| 1 | Change log file for Exim from version 3.951 to 4.20 |
| 2 | --------------------------------------------------- |
| 3 | |
| 4 | |
| 5 | Exim version 4.20 |
| 6 | ----------------- |
| 7 | |
| 8 | 1. If data for an authentication interaction was just the string "=", |
| 9 | indicating an empty string, Exim was not setting up the numerical variable |
| 10 | correctly. In some situations, this could cause a crash - in others, it |
| 11 | might have passed unnoticed. |
| 12 | |
| 13 | 2. Changed signal(SIGTERM, command_sigterm_handler) in smtp_in.c to use |
| 14 | os_non_restarting_signal() for tidiness; in practice this doesn't actually |
| 15 | matter because the handler terminates the process. |
| 16 | |
| 17 | 3. Refactoring: |
| 18 | |
| 19 | (a) In some (but not all) places where Exim applies timers using alarm(), |
| 20 | it was resetting the SIGALRM handler afterwards, but sometimes to |
| 21 | SIG_IGN and sometimes to SIG_DFL. In other words, it was a mess. In |
| 22 | fact, this reset is not necessary, because after alarm(0) there is no |
| 23 | possibility of receiving a SIGLARM signal. So I've just removed them |
| 24 | all. |
| 25 | |
| 26 | (b) The daemon.c module had its own SIGALRM handler, which was unnecessary. |
| 27 | I changed it to use the handler that is used (almost) everywhere else. |
| 28 | |
| 29 | (c) Almost all uses of SIGALRM use the same handler, but it was being set |
| 30 | by signal() all over the place. Now it is set at the start, and it |
| 31 | resets itself every time it is called, so it remains enabled |
| 32 | throughout. The few places that use a different handler reset to the |
| 33 | "standard" one afterwards. |
| 34 | |
| 35 | (d) The setting of the SIGTERM handler while reading SMTP commands was done |
| 36 | somwhat untidily. I have re-arranged the code. |
| 37 | |
| 38 | 4. If the building process was interrupted during the MakeLinks script, a |
| 39 | subsequent run of 'make' gave misleading errors. I've made it a bit more |
| 40 | robust against this case. If there appears to be a half-made set of links, |
| 41 | an error message suggests that the user should remove the build directory |
| 42 | and start again. |
| 43 | |
| 44 | 5. For compatibility with other MTAs, -f "" is now accepted as synonymous with |
| 45 | -f "<>". |
| 46 | |
| 47 | 6. Upgraded to PCRE 4.1. |
| 48 | |
| 49 | 7. If a domain list contained @mx_any, or @mx_secondary, and the DNS contained |
| 50 | secondary MX records for a domain, but all the other MX (higher priority) |
| 51 | records pointed to non-existent hosts, Exim was behaving as if the domain |
| 52 | did not match the list item. This has been fixed. |
| 53 | |
| 54 | 8. Upgraded eximstats to 1.27. |
| 55 | |
| 56 | 9. It was reported that change 4.14/46(b) caused problems on some systems with |
| 57 | older libraries. There is now an option that can be set in Local/Makefile |
| 58 | (or in a operating system Makefile): |
| 59 | |
| 60 | IPV6_USE_INET_PTON=yes |
| 61 | |
| 62 | If this is done, Exim reverts to using inet_pton() to convert a textual |
| 63 | IPv6 address for actual use, instead of getaddrinfo(), as it did in |
| 64 | versions before 4.14. Of course, this means that the additional |
| 65 | functionality of getaddrinfo() - recognizing scoped addresses - is lost. |
| 66 | |
| 67 | 10. Update for PostgreSQL to match 4.14/14: after an insert, delete, or update |
| 68 | command, the result is the number of rows affected. |
| 69 | |
| 70 | 11. If smtp_banner expanded to an empty string, no greeting line was sent, thus |
| 71 | causing the client to time out. An empty 220 response is now sent. |
| 72 | |
| 73 | 12. An empty argument was logged as a null string by the "arguments" log |
| 74 | selector. Now empty strings and arguments that contain whitespace are |
| 75 | surrounded by quotes. |
| 76 | |
| 77 | 13. The "arguments" log selector now also logs the current working directory |
| 78 | when Exim is called. |
| 79 | |
| 80 | 14. Added a couple more debugging calls to tls-openssl. |
| 81 | |
| 82 | 15. Changed the name of the global variable ldap_version because some LDAP |
| 83 | library uses the same name, which causes a clash. It's now called |
| 84 | eldap_version. While I was at it, I changed the other two global variables, |
| 85 | ldap_default_servers and ldap_dn. |
| 86 | |
| 87 | 16. If an address that is verified in an ACL is redirected to a single address, |
| 88 | Exim verifies the child (this is not new). However, the value of $address_ |
| 89 | data that was being returned was the value from the parent. It is now the |
| 90 | value from the child. |
| 91 | |
| 92 | 17. Re-arranged the code for rda_is_filter() to make it easier to add other |
| 93 | filter types in future. |
| 94 | |
| 95 | 18. Removed the filter test function from filter.c and put it into its own |
| 96 | source file, again to make things easier for multiple filter types. |
| 97 | |
| 98 | 19. To help those people who are maintaining a patch for dynamically loaded |
| 99 | local_scan() functions, I have added |
| 100 | |
| 101 | #define LOCAL_SCAN_ABI_VERSION_MAJOR 1 |
| 102 | #define LOCAL_SCAN_ABI_VERSION_MINOR 0 |
| 103 | |
| 104 | to the local_scan.h file. |
| 105 | |
| 106 | 20. The variables $tls_certificate_verified, $tls_cipher, and $tls_peerdn now |
| 107 | exist even when Exim is not compiled with TLS support. |
| 108 | |
| 109 | 21. If an empty user name was sent by a client for a LOGIN authentication, it |
| 110 | was not put into $1; instead, the password ended up in $1 (instead of in |
| 111 | $2). |
| 112 | |
| 113 | 22. When creating a temporary file in the appendfile transport for a per-file |
| 114 | delivery not in maildir or mailstore format (that is, in the old Smail |
| 115 | format - I wonder if anyone uses this?), Exim was opening the file without |
| 116 | O_EXCL, which is a bit unsafe. |
| 117 | |
| 118 | 23. The output from the ${stat: expansion operator was being formatted using %d |
| 119 | which expects an integer; in many (most) systems size_t is off_t, which |
| 120 | is actually a long or even a longlong, and in some cases this caused |
| 121 | incorrect data to be output. The formatting is now done using %ld, with the |
| 122 | values all explicitly cast to (long). |
| 123 | |
| 124 | 24. Callout caching was failing to cache a negative response to a "random" |
| 125 | address check. |
| 126 | |
| 127 | 25. If a daemon was started with -qsomething and not -bd, and deliver_drop_ |
| 128 | privilege was set, and a pid file was specified with -oP, and the pid file |
| 129 | did not previously exist, it was created with owner exim instead of owner |
| 130 | root. |
| 131 | |
| 132 | 26. verify=sender was not being allowed in a non-SMTP ACL. |
| 133 | |
| 134 | 27. Under some error conditions, the socket used for ident calls could be left |
| 135 | open. |
| 136 | |
| 137 | 28. Added acl_smtp_helo, because some people seem to want it. |
| 138 | |
| 139 | 29. For hosts that match helo_verify_hosts, the error given when a MAIL command |
| 140 | is received without HELO or EHLO has been changed from 550 to 503 (which |
| 141 | means "bad sequence of commands"). |
| 142 | |
| 143 | 30. Installed PCRE 4.2. |
| 144 | |
| 145 | 31. The quota_size_regex option for the appendfile transport was broken in that |
| 146 | a terminating zero was omitted from the string that was extracted for the |
| 147 | size. If it happened that digits followed in the memory to which it was |
| 148 | copied, an incorrect (too large) size was then used. |
| 149 | |
| 150 | 32. Change 4.14/32 (iv) introduced a bug in the case when the "phrase" part of |
| 151 | a rewritten address did *not* contain any special characters. The |
| 152 | generated address was mangled. |
| 153 | |
| 154 | 33. Several items of refactoring from Michael Haardt: |
| 155 | |
| 156 | . Introduction of "const" in a number of places |
| 157 | . Use memcpy() instead of strncpy() in string_cat() |
| 158 | . Add HAVE_ICONV to Linux file, for external users (Exim doesn't use it) |
| 159 | [Later: From 4.21, Exim *does* use it.] |
| 160 | . Preparation for adding additional types of filter file |
| 161 | |
| 162 | 34. Changed (incompatibly, but hopefully not so it affects anyone) the |
| 163 | appendfile transport in the case when it is called directly as a result of |
| 164 | a .forward or a filter file requesting a delivery to a file. Previously, |
| 165 | any settings of "file" or "directory" were ignored in this case. Now they |
| 166 | are used. The path received from the router is in $address_file (as |
| 167 | before) and can therefore be included in the expansion. |
| 168 | |
| 169 | 35. If a "save" command in a filter specifies a non-absolute path, the value of |
| 170 | $home/ is pre-pended. This no longer happens if $home is unset or is an |
| 171 | empty string. It is expected that the transport will complete the path (see |
| 172 | 34 above). If there is an error before the path is complete, the local part |
| 173 | is logged as "save xxxx". |
| 174 | |
| 175 | 36. If multiple "to file" deliveries are routed to the same transport, no |
| 176 | batching ever takes place, whatever the value of batch_max. |
| 177 | |
| 178 | 37. If an address was redirected to an unqualified local part preceded by a |
| 179 | backslash, Exim was qualifying it with the qualify_domain, instead of with |
| 180 | the incoming domain. |
| 181 | |
| 182 | 38. Minor rewording: header lines can be added by MAIL as well as RCPT: the |
| 183 | debug line mentioned only RCPT. |
| 184 | |
| 185 | 39. DESTDIR is the more common variable that ROOT for use when installing |
| 186 | software under a different root filing system. The Exim install script now |
| 187 | recognizes DESTDIR first; if it is not set, ROOT is used. |
| 188 | |
| 189 | 40. If DESTDIR is set when installing Exim, it no longer prepends its value to |
| 190 | the path of the system aliases file that appears in the default |
| 191 | configuration (when a default configuration is installed). If an aliases |
| 192 | file is actually created, its name *does* use the prefix. |
| 193 | |
| 194 | 41. If an item in log_file_path was an empty string, Exim wrote the log to the |
| 195 | log directory in the spool directory. Now it takes notice of the |
| 196 | setting of LOG_FILE_PATH in Local/Makefile, and uses the first non-empty, |
| 197 | non-"syslog" item from that list. If there are none, it uses the ultimate |
| 198 | default of the spool directory. |
| 199 | |
| 200 | 42. If there is a Reply-to: header line, but it is empty, $reply_address now |
| 201 | contains the From: address instead of being empty. |
| 202 | |
| 203 | 43. Added -no-cpp-precomp to CFLAGS in OS/Makefile-Darwin. Without this, the |
| 204 | compiler provides a string for __DATE__ that does not conform to the |
| 205 | specification in the C standard. The option disables precompiled headers, |
| 206 | which should not have any bad effects, as pre-compiled headers are |
| 207 | supposedly just a performance enhancement at compile time. |
| 208 | |
| 209 | 44. Refactoring: as there is now a flag that specifies whether or not a home |
| 210 | directory that is passed with an address is already expanded, we no longer |
| 211 | need the \N...\N fudge for home directories extracted from the password |
| 212 | data. |
| 213 | |
| 214 | 45. Fixed an infelicity introduced by 4.14/71: The defaulting of the prefix, |
| 215 | suffix, and check string stuff in appendfile was happening when no |
| 216 | directory was supplied. Now it happens if no directory is supplied AND |
| 217 | maildir has not been specified. |
| 218 | |
| 219 | 46. If expansion of the serverpassword in a spa authenticator or expansion of |
| 220 | server_condition in a plaintext authenticator is forced to fail, |
| 221 | authentication now fails (previously it gave a temporary error, which is |
| 222 | what happens for other expansion failures). This brings these |
| 223 | authenticators into line with cram_md5, where expansion of server_secret |
| 224 | has always behaved like this. |
| 225 | |
| 226 | 46. Added new syslog facilities (courtesy Oliver Gorwits): |
| 227 | |
| 228 | (i) SYSLOG_LOGS_PID and LONG_SYSLOG_LINES in src/EDITME. |
| 229 | (ii) syslog_facility and syslog_processname main options. |
| 230 | |
| 231 | 47. Callout was using only the hosts from the router, ignoring the transport. |
| 232 | This has been changed. If (a) the router does not set up hosts (e.g. it's |
| 233 | an accept router) or (b) the smtp transport that is routed to has |
| 234 | hosts_override set, then the transport's hosts are used for callout |
| 235 | checking. |
| 236 | |
| 237 | 48. When named lists were nested, and an inner list was resolved by a lookup |
| 238 | that saved data for, e.g. $domain_data, the data was associated with just |
| 239 | the outer list, though both were cached, so if a subsequent test was done |
| 240 | for the inner list, there was no domain data. Example: |
| 241 | domainlist A = lsearch;/a/b |
| 242 | domainlist B = lsearch;/c/d |
| 243 | domainlist C = +A : +B |
| 244 | A test on +C that matched, followed by a test on +A or +B would provoke |
| 245 | this bug. Now the data is saved with both the inner and the outer lists. |
| 246 | |
| 247 | 49. When the log selector +address_rewrite is turned on, the log lines now |
| 248 | show where the rewritten address came from (which header line, envelope |
| 249 | field, or an SMTP command). |
| 250 | |
| 251 | 50. If an integer or fixed point configuration value is too big to fit in |
| 252 | a 32-bit int, Exim now writes an error to the panic log and dies. |
| 253 | |
| 254 | 51. Unknown SMTP commands are now assumed to be ones that need synchronization; |
| 255 | this means that a packet that contains more than one of them will cause the |
| 256 | connection to be dropped as soon as the first one is encountered. |
| 257 | |
| 258 | 52. The "control" feature of ACLs was not permitted for the MAIL ACL (an |
| 259 | oversight). It now is allowed. |
| 260 | |
| 261 | 53. Added the "discard" verb to ACLs. |
| 262 | |
| 263 | 54. Fixed a theoretical bug observed by reading the code: if local_scan() |
| 264 | changed the number of recipients, output from the received_recipients log |
| 265 | selector would be incorrect. |
| 266 | |
| 267 | 55. Added HAVE_ICONV to the os.h files for Linux, Solaris, HP-UX. This is for |
| 268 | use in the forthcoming Sieve addition to Exim. |
| 269 | |
| 270 | 56. The behaviour of -t in the presence of Resent- headers has been changed, |
| 271 | for compability with Sendmail and other MTAs. Previously, Exim gave an |
| 272 | error, because it is not clear from RFC 2822 how this might be handled. It |
| 273 | turns out that MUAs don't seem to follow what RFC 2822 says, and any MUA |
| 274 | that uses -t with Resent- ensures that there is only one set of Resent- |
| 275 | header lines (usually by renaming others to X-Resent-xxx). So now Exim will |
| 276 | take recipients from all the Resent- header lines instead of the usual |
| 277 | ones. |
| 278 | |
| 279 | |
| 280 | Exim version 4.14 |
| 281 | ----------------- |
| 282 | |
| 283 | 1. Found another case where SIGCHLD is being ignored (a child process for |
| 284 | handling a filter file) and so the wait() doesn't find the subprocess. This |
| 285 | came to light as a result of extra logging introduced as part of the |
| 286 | 4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default |
| 287 | (i.e. to be noticed) for this particular subprocess. (It already has this |
| 288 | code for other cases where it uses subprocesses.) |
| 289 | |
| 290 | 2. If ${run appeared in part of a conditional item that was being skipped, the |
| 291 | actual running of the command was not being skipped. |
| 292 | |
| 293 | 3. A bit of code tidying (refactoring): there were two functions that built |
| 294 | strings containing a host name and ident value for logging. There is now |
| 295 | only one. It is called in some additional places where previously just the |
| 296 | host name and address were given, so the wording of some log lines has |
| 297 | changed slightly. |
| 298 | |
| 299 | 4. Added support for Unix domain socket connection to PostgreSQL. |
| 300 | |
| 301 | 5. The number of unknown SMTP commands that Exim will accept before dropping |
| 302 | a connection can now be changed by smtp_max_unknown_commands. The default |
| 303 | value is 3. Previously, a fixed value of 5 was used. The final command is |
| 304 | now included in the log line. |
| 305 | |
| 306 | 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as |
