1408 | decoding happen first, so such errors now appear on stderr, and the return |
| 1409 | code is 1. However, the actual setting up of the sockets still happens in |
| 1410 | the disconnected process, so errors there are still only recorded on the |
| 1411 | panic log. |
| 1412 | |
| 1413 | 40. A daemon listener on a wildcard IPv6 socket that also accepts IPv4 |
| 1414 | connections (as happens on some IP stacks) was logged at start up time as |
| 1415 | just listening for IPv6. It now logs "IPv6 with IPv4". This differentiates |
| 1416 | it from "IPv6 and IPv4", which means that two separate sockets are being |
| 1417 | used. |
| 1418 | |
| 1419 | 41. The debug output for gethostbyname2() or getipnodebyname() failures now |
| 1420 | says whether AF_INET or AF_INET6 was passed as an argument. |
| 1421 | |
| 1422 | 42. Exiwhat output was messed up when time zones were included in log |
| 1423 | timestamps. |
| 1424 | |
| 1425 | 43. Exiwhat now gives more information about the daemon's listening ports, |
| 1426 | and whether -tls-on-connect was used. |
| 1427 | |
| 1428 | 44. The "port" option of the smtp transport is now expanded. |
| 1429 | |
| 1430 | 45. A "message" modifier in a "warn" statement in a non-message ACL was being |
| 1431 | silently ignored. Now an error message is written to the main and panic |
| 1432 | logs. |
| 1433 | |
| 1434 | 46. There's a new ACL modifier called "logwrite" which writes to a log file |
| 1435 | as soon as it is encountered. |
| 1436 | |
| 1437 | 47. Added $local_user_uid and $local_user_gid at routing time. |
| 1438 | |
| 1439 | 48. Exim crashed when trying to verify a sender address that was being |
| 1440 | rewritten to "<>". |
| 1441 | |
| 1442 | 49. Exim was recognizing only a space character after ".include". It now also |
| 1443 | recognizes a tab character. |
| 1444 | |
| 1445 | 50. Fixed several bugs in the Perl script that creates the exim.8 man page by |
| 1446 | extracting the relevant information from the specification. The man page no |
| 1447 | longer contains scrambled data for the -d option, and I've added a section |
| 1448 | at the front about calling Exim under different names. |
| 1449 | |
| 1450 | 51. Added "extra_headers" argument to the "mail" command in filter files. |
| 1451 | |
| 1452 | 52. Redirecting mail to an unqualified address in a Sieve filter caused Exim to |
| 1453 | crash. |
| 1454 | |
| 1455 | 53. Installed eximstats 1.29. |
| 1456 | |
| 1457 | 54. Added transport_filter_timeout as a generic transport option. |
| 1458 | |
| 1459 | 55. Exim no longer adds an empty Bcc: header to messages that have no To: or |
| 1460 | Cc: header lines. This was required by RFC 822, but it not required by RFC |
| 1461 | 2822. |
| 1462 | |
| 1463 | 56. Exim used to add From:, Date:, and Message-Id: header lines to any |
| 1464 | incoming messages that did not have them. Now it does so only if the |
| 1465 | message originates locally, that is, if there is no associated remote host |
| 1466 | address. When Resent- header lines are present, this applies to the Resent- |
| 1467 | lines rather than the non-Resent- lines. |
| 1468 | |
| 1469 | 57. Drop incoming SMTP connection after too many syntax or protocol errors. The |
| 1470 | limit is controlled by smtp_max_synprot_errors, defaulting to 3. |
| 1471 | |
| 1472 | 58. Messages for configuration errors now include the name of the main |
| 1473 | configuration file - useful now that there may be more than one file in a |
| 1474 | list (.included file names were always shown). |
| 1475 | |
| 1476 | 59. Change 4.21/82 (run initgroups() when starting the daemon) causes problems |
| 1477 | for those rare installations that do not start the daemon as root or run it |
| 1478 | setuid root. I've cut out the call to initgroups() if the daemon is not |
| 1479 | root at that time. |
| 1480 | |
| 1481 | 60. The Exim user and group can now be bound into the binary as text strings |
| 1482 | that are looked up at the start of Exim's processing. |
| 1483 | |
| 1484 | 61. Applied a small patch for the Interbase code, supplied by Ard Biesheuvel. |
| 1485 | |
| 1486 | 62. Added $mailstore_basename variable. |
| 1487 | |
| 1488 | 63. Installed patch to sieve.c from Michael Haardt. |
| 1489 | |
| 1490 | 64. When Exim failed to open the panic log after failing to open the main log, |
| 1491 | the original message it was trying to log was written to stderr and debug |
| 1492 | output, but if they were not available (the usual case in production), it |
| 1493 | was lost. Now it is written to syslog before the two lines that record the |
| 1494 | failures to open the logs. |
| 1495 | |
| 1496 | 65. Users' Exim filters run in subprocesses under the user's uid. It is |
| 1497 | possible for a "deliver" command or an alias in a "personal" command to |
| 1498 | provoke an address rewrite. If logging of address rewriting is configured, |
| 1499 | this fails because the process is not running as root or exim. There may be |
| 1500 | a better way of dealing with this, but for the moment (because 4.30 needs |
| 1501 | to be released), I have disabled address rewrite logging when running a |
| 1502 | filter in a non-root, non-exim process. |
| 1503 | |
| 1504 | |
| 1505 | Exim version 4.24 |
| 1506 | ----------------- |
| 1507 | |
| 1508 | 1. The buildconfig auxiliary program wasn't quoting the value set for |
| 1509 | HEADERS_CHARSET. This caused a compilation error complaining that 'ISO' was |
| 1510 | not defined. This bug was masked in 4.22 by the effect that was fixed in |
| 1511 | change 4.23/1. |
| 1512 | |
| 1513 | 2. Some messages that were rejected after a message id was allocated were |
| 1514 | shown as "incomplete" by exigrep. It no longer does this for messages that |
| 1515 | are rejected by local_scan() or the DATA or non-SMTP ACLs. |
| 1516 | |
| 1517 | 3. If a Message-ID: header used a domain literal in the ID, and Exim did not |
| 1518 | have allow_domain_literals set, the ID did not get logged in the <= line. |
| 1519 | Domain literals are now always recognized in Message-ID: header lines. |
| 1520 | |
| 1521 | 4. The first argument for a ${extract expansion item is the key name or field |
| 1522 | number. Leading and trailing spaces in this item were not being ignored, |
| 1523 | causing some misleading effects. |
| 1524 | |
| 1525 | 5. When deliver_drop_privilege was set, single queue runner processes started |
| 1526 | manually (i.e. by the command "exim -q") or by the daemon (which uses the |
| 1527 | same command in the process it spins off) were not dropping privilege. |
| 1528 | |
| 1529 | 6. When the daemon running as "exim" started a queue runner, it always |
| 1530 | re-executed Exim in the spun-off process. This is a waste of effort when |
| 1531 | deliver_drop_privilege is set. The new process now just calls the |
| 1532 | queue-runner function directly. |
| 1533 | |
| 1534 | |
| 1535 | Exim version 4.23 |
| 1536 | ----------------- |
| 1537 | |
| 1538 | 1. Typo in the src/EDITME file: it referred to HEADERS_DECODE_TO instead of |
| 1539 | HEADERS_CHARSET. |
| 1540 | |
| 1541 | 2. Change 4.21/73 introduced a bug. The pid file path set by -oP was being |
| 1542 | ignored. Though the use of -oP was forcing the writing of a pid file, it |
| 1543 | was always written to the default place. |
| 1544 | |
| 1545 | 3. If the message "no IP address found for host xxxx" is generated during |
| 1546 | incoming verification, it is now followed by identification of the incoming |
| 1547 | connection (so you can more easily find what provoked it). |
| 1548 | |
| 1549 | 4. Bug fix for Sieve filters: "stop" inside a block was not working properly. |
| 1550 | |
| 1551 | 5. Added some features to "harden" Exim a bit more against certain attacks: |
| 1552 | |
| 1553 | (a) There is now a build-time option called FIXED_NEVER_USERS that can |
| 1554 | be put in Local/Makefile. This is like the never_users runtime option, |
| 1555 | but it cannot be overridden. The default setting is "root". |
| 1556 | |
| 1557 | (b) If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a |
| 1558 | prefix string with which any file named in a -C command line option |
| 1559 | must start. |
| 1560 | |
| 1561 | (c) If ALT_CONFIG_ROOT_ONLY is defined in Local/Makefile, root privilege |
| 1562 | is retained for -C and -D only if the caller of Exim is root. Without |
| 1563 | it, the exim user may also use -C and -D and retain privilege. |
| 1564 | |
| 1565 | (d) If DISABLE_D_OPTION is defined in Local/Makefile, the use of the -D |
| 1566 | command line option is disabled. |
| 1567 | |
| 1568 | 6. Macro names set by the -D option must start with an upper case letter, just |
| 1569 | like macro names defined in the configuration file. |
| 1570 | |
| 1571 | 7. Added "dereference=" facility to LDAP. |
| 1572 | |
| 1573 | 8. Two instances of the typo "uknown" in the source files are fixed. |
| 1574 | |
| 1575 | 9. If a PERL_COMMAND setting in Local/Makefile was not at the start of a line, |
| 1576 | the Configure-Makefile script screwed up while processing it. |
| 1577 | |
| 1578 | 10. Incorporated PCRE 4.4. |
| 1579 | |
| 1580 | 11. The SMTP synchronization check was not operating right at the start of an |
| 1581 | SMTP session. For example, it could not catch a HELO sent before the client |
| 1582 | waited for the greeting. There is now a check for outstanding input at the |
| 1583 | point when the greeting is written. Because of the duplex, asynchronous |
| 1584 | nature of TCP/IP, it cannot be perfect - the incorrect input may be on its |
| 1585 | way, but not yet received, when the check is performed. |
| 1586 | |
| 1587 | 12. Added tcp_nodelay to make it possible to turn of the setting of TCP_NODELAY |
| 1588 | on TCP/IP sockets, because this apparently causes some broken clients to |
| 1589 | timeout. |
| 1590 | |
| 1591 | 13. Installed revised OS/Makefile-CYGWIN and OS/os.c-cygwin (the .h file was |
| 1592 | unchanged) from the Cygwin maintainer. |
| 1593 | |
| 1594 | 14. The code for -bV that shows what is in the binary showed "mbx" when maildir |
| 1595 | was supported instead of testing for mbx. Effectively a typo. |
| 1596 | |
| 1597 | 15. The spa authenticator server code was not checking that the input it |
| 1598 | received was valid base64. |
| 1599 | |
| 1600 | 16. The debug output line for the "set" modifier in ACLs was not showing the |
| 1601 | name of the variable that was being set. |
| 1602 | |
| 1603 | 17. Code tidy: the variable type "vtype_string" was never used. Removed it. |
| 1604 | |
| 1605 | 18. Previously, a reference to $sender_host_name did not cause a DNS reverse |
| 1606 | lookup on its own. Something else was needed to trigger the lookup. For |
| 1607 | example, a match in host_lookup or the need for a host name in a host list. |
| 1608 | Now, if $sender_host_name is referenced and the host name has not yet been |
| 1609 | looked up, a lookup is performed. If the lookup fails, the variable remains |
| 1610 | empty, and $host_lookup_failed is set to "1". |
| 1611 | |
| 1612 | 19. Added "eqi" as a case-independent comparison operator. |