| 307 | assumed by the exicyclog script. I've implemented a "look for it" feature |
| 308 | that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for |
| 309 | the commands chown, chgrp, mv, and rm if configured, and turned on this |
| 310 | feature for Linux. This should cope with old Linuxes that use /usr/bin. |
| 311 | |
| 312 | 7. Implemented .ifdef etc. |
| 313 | |
| 314 | 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while |
| 315 | running local_scan(), so that crashes therein get caught. A temporary error |
| 316 | response is sent for an SMTP message, and the spool is cleaned up. |
| 317 | Previously, a -D file was left lying around if there was a crash in |
| 318 | local_scan(). |
| 319 | |
| 320 | 9. The ${quote: operator has been changed so that it turns newline and |
| 321 | carriage return characters into \n and \r, respectively. |
| 322 | |
| 323 | 10. Added support for crypt16(). |
| 324 | |
| 325 | 11. Some restrictions on the use of "verify" in ACLs were too restrictive, and |
| 326 | have been relaxed. In particular, "verify = sender" is now permitted in the |
| 327 | ACL for the MAIL command, as well as those for RCPT and DATA. |
| 328 | |
| 329 | 12. If local_scan() sets up recipient or errors_to addresses that are |
| 330 | unqualified (local parts without a domain) Exim now qualifies them using |
| 331 | the qualify_recipient domain. |
| 332 | |
| 333 | 13. White space at the start of continuation lines in -be input was not being |
| 334 | ignored. |
| 335 | |
| 336 | 14. Previously, if a MySQL query was issued that did not request any data (an |
| 337 | insert, update, or delete command), Exim gave a lookup error and deferred. |
| 338 | This case is now recognized, and the result of the lookup is now the number |
| 339 | of rows affected. |
| 340 | |
| 341 | 15. A configuration error is given if tls_try_verify_hosts is set and |
| 342 | tls_verify_certificates is not set. (Exim already did this for |
| 343 | tls_verify_hosts.) |
| 344 | |
| 345 | 16. Exim was trying to create a non-existent hints database even when it was |
| 346 | just opening it for reading. It called the creating function with the |
| 347 | O_RDONLY and O_CREAT flags. This works with many DB libraries, but it |
| 348 | not with DB 1.85, where a subsequent attempt to use the database gave the |
| 349 | error "Inappropriate file type or format". Exim now creates hints databases |
| 350 | only when it wants to open them for writing. |
| 351 | |
| 352 | 17. If an ACL condition test set a default "message" value without a |
| 353 | "log_message" value, and there were no overriding messages in the ACL |
| 354 | itself, no message was logged. The user message is now logged. |
| 355 | |
| 356 | 18. If callout made a connection, but it was dropped before the initial |
| 357 | welcome response was received, Exim logged "response to initial connection |
| 358 | was" with no further text. It now logs that the connection was dropped. |
| 359 | The wording of the logging for callout defers has been slightly changed so |
| 360 | as to reduce duplication. |
| 361 | |
| 362 | 19. When multiple messages were sent using TLS over one connection, the |
| 363 | additional required EHLO that follows STARTTLS was being counted as a |
| 364 | nonmail command, and thus causing a problem if there were a lot of |
| 365 | messages. Similarly, a new AUTH that followed STARTTLS was being counted. |
| 366 | It is now possible to run with smtp_accept_max_nonmail set to zero in these |
| 367 | and other "normal" circumstances. |
| 368 | |
| 369 | 20. During verify=sender, global rewriting rules are applied to the sender |
| 370 | address, and if it changes, $sender_address becomes the rewritten version. |
| 371 | Unfortunately, it was not getting updated until after the routers had been |
| 372 | run, so that if a router referred to $sender_address while verifying a |
| 373 | sender, the unrewritten value was used. |
| 374 | |
| 375 | 21. The "random address" callout test was being done after the other tests. |
| 376 | This is silly, because if the host accepts all local parts, there isn't any |
| 377 | point in doing the other, more specific, tests. I changed things around so |
| 378 | that the "random" test (if configured) is done first. |
| 379 | |
| 380 | 22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the |
| 381 | a postmaster address are rejected. Also include these words when a |
| 382 | rejection happens because of caching (when there isn't an actual SMTP |
| 383 | command/result to reflect). |
| 384 | |
| 385 | 23. A new router condition called "address_test" (default true) can be used to |
| 386 | skip routers when testing addresses using -bt (compare no_verify). This can |
| 387 | be a convenience when your first router sends stuff to an external scanner. |
| 388 | |
| 389 | 24. Testing for deliver_queue_load_max was happening inside the delivery |
| 390 | sub-process, when it could have happened outside, in the queue runner (thus |
| 391 | saving one process). This was a hangover from Exim 3, where there were |
| 392 | other load tests to be done. The code has been tidied. |
| 393 | |
| 394 | 25. Code tidy: the driver_info generic structure contained a field that |
| 395 | might, on 64-bit systems, not have been compatible with the fields in the |
| 396 | structures of which it is supposed to be a subset. It turns out that this |
| 397 | field and another are not actually used generically, so removing them from |
| 398 | the structure solves the problem. |
| 399 | |
| 400 | 26. Added server_advertise_condition to authenticators. |
| 401 | |
| 402 | 27. The exim_checkaccess utility wasn't sending a HELO command; this matters |
| 403 | now that it's possible to have an ACL that checks HELO/EHLO. |
| 404 | |
| 405 | 27. Added the ldap_version option to force a specific LDAP version. |
| 406 | |
| 407 | 28. Renamed the variable verify_address in exim.c as verify_address_mode, |
| 408 | because it had the same name as the verify_address() function, which was |
| 409 | confusing. |
| 410 | |
| 411 | 29. Added authenticated_sender to the smtp transport. |
| 412 | |
| 413 | 30. When the skip_syntax_errors option is applied to a filter file, it covers |
| 414 | all filtering errors, some of which may not be strictly "syntax" (for |
| 415 | example, failure to open a log file). The wording of the message has been |
| 416 | changed to use "error" instead of "syntax error", to reduce confusion. Also |
| 417 | the subject of the message sent by syntax_errors_to is now "error(s) in |
| 418 | forwarding or filtering" instead of "syntax error(s) in address expansion". |
| 419 | |
| 420 | 31. Added -restore-times to the exim_lock utility. |
| 421 | |
| 422 | 32. Changes to the handling of the "phrase" parts of email addresses: |
| 423 | |
| 424 | (i) Re-organized the code to use a supplied instead of an implied buffer, |
| 425 | and a length instead of expecting a terminated string. |
| 426 | |
| 427 | (ii) Changed from using the macro mac_isprint() to an explicit test for |
| 428 | ASCII non-printing characters, because the macro pays attention to |
| 429 | print_topbitchars, which is not correct here. |
| 430 | |
| 431 | (iii) If a rewritten address contained a "phrase" (whether or not the "w" |
| 432 | flag was present on the rewrite rule), but the actual address was |
| 433 | unqualified (had no domain) and was expected to be qualified by the |
| 434 | "Q" flag, Exim screwed up and created an illegal address. |
| 435 | |
| 436 | (iv) When a header address is rewritten by a rule that includes the "w" |
| 437 | flag, the parts of the address outside <> are now encoded according |
| 438 | to RFC 2047 if necessary (assuming ISO-8859-1 encoding). |
| 439 | |
| 440 | 33. Added the ${rfc2047 and ${from_utf8 expansion operators. |
| 441 | |
| 442 | 34. The file names used for maildir deliveries have been changed, to accomodate |
| 443 | operating systems that may re-use a PID within one second. The file name |
| 444 | now include the microsecond time fraction, and the delivery process does |
| 445 | not exit until the clock is at least one microsecond after the time used in |
| 446 | the file name. The code copes with the clock going backwards (it waits |
| 447 | till time catches up). |
| 448 | |
| 449 | 35. The rules for creating message ids have been changed to allow for the fact |
| 450 | that a PID may be re-used within one second. As part of this change, the |
| 451 | range of localhost_number has been reduced to 0-16 for most systems, and |
| 452 | 0-10 for those with case-insensitive file systems (Cygwin, Darwin). |
| 453 | |
| 454 | 36. Code tidy: there was a local count of non-TCP/IP messages that duplicated |
| 455 | the global receive_messagecount (used for accept_queue_per_connection). |
| 456 | |
| 457 | 37. verify = header_syntax was allowing unqualified addresses in all cases. Now |
| 458 | it allows them only for locally generated messages and from hosts that |
| 459 | match sender_unqualified_hosts or recipient_unqualified_hosts, |
| 460 | respectively. |
| 461 | |
| 462 | 38. If PAM was called with an empty first string, it called the data function |
| 463 | to get the user name, thereby getting the second string by mistake. If this |
| 464 | was also null (empty passwords are permitted), there was an infinite loop. |
| 465 | An empty user name is not now passed to PAM; authentication is forcibly |
| 466 | failed instead. Also, if the end of the list of strings is reached, an |
| 467 | empty string is passed back just once; a subequent call for data provokes |
| 468 | an error response. |
| 469 | |
| 470 | 39. If a reverse DNS lookup yields an empty string, treat it as if the lookup |
| 471 | failed. (Apparently such records have been seen. Sigh.) |
| 472 | |
| 473 | 40. Added the -bnq command line option to suppress automatic qualification of |
| 474 | addresses in locally submitted messages. |
| 475 | |
| 476 | 41. Header texts supplied by options to the autoreply transport may now contain |
| 477 | newlines that are followed by whitespace. (This was allowed from a filter, |
| 478 | but not from the transport.) |
| 479 | |
| 480 | 42. Patch for < > problems in eximstats 1.23. |
| 481 | |
| 482 | 43. Re-arranged the code to make it easier in future to add additional filter |
| 483 | types. |
| 484 | |
| 485 | 44. Added support for changing the connection timeout in LDAP; this is |
| 486 | something that's available in Netscape SDK 4.1. Exim uses the given value |
| 487 | if LDAP_X_OPT_CONNECT_TIMEOUT is defined. |
| 488 | |
| 489 | 45. When Exim was setting a daemon listener on multiple interfaces, including |
| 490 | listening on "all IPv6" and "all IPv4" interfaces, it was binding all the |
| 491 | sockets, and then calling listen() for each of them. On some IP stacks, a |
| 492 | listen for "all IPv4" fails after listening for "all IPv6" because a single |
| 493 | socket catches both kinds of call. Exim coped with this, but it turns out |
| 494 | that on a USAGI-patched Linux, this logic doesn't work unless the "listen", |
| 495 | as well as the "bind" has been done for the IPv6 socket first. The order of |
| 496 | the functions has now been changed. Instead of "bind, bind ... listen, |
| 497 | listen..." it now does "bind, listen, bind, listen, ...". Also, the failure |
| 498 | happens in the bind() rather than in the listen(), so there are now two |
| 499 | checks, which hopefully will handle all kinds of IP stack. |
| 500 | |
| 501 | 46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in |
| 502 | principle, have the same link-local addresses on different interfaces. |
| 503 | Thus, they need to be distinguished, and a convention of using a percent |
| 504 | sign followed by something (often the interface name) is being used, for |
| 505 | example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made |
| 506 | to accommodate this: |
| 507 | |
| 508 | (a) A percent sign followed by an arbitrary string is allowed at the end of |
| 509 | an IPv6 address. |
| 510 | |
| 511 | (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual |
| 512 | IPv6 address for actual use. This function recognizes the percent |
| 513 | convention in some operating systems. |
| 514 | |
| 515 | 47. Additional debugging inserted for the case of forced failure when expanding |
| 516 | an item in a list. |
| 517 | |
| 518 | 48. A new debugging selector +expand has been added. This is not included in |
| 519 | the default set of selectors. It requests detailed debugging information |
| 520 | for string expansions. |
| 521 | |
| 522 | 49. Failure to open the main log results in a panic-die, but the original line |
| 523 | that was being logged could be lost. It is now output to stderr if there is |
| 524 | a stderr file. |
| 525 | |
| 526 | 50. When Exim starts, it checks for the existence of its spool directory, and |
| 527 | creates it if necessary. Unfortunately, it was doing this after the code |
| 528 | for logging arguments. Thus, if the spool did not exist, trouble ensued. |
| 529 | |
| 530 | 51. The log line for an ACL warning after a sender verify callout failure was |
| 531 | not showing the details, unlike the log line for a deny. They are now shown |
| 532 | in a similar way. |
| 533 | |
| 534 | 52. For reasons lost in the mists of time, when a pipe transport was run, the |
| 535 | environment variable MESSAGE_ID was set to the message ID preceded by 'E' |
| 536 | (the form used in Message-ID: header lines). The 'E' has been removed. |
| 537 | |
| 538 | 53. Updated the QNX configuration files for QNX 6.2.0. |
| 539 | |
| 540 | 54. The "*@" type partial matching for single-key lookups was broken in |
| 541 | releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't |
| 542 | going on to look for "*". |
| 543 | |
| 544 | 55. Included eximstats 1.25 in the source tree. |
| 545 | |
| 546 | 56. Changed log wording from "Authentication failed" to "<name> authenticator |
| 547 | failed", where <name> is the name of the authenticator. |
| 548 | |
| 549 | 57. gcc 3.2.2 warned about a selection of places where string casts were |
| 550 | needed. |
| 551 | |
| 552 | 58. Exim monitor: the use of one_time redirection could cause addresses to be |
| 553 | displayed with incorrect "parent" addresses after the one_time |
| 554 | re-arrangement had taken place. They should be shown with no parents, |
| 555 | because the parentage has been removed. |
| 556 | |
| 557 | 59. Arranged to keep independent timestamps for postmaster and random checks in |
| 558 | callouts, and not to do unnecessary tests for postmaster when testing |
| 559 | individual addresses. |
| 560 | |
| 561 | 60. Incorporated PCRE release 4.0. |
| 562 | |
| 563 | 61. Added ${hex2b64: operator. |
| 564 | |
| 565 | 62. Added $tod_zulu. |
| 566 | |
| 567 | 63. Added ${strlen: operator. |
| 568 | |
| 569 | 64. Added ${stat: operator. |
| 570 | |
| 571 | 65. When Exim is receiving multiple messages on a single connection, and |
| 572 | spinning off delivery processess, it sets the SIGCHLD signal handling to |
| 573 | SIG_IGN, because it doesn't want to wait for these processes. However, |
| 574 | because on some OS this didn't work, it also has a paranoid call to |
| 575 | waitpid() in the loop to reap any children that have finished. Some |
| 576 | versions of Linux now complain (to the system log) about this "illogical" |
| 577 | call to waitpid(). I have therefore put it inside a conditional |
| 578 | compilation, and arranged for it to be omitted for Linux. |
| 579 | |
| 580 | 66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use |
| 581 | during ACL processing. |
| 582 | |
| 583 | 67. Added "defer" command to system filter. |
| 584 | |
| 585 | 68. X options such as -bg or -geometry that were added to an eximon command |
| 586 | were being lost as a result of a bug introduced by 4.12/6. |
| 587 | |
| 588 | 69. The "more" and "unseen" generic router options can now be expanded strings. |
| 589 | |
| 590 | 70. The "once_repeat" option in the autoreply tranport is now an expanded |
| 591 | string. |
| 592 | |
| 593 | 71. If maildir_format is set on an appendfile transport that is referenced from |
| 594 | an file_transport setting in a redirect router, it forces maildir delivery, |
| 595 | even if the path given in the filter does not end with '/'. |
| 596 | |
| 597 | 72. Fixed three bugs in ${readsocket: |
| 598 | (i) If the operation failed, and a failure string was given, "}}" was |
| 599 | erroroneously added to it. |
| 600 | (ii) If the operation succeeded, but a failure string was present, "}" was |