| 1613 | |
| 1614 | 20. The saslauthd authentication condition could segfault if neither service |
| 1615 | nor realm was specified. |
| 1616 | |
| 1617 | 21. If an overflowing value such as "2048M" was set for message_size_limit, the |
| 1618 | error message that was logged was misleading, and incoming SMTP |
| 1619 | connections were dropped. The message is now more accurate, and temporary |
| 1620 | errors are given to SMTP connections. |
| 1621 | |
| 1622 | 22. In some error situations (such as 21 above) Exim rejects all SMTP commands |
| 1623 | (except RSET) with a 421 error, until QUIT is received. However, it was |
| 1624 | failing to send a response to QUIT. |
| 1625 | |
| 1626 | 23. The HELO ACL was being run before the code for helo_try_verify_hosts, |
| 1627 | which made it impossible to use "verify = helo" in the HELO ACL. The HELO |
| 1628 | ACL is now run after the helo_try_verify_hosts code. |
| 1629 | |
| 1630 | 24. "{MD5}" and "{SHA1}" are now recognized as equivalent to "{md5"} and |
| 1631 | "{sha1}" in the "crypteq" expansion condition (in fact the comparison is |
| 1632 | case-independent, so other case variants are also recognized). Apparently |
| 1633 | some systems use these upper case variants. |
| 1634 | |
| 1635 | 25. If more than two messages were waiting for the same host, and a transport |
| 1636 | filter was specified for the transport, Exim sent two messages over the |
| 1637 | same TCP/IP connection, and then failed with "socket operation on non- |
| 1638 | socket" when it tried to send the third. |
| 1639 | |
| 1640 | 26. Added Exim::debug_write and Exim::log_write for embedded Perl use. |
| 1641 | |
| 1642 | 27. The extern definition of crypt16() in expand.c was not being excluded when |
| 1643 | the OS had its own crypt16() function. |
| 1644 | |
| 1645 | 28. Added bounce_return_body as a new option, and bounce_return_size_limit |
| 1646 | as a preferred synonym for return_size_limit, both as an option and as an |
| 1647 | expansion variable. |
| 1648 | |
| 1649 | 29. Added LIBS=-liconv to OS/Makefile-OSF1. |
| 1650 | |
| 1651 | 30. Changed the default configuration ACL to relax the local part checking rule |
| 1652 | for addresses that are not in any local domains. For these addresses, |
| 1653 | slashes and pipe symbols are allowed within local parts, but the sequence |
| 1654 | /../ is explicitly forbidden. |
| 1655 | |
| 1656 | 31. SPA server authentication was not clearing the challenge buffer before |
| 1657 | using it. |
| 1658 | |
| 1659 | 32. log_message in a "warn" ACL statement was writing to the reject log as |
| 1660 | well as to the main log, which contradicts the documentation and doesn't |
| 1661 | seem right (because no rejection is happening). So I have stopped it. |
| 1662 | |
| 1663 | 33. Added Ard Biesheuvel's lookup code for accessing an Interbase database. |
| 1664 | However, I am unable to do any testing of this. |
| 1665 | |
| 1666 | 34. Fixed an infelicity in the appendfile transport. When checking directories |
| 1667 | for a mailbox, to see if any needed to be created, it was accidentally |
| 1668 | using path names with one or more superfluous leading slashes; tracing |
| 1669 | would show up entries such as stat("///home/ph10", 0xFFBEEA48). |
| 1670 | |
| 1671 | 35. If log_message is set on a "discard" verb in a MAIL or RCPT ACL, its |
| 1672 | contents are added to the log line that is written for every discarded |
| 1673 | recipient. (Previously a log_message setting was ignored.) |
| 1674 | |
| 1675 | 36. The ${quote: operator now quotes the string if it is empty. |
| 1676 | |
| 1677 | 37. The install script runs exim in order to find its version number. If for |
| 1678 | some reason other than non-existence or emptiness, which it checks, it |
| 1679 | could not run './exim', it was installing it with an empty version number, |
| 1680 | i.e. as "exim-". This error state is now caught, and the installation is |
| 1681 | aborted. |
| 1682 | |
| 1683 | 38. An argument was missing from the function that creates an error message |
| 1684 | when Exim fails to connect to the socket for saslauthd authentication. |
| 1685 | This could cause Exim to crash, or give a corrupted message. |
| 1686 | |
| 1687 | 39. Added isip, isip4, and isip6 to ${if conditions. |
| 1688 | |
| 1689 | 40. The ACL variables $acl_xx are now saved with the message, and can be |
| 1690 | accessed later in routers, transports, and filters. |
| 1691 | |
| 1692 | 41. The new lookup type nwildlsearch is like wildlsearch, except that the key |
| 1693 | strings in the file are not string-expanded. |
| 1694 | |
| 1695 | 42. If a MAIL command specified a SIZE value that was too large to fit into an |
| 1696 | int variable, the check against message_size_limit failed. Such values are |
| 1697 | now forced to INT_MAX, which is around 2Gb for a 32-bit variable. Maybe one |
| 1698 | day this will have to be increased, but I don't think I want to be around |
| 1699 | when emails are that large. |
| 1700 | |
| 1701 | |
| 1702 | |
| 1703 | Exim version 4.22 |
| 1704 | ----------------- |
| 1705 | |
| 1706 | 1. Removed HAVE_ICONV=yes from OS/Makefile-FreeBSD, since it seems that |
| 1707 | iconv() is not standard in FreeBSD. |
| 1708 | |
| 1709 | 2. Change 4.21/17 was buggy and could cause stack overwriting on a system with |
| 1710 | IPv6 enabled. The observed symptom was a segmentation fault on return from |
| 1711 | the function os_common_find_running_interfaces() in src/os.c. |
| 1712 | |