| 601 | added to the expanded data. |
| 602 | (iii) The alarm for the timeout was set with signal() instead of with |
| 603 | os_non_restarting_signal(), which meant that it only worked on those |
| 604 | OS whose default is not to restart an interrupted system call. |
| 605 | |
| 606 | 73. A complete host name (no wildcards) in a host list causes a forward lookup |
| 607 | for the IP address. If this failed, Exim was behaving as if the host didn't |
| 608 | match the list, instead of giving an error (as it does when a reverse |
| 609 | lookup fails). |
| 610 | |
| 611 | 74. If router_home_directory was passed on as a home directory for a local |
| 612 | transport, it was being re-expanded in the transport. This has been changed |
| 613 | so that the expanded value is passed from the router to the transport, and |
| 614 | no re-expansion takes place. |
| 615 | |
| 616 | 75. When a redirect router generated a pipe, file, or autoreply, the values of |
| 617 | $domain_data and $localpart_data were not being propagated to the |
| 618 | transport. |
| 619 | |
| 620 | 76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in |
| 621 | local_scan.h so that they are available to local_scan() functions. |
| 622 | |
| 623 | 77. Changes to the SMTP PIPELINING support: |
| 624 | |
| 625 | (1) Exim used always to accept pipelined commands, even when it hadn't |
| 626 | advertised PIPELINING (i.e. when EHLO had not been received). Now it |
| 627 | objects unless PIPELINING has been advertised. |
| 628 | |
| 629 | (2) Advertising PIPELINING to specific hosts can be disabled via the new |
| 630 | option pipelining_advertise_hosts. |
| 631 | |
| 632 | 78. The acl_smtp_connect ACL was not being run for -bs input when no IP address |
| 633 | was supplied via -oMa. |
| 634 | |
| 635 | 79. A "mail" command in a filter could cause a crash if the list of recipients |
| 636 | for the "to:" line was excessively long - this showed up in a reply to |
| 637 | a message with a ridiculously long Reply_to: header line. |
| 638 | |
| 639 | 80. Added allow_utf8_domains. |
| 640 | |
| 641 | 81. Added $rh_ and $rheader for "raw" header expansion. |
| 642 | |
| 643 | 82. Added smtp_accept_max_nonmail_hosts. |
| 644 | |
| 645 | 83. Extended ${stat (see 64 above) to add smode=symbolic mode. |
| 646 | |
| 647 | 84. Added default logging for host and IP lookup failures, with a log selector |
| 648 | called host_lookup_failed to turn it off. |
| 649 | |
| 650 | 85. Added header_maxsize and header_line_maxsize. |
| 651 | |
| 652 | 86. If a RCPT ACL made use of "verify = sender" without callout, followed by |
| 653 | another use with callout, and the callout failed, the caching was broken |
| 654 | such that for a subsequent RCPT command, the first callout failed |
| 655 | incorrectly. The caching of sender verification has been fixed so that it |
| 656 | now remembers that the routing succeeded even when the callout fails. |
| 657 | |
| 658 | 87. Added errno and strerror(errno) to the log line for a failure to lock the |
| 659 | -D file when receiving a message. |
| 660 | |
| 661 | 88. If router with check_local_user set up a local delivery, and no user was |
| 662 | specified on the transport, and errors_to on the router specified an |
| 663 | address whose verification also invoked check_local_user, the wrong uid/gid |
| 664 | was used for the transport. It used the uid/gid of the errors_to address |
| 665 | instead of the uid/gid of the original local part. |
| 666 | |
| 667 | 89. If log_file_path=:syslog was set, to use the default log path and also |
| 668 | syslog, and check_log_space was also set, Exim was confused, and refused to |
| 669 | accept messages, giving the error "cannot find slash in ". |
| 670 | |
| 671 | 90. If a router stripped a prefix or a suffix from a local part, and then |
| 672 | routed that address to an smtp or lmtp transport, the address that was |
| 673 | sent in the RCPT command did not have the affixes stripped. |
| 674 | |
| 675 | 91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT |
| 676 | command did not preserve the case of the envelope address, as it is |
| 677 | supposed to. |
| 678 | |
| 679 | |
| 680 | Exim version 4.13 |
| 681 | ----------------- |
| 682 | |
| 683 | There was no 4.13. I accidentally put out a fixed version of 4.12 (a typo was |
| 684 | discovered very soon after release) that verified itself as 4.13. This too was |
| 685 | hastily fixed, but it seems best not to use the number, to avoid confusion. |
| 686 | |
| 687 | |
| 688 | Exim version 4.12 |
| 689 | ----------------- |
| 690 | |
| 691 | 1. Update to change 4.11/82: for the max number of processes, set |
| 692 | RLIM_INFINITY if it is defined. |
| 693 | |
| 694 | 2. An expansion ${run{xxx}} where xxx was a successful command that produced |
| 695 | no output caused Exim to crash. |
| 696 | |
| 697 | 3. Some artificial delays of 1 second existed when running in the test |
| 698 | harness, to ensure repeatability of debugging output. Now that we have |
| 699 | the millisleep() function, these can be shorter. |
| 700 | |
| 701 | 4. Change 4.11/30 below overlooked the case when an address gets a 4xx |
| 702 | response from a server. Because this isn't a host problem, the host does |
| 703 | not get delayed, and it gets tried every time the address is OK'd for |
| 704 | routing, with the same reponse. However, if hosts_max_try is set, because |
| 705 | not all the hosts were tried, the address does not time out. I've changed |
| 706 | things so that if there is a 4xx response to a RCPT command, the host in |
| 707 | question does not count towards hosts_max_try if the message is older than |
| 708 | the host's maximum retry time. This means that other hosts are always tried |
| 709 | in this circumstance; if the address gets 4xx errors from all of them, it |
| 710 | will eventually time out. |
| 711 | |
| 712 | 5. If a retry rule for a host had no actual retry times specified, it could |
| 713 | cause a crash when checking the ultimate address timeout. (Very old bug, |
| 714 | spotted in passing, so probably never bothered anybody.) |
| 715 | |
| 716 | 6. Change 135 below broke the following scripts when a list of configuration |
| 717 | files was given: exicyclog, exim_checkaccess, eximon, exinext, and exiwhat. |
| 718 | In practice, if exim_path was not specified in the configuration file (a |
| 719 | common case), things would probably work OK. However, the use of |
| 720 | CONFIGURE_FILE_USE_NODE definitely did not work. These scripts have now |
| 721 | been updated to fix this problem. They now search for the configuration |
| 722 | file in the same way Exim itself does: for each name in the list, the |
| 723 | "noded" file is tried first, then the unsuffixed file. |
| 724 | |
| 725 | 7. If a WARN verb in an ACL did not specify an explicit "message" modifier, |
| 726 | and was triggered by a failing sender or recipient verification, the |
| 727 | response that would have been sent as an SMTP message for a DENY verb was |
| 728 | incorrectly being added to the message's headers. |
| 729 | |
| 730 | 8. I screwed up change 4.11/155. For lookup types whose names were prefixes of |
| 731 | other lookup types (e.g. nis and nisplus, dbm and dbmnz), the new search |
| 732 | function didn't do the correct comparison, meaning that the wrong lookup |
| 733 | type could be found. |
| 734 | |
| 735 | 9. Solaris seems to be one of the LDAPs that doesn't have the lud_scheme |
| 736 | member of the LDAPURLDesc structure. Since the check that is made on it |
| 737 | is only to double check that a path is given for ldapi, I've just removed |
| 738 | the test in the Solaris case. |
| 739 | |
| 740 | 10. The modified TextPop.c source in the Exim monitor had declarations of errno |
| 741 | and sys_nerr which never were actually referenced. The second of these |
| 742 | caused trouble on Darwin, so I've removed both of them. Why were they |
| 743 | there? Who knows? This is ancient X code... |
| 744 | |
| 745 | 11. The DEFER ACL verb crashed if no "message" modifier was set. |
| 746 | |
| 747 | 12. The check on incoming messages that gives the error "too many non-mail |
| 748 | commands" was too strict. In the case of Exim sending to Exim, when the |
| 749 | client has queued messages for the server and is using TLS, it will close |
| 750 | and re-initialize TLS between messages (because the client has to hand the |
| 751 | SMTP connection to a new process). STARTTLS was being counted as a non-mail |
| 752 | command, and therefore could cause the limit to be hit. The revised code |
| 753 | now allows for one RSET, one HELO or EHLO, and one STARTTLS between each |
| 754 | message without counting them as non-mail commands. (One RSET was |
| 755 | previously allowed - I *had* spotted that case.) |
| 756 | |
| 757 | 13. Some log lines for rejections by ACL were putting ident values in |
| 758 | parentheses instead of using U= after H=. (There are some other lines that |
| 759 | do use parens, typically when the host name appears without H= within a |
| 760 | message. This whole area could perhaps do with tidying up.) |
| 761 | |
| 762 | 14. When processing a redirection file happens in a subprocess (typically so |
| 763 | that a .forward file is processed as the user), Exim was assuming that a |
| 764 | call to wait() would always reap the subprocess, and it was failing to |
| 765 | check the result. In theory, a signal of some sort occurring at the wrong |
| 766 | time could break this assumption - the process was then left unreaped, and |
| 767 | could possibly be picked up later during deliveries, thus confusing that |
| 768 | code ("processes got out of step"). This is conjecture - I haven't got a |
| 769 | definite test of this. However, I have fixed the code to repeat the wait |
| 770 | after a signal. |
| 771 | |
| 772 | 15. When Exim was waiting for a remote delivery subprocess, and the waitpid() |
| 773 | call found a process that was not in the list of remote delivery processes, |
| 774 | Exim gave up waiting for remote processes. It is probably better just to |
| 775 | ignore the unexpected process (though, of course, write to the main and |
| 776 | panic logs) and to wait for another process, and so that is what now |
| 777 | happens. If the error situation is caused by failed waiting logic for |
| 778 | routing or local delivery processes, this approach will minimize bad |
| 779 | behaviour, I hope. |
| 780 | |
| 781 | |
| 782 | Exim version 4.11 |
| 783 | ----------------- |
| 784 | |
| 785 | 1. Ignore trailing spaces after numbers in expansion comparisons such as |
| 786 | ${if > { 5 } { 4 } ... (leading spaces were already ignored). |
| 787 | |
| 788 | 2. Two variables, $warnmsg_delay, and $warnmsg_recipients, had got left with |
| 789 | their old Exim 3 names, when I meant to change to "warn_message", along |
| 790 | with the warn_message_file option. They have now been changed. The old |
| 791 | names remain as synonyms, but will be undocumented in due course. |
| 792 | |
| 793 | 3. The message "This message was created automatically by mail delivery |
| 794 | software (Exim)." still confuses people. If they are sufficiently Internet- |
| 795 | ignorant, they think the message has come from exim.org. At first, I |
| 796 | changed thw wording to "This message was created automatically by mail |
| 797 | delivery software (Exim) running on a mail server handling mail for <the |
| 798 | qualify domain>." in the hope that that might be better. However, in |
| 799 | testing that still proved confusing on servers handling multiple domains. |
| 800 | The message has now reverted to the original, simple wording: "This message |
| 801 | was created automatically by mail delivery software." |
| 802 | |
| 803 | 4. It has been discovered that, under Linux, when a process and its children |
| 804 | are being traced by "strace -f", the children are stolen from the parent |
| 805 | while they are being traced. A call to waitpid(-1,&x,NOHANG), which Exim |
| 806 | uses to test for the completion of "any of my children" in a non-blocking |
| 807 | manner, returns as if there are no children in existence. Exim used treat |
| 808 | this as a serious unexpected error state. What it does now is to use |
| 809 | kill(pid,0) to check explicitly for the continued existence of any of its |
| 810 | children. If it finds any, it assumes it is being traced, and proceeds as |
| 811 | if the return from waitpid() had been "none of your children have finished |
| 812 | yet". If it can't find any children, it gives the error as before. |
| 813 | |
| 814 | 5. When Exim creates hints databases and their lock files as root, it needs to |
| 815 | change their ownership to exim. In Exim 3, the function to open a hints |
| 816 | database wasn't called as root very often, and the check "are we running as |
| 817 | root?" would usually fail. However, because Exim 4 eschews the use of |
| 818 | seteuid(), it runs all its routing as root, and this always calls the hints |
| 819 | database opening function. It wasn't noticing when it was actually creating |
| 820 | the database, and so it was running chmod() on all the files in the db |
| 821 | directory every time. This does no harm, of course, but wastes resources. |
| 822 | Exim now detects when the database was already in existence by opening |
| 823 | without O_CREAT at first. If this succeeds, it doesn't do the root test. |
| 824 | |
| 825 | 6. The line in MakeLinks that creates a link for direct.c had been |
| 826 | accidentally left in (cf 4.03/6). |
| 827 | |
| 828 | 7. The value of $0 in the replacement in a rewriting rule was being corrupted, |
| 829 | leading to incorrect results or error diagnostics. |
| 830 | |
| 831 | 8. Added support for ldapi:// URLs to the LDAP lookups (OpenLDAP only). Also, |
| 832 | re-organized the code to use ldap_initialize() with OpenLDAP in all cases |
| 833 | (it seems to be preferred). |
| 834 | |
| 835 | 9. With OpenLDAP 2.0.25, ldaps:// doesn't seem to work unless the LDAP |
| 836 | protocol level is set to 3. This is now standard in the Exim code, as v3 |
| 837 | has been around for 5 years now. Testing ldaps:// is now included in the |
| 838 | Exim test suite. Although earlier versions claimed to support it, I rather |
| 839 | suspect that it never worked. |
| 840 | |
| 841 | 10. Inserted some checking of the syntax of the IP address given as the first |
| 842 | argument to the exim_checkaccess utility. This gives a better error |
| 843 | message, especially in the case when somebody gets the arguments in the |
| 844 | wrong order. |
| 845 | |
| 846 | 11. Improved the panic log entry if an unsupported format type is passed to |
| 847 | string_vformat() (now gives the whole format string, not just the little |
| 848 | bit that's wrong). |
| 849 | |
| 850 | 12. Ever since its early days, Exim has checked the syntax of non-SMTP |
| 851 | addresses according to RFC [2]822 rules, rather than the stricter RFC |
| 852 | [2]821 rules that it uses for SMTP. This allows for a wider set of |
| 853 | characters in domains. This has now caused a problem, because I forgot |
| 854 | about it when making some changes to the format of spool files (see |
| 855 | 3.953/44, 4.03/10, and 4.04/1). I can't believe that anybody actually makes |
| 856 | use of this feature (which isn't documented), so I have removed it. All |
| 857 | domains must now conform to RFC [2]821 rules. A non-SMTP message with a |
| 858 | domain that would previously have been accepted will now be bounced. |
| 859 | |
| 860 | 13. If widening a domain in a dnslookup router made it syntactically invalid, |
| 861 | the error message quoted the original domains instead of the widened |
| 862 | domain. |
| 863 | |
| 864 | 14. During a queue run initiated by -R or -S (or by -i when the use of message |
| 865 | logs is disabled), if Exim encountered a message with certain |
| 866 | characteristics (including text for $local_scan_data, and the setting of |
| 867 | the "manually thawed" flag), this data was not correctly reset for |
| 868 | subsequent messages. So if they didn't have those settings themselves, |
| 869 | strange things could occur. |
| 870 | |
| 871 | 15. With the "percent hack" enabled for percenthack.domain, if a message had |
| 872 | two addresses such as X%some.domain@percenthack.domain and X@some.domain, |
| 873 | Exim was not recognizing the duplication, and was making two deliveries |
| 874 | instead of one. |
| 875 | |
| 876 | 16. The output from verification (for -bv and VRFY) used to list a child |
| 877 | address when verification was applied to children (this happens, for |
| 878 | example, for aliases that generate just a single child). Now it lists only |
| 879 | the original address. |
| 880 | |
| 881 | 17. Changes 34 and 35 of 4.10 did not wholly solve problems with widened |
| 882 | domains. The following bug still existed: |
| 883 | |
| 884 | . A recipient address was abbreviated (e.g. one component). |
| 885 | . A dnslookup router caused it to be widened. |
| 886 | . The new domain was a local domain. |
| 887 | . The address was redirected to itself. |
| 888 | |
| 889 | At this point, Exim thought it was a duplicate, and discarded it. |
| 890 | |
| 891 | This whole thing turned out to be a large can of worms, so I have reworked |
| 892 | the address widening code. This should get rid of all these problems. |
| 893 | Widening now appears similar to redirection, with the unwidened address |
| 894 | becoming a proper parent address. As part of this, there has been some |
| 895 | general re-organization of the way addresses are handled. |
| 896 | |
| 897 | 18. When a filter generated only "unseen" deliveries, the normal delivery that |
| 898 | happened subsequently lost any value of address_data that was previously |
| 899 | set. The handling of values like that that are propagated from parents to |
| 900 | children has been reworked. |
| 901 | |
| 902 | 19. Added smtp_return_error_details and the check_postmaster option for address |
| 903 | verification callouts. |
| 904 | |
| 905 | 20. Long SMTP responses (from ACL messages or wherever) are now automatically |
| 906 | split up into multi-line responses if possible. The split happens at an |
| 907 | occurrence of ": " if present after 40 characters. Otherwise it happens at |
| 908 | the last space before 75 characters. Existing newlines in the message are |
| 909 | taken into account. |
| 910 | |
| 911 | 21. When verify = header_sender is set, a different error message is now given |
| 912 | if a syntax is detected, as opposed to failure to verify. |
| 913 | |
| 914 | 22. Extended the general mechanism for ${quote_lookuptype:...} expansions by |
| 915 | allowing for an option to be given after the lookup name, for example |
| 916 | ${quote_ldap_dn:...}. Unrecognized options cause errors. |
| 917 | |
| 918 | 23. Re-worked the quote_ldap expansion items to provide two different kinds of |
| 919 | quoting, since the requirements of filter strings and DNs are different. |
| 920 | Sigh. Arranged for the DN given in the USER= setting to be de-URL-quoted |
| 921 | because not all libraries do it themselves. |
| 922 | |
| 923 | 24. The handling of responses from LDAP searches wasn't right. It was detecting |
| 924 | situations of the form "ldap_result failed internally or couldn't provide |
| 925 | you with a message" but not "the server has reported a problem with your |
| 926 | search". This has now been tidied up (thanks, Brian). Problems of the |
| 927 | latter kind are now handled as follows: |
| 928 | |
| 929 | (1) For LDAP_SIZELIMIT_EXCEEDED, the truncated list of results is |
| 930 | returned. This is what happened before. |
| 931 | |
| 932 | (2) For a small set of errors that, in effect, mean "that object does |
| 933 | not, or cannot, exist in the database", the lookup fails. This is |
| 934 | also as before. |
| 935 | |
| 936 | (3) For other problems, the lookup defers, giving the LDAP error. |
| 937 | |
| 938 | 25. Added $ldap_dn to hold the DN of the last entry retrieved in the most |
| 939 | recent LDAP lookup. |
| 940 | |
| 941 | 26. Exim was not checking for the LDAP_INVALID_CREDENTIALS error when |
| 942 | ldap_bind() failed during an ldapauth call. With (at least) OpenLDAP2, the |
| 943 | connection to the server doesn't happen until ldap_bind(), so failures to |
| 944 | connect were being treated as authentication failures, and given hard |
| 945 | errors. Now, all errors other than LDAP_INVALID_CREDENTIALS are treated the |
| 946 | same way for all calls to ldap_bind(), whether ldaputh or otherwise. They |
| 947 | lead to temporary errors - if there are more servers, they will be tried. |
| 948 | |
| 949 | 27. If there was a reference to a non-existent named list, for example, a |
| 950 | setting such as "senders = +something", but no lists of that type were |
| 951 | actually defined, Exim misbehaved. For an address list, it treated the name |
| 952 | as a domain list. For a domain list, it just didn't match. Now it gives a |
| 953 | panic error about a non-existent named list (as it always did if there were |
| 954 | named lists of the appropriate type). The error now tells you what type of |
| 955 | list it thought it was looking for. |
| 956 | |
| 957 | 28. When -bt or -bv is used by a non-admin user, and there is some kind of |
| 958 | DEFER (e.g. database unreachable), details of the failure are no longer |
| 959 | given, because they may include private data such as the password for an |
| 960 | LDAP lookup. |
| 961 | |
| 962 | 29. The logic for using a remote host name as a key for looking up retry rules |
| 963 | in preference to the domain of the email address was broken. It wouldn't |
| 964 | find such retry rules. |
| 965 | |
| 966 | 30. There were some problems with the action of hosts_max_try in the smtp |
| 967 | transport where there were indeed more hosts available than the limit. |
| 968 | |
| 969 | (a) Exim used to time out an address out if all the hosts that were tried |
| 970 | were past their retry limits, ignoring the state of any hosts that were |
| 971 | not tried because the hosts_max_try limit was reached. Now it won't |
| 972 | time out an address unless all its hosts are actually considered and |
| 973 | are past their retry limits. |
| 974 | |
| 975 | (b) Hosts that are past their retry limits are no longer counted for |
| 976 | hosts_max_try. This means that when some hosts are in this state, a |
| 977 | greater number of hosts are tried than before, but this is the only way |
| 978 | to ensure that all hosts are considered before timing out an address. |
| 979 | |
| 980 | (c) When the hosts_max_try limit is reached, Exim now looks down the host |
| 981 | list to see if there is a subsequent host with a different MX. If there |
| 982 | is, that host is used next, and the current host is not counted. More |
| 983 | details in NewStuff. |
| 984 | |
| 985 | 31. The source for spa authentication (taken from the Samba project) used the |
| 986 | type "int16". This has caused compilation problems in some systems that |
| 987 | happen to have a different definition of it. (Naughty, naughty, non- |
| 988 | standard.) I've renamed all the defined types by adding "x" on the end. |
| 989 | |
| 990 | 32. When a delivery that used authentication was run with -v (which an |
| 991 | unprivileged user can use) it included the authentication data when it |
| 992 | showed the SMTP transaction. Such data is now replaced by asterisks in any |
| 993 | reflection of the SMTP commands. This also applies if the command is logged |
| 994 | as a result of an error response. |
| 995 | |
| 996 | 33. Some little problems in queue runs: |
| 997 | |
| 998 | (a) The reading end of the synchronising pipe was being left open in the |
| 999 | delivery subprocess. This caused no harm, but used up a file |
| 1000 | descriptor till that series of deliveries was done. |
| 1001 | |
| 1002 | (b) If the load level got high enough to abandon a queue run, the |
| 1003 | synchronizing pipe was accidentally not closed. Normally, this wouldn't |
| 1004 | matter, because the queue runner process would finish any way, but... |
| 1005 | |
| 1006 | (c) If split_spool_directory was set without queue_run_in_order, the code |
| 1007 | for abandoning a queue run because of too high load didn't stop |
| 1008 | cleanly. Instead, it went on to look at the remaining subdirectories. |
| 1009 | Each one would then notice the high load, and abort. Not only was this |
| 1010 | a waste of time, but because of (b) above, it used up one file |
| 1011 | descriptor per subdirectory. With up to 62 subdirectories, this could |
| 1012 | hit the limit of file descriptors if it was as low as 64 (which it |
| 1013 | sometimes is). |
| 1014 | |
| 1015 | 34. Added SYSTEM_ALIASES_FILE to the build-time configuration, and the ability |
| 1016 | to set ROOT= when installing. Removed installation instructions for the |
| 1017 | info version of the overview document, because that document no longer |
| 1018 | exists for Exim 4. |
| 1019 | |
| 1020 | 35. Added a total line to exiqsumm. |
| 1021 | |
| 1022 | 36. convert4r4 can now handle "optional" for single-key lookups in aliasfile |
| 1023 | directors. |
| 1024 | |
| 1025 | 37. Change 4.03/25 (making convert4r4 double colons in require_files lists) was |
| 1026 | incomplete. It worked for routers, but not for directors. |
| 1027 | |
| 1028 | 38. After verify=recipient in an ACL, the value of $address_data is the last |
| 1029 | value that was set while routing the address. |
| 1030 | |
| 1031 | 39. Included eximstats 1.22. |
| 1032 | |
| 1033 | 40. If a delivery of another message over an existing SMTP connection yields |
| 1034 | DEFER, we do NOT set up retry data for the host. This covers the case when |
| 1035 | there are delays in routing the addresses in the second message that are so |
| 1036 | long that the server times out. This is alleviated by not routing addresses |
| 1037 | that previously had routing defers when handling an existing connection, |
| 1038 | but even so, this case may occur (e.g. if a previously happily routed |
| 1039 | address starts giving routing defers). If the host is genuinely down, |
| 1040 | another non-continued message delivery will notice it soon enough. |
| 1041 | |
| 1042 | 41. Added quota_directory to appendfile. |
| 1043 | |
| 1044 | 42. Changed the order of processing configuration input lines. Previously, it |
| 1045 | was comment, .include, continuation, macro expansion, comment again (in |
| 1046 | case a macro turned a logical line into a comment). This meant that macros |
| 1047 | could not be used in .include lines. The order is now macro, comment, |
| 1048 | .include, continuation. That is, macro expansion is done on physical lines, |
| 1049 | not on logical lines. |
| 1050 | |
| 1051 | 43. Improved the error message if an option-setting line in the configuration |
| 1052 | does not start with a letter. (It used to say 'option "" unknown'.) |
| 1053 | |
| 1054 | 44. Allow -D to set a macro to the empty string. Previously it would have |
| 1055 | moved on to the next commandline item. This seems pointless. Either -DXX or |
| 1056 | -DXX= sets an empty string. |
| 1057 | |
| 1058 | 45. Changed OS/Makefile-FreeBSD thus: |
| 1059 | |
| 1060 | EXIWHAT_MULTIKILL_CMD='killall -m' |
| 1061 | EXIWHAT_MULTIKILL_ARG='^exim($$|-[0-9.]+-[0-9]+$$)' |
| 1062 | |
| 1063 | This is because, with the Exim standard installation using a symbolic link, |
| 1064 | the name of the running program is not "exim" but (e.g.) "exim-4.10-1". |
| 1065 | |
| 1066 | 46. An Exim server now accepts AUTH or STARTTLS commands only if their |
| 1067 | availability has been advertised in response to EHLO. |
| 1068 | |
| 1069 | 47. A few source changes to avoid warnings from very picky compilers that don't |
| 1070 | complain about unset variables when the only setting is by passing the |
| 1071 | address to another function. |
| 1072 | |
| 1073 | 48. Added -d+pid to force the adding of the pid to all debug lines. Default it |
| 1074 | on when the daemon is run with any debugging turned on. (Pids are still |
| 1075 | automatically added when multiple deliveries are run in parallel.) |
| 1076 | |
| 1077 | 49. Included Matt Hubbard's exiqgrep utility. |
| 1078 | |
| 1079 | 50. Give error for two routers, transports, or authenticators with the same |
| 1080 | name. (It already caught duplicate ACLs.) |
| 1081 | |
| 1082 | 51. If a host has more than MAX_INTERFACES interfaces (common for hosts with a |
| 1083 | slew of virtual interfaces), and Exim had to find the list of local |
| 1084 | interfaces, it ran off the end of the list that the ioctl returned. I had |
| 1085 | assumed the length would be set to correspond to the amount of data |
| 1086 | returned - but in at least one OS it is set to the actual number of |
| 1087 | interfaces, even if they don't all fit in the buffer. |
| 1088 | |
| 1089 | 52. Nit-picking changes to store.c. It was assuming the length of the |
| 1090 | storeblock structure would be a multiple of the alignment, which is almost |
| 1091 | certainly "always" true. However, just in case it might not be it is now |
| 1092 | rounded up. For some long-forgotten reason, Exim was getting blocks of |
| 1093 | store of the size (8192 - alignment), which seems strange. I've changed it |
| 1094 | to plain 8192. |
| 1095 | |
| 1096 | 53. Added functions to compute SHA-1 digests, added the ${sha1: expansion |
| 1097 | operator, added support for {sha1} to crypteq. |
| 1098 | |
| 1099 | 54. When local_scan() times out, include the message size in the log line. |
| 1100 | |
| 1101 | 55. If a pipe transport had no command specified, and the address also had |
| 1102 | no command associated with it, the transport process crashed. Now it defers |
| 1103 | with a suitable message. |
| 1104 | |
| 1105 | 56. An Exim server output mangled junk if it received a HELP command on an |
| 1106 | TLS-encrypted session. |
| 1107 | |
| 1108 | 57. The output from -bV (and at the start of debugging) now lists the optional |
| 1109 | items included in the binary (which routers, etc). The debugging output now |
| 1110 | includes the name of the configuration file at its start. |
| 1111 | |
| 1112 | 58. Added support for GnuTLS as an alternative to OpenSSL. |
| 1113 | |
| 1114 | 59. Give a configuration error if tls_verify_hosts is set, but tls_verify_ |
| 1115 | certificates is not set. It doesn't make sense to require some hosts to |
| 1116 | verify if there's nothing to verify against. |
| 1117 | |
| 1118 | 60. A pipe transport may now have temp_errors = * to specify that all errors |
| 1119 | are to be treated as temporary. |
| 1120 | |
| 1121 | 61. The lmtp transport can now handle delivery to Unix domain sockets. |
| 1122 | |
| 1123 | 62. Added support for flock() to appendfile, for those operating situations |
| 1124 | that need it. Not all OS support flock(). |
| 1125 | |
| 1126 | 63. It seems that host lists obtained from MX records often turn out to have |
| 1127 | duplicate IP addresses, especially for large sites with many MXs and many |
| 1128 | hosts. Exim now removes duplicate IP addresses. (Previously, it removed |
| 1129 | only duplicate names.) |
| 1130 | |
| 1131 | 64. If ${readfile was inside a substring that was not part of the final |
| 1132 | expansion value (because its condition wasn't met), Exim still tried to |
| 1133 | read the file. This made an "exists" test for the file useless. |
| 1134 | |
| 1135 | 65. Added ${readsocket to the expansion facilities. |
| 1136 | |
| 1137 | 66. It is now possible to set errors_to to the empty string in routers. |
| 1138 | |
| 1139 | 67. Added disable_logging as a generic transport and a generic router option. |
| 1140 | |
| 1141 | 68. Applied Stefan Traby's patch to support threaded Perl. As I don't have a |
| 1142 | threaded Perl, I can't test that this fixed the problem, but it doesn't |
| 1143 | appear to break the non-threaded case. |
| 1144 | |
| 1145 | 69. For SPA (NTLM) client authentication, the options are now expanded. |
| 1146 | |
| 1147 | 70. Added support for SPA server authentication, courtesy of Tom Kistner. |
| 1148 | |
| 1149 | 71. Latest versions of TCPwrappers use the macro HAVE_IPV6 inside the tcpd.h |
| 1150 | header, it appears, and this clashes with Exim's use of that macro. |
| 1151 | Renaming it for Exim is an incompatible change, so instead I've just |
| 1152 | arranged that HAVE_IPV6 is undefined while including the tcpd.h header. |
| 1153 | |
| 1154 | 72. Mac OS 10.2 (Darwin) has IP option support that looks like the later |
| 1155 | versions of glibc, but without the __GLIBC__ macro setting. I've added a |
| 1156 | new macro called DARWIN_IP_OPTIONS, and tidied up the code in smtp_in.c to |
| 1157 | simplify the handling of the three different ways of doing this. |
| 1158 | |
| 1159 | 73. If no "subject" keyword is given for a "vacation" command in a filter, the |
| 1160 | subject now defaults to "On vacation". |
| 1161 | |
| 1162 | 74. Exim now counts the number of "non-mail" commands in an SMTP session, and |
| 1163 | drops the connection if there are too many. The new option |
| 1164 | smtp_accept_max_nonmail option defines "too many". This catches some DoS |