| 1713 | 3. In the check_special_case() function in daemon.c I had used "errno" as an |
| 1714 | argument name, which causes warnings on some systems. This was basically a |
| 1715 | typo, since it was named "eno" in the comments! |
| 1716 | |
| 1717 | 4. The code that waits for the clock to tick (at a resolution of some fraction |
| 1718 | of a second) so as to ensure message-id uniqueness was always waiting for |
| 1719 | at least one whole tick, when it could have waited for less. [This is |
| 1720 | almost certainly not relevant at current processor speeds, where it is |
| 1721 | unlikely to ever wait at all. But we try to future-proof.] |
| 1722 | |
| 1723 | 5. The function that sleeps for a time interval that includes fractions of a |
| 1724 | second contained a race. It did not block SIGALRM between setting the |
| 1725 | timer, and suspending (a couple of lines later). If the interval was short |
| 1726 | and the sigsuspend() was delayed until after it had expired, the suspension |
| 1727 | never ended. On busy systems this could lead to processes getting stuck for |
| 1728 | ever. |
| 1729 | |
| 1730 | 6. Some uncommon configurations may cause a lookup to happen in a queue runner |
| 1731 | process, before it forks any delivery processes. The open lookup caching |
| 1732 | mechanism meant that the open file or database connection was passed into |
| 1733 | the delivery process. The problem was that delivery processes always tidy |
| 1734 | up cached lookup data. This could cause a problem for the next delivery |
| 1735 | process started by the queue runner, because the external queue runner |
| 1736 | process does not know about the closure. So the next delivery process |
| 1737 | still has data in the lookup cache. In the case of a file lookup, there was |
| 1738 | no problem because closing a file descriptor in a subprocess doesn't affect |
| 1739 | the parent. However, if the lookup was caching a connection to a database, |
| 1740 | the connection was closed, and the second delivery process was likely to |
| 1741 | see errors such as "PGSQL: query failed: server closed the connection |
| 1742 | unexpectedly". The problem has been fixed by closing all cached lookups |
| 1743 | in a queue runner before running a delivery process. |
| 1744 | |
| 1745 | 7. Compiler warning on Linux for the second argument of iconv(), which doesn't |
| 1746 | seem to have the "const" qualifier which it has on other OS. I've |
| 1747 | parameterised it. |
| 1748 | |
| 1749 | 8. Change 4.21/2 was too strict. It is only if there are two authenticators |
| 1750 | *of the same type* (client or server) with the same public name that an |
| 1751 | error should be diagnosed. |
| 1752 | |
| 1753 | 9. When Exim looked up a host name for an IP address, but failed to find the |
| 1754 | original IP address when looking up the host name (a safety check), it |
| 1755 | output the message "<ip address> does not match any IP for NULL", which was |
| 1756 | confusing, to say the least. The bug was that the host name should have |
| 1757 | appeared instead of "NULL". |
| 1758 | |
| 1759 | 10. Since release 3.03, if Exim is called by a uid other than root or the Exim |
| 1760 | user that is built into the binary, and the -C or -D options is used, root |
| 1761 | privilege is dropped before the configuration file is read. In addition, |
| 1762 | logging is switched to stderr instead of the normal log files. If the |
| 1763 | configuration then re-defines the Exim user, the unprivileged environment |
| 1764 | is probably not what is expected, so Exim logs a panic warning message (but |
| 1765 | proceeds). |
| 1766 | |
| 1767 | However, if deliver_drop_privilege is set, the unprivileged state may well |
| 1768 | be exactly what is intended, so the warning has been cut out in that case, |
| 1769 | and Exim is allowed to try to write to its normal log files. |
| 1770 | |
| 1771 | |
| 1772 | Exim version 4.21 |
| 1773 | ----------------- |
| 1774 | |
| 1775 | 1. smtp_return_error_details was not giving details for temporary sender |
| 1776 | or receiver verification errors. |
| 1777 | |
| 1778 | 2. Diagnose a configuration error if two authenticators have the same public |
| 1779 | name. |
| 1780 | |
| 1781 | 3. Exim used not to create the message log file for a message until the first |
| 1782 | delivery attempt. This could be confusing when incoming messages were held |
| 1783 | for policy or load reasons. The message log file is now created at the time |
| 1784 | the message is received, and an initial "Received" line is written to it. |
| 1785 | |
| 1786 | 4. The automatically generated man page for command line options had a minor |
| 1787 | bug that caused no ill effects; however, a more serious problem was that |
| 1788 | the procedure for building the man page automatically didn't always |
| 1789 | operate. Consequently, release 4.20 contains an out-of-date version. This |
| 1790 | shouldn't happen again. |
| 1791 | |
| 1792 | 5. When building Exim with embedded Perl support, the script that builds the |
| 1793 | Makefile was calling 'perl' to find its compile-time parameters, ignoring |
| 1794 | any setting of PERL_COMMAND in Local/Makefile. This is now fixed. |
| 1795 | |
| 1796 | 6. The freeze_tell option was not being used for messages that were frozen on |
| 1797 | arrival, either by an ACL or by local_scan(). |
| 1798 | |
| 1799 | 7. Added the smtp_incomplete_transaction log selector. |
| 1800 | |
| 1801 | 8. After STARTTLS, Exim was not forgetting that it had advertised AUTH, so it |
| 1802 | was accepting AUTH without a new EHLO. |
| 1803 | |
| 1804 | 9. Added tls_remember_esmtp to cope with YAEB. This allows AUTH and other |
| 1805 | ESMTP extensions after STARTTLS without a new EHLO, in contravention of the |
| 1806 | RFC. |
| 1807 | |
| 1808 | 10. Logging of TCP/IP connections (when configured) now happens in the main |
| 1809 | daemon process instead of the child process, so that the TCP/IP connection |
| 1810 | count is more accurate (but it can never be perfect). |
| 1811 | |
| 1812 | 11. The use of "drop" in a nested ACL was not being handled correctly in the |
| 1813 | outer ACL. Now, if condition failure induced by the nested "drop" causes |
| 1814 | the outer ACL verb to deny access ("accept" or "discard" after "endpass", |
| 1815 | or "require"), the connection is dropped. |
| 1816 | |
| 1817 | 12. Similarly, "discard" in a nested ACL wasn't being handled. A nested ACL |
| 1818 | that yield "discard" can now be used with an "accept" or a "discard" verb, |
| 1819 | but an error is generated for any others (because I can't see a useful way |
| 1820 | to define what should happen). |
| 1821 | |
| 1822 | 13. When an ACL is read dynamically from a file (or anywhere else), the lines |
| 1823 | are now processed in the same way as lines in the Exim configuration file. |
| 1824 | In particular, continuation lines are supported. |
| 1825 | |
| 1826 | 14. Added the "dnslists = a.b.c!=n.n.n.n" feature. |
| 1827 | |
| 1828 | 15. Added -ti meaning -t -i. |
| 1829 | |
| 1830 | 16. Check for letters, digits, hyphens, and dots in the names of dnslist |
| 1831 | domains, and warn by logging if others are found. |
| 1832 | |
| 1833 | 17. At least on BSD, alignment is not guarenteed for the array of ifreq's |
| 1834 | returned from GIFCONF when Exim is trying to find the list of interfaces on |
| 1835 | a host. The code in os.c has been modified to copy each ifreq to an aligned |
| 1836 | structure in all cases. |
| 1837 | |
| 1838 | Also, in some cases, the returned ifreq's were being copied to a 'struct |
| 1839 | ifreq' on the stack, which was subsequently passed to host_ntoa(). That |
| 1840 | means the last couple of bytes of an IPv6 address could be chopped if the |
| 1841 | ifreq contained only a normal sockaddr (14 bytes storage). |
| 1842 | |
| 1843 | 18. Named domain lists were not supported in the hosts_treat_as_local option. |
| 1844 | An entry such as +xxxx was not recognized, and was treated as a literal |
| 1845 | domain name. |
| 1846 | |
| 1847 | 19. Ensure that header lines added by a DATA ACL are included in the reject log |
| 1848 | if the ACL subsequently rejects the message. |
| 1849 | |
| 1850 | 20. Upgrade the cramtest.pl utility script to use Digest::MD5 instead of just |
| 1851 | MD5 (which is deprecated). |
| 1852 | |
| 1853 | 21. When testing a filter file using -bf, Exim was writing a message when it |
| 1854 | took the sender from a "From " line in the message, but it was not doing so |
| 1855 | when it took $return_path from a Return-Path: header line. It now does. |
| 1856 | |
| 1857 | 22. If the contents of a "message" modifier for a "warn" ACL verb do not begin |
| 1858 | with a valid header line field name (a series of printing characters |
| 1859 | terminated by a colon, Exim now inserts X-ACL-Warn: at the beginning. |
| 1860 | |
| 1861 | 23. Changed "disc" in the source to "disk" to conform to the documentation and |
| 1862 | the book and for uniformity. |
| 1863 | |
| 1864 | 24. Ignore Sendmail's -Ooption=value command line item. |
| 1865 | |
| 1866 | 25. When execve() failed while trying to run a command in a pipe transport, |
| 1867 | Exim was returning EX_UNAVAILBLE (69) from the subprocess. However, this |
| 1868 | could be confused with a return value of 69 from the command itself. This |
| 1869 | has been changed to 127, the value the shell returns if it is asked to run |
| 1870 | a non-existent command. The wording for the related log line suggests a |
| 1871 | non-existent command as the problem. |
| 1872 | |
| 1873 | 26. If received_header_text expands to an empty string, do not add a Received: |
| 1874 | header line to the message. (Well, it adds a token one on the spool, but |
| 1875 | marks it "old" so that it doesn't get used or transmitted.) |
| 1876 | |
| 1877 | 27. Installed eximstats 1.28 (addition of -nt option). |
| 1878 | |
| 1879 | 28. There was no check for failure on the call to getsockname() in the daemon |
| 1880 | code. This can fail if there is a shortage of resources on the system, with |
| 1881 | ENOMEM, for example. A temporary error is now given on failure. |
| 1882 | |
| 1883 | 29. Contrary to the C standard, it seems that in some environments, the |
| 1884 | equivalent of setlocale(LC_ALL, "C") is not obeyed at the start of a C |
| 1885 | program. Exim now does this explicitly; it affects the formatting of |
| 1886 | timestamps using strftime(). |
| 1887 | |
| 1888 | 30. If exiqsumm was given junk data, it threw up some uninitialized variable |
| 1889 | complaints. I've now initialized all the variables, to avoid this. |
| 1890 | |
| 1891 | 32. Header lines added by a system filter were not being "seen" during |
| 1892 | transport-time rewrites. |
| 1893 | |
| 1894 | 33. The info_callback() function passed to OpenSSL is set up with type void |
| 1895 | (*)(SSL *, int, int), as described somewhere. However, when calling the |
| 1896 | function (actually a macro) that sets it up, the type void(*)() is |
| 1897 | expected. I've put in a cast to prevent warnings from picky compilers. |