| 1165 | attempts and things like repeated failing AUTHs. |
| 1166 | |
| 1167 | 75. Installed configuration files for OpenUNIX. |
| 1168 | |
| 1169 | 76. When a TLS session was started over a TCP/IP connection for LMTP, Exim was |
| 1170 | sending EHLO instead of LHLO after the encrypted channel was established. |
| 1171 | |
| 1172 | 77. When an address that was being verified routed to an smtp transport whose |
| 1173 | protocol was set to LMTP, the SMTP callout used EHLO instead of LHLO. |
| 1174 | |
| 1175 | 78. Installed eximstats 1.23 in the distribution. |
| 1176 | |
| 1177 | 79. Installed a new set of Cygwin-specific files from Pierre Humblet. |
| 1178 | |
| 1179 | 80. Added caching for callout verification. |
| 1180 | |
| 1181 | 81. Added datestamped logs and $tod_logfile. |
| 1182 | |
| 1183 | 82. When Exim starts up with root privilege, set a high limit (1000) for the |
| 1184 | number of files that can be open and the number of processes that can be |
| 1185 | created (on systems where this is possible), in case Exim is called from a |
| 1186 | restricted environment. |
| 1187 | |
| 1188 | 83. Minor bugfix in appendfile: when renaming failed for a file whose name was |
| 1189 | extended with a tag, the untagged name was shown in the error message. |
| 1190 | |
| 1191 | 84. If Exim's retry configuration was changed so as to bounce a certain |
| 1192 | delivery failure immediately, for example to bounce quota errors: |
| 1193 | |
| 1194 | * quota |
| 1195 | |
| 1196 | and there were messages on the queue that had previously been deferred |
| 1197 | because of this error, Exim crashed when trying to deliver them in a queue |
| 1198 | run. Now it will make one more delivery attempt and bounce on failure. |
| 1199 | |
| 1200 | 85. Fixed an obscure problem that arose when (a) an address was redirected |
| 1201 | to itself, AND (b) the message was not delivered at the first attempt, AND |
| 1202 | (c) the pattern of redirection was changed at the next delivery attempt. |
| 1203 | When an address is redirected to the same address, Exim labels the new |
| 1204 | address as "2nd generation", and so on, in order to distinguish these |
| 1205 | homonym addresses from each other. Previously, it recorded the delivery of |
| 1206 | a homonym address as a delivery of the appropriate generation. This does |
| 1207 | not work if the generation numbers change at the next delivery attempt. The |
| 1208 | symptoms can be either duplicated deliveries, or missing deliveries, |
| 1209 | depending on the configuration. |
| 1210 | |
| 1211 | A real-life example is a configuration that takes "unseen" copies of |
| 1212 | messages at certain times only, because an "unseen" router in effect does a |
| 1213 | redirection to a modified address (the unseen delivery) and to the original |
| 1214 | address (for normal delivery). Thus the normal delivery can be either the |
| 1215 | 1st or 2nd generation, depending on whether or not the unseen router is |
| 1216 | triggered at the time of delivery. |
| 1217 | |
| 1218 | The fix is not to record a delivery to a homonym address as such, but |
| 1219 | instead to record a delivery to the original address by the final |
| 1220 | transport. If the same address is subsequently routed to the same transport |
| 1221 | (whichever generation it now is), the delivery is discarded because it has |
| 1222 | already happened. Homonym addresses that are themselves redirected are now |
| 1223 | never recorded as "done", but non-homonym addresses are unaffected, so they |
| 1224 | are marked when all their children are complete (as before), thus saving |
| 1225 | an unnecessary subsequent expansion. |
| 1226 | |
| 1227 | The fix causes more routing processing to be done when homonyms are in use |
| 1228 | and a message is not delivered at the first attempt, but this is not |
| 1229 | expected to be very common, and the extra processing isn't all that much. |
| 1230 | |
| 1231 | 86. Make sure Exim doesn't overrun the buffer if an oversize packet is received |
| 1232 | from a nameserver. |
| 1233 | |
| 1234 | 87. Added argument-expanding versions of hash, length, nhash, and substr |
| 1235 | expansions. |
| 1236 | |
| 1237 | 88. The API for Berkeley DB changed at release 4.1. Exim now supports this |
| 1238 | release. |
| 1239 | |
| 1240 | 89. When a host was looked up using gethostbyname() (or the more recent |
| 1241 | getipnodebyname() on IPv6 systems), Exim was not inspecting the error code |
| 1242 | on failure. Thus, any failure was treated as "host not found". Exim now |
| 1243 | checks for temporary errors, so the behaviour of "byname" and "bydns" |
| 1244 | lookups in this respect should be the same. However, on some OS it has been |
| 1245 | observed that getipnodebyname() gives HOST_NOT_FOUND for names for which a |
| 1246 | DNS lookup gives TRY_AGAIN. See also change 125 below. |
| 1247 | |
| 1248 | 90. Minor rewording of ACL error for attemted header check after RCPT. |
| 1249 | |
| 1250 | 91. When USE_GDBM was set, exim_dbmbuild wasn't working properly (still assumed |
| 1251 | NDBM compatibilify interface); similarly in dbmdb lookups when ownership |
| 1252 | was being tested. |
| 1253 | |
| 1254 | 92. If a Reply-To: header contained newlines and was used to generate |
| 1255 | recipients for an autoreply, the log line for the autoreply "delivery" had |
| 1256 | unwanted newlines. Such newlines are now turned into spaces. |
| 1257 | |
| 1258 | 93. When a redirect router that has the "file" option set discovers that the |
| 1259 | file does not exist (the ENOENT error), it tries to stat() the parent |
| 1260 | directory, as a check against unmounted NFS directories. If the parent |
| 1261 | can't be statted, delivery is deferred. However, it seems wrong to do this |
| 1262 | check if ignore_enotdir is set, because that option tells Exim to ignore |
| 1263 | the error "something on the path is not a directory" (the ENOTDIR error). |
| 1264 | In fact, it seems that some operating systems give ENOENT where others give |
| 1265 | ENOTDIR, so this is a confusing area. |
| 1266 | |
| 1267 | 94. When the rejectlog was cycled, an existing Exim process was not noticing, |
| 1268 | and was therefore not opening a new file. |
| 1269 | |
| 1270 | 95. If expansion of an address_data setting was forced to fail, and debugging |
| 1271 | was enabled, a debugging statement tried to print an undefined value |
| 1272 | instead of the string that was being expanded. This could cause a crash. |
| 1273 | |
| 1274 | 96. When Berkeley DB version 3 or higher is in use, a callback function is now |
| 1275 | set up to log DB error messages that are passed back. |
| 1276 | |
| 1277 | 97. The conditions in the Makefile for rebuilding the exim_dbmbuild utility |
| 1278 | were wrong, leading to failures to rebuild when it should have done. |
| 1279 | |
| 1280 | 98. Added -no_chown and -no_symlink options to the exim_install script. Also |
| 1281 | arranged for the environment variable INSTALL_ARG to be passed over |
| 1282 | from "make install". |
| 1283 | |
| 1284 | 99. Exim sets the IPV6_V6ONLY option on IPv6 listening sockets on operating |
| 1285 | systems that support it. The call to setsockopt() to do this had SOL_SOCKET |
| 1286 | instead of IPPROTO_IPV6 as its second argument (and so wouldn't work). |
| 1287 | |
| 1288 | 100. When a frozen message was timed out by timeout_frozen_after, the system |
| 1289 | filter was incorrectly being run for the message before it was thrown |
| 1290 | away. |
| 1291 | |
| 1292 | 101. If a filter used $thisaddress in an argument to a pipe command, its value |
| 1293 | was not inserted where expected, because the expansion of a pipe command |
| 1294 | does not happen till transport time, and $thisaddress was not being saved. |
| 1295 | It is now saved (along with $1, $2, etc, which were already being saved), |
| 1296 | and reinstated at transport time. |
| 1297 | |
| 1298 | 102. Added host grouping for randomizing to manualroute and smtp. A host list |
| 1299 | that is randomized by manualroute is never re-randomized by smtp. Two |
| 1300 | host lists that are randomized by manualroute are now treated as "the |
| 1301 | same" when checking for possible multiple deliveries in one SMTP |
| 1302 | transaction (this was always true for MX'd host lists). |
| 1303 | |
| 1304 | 103. Added "randomize" and "no_randomize" options to manualroute. |
| 1305 | |
| 1306 | 104. Added ${hmac expansion item. |
| 1307 | |
| 1308 | 105. When compiling with gcc, make use of its facility for checking printf-like |
| 1309 | function calls (debug_printf and smtp_printf). This would have found the |
| 1310 | problem in 95 above. It actually found a number of missing casts to (int) |
| 1311 | in debug lines, and one spurious additional argument. |
| 1312 | |
| 1313 | 106. Created an ACKNOWLEDGEMENTS file, which I will endeavour to update in |
| 1314 | future. |
| 1315 | |
| 1316 | 107. Minor modification to Makefile: when a command that starts off "cd xxx;" |
| 1317 | is followed by another command (on the next line), put the first one in |
| 1318 | parentheses so that if a "clever" make program amalgamates them, the |
| 1319 | change of directory is turned off when it should be. |
| 1320 | |
| 1321 | 108. If log_timezone is set true, the timestamps in log files now include the |
| 1322 | timezone offset. A new variable $tod_zone contains the offset. The exigrep |
| 1323 | utility has been updated to handle timestamps with offsets. The eximstats |
| 1324 | version included with this release (1.23) has been patched to handle |
| 1325 | timestamps with offsets. There is also a new -utc option that specifies |
| 1326 | the timestamps are in UTC. The Exim monitor has been modified so that it |
| 1327 | omits the zone offset from its display. |
| 1328 | |
| 1329 | 109. If the expansion of an errors_to option is forced to fail, the option is |
| 1330 | ignored. |
| 1331 | |
| 1332 | 110. Added $load_average. |
| 1333 | |
| 1334 | 111. Added router_home_directory generic router option. |
| 1335 | |
| 1336 | 112. Exim crashed on an attempt to check senders or sender domains in an ACL |
| 1337 | other than after RCPT or DATA. It's now a temporary error. |
| 1338 | |
| 1339 | 113. \r was omitted before \n in the SMTP failure response for EHLO/HELO |
| 1340 | argument checking. |
| 1341 | |
| 1342 | 114. On receiving EHLO or HELO, Exim was resetting its state before checking |
| 1343 | the validity of the command. However, RFC 2821 says that the state should |
| 1344 | not be changed if an invalid EHLO/HELO is received, so Exim has been |
| 1345 | changed to conform. This applies mainly when there is more than one |
| 1346 | EHLO/HELO command in a session. |
| 1347 | |
| 1348 | 115. When an Exim root process wrote to a log file, and the log file did not |
| 1349 | already exist, Exim used to create it as root, and then change its |
| 1350 | ownership to exim:exim. This could lead to a race condition if several |
| 1351 | processes were trying to log things at the same time; this happens |
| 1352 | especially when the exiwhat utility is used. I've changed things so that, |
| 1353 | if an Exim root process needs to create a log file, it does so in a |
| 1354 | subprocess that is running as exim:exim. |
| 1355 | |
| 1356 | 116. When running filter tests (-bf and -bF) Exim now changes the current |
| 1357 | directory to "/" so that any assumptions about a particular current |
| 1358 | directory are false. |
| 1359 | |
| 1360 | 117. The appendfile transport was doing the quota_threshold check before |
| 1361 | actually writing the message. However, the act of writing the message |
| 1362 | could make it longer by the addition of prefix, suffix, or additional |
| 1363 | headers. This meant that quota warning could be missed if the basic length |
| 1364 | of a message kept the mailbox below the threshold, but the transport |
| 1365 | additions took it over. The warning threshold check is now done after |
| 1366 | writing the message, when an accurate size is known. |
| 1367 | |
| 1368 | 118. If all verifications for verify = header_sender deferred, the log was |
| 1369 | "temporarily rejected after DATA", without saying why. Now it adds "all |
| 1370 | attempts to verify a sender in a header line deferred". |
| 1371 | |
| 1372 | 119. Added message_id_header_domain option. |
| 1373 | |
| 1374 | 120. Ignore message_id_header_text forced expansion failure. |
| 1375 | |
| 1376 | 121. Typos: "uknown" in acl.c; missing NULL initialized in drtables.c. |
| 1377 | |
| 1378 | 122. When return_size_limit was set greater than zero but smaller than an Exim |
| 1379 | transport buffer size (so that only one buffer would be written), a |
| 1380 | message that was longer than the limit could be omitted from the bounce |
| 1381 | entirely under some circumstances. In other cases, the final buffer full |
| 1382 | before truncation could be omitted. |
| 1383 | |
| 1384 | 123. The inode variables in log.c were of type int with -1 for unset; they |
| 1385 | have been changed to ino_t with 0 for unset. |
| 1386 | |
| 1387 | 124. There are two Makefiles for NetBSD (for different object formats). They |
| 1388 | were originally supplied in a format where one .included the other. The |
| 1389 | problem with this has finally surfaced: when processing the Makefile to |
| 1390 | build config.h, the inclusion isn't seen. The easy way out has been taken: |
| 1391 | there are now two fully independent files. At the same time, HAVE_IPV6 has |
| 1392 | been added to both of them. |
| 1393 | |
| 1394 | 125. Changed the default way of finding an IP address in both the manualroute |
| 1395 | and queryprogram routers. Exim now does a DNS lookup; if that yields |
| 1396 | HOST_NOT_FOUND, it tries calling getipnodebyname() (or gethostbyname()). |
| 1397 | See also change 89 above. |
| 1398 | |
| 1399 | 126. Fixed a race bug in the loop that waits for a delivery subprocess to |
| 1400 | complete. After reading all the data from, and then closing, the pipe, it |
| 1401 | assumed that a call to waitpid() for the known pid would always return |
| 1402 | status for that process. An unfortunately timed signal (e.g. SIGUSR1 from |
| 1403 | exiwhat) could cause waitpid() to return -1/EINTR instead. The effect of |
| 1404 | this was to remain in the loop and call FD_SET() with an argument of -1. |
| 1405 | On Solaris it caused a crash; on other systems it might have looped. |
| 1406 | |
| 1407 | 127. If an ACL that was read from a file was used in more than one message in a |
| 1408 | single SMTP transaction, Exim could crash or misbehave in arbitrary ways. |
| 1409 | The problem was that the ACL was remembered in memory that was thrown away |
| 1410 | at the end of the first message. In fixing this, I've done a bit of |
| 1411 | refactoring of the way memory allocation works, to provide a non-malloc |
| 1412 | allocator for small blocks of data that must be kept for the life of the |
| 1413 | process. There's a new function store_get_perm() and I've reintroduced a |
| 1414 | second storage pool (previously dropped on the 3->4 conversion). A number |
| 1415 | of instances of malloc calls for small amounts of memory have been changed |
| 1416 | to use this instead. It might be a tad more efficient. Then again, it |
| 1417 | might not... |
| 1418 | |
| 1419 | 128. A similar problem to 127: memory corruption could occur for multiple |
| 1420 | messages in one SMTP connection if the data from DNS black list lookups |
| 1421 | was being used in log or user messages, e.g. references to $dnslists_text. |
| 1422 | |
| 1423 | 129. Blanks lines and comments are now ignored in ACLs that are read from |
| 1424 | files. |
| 1425 | |
| 1426 | 130. Two instances of missing \n in debug output. |
| 1427 | |
| 1428 | 131. The new debugging tag +timestamp causes a timestamp to be added to each |
| 1429 | debug output line. |
| 1430 | |
| 1431 | 132. Some debug information is written in multiple calls to debug_printf(), |
| 1432 | with a newline only on the last one. When debugging multiple simultaneous |
| 1433 | processes, the pid was added to each debug text, and for this reason, a |
| 1434 | newline was always forced. Now Exim buffers up debug output until the |
| 1435 | newline is reached, which makes things look much tidier. Also, if there |
| 1436 | are internal newlines and prefix data such as a pid or timestamp are being |
| 1437 | added, the prefix is inserted at the internal newlines. |
| 1438 | |
| 1439 | 133. When running in the test harness, arrange to overwrite all memory that |
| 1440 | is released or freed, so that bugs are more easily found. This picked up |
| 1441 | the following bug: |
| 1442 | |
| 1443 | 134. Expansion error messages were left in released store, so could have been |
| 1444 | overwritten - but in fact most are used immediately, before this happened. |
| 1445 | |
| 1446 | 135. A list of configuration files can be given; the first one that exists is |
| 1447 | used. |
| 1448 | |
| 1449 | 136. Moved the code that ensures that newly-created hints databases and their |
| 1450 | lockfiles are owned by exim:exim so that it runs before the test for |
| 1451 | successful opening, because a case was reported where the file itself was |
| 1452 | created, but the DBM library returned an opening error. |
| 1453 | |
| 1454 | 137. If an address is redirected to just one child address, verification |
| 1455 | continues with the child address. However, if verification of the child |
| 1456 | failed because of (for example) a :fail: redirection, the error message |
| 1457 | did not get passed back as it would have been had the original address |
| 1458 | failed. The error information is now passed back for both fail and defer |
| 1459 | responses. |
| 1460 | |
| 1461 | 138. Added $rcpt_defer_count and $rcpt_fail_count. |
| 1462 | |
| 1463 | 139. Added "rejected_header" log selector. |
| 1464 | |
| 1465 | 140. Added the cannot_route_message generic router option. |
| 1466 | |
| 1467 | 141. Change 87 above introduced a bug in the expansion of substrings when the |
| 1468 | offset was greater than the length of the string, for example |
| 1469 | ${substr_1:}. Exim crashed instead of returning an empty string. |
| 1470 | |
| 1471 | 142. Added extra features to ACLs: the "drop" and "defer" verbs, and the |
| 1472 | "delay" and "control" modifiers (the latter with "freeze" and |
| 1473 | "queue_only"). |
| 1474 | |
| 1475 | 143. If Exim failed to create a log file, it used to try to create the superior |
| 1476 | directories only if the logs were being written in the spool directory. |
| 1477 | Now it tries in all cases, but always from a process running as the exim |
| 1478 | user. |
| 1479 | |
| 1480 | 144. Added $authentication_failed. |
| 1481 | |
| 1482 | 145. Added $host_data for use in ACLs. |
| 1483 | |
| 1484 | 146. Added new ACLs for non-SMTP messages, SMTP connection, MAIL, and STARTTLS. |
| 1485 | |
| 1486 | 147. Added a number of new features to the local_scan() API: |
| 1487 | Access to debug_printf() and the local_scan debug selector |
| 1488 | Direct access to the message_id variable |
| 1489 | LOCAL_SCAN_REJECT_NOLOGHDR and LOCAL_SCAN_TEMPREJECT_NOLOGHDR |
| 1490 | Access to store_get_perm() and store_pool (see 127 above) |
| 1491 | Access to expand_string_message |
| 1492 | Option settings in the main configuration file |
| 1493 | LOCAL_SCAN_ACCEPT_FREEZE and LOCAL_SCAN_ACCEPT_QUEUE |
| 1494 | LOG_PANIC to write to the panic log |
| 1495 | Access to host_checking |
| 1496 | Supporting functions lss_match_xxx() for matching lists |
| 1497 | |
| 1498 | 148. Minor security problem involving pid_file_path (admin user could get root) |
| 1499 | has been fixed. |
| 1500 | |
| 1501 | 149. When an ACL contained a sender_domains condition with a reference to a |
| 1502 | named domain list, the result of the check was not being cached (an |
| 1503 | oversight). |
| 1504 | |
| 1505 | 150. Allowed for quoted keys in lsearch lookups; this makes it possible to have |
| 1506 | whitespace and colons in keys. |
| 1507 | |
| 1508 | 151. Added wildlsearch lookup. |
| 1509 | |
| 1510 | 152. Yet another new set of configuration files for Cygwin from Pierre Humblet. |
| 1511 | |
| 1512 | 153. Ensure that log_file_path contains at most one instance of %s and one |
| 1513 | instance of %D and no other % characters. |
| 1514 | |
| 1515 | 154. Added $tls_certificate_verified. |
| 1516 | |
| 1517 | 155. Now that the list of lookup types has got so long (and more are in |
| 1518 | prospect) arrange to search it by binary chop instead of linear search. |
| 1519 | |
| 1520 | 156. Added passwd lookup. |
| 1521 | |
| 1522 | 157. Added simple arithmetic in expansion strings. |
| 1523 | |
| 1524 | 158. Added the ability to vary what is appended for partial lookups. |
| 1525 | |
| 1526 | 159. Made base 64 encode/decode functions available to local_scan. |
| 1527 | |
| 1528 | |
| 1529 | Exim version 4.10 |
| 1530 | ----------------- |
| 1531 | |
| 1532 | 1. Added HAVE_SA_LEN=YES to the OS/Makefile-Darwin file, because it needs it |
| 1533 | (unsurprising, as it's based on FreeBSD). |
| 1534 | |
| 1535 | 2. Removed the HTML versions of the PCRE and pcretest documentation from the |
| 1536 | distribution tarbundle, and instead included them in the HTML tarbundle, |
| 1537 | linked to the overall index file. |
| 1538 | |
| 1539 | 3. The code for computing load averages was broken in 64-bit Solaris. |
| 1540 | |
| 1541 | 4. Make the default ACL refuse local parts that start with a dot. |
| 1542 | |
| 1543 | 5. LDAP binds with an empty password are considered anonymous regardless of |
| 1544 | the username and will succeed in most configurations. Exim has been changed |
| 1545 | so that the LDAP authentication (the ${if ldapauth... condition) always |
| 1546 | fails when an empty password is used. |
| 1547 | |
| 1548 | 6. Remove quoting from rbl_domains when used in an ACL by the convert4r4 |
| 1549 | script. |
| 1550 | |
| 1551 | 7. A lookup entry in a list that had spaces after the lookup type, e.g. |
| 1552 | "lsearch; /etc/relaydomains" was including the space as part of the file |
| 1553 | name. |
| 1554 | |
| 1555 | 8. Give an error if EXIM_USER or EXIM_GROUP contains control characters (it |
| 1556 | happened when somebody had CRLF terminations in Local/Makefile, which |
| 1557 | messed up the "unknown user" error message). |
| 1558 | |
| 1559 | 9. Ensure recipient address appears in log line for internal pipe problems |
| 1560 | during redirection. |
| 1561 | |
| 1562 | 10. Tidies to code for calls to fork(): (a) 3 typos of "<=" that should have |
| 1563 | been "<" (but would have no actual effect). (b) 2 cases of fork() failures |
| 1564 | not being logged: during -M for multiple messages, and for auto-delivery |
| 1565 | of incoming messages. |
| 1566 | |
| 1567 | 11. A reference to any header line that contains addresses (e.g. $h_to:) caused |
| 1568 | a crash if the header was empty. Change 46 for 4.05 introduced this bug. |
| 1569 | |
| 1570 | 12. If a system filter file was defined as a non-absolute path, but system_ |
| 1571 | filter_user was undefined, Exim's behaviour was undefined. It could, for |
| 1572 | example, discard all deliveries, thinking the system filter had overridden |
| 1573 | them all. Delivery is now deferred, with a message written to the panic |
| 1574 | log. |
| 1575 | |
| 1576 | 13. If a redirection file (or system filter file when system_filter_user was |
| 1577 | set) was defined as a non-absolute path containing no slash characters, |
| 1578 | Exim crashed. |
| 1579 | |
| 1580 | 14. Added $rcpt_count, containing the number of RCPT commands received during |
| 1581 | an SMTP transaction. This differs from $recipients_count when some of the |
| 1582 | RCPTs are rejected. |
| 1583 | |
| 1584 | 15. Added $pid, containing the pid of the current process. |
| 1585 | |
| 1586 | 16. Fixed uninitialized variable warning in eximstats for relayed messages when |
| 1587 | there was no sending host name (logged as H=[n.n.n.n]). There's no change |
| 1588 | of output. |
| 1589 | |
| 1590 | 17. The exiqusumm script failed horribly if it encountered a message that had |
| 1591 | been on the queue for 100 days or more. |
| 1592 | |
| 1593 | 18. Added the message_logs option for suppressing the writing of message logs. |
| 1594 | |
| 1595 | 19. Allow local_scan() to change the errors_to setting on recipient addresses. |
| 1596 | (This was made trivially possible because of change 10 in 4.03.) |
| 1597 | |
| 1598 | 20. Convert4r4 changed: if forbid_pipe is set on a forwardfile director, also |
| 1599 | set forbid_filter_run on the generated redirect router. |
| 1600 | |
| 1601 | 21. In the Makefile, $(INCLUDE) was preceding the -I. item that refers to |
| 1602 | Exim's own include files. This caused a conflict with an external library |
| 1603 | that also happened to have a config.h file. Exim saw the wrong file, and |
| 1604 | chaos ensued. I've moved the -I. item in the relevant lines so that it |
| 1605 | comes before $(INCLUDE). |
| 1606 | |
| 1607 | 22. Added $acl_verify_message to contain any existing user message when |
| 1608 | expanding the "message" modifier in an ACL. |
| 1609 | |
| 1610 | 23. Changed the default argument for egrep when called in exiwhat to find |
| 1611 | Exim processes. It is now ' exim( |$$|-)' instead of ' exim( |$$)' so that |
| 1612 | it works on OS where the true file name appears. |
| 1613 | |
| 1614 | 24. In the plaintext authenticator, server_prompts was not being expanded, as |
| 1615 | documented. It now is. |
| 1616 | |
| 1617 | 25. The exinext script was outputting in an incorrect format for routing |
| 1618 | delays. It said "deliver" when it should have said "route", and the layout |
| 1619 | of the text was screwed up. In fact, "deliver" is not the right word |
| 1620 | anyway. I've changed it to "transport". Also removed redundant code for |
| 1621 | "directing" delays, because these can't occur in Exim 4. |
| 1622 | |
| 1623 | 26. Fixed some problems concerned with retrying address errors in remote |
| 1624 | deliveries: |
| 1625 | |
| 1626 | (a) I'd overlooked temporary address errors, and assumed that all the |
| 1627 | retry items would be for host errors, and therefore on the first |
| 1628 | address when multiple RCPTs were involved. Consequently, no retry |
| 1629 | record was written for second and subsequent addresses if they |
| 1630 | received a 4xx error. Thus, these addresses wouldn't be delayed |
| 1631 | after such a delivery failure. |
| 1632 | |
| 1633 | (b) A temporary address error causes a routing delay; when the address |
| 1634 | is eventually tried again, and routing succeeds, the retry record is |
| 1635 | flagged for deletion. If the address gets another temporary error, |
| 1636 | the retry record got updated, and then deleted. Thus, temporary |
| 1637 | address errors were not being delayed and would be tried on every |
| 1638 | queue run. |
| 1639 | |
| 1640 | 27. A minor code tidy for the CRAM-MD5 authenticator. |
| 1641 | |
| 1642 | 28. Some OS have a command to select processes by the name of the command they |
| 1643 | are running, and send a signal to them. Linux and FreeBSD have "killall"; |
| 1644 | Solaris has "pkill" (it also has "killall", but that does something |
| 1645 | disastrously different). Using such a command makes "exiwhat" more |
| 1646 | efficient, and reduces the chances of it trying to signal a non-existent |
| 1647 | process. There are now two build-time parameters, EXIWHAT_MULTIKILL_CMD and |
| 1648 | EXIWHAT_MULTIKILL_ARG, which can be set to enable this feature to be used. |
| 1649 | They are defined in the OS-specific files for Linux, FreeBSD, and Solaris. |
| 1650 | See OS/Makefile-Default for more details. |
| 1651 | |
| 1652 | 29. As part of tidying up for 28, changed the name of the build-time parameter |
| 1653 | EXIWHAT_KILL_ARG to EXIWHAT_KILL_SIGNAL so that its name makes more sense |
| 1654 | when used in both kinds of exiwhat processing. |
| 1655 | |
| 1656 | 30. By default, the daemon doesn't write a pid file if -bd is not used (i.e. if |
| 1657 | only -q is used). The -oP didn't override this - it was ignored. It now |
| 1658 | overrides the default and causes a pid file to be written. |
| 1659 | |
| 1660 | 31. The values of $local_part, $domain, etc. were not being set during the |
| 1661 | expansion of shadow_condition in a local transport. |
| 1662 | |
| 1663 | 32. The convert4r4 script failed when macros that had continuation lines were |
| 1664 | present in the Exim 3 configuration file. It inserted junk lines into the |
| 1665 | output and gave uninitialized variable errors. |
| 1666 | |
| 1667 | 33. The convert4r4 script discards (with a comment) a setting of "rewrite" on |
| 1668 | a smartuser director that has no setting of new_address when it turns it |
| 1669 | into an "accept" router. |
| 1670 | |
| 1671 | 34. When an alias generated an address with a single-component domain, and |
| 1672 | routing that domain caused it to be widened, Exim remembered only that it |
| 1673 | had delivered to the widened domain. If any other addresses were deferred, |
| 1674 | so that another delivery attempt happened later, Exim re-delivered to the |
| 1675 | widened address, because it checked only the original address. When this |
| 1676 | kind of widening happens, Exim now checks for previous delivery. |
| 1677 | |
| 1678 | 35. A delivery was silently discarded under the following specific |
| 1679 | circumstances: |
| 1680 | . The original address is x@a.b.c, where a.b.c is the local host; |
| 1681 | . a.b.c is recognized as a local domain, and the address is redirected |
| 1682 | to x@a; |
| 1683 | . a is not recognized as a local domain, causing the address to be |
| 1684 | processed by a dnslookup router; |
| 1685 | . the router widens the address to a.b.c, routes it, and discovers it |
| 1686 | is the local host. |
| 1687 | Exim realized that because the domain had been widened, it might have |
| 1688 | become a local domain, so it arranged to re-route from scratch, using the |
| 1689 | new domain. However, because the original address was the same address, |
| 1690 | it thought it had already dealt with it. |
| 1691 | |
| 1692 | 36. A space at the start of an LDAP query in an expansion (after the opening |
| 1693 | curly) was provoking a syntax error. |
| 1694 | |
| 1695 | 37. A syntax error in the data of an ldapauth expansion caused the condition to |
| 1696 | be false without an LDAP query even being tried. Now it causes the |
| 1697 | expansion to fail. |
| 1698 | |
| 1699 | 38. Ensure that an incomplete config.h is removed when the buildconfig program |
| 1700 | gives an error. Otherwise, if the error is a non-existent Exim user, and |
| 1701 | the admin fixes this by creating the user (and not modifying any files), |
| 1702 | Exim will try to use the broken config.h next time. |
| 1703 | |
| 1704 | 39. A call with an argument of the form "-D=xxxx" (i.e. omitting the macro |
| 1705 | name) caused Exim to loop. It now reports an error. |
| 1706 | |
| 1707 | 40. If an ACL tested an address for being in a named domain list (e.g. |
| 1708 | +relay_domains) and then called for recipient verification, and the |
| 1709 | recipient was rewritten, the cache for remembering matching domain lists |
| 1710 | was not being cleared after the rewrite, leading to potential routing (and |
| 1711 | therefore verification) errors. Furthermore, the rewritten address would |
| 1712 | (incorrectly) have been used for any subsequent address checking within |
| 1713 | the ACL. |
| 1714 | |
| 1715 | 41. If an address such as a%b@c was processed using the "percent hack" and then |
| 1716 | transmitted over SMTP, Exim was sending "RCPT TO:<a%b@c>" instead of |
| 1717 | "RCPT TO:<a@b>". |
| 1718 | |
| 1719 | 42. A revised Makefile-CYGWIN file from Pierre Humblet. |
| 1720 | |
| 1721 | 43. If local_scan() rejected a -bS message, it wasn't handling the error in the |
| 1722 | way -bS errors should be handled. |
| 1723 | |
| 1724 | |
| 1725 | Exim version 4.05 |
| 1726 | ----------------- |
| 1727 | |
| 1728 | 1. In the log display in Eximon, put the insert point (caret) at the start of |
| 1729 | the last line instead of at the end, because this stops unwanted horizontal |
| 1730 | scrolling when certain X libraries are used. |
| 1731 | |
| 1732 | 2. A malformed spool file with an incorrect number of recipients (which |
| 1733 | should never occur, of course) could cause eximon (and probably exim) to |
| 1734 | crash. |
| 1735 | |
| 1736 | 3. Updated Cygwin Makefile and os.h (minor tweaks). |
| 1737 | |
| 1738 | 4. Setting allow_domain_literals=true was not allowing domain literal |
| 1739 | addresses in the -f command line option. |
| 1740 | |
| 1741 | 5. Added debugging output for removing and adding header lines at transport |
| 1742 | time. |
| 1743 | |
| 1744 | 6. On systems where SA_NOCLDWAIT is defined, changed from using signal( |
| 1745 | SIGCHLD, SIG_DFL) to using sigaction(), with flags explicitly set zero, to |
| 1746 | ensure that SA_NOCLDWAIT is definitely off. This fixes a bug in AIX where |
| 1747 | subprocesses were disappearing without being turned into zombies for Exim |