| 1898 | |
| 1899 | 34. If a DNS black list lookup found a CNAME record, but there were no A |
| 1900 | records associated with the domain it pointed at, Exim crashed. |
| 1901 | |
| 1902 | 35. If a DNS black list lookup returned more than one A record, Exim ignored |
| 1903 | all but the first. It now scans all returned addresses if a particular IP |
| 1904 | value is being sought. In this situation, the contents of the |
| 1905 | $dnslist_value variable are a list of all the addresses, separated by a |
| 1906 | comma and a space. |
| 1907 | |
| 1908 | 36. Tightened up the rules for host name lookups using reverse DNS. Exim used |
| 1909 | to accept a host name and all its aliases if the forward lookup for any of |
| 1910 | them yielded the IP address of the incoming connection. Now it accepts only |
| 1911 | those names whose forward lookup yields the correct IP address. Any other |
| 1912 | names are discarded. This closes a loophole whereby a rogue DNS |
| 1913 | administrator could create reverse DNS records to break through a |
| 1914 | wildcarded host restriction in an ACL. |
| 1915 | |
| 1916 | 37. If a user filter or a system filter that ran in a subprocess used any of |
| 1917 | the numerical variables ($1, $2 etc), or $thisaddress, in a pipe command, |
| 1918 | the wrong values were passed to the pipe command ($thisaddress had the |
| 1919 | value of $0, $0 had the value of $1, etc). This bug was introduced by |
| 1920 | change 4.11/101, and not discovered because I wrote an inadequate test. :-( |
| 1921 | |
| 1922 | 38. Improved the line breaking for long SMTP error messages from ACLs. |
| 1923 | Previously, if there was no break point between 40 and 75 characters, Exim |
| 1924 | left the rest of the message alone. Two changes have been made: (a) I've |
| 1925 | reduced the minimum length to 35 characters; (b) if it can't find a break |
| 1926 | point between 35 and 75 characters, it looks ahead and uses the first one |
| 1927 | that it finds. This may give the occasional overlong line, but at least the |
| 1928 | remaining text gets split now. |
| 1929 | |
| 1930 | 39. Change 82 of 4.11 was unimaginative. It assumed the limit on the number of |
| 1931 | file descriptors might be low, and that setting 1000 would always raise it. |
| 1932 | It turns out that in some environments, the limit is already over 1000 and |
| 1933 | that lowering it causes trouble. So now Exim takes care not to decrease it. |
| 1934 | |
| 1935 | 40. When delivering a message, the value of $return_path is set to $sender_ |
| 1936 | address at the start of routing (routers may change the value). By an |
| 1937 | oversight, this default was not being set up when an address was tested by |
| 1938 | -bt or -bv, which affected the outcome if any router or filter referred to |
| 1939 | $return_path. |
| 1940 | |
| 1941 | 41. The idea of the "warn" ACL verb is that it adds a header or writes to the |
| 1942 | log only when "message" or "log_message" are set. However, if one of the |
| 1943 | conditions was an address verification, or a call to a nested ACL, the |
| 1944 | messages generated by the underlying test were being passed through. This |
| 1945 | no longer happens. The underlying message is available in $acl_verify_ |
| 1946 | message for both "message" and "log_message" expansions, so it can be |
| 1947 | passed through if needed. |
| 1948 | |
| 1949 | 42. Added RFC 2047 interpretation of header lines for $h_ expansions, with a |
| 1950 | new expansion $bh_ to give the encoded byte string without charset |
| 1951 | translation. Translation happens only if iconv() is available; HAVE_ICONV |
| 1952 | indicates this at build time. HEADERS_CHARSET gives the charset to |
| 1953 | translate to; headers_charset can change it in the configuration, and |
| 1954 | "headers charset" can change it in an individual filter file. |
| 1955 | |
| 1956 | 43. Now that we have a default RFC 2047 charset (see above), the code in Exim |
| 1957 | that creates RFC 2047 encoded "words" labels them as that charset instead |
| 1958 | of always using iso-8859-1. The cases are (i) the explicit ${rfc2047: |
| 1959 | expansion operator; (ii) when Exim creates a From: line for a local |
| 1960 | message; (iii) when a header line is rewritten to include a "phrase" part. |
| 1961 | |
| 1962 | 44. Nasty bug in exiqsumm: the regex to skip already-delivered addresses was |
| 1963 | buggy, causing it to skip the first lines of messages whose message ID |
| 1964 | ended in 'D'. This would not have bitten before Exim release 4.14, because |
| 1965 | message IDs were unlikely to end in 'D' before then. The effect was to have |
| 1966 | incorrect size information for certain domains. |
| 1967 | |
| 1968 | 45. #include "config.h" was missing at the start of the crypt16.c module. This |
| 1969 | caused trouble on Tru64 (aka OSF1) systems, because HAVE_CRYPT16 was not |
| 1970 | noticed. |
| 1971 | |
| 1972 | 46. If there was a timeout during a "random" callout check, Exim treated it as |
| 1973 | a failure of the random address, and carried on sending RSET and the real |
| 1974 | address. If the delay was just some slowness somewhere, the response to the |
| 1975 | original RCPT would be taken as a response to RSET and so on, causing |
| 1976 | mayhem of various kinds. |
| 1977 | |
| 1978 | 47. Change 50 for 4.20 was a heap of junk. I don't know what I was thinking |
| 1979 | when I implemented it. It didn't allow for the fact that some option values |
| 1980 | may legitimatetly be negative (e.g. size_addition), and it didn't even do |
| 1981 | the right test for positive values. |
| 1982 | |
| 1983 | 48. Domain names in DNS records are case-independent. Exim always looks them up |
| 1984 | in lower case. Some resolvers return domain names in exactly the case they |
| 1985 | appear in the zone file, that is, they may contain uppercase letters. Not |
| 1986 | all resolvers do this - some return always lower case. Exim was treating a |
| 1987 | change of case by a resolver as a change of domain, similar to a widening |
| 1988 | of a domain abbreviation. This triggered its re-routing code and so it was |
| 1989 | trying to route what was effectively the same domain again. This normally |
| 1990 | caused routing to fail (because the router wouldn't handle the domain |
| 1991 | twice). Now Exim checks for this case specially, and just changes the |
| 1992 | casing of the domain that it ultimately uses when it transmits the message |
| 1993 | envelope. |
| 1994 | |
| 1995 | 49. Added Sieve (RFC 3028) support, courtesy of Michael Haardt's contributed |
| 1996 | module. |
| 1997 | |
| 1998 | 50. If a filter generated a file delivery with a non-absolute name (possible if |
| 1999 | no home directory exists for the router), the forbid_file option was not |
| 2000 | forbidding it. |
| 2001 | |
| 2002 | 51. Added '&' feature to dnslists, to provide bit mask matching in addition to |
| 2003 | the existing equality matching. |
| 2004 | |
| 2005 | 52. Exim was using ints instead of ino_t variables in some places where it was |
| 2006 | dealing with inode numbers. |
| 2007 | |
| 2008 | 53. If TMPDIR is defined in Local/Makefile (default in src/EDITME is |
| 2009 | TMPDIR="/tmp"), Exim checks for the presence of an environment variable |
| 2010 | called TMPDIR, and if it finds it is different, it changes its value. |
| 2011 | |
| 2012 | 54. The smtp_printf() function is now made available to local_scan() so |
| 2013 | additional output lines can be written before returning. There is also an |
| 2014 | smtp_fflush() function to enable the detection of a dropped connection. |
| 2015 | The variables smtp_input and smtp_batched_input are exported to |
| 2016 | local_scan(). |
| 2017 | |
| 2018 | 55. Changed the default runtime configuration: the message "Unknown user" |
| 2019 | has been removed from the ACL, and instead placed on the localuser router, |
| 2020 | using the cannot_route_message feature. This means that any verification |
| 2021 | failures that generate their own messages won't get overridden. Similarly, |
| 2022 | the "Unrouteable address" message that was in the ACL for unverifiable |
| 2023 | relay addresses has also been removed. |
| 2024 | |
| 2025 | 56. Added hosts_avoid_esmtp to the smtp transport. |
| 2026 | |
| 2027 | 57. The exicyclog script was not checking for the esoteric option |
| 2028 | CONFIGURE_FILE_USE_EUID in the Local/Makefile. It now does this, but it |
| 2029 | will work only if exicyclog is run under the appropriate euid. |
| 2030 | |
| 2031 | 58. Following a discussion on the list, the rules by which Exim recognises line |
| 2032 | endings on incoming messages have been changed. The -dropcr and drop_cr |
| 2033 | options are now no-ops, retained only for backwards compatibility. The |
| 2034 | following line terminators are recognized: LF CRLF CR. However, special |
| 2035 | processing applies to CR: |
| 2036 | |
| 2037 | (i) The sequence CR . CR does *not* terminate an incoming SMTP message, |
| 2038 | nor a local message in the state where . is a terminator. |
| 2039 | |
| 2040 | (ii) If a bare CR is encountered in a header line, an extra space is added |
| 2041 | after the line terminator so as not to end the header. The reasoning |
| 2042 | behind this is that bare CRs in header lines are most likely either |
| 2043 | to be mistakes, or people trying to play silly games. |
| 2044 | |
| 2045 | 59. The size of a message, as listed by "-bp" or in the Exim monitor window, |
| 2046 | was being incorrectly given as 18 bytes larger than it should have been. |
| 2047 | This is a VOB (very old bug). |
| 2048 | |
| 2049 | 60. This may never have affected anything current, but just in case it has: |
| 2050 | When the local host is found other than at the start of a list of hosts, |
| 2051 | the local host, those with the same MX, and any that follow, are discarded. |
| 2052 | When the list in question was part of a longer list of hosts, the following |
| 2053 | hosts (not currently being processed) were also being discarded. This no |
| 2054 | longer happens. I'm not sure if this situation could ever has previously |
| 2055 | arisen. |
| 2056 | |
| 2057 | 61. Added the "/MX" feature to lists of hosts in the manualroute and query |
| 2058 | program routers. |
| 2059 | |
| 2060 | 62. Whenever Exim generates a new message, it now adds an Auto-Submitted: |
| 2061 | header. This is something that is recommended in a new Internet Draft, and |
| 2062 | is something that is documented as being done by Sendmail. There are two |
| 2063 | possible values. For messages generated by the autoreply transport, Exim |
| 2064 | adds: |
| 2065 | |
| 2066 | Auto-Submitted: auto-replied |
| 2067 | |
| 2068 | whereas for all other generated messages (e.g. bounces) it adds |
| 2069 | |
| 2070 | Auto-Submitted: auto-generated |
| 2071 | |
| 2072 | 63. The "personal" condition in filters now includes a test for the |
| 2073 | Auto-Submitted: header. If it contains the string "auto-" the message it |
| 2074 | not considered personal. |
| 2075 | |