| 1748 | to reap. There was a previous report of the error "remote delivery process |
| 1749 | count got out of step" on a Linux box that was never resolved. It is |
| 1750 | possible that this change fixes that too. |
| 1751 | |
| 1752 | 7. Other applications that support IPv6 have been coded to choose IPv6 |
| 1753 | addresses in preference to IPv4 addresses where possible. This is |
| 1754 | encouraged, in order to speed up the use of IPv6. Exim has now been changed |
| 1755 | to do likewise when it looks up IP addresses from host names. This applies |
| 1756 | both to hosts that have more than one IP address, and to MX records with |
| 1757 | equal preference values when the hosts they point to have both IPv4 and |
| 1758 | IPv6 addresses. Within one preference value, Exim will try all the IPv6 |
| 1759 | addresses before any IPv4 addresses, even when some of the IPv4 addresses |
| 1760 | belong to hosts that also have IPv6 addresses. |
| 1761 | |
| 1762 | 8. When Exim sent HELO after EHLO was rejected, or when it sent a second EHLO |
| 1763 | after starting a TLS session, it used the primary host name as the |
| 1764 | argument, instead of the expansion of the helo_data option. |
| 1765 | |
| 1766 | 9. Exim was failing to batch addresses for local delivery when errors_to was |
| 1767 | set on the router to the same string for each address, in the case when the |
| 1768 | string involved some kind of expansion (that ended up with the same value |
| 1769 | each time). If the string was fixed (i.e. no expansion) the batching was |
| 1770 | not blocked. In other words, I was testing the addresses of the strings but |
| 1771 | forgetting to compare the content. The same problem was not present for |
| 1772 | remote deliveries, but the code was written out instead of using a |
| 1773 | subroutine that now exists for this purpose, so I tidied that code. |
| 1774 | |
| 1775 | 10. When Exim passes a connected TCP/IP socket to a new Exim process in order |
| 1776 | to deliver another message on the same connection, it closes down TLS, |
| 1777 | because it can't pass on the state information that is required by the |
| 1778 | OpenSSL package. The new process then tries to start up TLS again. |
| 1779 | Unfortunately, not all servers handle this - and, it has to be said, it is |
| 1780 | a bit of a dubious interpretation of the RFC. (Exim as a server copes OK, |
| 1781 | needless to say.) The problem is that the server may just die or give an |
| 1782 | invalid response, causing a retry delay to occur. The option |
| 1783 | hosts_nopass_tls was invented to help with this, but an automatic way of |
| 1784 | testing has been invented. What now happens is that Exim sends a new EHLO |
| 1785 | after shutting down TLS, before passing the socket on. This in itself |
| 1786 | reduces the dubiousness of the procedure. If there isn't an OK response, |
| 1787 | Exim doesn't try to pass the socket on. |
| 1788 | |
| 1789 | 11. There was inconsistency in the way failures to set up TLS sessions in the |
| 1790 | smtp transport were handled when the host was not in hosts_require_tls. |
| 1791 | It deferred for 4xx responses to STARTTLS, but tried in clear if the actual |
| 1792 | TLS negotiation failed. It now does the same thing in both cases, and what |
| 1793 | this is can be controlled by the new option tls_tempfail_tryclear. This |
| 1794 | defaults true, causing a retry in clear to occur. If it is set false, these |
| 1795 | kinds of temporary failure cause a defer (for that host; if there are |
| 1796 | other hosts, they are tried). |
| 1797 | |
| 1798 | 12. Tidying. When starting up a new delivery process to deliver another message |
| 1799 | over an existing SMTP connection, pass over the IP address as well as the |
| 1800 | host name. This saves having to get the IP address from the socket. |
| 1801 | |
| 1802 | 13. Added "#define base_62 36" to OS/os.h-Darwin because the MacOS X operating |
| 1803 | system has case-insensitive file names. |
| 1804 | |
| 1805 | 14. Tidies to rewriting code: (1) It was getting an unnecessarily large block |
| 1806 | of memory for a rewritten header. (2) Removed some unnecessary debugging |
| 1807 | code that just duplicated log output. |
| 1808 | |
| 1809 | 15. In an expansion like "${if <condition> {${mask:xxxx}}{yyyy}}" Exim still |
| 1810 | tried to perform the masking operation even when the condition was false |
| 1811 | and the yield was "yyyy". This could fail when "xxxx" wasn't a valid string |
| 1812 | for the masking operation. Some other operators (e.g. base62) could fail in |
| 1813 | a similar way. All string operations are now skipped when processing the |
| 1814 | unused substring of a condition. |
| 1815 | |
| 1816 | 16. If a verification of a sender address in a header (caused by verify = |
| 1817 | header_sender in an ACL) caused the address in the header to be rewritten |
| 1818 | (typically because a DNS lookup had widened the domain), the newline at the |
| 1819 | end of the header got lost, thereby causing two headers to be run together. |
| 1820 | Sometimes, but not always, this caused a "spool format error". |
| 1821 | |
| 1822 | 17. A user wanted to use "save" in a filter file with a non-absolute path, and |
| 1823 | to set file_transport to a non-appendfile transport that made use of |
| 1824 | $address_file for its own purposes. This didn't work because Exim was |
| 1825 | distinguishing between file and autoreplies by the leading '/' of the |
| 1826 | former. It now checks for the leading '>' of the latter instead. |
| 1827 | |
| 1828 | 18. The "accept" router was forcing log_as_local instead of just defaulting it. |
| 1829 | |
| 1830 | 19. Exim crashed while verifying a recipient in an ACL if the address was |
| 1831 | verified by a dnslookup router that widened the domain. |
| 1832 | |
| 1833 | 20. When checking the parameters returned from an ident call, Exim was assuming |
| 1834 | that the format would be textually identical to the values it sent, |
| 1835 | including the white space. This is not always the case, causing Exim to |
| 1836 | discard returned ident data that it should have been accepting. |
| 1837 | |
| 1838 | 21. Typo (space missing) in "failed to expand condition" error message. |
| 1839 | |
| 1840 | 22. The option of specifying an individual transport in a route_data or |
| 1841 | route_list option of the manualroute router wasn't working. Such settings |
| 1842 | were being completely ignored. |
| 1843 | |
| 1844 | 23. The memory management was poor when building up a string from a lookup that |
| 1845 | retrieved a large number of data items that had to be concatenated, for |
| 1846 | example, an alias lookup in a database that returned thousands of |
| 1847 | addresses. In extreme cases, this could grind the host to a halt. (Compare |
| 1848 | change 8 for 4.00, which was a similar effect.) Two changes have been made |
| 1849 | to improve matters: (a) For longer strings, it extends them in bigger |
| 1850 | chunks, thus requiring fewer extensions. (b) It is now able to release some |
| 1851 | unwanted memory when a string is copied out of it into a larger block. |
| 1852 | |
| 1853 | 24. There was a small error in the memory sizes quoted when -d+memory was used |
| 1854 | and emptied memory blocks were released. |
| 1855 | |
| 1856 | 25. When helo[_try]_verify was set, Exim crashed if the reverse DNS lookup gave |
| 1857 | a temporary error when trying to look up the host name. It now tries to |
| 1858 | check with a forward DNS lookup (as it does when the reverse lookup can't |
| 1859 | find a name). For helo_verify, a temporary error is now given if |
| 1860 | verification failed, but the host name lookup gave a temporary error. (As |
| 1861 | before, a permanent error is given if there is no host name available.) |
| 1862 | |
| 1863 | 26. When checking quotes for maildir++ format, if the directory name was given |
| 1864 | with a trailing slash in the "directory" option of the appendfile |
| 1865 | transport, Exim got the quota calculation wrong because it scanned the |
| 1866 | final directory instead of the parent directory. |
| 1867 | |
| 1868 | 27. The "quota_xxx" error facility for retry rules was broken in Exim 4 if |
| 1869 | the mailbox had not been read for more than approximately 10 hours. |
| 1870 | |
| 1871 | 28. If a router with "unseen" had a setting of address_data, the value was not |
| 1872 | passed on to subsequent routers for the continuing processing of the |
| 1873 | address. It now is. |
| 1874 | |
| 1875 | 29. If a daemon was started with (e.g.) -qff15m, it omitted the second 'f' when |
| 1876 | starting queue runners. Likewise, if the flags included 'i', this was |
| 1877 | omitted. |
| 1878 | |
| 1879 | 30. Some operating systems log warnings if exec() happens without the standard |
| 1880 | input, output, and error file descriptors existing. The worry is that the |
| 1881 | called program will open some file which will be allocated one of these |
| 1882 | fds. Another bit of code might assume it can write an error message to |
| 1883 | stderr, or whatever. Exim was calling itself to regain privilege for |
| 1884 | delivery without these fds set, thus provoking the warning. Of course, it |
| 1885 | didn't make use of them itself, but the exposure was there for libraries it |
| 1886 | might be using. The code has been changed to ensure that, if any of the |
| 1887 | file descriptors 0, 1, or 2 does not exist at the time of a call to exec(), |
| 1888 | they are opened to /dev/null. |
| 1889 | |
| 1890 | 31. A delivery process could loop under the unusual combination of the |
| 1891 | following circumstances: |
| 1892 | (1) A delivery process had envelope_to_add set for its transport. |
| 1893 | (2) The delivery was for a child address of an envelope address that |
| 1894 | also had another child. |
| 1895 | (3) This other child had been discarded because it was a duplicate of a |
| 1896 | second envelope address. |
| 1897 | (4) The second envelope address had generated a child that was discarded |
| 1898 | because it was a duplicate of the first envelope address. |
| 1899 | |
| 1900 | 32. The -bp option was failing to notice delivered addresses that were in the |
| 1901 | -J file but had not yet made it into the -H file. (This got broken between |
| 1902 | Exim 3 and Exim 4.) |
| 1903 | |
| 1904 | 33. If "query" or "queries" in aliasfile director, or "route_query" or |
| 1905 | "route_queries" in a domainlist router were enclosed in quotes, the |
| 1906 | convert4r4 script was not removing the quotes before inserting the query |
| 1907 | into an expansion string, leading to invalid queries within the string. |
| 1908 | |
| 1909 | 34. If more than two addresses were being delivered in a batch (either local or |
| 1910 | remote deliveries), and they all had the same, non-empty value for |
| 1911 | $self_hostname, but had different domains, Exim crashed. (This is rare, |
| 1912 | because the use of "self=pass", which is the only way $self_hostname gets |
| 1913 | set, is rare.) |
| 1914 | |
| 1915 | 35. If $message_headers was used in a context where there were no headers (e.g. |
| 1916 | while verifying an address before receiving a message), it caused an |
| 1917 | "unknown variable" error. Now it just returns an empty string. |
| 1918 | |
| 1919 | 36. Exim was not diagnosing missing time units letters in times on retry |
| 1920 | rules. It was treating such malformed times as "-1", which caused the rules |
| 1921 | to misbehave. |
| 1922 | |
| 1923 | 37. Added some debugging output to the CRAM-MD5 server code. |
| 1924 | |
| 1925 | 38. In the appendfile transport, check for a file name supplied by redirection |
| 1926 | by checking for "not pipe and not autoreply" instead of looking for a |
| 1927 | leading '/' in the "address". |
| 1928 | |
| 1929 | 39. The os.h file for Darwin defined CRYPT_H, which apparently is wrong. |
| 1930 | |
| 1931 | 40. The "condition" condition in ACLs has been tightened up. Formerly, anything |
| 1932 | other than an empty string, "0", "no" or "false" was treated as "true". Now |
| 1933 | it insists on "yes", "true", or a non-zero number. |
| 1934 | |
| 1935 | 41. Change 22 of 4.02 has been improved; somebody mailed me the correct code |
| 1936 | to get an error message when ldap_result() doesn't set a result. |
| 1937 | |
| 1938 | 42. Update convert4r4 to recognize "ldap:" in require_files, and double the |
| 1939 | colon. |
| 1940 | |
| 1941 | 43. Added "protocol violation" to the "SMTP synchronization" error message, to |
| 1942 | make it clearer what it is complaining about. |
| 1943 | |
| 1944 | 44. Change 26 of 4.03 was incomplete. The same problem could arise if a lookup |
| 1945 | failed while checking the pre-conditions of a router that was subsequently |
| 1946 | run. This can happen for negated conditions such as "domains = !<lookup>". |
| 1947 | |
| 1948 | 45. Somebody managed to set up a configuration that crashed buildconfig such |
| 1949 | that it left a half-built config.h but did not stop the build process. I |
| 1950 | can't reproduce it, but I have added a check after building config.h to |
| 1951 | test for the presence of its last line ("/* End of config.h */"). |
| 1952 | |
| 1953 | 46. Added a .PHONY target to the Makefile to be tidy for GNU make. (It should |
| 1954 | be ignored by other versions). |
| 1955 | |
| 1956 | 45. When Exim uses Berkeley DB version 3 or 4 to create a DBM file, it creates |
| 1957 | it in hashed format. Previously, it opened these files for reading in the |
| 1958 | same format. Now it opens them as "unknown", which means that other formats |
| 1959 | can be accommodated when using DB files for auxiliary data. |
| 1960 | |
| 1961 | 46. When concatenating header lines that may contain lists of addresses (From:, |
| 1962 | To:, etc.) as a result of references to $h_from: etc., a comma is now |
| 1963 | inserted at the concatenation point. Without it, the use of "if |
| 1964 | foranyaddress" fails on such headers, which is dangerous. |
| 1965 | |
| 1966 | 47. The code for ratelimiting MAIL commands was triggering on the count of |
| 1967 | messages received, instead of the number of MAIL commands (which is not the |
| 1968 | same thing if no message is accepted in a transaction). The smtp_accept_ |
| 1969 | max_per_connection limit has also been changed to use the count of MAIL |
| 1970 | commands instead of the count of messages accepted. |
| 1971 | |
| 1972 | 48. There was a typo in the exiwhat script which broke it if the esoteric |
| 1973 | CONFIGURE_FILE_USE_NODE option was in use. |
| 1974 | |
| 1975 | |
| 1976 | Exim version 4.04 |
| 1977 | ----------------- |
| 1978 | |
| 1979 | 1. Fix 10 for 4.03 had a bug in it, which could cause problems when converting |
| 1980 | from an earlier 4.xx release with delayed "one_time" messages on the spool. |
| 1981 | 4.03 incorrectly complains about spool format errors (and refuses to |
| 1982 | process these messages). |
| 1983 | |
| 1984 | 2. Changed the status of the text widgets in the monitor from Append to Edit, |
| 1985 | because this matters on some versions of X. |
| 1986 | |
| 1987 | 3. Change 22 for 4.03 turns out to be misguided. Luckily it is controlled by |
| 1988 | a compile-time macro. I have removed the settings from OS/os.h-Linux that |
| 1989 | made it try to use these functions. |
| 1990 | |
| 1991 | |
| 1992 | Exim version 4.03 |
| 1993 | ----------------- |
| 1994 | |
| 1995 | 1. Change 12 for 4.02 overlooked one case where 256 should have been replaced |
| 1996 | by MAX_LOCALHOST_NUMBER. |
| 1997 | |
| 1998 | 2. Timeouts (etc) in dnslist lookups were not behaving as documented; they |
| 1999 | were deferring (causing 4xx errors) instead of behaving as if the host was |
| 2000 | not in the list. This has been fixed. In addition, some new special items |
| 2001 | may appear in dns lists, to control what happens in this case. The items |
| 2002 | are +include_unknown, +exclude_unknown, and +defer_unknown. |
| 2003 | |
| 2004 | 3. Added #include <unix.h> to OS/os.h-QNX because it was reported that this |
| 2005 | was needed, in order to get O_NDELAY. |
| 2006 | |
| 2007 | 4. Added #define BASE_62 36 to OS/os.h-Cygwin. |
| 2008 | |
| 2009 | 5. Change 8 for 4.02 overlooked the fact that "directory" need not be set if |
| 2010 | the directory name is coming from a filter or forwarding file. The check |
| 2011 | has now been moved from initialization time to run time. Thus, it happens |
| 2012 | later, but it still helps to diagnose the problem. |
| 2013 | |
| 2014 | 6. The file direct.c had been accidentally left in the distribution. |