| 2076 | 64. Added rcpt_include_affixes as a generic transport option. |
| 2077 | |
| 2078 | 65. Added queue_only_override (default true). |
| 2079 | |
| 2080 | 66. Added the syslog_duplication option. |
| 2081 | |
| 2082 | 67. If what should have been the first header line of a message consisted of |
| 2083 | a space followed by a colon, Exim was mis-interpreting it as a header line. |
| 2084 | It isn't of course - it is syntactically invalid and should therefore be |
| 2085 | treated as the start of the message body. The misbehaviour could have |
| 2086 | caused a number of strange effects, including loss of data in subsequent |
| 2087 | header lines, and spool format errors. |
| 2088 | |
| 2089 | 68. Formerly, the AUTH parameter on a MAIL command was trusted only if the |
| 2090 | client host had authenticated. This control can now be exercised by an ACL |
| 2091 | for more flexibility. |
| 2092 | |
| 2093 | 69. By default, callouts do not happen when testing with -bh. There is now a |
| 2094 | variant, -bhc, which does actually run the callout code, including |
| 2095 | consulting and updating the callout cache. |
| 2096 | |
| 2097 | 70. Added support for saslauthd authentication, courtesy of Alexander |
| 2098 | Sabourenkov. |
| 2099 | |
| 2100 | 71. If statvfs() failed on the spool or log directories while checking their |
| 2101 | size for availability, Exim confusingly gave the error "space shortage". |
| 2102 | Furthermore, in debugging mode it crashed with a floating point exception. |
| 2103 | These checks are done if check_{spool,log}_{space,inodes} are set, and when |
| 2104 | an SMTP message arrives with SIZE= on the MAIL command. As this is a really |
| 2105 | serious problem, Exim now writes to the main and panic logs when this |
| 2106 | happens, with details of the failure. It then refuses to accept the |
| 2107 | incoming message, giving the message "spool directory problem" or "log |
| 2108 | directory problem" with a 421 code for SMTP messages. |
| 2109 | |
| 2110 | 72. When Exim is about to re-exec itself, it ensures that the file descriptors |
| 2111 | 0, 1, and 2 exist, because some OS complain for execs without them (see |
| 2112 | ChangeLog 4.05/30). If necessary, Exim opens /dev/null to use for these |
| 2113 | descriptors. However, the code omitted to check that the open succeeded, |
| 2114 | causing mysterious errors if for some reason the permissions on /dev/null |
| 2115 | got screwed. Now Exim writes a message to the main and panic logs, and |
| 2116 | bombs out if it can't open /dev/null. |
| 2117 | |
| 2118 | 73. Re-vamped the way daemon_smtp_port, local_interfaces, and -oX work and |
| 2119 | interact so that it is all more flexible. It is supposed to remain |
| 2120 | backwards compatible. Also added extra_local_interfaces. |
| 2121 | |
| 2122 | 74. Invalid data sent to a SPA (NTLM) server authenticator could cause the code |
| 2123 | to bomb out with an assertion failure - to the client this appears as a |
| 2124 | connection drop. This problem occurs in the part of the code that was taken |
| 2125 | from the Samba project. Fortunately, the assertion is in a very simple |
| 2126 | function, so I have fixed this by reproducing the function inline in the |
| 2127 | one place where it is called, and arranging for authentication to fail |
| 2128 | instead of killing the process with assert(). |
| 2129 | |
| 2130 | 75. The SPA client code was not working when the server requested OEM rather |
| 2131 | than Unicode encoding. |
| 2132 | |
| 2133 | 76. Added code to make require_files with a specific uid setting more usable in |
| 2134 | the case where statting the file as root fails - usually a non-root-mounted |
| 2135 | NFS file system. When this happens and the failure is EACCES, Exim now |
| 2136 | forks a subprocess and does the per-uid checking as the relevant uid. |
| 2137 | |
| 2138 | 77. Added process_log_path. |
| 2139 | |
| 2140 | 78. If log_file_path was not explicitly set, a setting of check_log_space or |
| 2141 | check_log_inodes was ignored. |
| 2142 | |
| 2143 | 79. If a space check for the spool or log partitions fails, the incident is now |
| 2144 | logged. Of course, in the latter case the data may get lost... |
| 2145 | |
| 2146 | 80. Added the %p formatting code to string_format() so that it can be used to |
| 2147 | print addresses in debug_print(). Adjusted all the address printing in the |
| 2148 | debugging in store.c to use %p rather than %d. |
| 2149 | |
| 2150 | 81. There was a concern that a line of code in smtp_in.c could overflow a |
| 2151 | buffer if a HELO/EHLO command was given followed by 500 or so spaces. As |
| 2152 | initially expressed, the concern was not well-founded, because trailing |
| 2153 | spaces are removed early. However, if the trailing spaces were followed by |
| 2154 | a NULL, they did not get removed, so the overflow was possible. Two fixes |
| 2155 | were applied: |
| 2156 | |
| 2157 | (a) I re-wrote the offending code in a cleaner fashion. |
| 2158 | (b) If an incoming SMTP command contains a NULL character, it is rejected |
| 2159 | as invalid. |
| 2160 | |
| 2161 | 82. When Exim changes uid/gid to the Exim user at daemon start time, it now |
| 2162 | runs initgroups(), so that if the Exim user is in any additional groups, |
| 2163 | they will be used during message reception. |
| 2164 | |
| 2165 | |
| 2166 | Exim version 4.20 |
| 2167 | ----------------- |
| 2168 | |
| 2169 | The change log for 4.20 and earlier releases has been archived. |
| 2170 | |
| 2171 | **** |