| 2015 | |
| 2016 | 7. When a new process was forked to deliver another message down an existing |
| 2017 | SMTP connection, a pipe file descriptor was accidentally left open. This |
| 2018 | meant that if there was a long chain of such processes, the number of open |
| 2019 | file descriptors increased by one for each process, and if there were |
| 2020 | sufficent, the limit of open descriptors could be reached, causing various |
| 2021 | problems. |
| 2022 | |
| 2023 | 8. When an address was being checked with -bt and the routing involved an |
| 2024 | errors_to setting whose address verification also involved an errors_to |
| 2025 | setting, Exim got into a verifying loop. It shouldn't verify an errors_to |
| 2026 | setting when already verifying, but got this wrong if it started from -bt. |
| 2027 | |
| 2028 | 9. Tidied up some compiler warnings when compiling with TCP wrappers. |
| 2029 | |
| 2030 | 10. When a child address was promoted to a toplevel address by "one_time" after |
| 2031 | a deferred delivery, it was not remembering any "errors_to" address that |
| 2032 | was set by the routers that processed the original address. Consequently, |
| 2033 | the subsequent delivery had (incorrectly) the original sender address in |
| 2034 | the envelope. Exim now remembers the "errors_to" address with the new |
| 2035 | toplevel address and reinstates it for the next delivery. |
| 2036 | |
| 2037 | 11. When Exim received a message other than from the daemon, there were two |
| 2038 | situations in which it did not re-exec itself for delivery: when it was |
| 2039 | running as root, or when it was running in an unprivileged mode. This was |
| 2040 | an attempt to save some resources (very early Exims ran as root more often) |
| 2041 | but has turned out to be pretty rare. A bug has been discovered in this |
| 2042 | case: if the incoming message was on a TLS session (from inetd, for |
| 2043 | example), but the outgoing delivery was on an unencrypted SMTP connection, |
| 2044 | Exim got confused. The effect was minimal: it sent two EHLO commands, but |
| 2045 | otherwise worked. Multiple EHLOs are not an error, according to the RFCs, |
| 2046 | but there was at least one broken MTA that objected. This error would have |
| 2047 | occurred only when synchronous delivery (-odi or -odf) was specified. |
| 2048 | |
| 2049 | While sorting this out, I have abandoned the logic that did a delivery |
| 2050 | without forking in the interests of simplicity. This was an even rarer |
| 2051 | case: it only happened when Exim was running as root or in an unprivileged |
| 2052 | mode AND synchronous delivery was specified. |
| 2053 | |
| 2054 | 12. Change references to /bin/rm in the Makefile to plain rm. |
| 2055 | |
| 2056 | 13. If EXIM_PERL was set in Local/Makefile, but PERL_COMMAND was set to a |
| 2057 | command that was not a file, or if it was set to a non-existent file, |
| 2058 | the build process carried on trying to build Perl support, but without the |
| 2059 | relevant variables for the Perl libraries, etc., which is disastrous. In |
| 2060 | fact, the build process shouldn't have been using PERL_COMMAND; that is a |
| 2061 | value for screwing into utility scripts. The build process assumes a |
| 2062 | suitable PATH for things like rm, mv, etc., which have xxx_COMMAND |
| 2063 | variables for scripts. So I've changed it to use just "perl". It now bombs |
| 2064 | out if "perl --version" doesn't produce some output. |
| 2065 | |
| 2066 | 14. Changed the #includes in perl.c for the Perl headers to use <> instead of |
| 2067 | "" because this is apparently better usage. |
| 2068 | |
| 2069 | 15. Added local_scan_timeout to apply a timeout to local_scan(). |
| 2070 | |
| 2071 | 16. Recognize IPv6 addresses as IP addresses, even when Exim is not compiled |
| 2072 | with IPv6 support. |
| 2073 | |
| 2074 | 17. When verifying a HELO/EHLO name, Exim was not checking the alias host names |
| 2075 | it obtained from calling gethostbyaddr(). In many cases, this didn't cause |
| 2076 | any unwanted rejections because as a last resort Exim does a forward lookup |
| 2077 | on the HELO name to see if any of its IP addresses matches. But it fixing |
| 2078 | the bug saves the unnecessary additional lookup. |
| 2079 | |
| 2080 | 18. Added "domains = ! +local_domains" to the commented-out ipliteral router in |
| 2081 | the default configuration. |
| 2082 | |
| 2083 | 19. Default sender_host_aliases to an empty alias list, instead of NULL. This |
| 2084 | is just for tidiness; the way it was coded, it didn't cause any problems. |
| 2085 | |
| 2086 | 20. Added -tls-on-connect, which starts a TLS session without waiting for |
| 2087 | STARTTLS. This supports older clients that used a different port. |
| 2088 | |
| 2089 | 21. Added support for the Cyrus pwcheck daemon. |
| 2090 | |
| 2091 | 22. Arranged to use getipnodebyaddr() instead of gethostbyaddr() in systems |
| 2092 | with IPv6 support that have this function, because gethostbyaddr() doesn't |
| 2093 | work for IPv6 addresses on all systems (it does on some). |
| 2094 | |
| 2095 | 23. Header lines added by "warn" statements in the ACL for RCPT are saved up to |
| 2096 | be added after the message's header has been received. Previously, Exim was |
| 2097 | saving up all added headers, from both RCPT and DATA, until the very end. |
| 2098 | Now it adds those from RCPT before the DATA ACL is obeyed, so that they can |
| 2099 | be accessed from within the DATA ACL. |
| 2100 | |
| 2101 | 24. Changed TLS initialization to use SSL_CTX_use_certificate_chain_file() |
| 2102 | instead of SSL_CTX_use_certificate_file(). This means that the file can |
| 2103 | contain the whole chain of certificates that authenticate the server. |
| 2104 | |
| 2105 | 25. Updated convert4r4 to check for colons that look as if they are part of |
| 2106 | expansion items in require_files lists (e.g. ${lc:xxxx}). In Exim 3, the |
| 2107 | whole list was expanded before splitting up, but in Exim 4, the splitting |
| 2108 | happens first, so such colons must be doubled. The conversion script now |
| 2109 | doubles such colons, and outputs a warning message. The test for one of |
| 2110 | these colons is a match against "\$\{\w+:". |
| 2111 | |
| 2112 | 26. If, while verifying a recipient address, a router was skipped because a |
| 2113 | lookup did not succeed, and the following router suffered a temporary |
| 2114 | failure (e.g. a timeout), the log line for the temporary rejection showed |
| 2115 | the error from the first router instead of from the second. |
| 2116 | |
| 2117 | 27. Exim crashed if a dnslists test was obeyed in an ACL for an SMTP message |
| 2118 | from the local host. Now it just fails to match the list. |
| 2119 | |
| 2120 | |
| 2121 | Exim version 4.02 |
| 2122 | ----------------- |
| 2123 | |
| 2124 | 1. Bug in string expansion: if a "fail" substring of a conditional contained |
| 2125 | another conditional that used the "fail" facility, Exim didn't swallow the |
| 2126 | right number of closing parentheses in the case when the original condition |
| 2127 | succeeded (i.e. when the condition containing the "fail" should be |
| 2128 | skipped). |
| 2129 | |
| 2130 | 2. helo_verify_hosts wasn't working when comparing host names. |
| 2131 | |
| 2132 | 3. When delivering down an existing SMTP connection, the error "Unexpectedly |
| 2133 | no free subprocess slot" was sometimes given for other addresses in the |
| 2134 | message. |
| 2135 | |
| 2136 | 4. Binary zeroes in the message body are now turned into spaces in the |
| 2137 | contents of $message_body and $message_body_end. |
| 2138 | |
| 2139 | 5. If the value of a field in a MySQL result was SQL NULL, and more than one |
| 2140 | field was selected, Exim crashed. |
| 2141 | |
| 2142 | 6. It seems that many OS treat 0.0.0.0 as meaning the local host, typically |
| 2143 | making it behave like 127.0.0.1. Since there have been incidents where this |
| 2144 | was found in the DNS, two changes have been made: |
| 2145 | (a) Added 0.0.0.0 to the ignore_target_hosts setting in the default |
| 2146 | configuration. |
| 2147 | (b) Unconditionally recognize 0.0.0.0 as the local host while routing. |
| 2148 | |
| 2149 | 7. Added helo_allow_chars so people can let in underscores if they really |
| 2150 | have to. Sigh. |
| 2151 | |
| 2152 | 8. Give configuration error if "maildir_format" or "mailstore_format" is |
| 2153 | specified for appendfile without specifying "directory". |
| 2154 | |
| 2155 | 9. When return_path was expanded in an smtp transport, the values of |
| 2156 | $local_part and $domain were not set up. |
| 2157 | |
| 2158 | 10. The optimization for sending multiple copies of a single message over one |
| 2159 | SMTP connection when there are lots of recipients (but too many for one |
| 2160 | copy of the message) was messing up in the case when max_rcpt was set to 1 |
| 2161 | (for VERP). It would send lots of copies with one RCPT each, correctly, but |
| 2162 | because the transport was passed more than one address, $local_part and |
| 2163 | $domain weren't set. Since setting max_rcpt to 1 is almost always |
| 2164 | associated with VERP (or at least, you do it because you want to use |
| 2165 | $domain or $local_part), I've made that a special case where the |
| 2166 | optimization is disabled. |
| 2167 | |
| 2168 | 11. Cygwin has case-insensitive file names. Therefore, we can't use base 62 |
| 2169 | numbers for Exim's identifiers. We have to use base 36 instead. Luckily 6 |
| 2170 | base 36 digits are still plenty enough to hold the time for some years to |
| 2171 | come. There's now a macro that is set either to 62 or 36, but the names and |
| 2172 | documentation still talk about "base 62". |
| 2173 | |
| 2174 | 12. Added build-time variable MAX_LOCALHOST_NUMBER (default 256) to allow the |
| 2175 | localhost number to be traded off against the maximum number of messages |
| 2176 | one process can receive in one second. This is relevant only when |
| 2177 | localhost_number is set. It may be useful for Cygwin, where the maximum |
| 2178 | sequence number is much less when up to 256 hosts are allowed. |
| 2179 | |
| 2180 | 13. Extended MySQL server data to allow for the specification of an alternate |
| 2181 | Unix domain socket. |
| 2182 | |
| 2183 | 14. Give error if too many slashes in mysql_servers or pgsql_servers item. |
| 2184 | |
| 2185 | 15. Changed the wording "debug string overflowed buffer" to "debug string too |
| 2186 | long - truncated" to make it clearer that it's not a big disaster. |
| 2187 | |
| 2188 | 16. Now that I finally understand the difference between the resolver's returns |
| 2189 | HOST_NOT_FOUND and NO_DATA, I've optimized Exim's DNS lookup so that if an |
| 2190 | MX lookup gets HOST_NOT_FOUND, it doesn't bother to try to look up an |
| 2191 | address record. Only if it gets NO_DATA does it do that. |
| 2192 | |
| 2193 | 17. The contents of Envelope-To: were not correct in cases when more than one |
| 2194 | envelope address was redirected to a single delivery address via an |
| 2195 | intermediate address, because the duplication was detected at the |
| 2196 | intermediate stage, but the checking for Envelope-To: only looked at |
| 2197 | duplicates of the final address. |
| 2198 | |
| 2199 | 18. If a message with the -N flag was on the spool, and was selected during a |
| 2200 | queue run by -R or -S, the -N flag was incorrectly passed on to all |
| 2201 | subsequent messages, leading to their being thrown away. |
| 2202 | |
| 2203 | 19. Remove unnecessary check for the local host when looking up host names in |
| 2204 | host lists. |
| 2205 | |
| 2206 | 20. If tls_certificate is supplied, but tls_privatekey is not, assume that both |
| 2207 | are in the tls_certificate file. |
| 2208 | |
| 2209 | 21. If a router set transport_current_directory or transport_home_directory |
| 2210 | to something that involved an LDAP lookup, and there was more than one |
| 2211 | local delivery to be done for a single message, all but the first got |
| 2212 | deferred because the LDAP connection for those variables got opened in the |
| 2213 | superior process, but closed in the first subprocess. The second subprocess |
| 2214 | then assumed it was still open. We now ensure that each subprocess starts |
| 2215 | with a clean slate (everything closed down) so that it can open and close |
| 2216 | its own connections as needed. |
| 2217 | |
| 2218 | 22. After a failure of ldap_result(), Exim was calling ldap_result2error() in |
| 2219 | order to get an error message. However, it appears that it shouldn't do |
| 2220 | this if the value of result variable is NULL. As I can't find any way of |
| 2221 | getting an error message out of LDAP in this circumstance, Exim now just |
| 2222 | gives says "ldap_result failed and result is NULL". |
| 2223 | |
| 2224 | 23. If a message arrives over a TLS connection via inetd, close down the SSL |
| 2225 | library in the subprocess for message delivery (but don't molest the |
| 2226 | parent's SSL connection). |
| 2227 | |
| 2228 | |
| 2229 | Exim version 4.01 |
| 2230 | ----------------- |
| 2231 | |
| 2232 | 1. When setting TCP_NODELAY, the call to setsockopt() was using SOL_SOCKET |
| 2233 | instead of IPPROTO_TCP, which caused excessive logging on some systems. |
| 2234 | |
| 2235 | 2. Changed the Makefile for Cygwin to set EXIM_USER and EXIM_GROUP to 0. |
| 2236 | |
| 2237 | 3. The SMTP rewriting facility was broken. |
| 2238 | |
| 2239 | 4. There was some malformatting in the spec.txt file (the other formats were |
| 2240 | OK). |
| 2241 | |
| 2242 | 5. Made convert4r4 change "bydns_a" into "bydns" in route_list options, and |
| 2243 | to do the same for "bydns_mx", but in this case to comment that it won't |
| 2244 | work the same (and to suggest a workaround). |
| 2245 | |
| 2246 | 6. Removed redundant code in deliver.c for indicating when a reused SMTP |
| 2247 | connection had been closed in a subprocess - this was being done twice. |
| 2248 | |
| 2249 | 7. Change 2 of 3.164 removed Exim's explicit checking that a reverse DNS |
| 2250 | lookup yielded a name whose forwarded lookup gave the original IP address, |
| 2251 | because I thought that gethostbyaddr() did this automatically (it seems to |
| 2252 | on some systems). There is hard evidence that I was wrong, so this test has |
| 2253 | been put back, and in a better form, because it now checks alias names. |
| 2254 | This means that the verify=reverse_host_lookup condition in an ACL reduces |
| 2255 | to requiring that the host name has been looked up, since the checks it |
| 2256 | previously did are not always applied. |
| 2257 | |
| 2258 | 8. When sender verification fails, the error associated with it is given by |
| 2259 | default before the 550 error for the first RCPT command. Not everybody |
| 2260 | wants to see this. There is now an option (no_details) that suppresses it. |
| 2261 | |
| 2262 | 9. The patterns in rewriting rules with the 'S' flag were not being expanded. |
| 2263 | For consistency with other patterns (and the documentation), this has been |
| 2264 | changed. |
| 2265 | |
| 2266 | 10. "domainlist", "hostlist", and "addresslist" weren't recognized if the |
| 2267 | immediately following character was a tab rather than a space. |
| 2268 | |
| 2269 | 11. The rules for writing daemon pid files have changed. A new option -oP has |
| 2270 | been added to provide a way of specifying a pid file path on the command |
| 2271 | line. Exim now writes a pid file when -bd is used, unless -oX is specified |
| 2272 | without -oP. |
| 2273 | |
| 2274 | 12. The version number of OpenSSL was included in the response to the STARTTLS |
| 2275 | command - a legacy from the original contributed code that doesn't seem |
| 2276 | sensible. It no longer appears, and I took it out of the debug output as |
| 2277 | well because that was the only place left, and the code to compute it was |
| 2278 | "mysterious magic" that didn't seem worth keeping. |
| 2279 | |
| 2280 | 13. When another message was processed in order to send it down an existing |
| 2281 | SMTP connection, Exim was doing the routing for all the addresses. Even if |
| 2282 | called from a delivery from a queue runner, this doesn't count as "in a |
| 2283 | queue run", so retry times were not being inspected. If the message had a |
| 2284 | large number of recipients, and several of them timed out while routing, |
| 2285 | the delay could be so large that the server at the other end of the SMTP |
| 2286 | connection would time out. To avoid this happening, Exim now skips routing |
| 2287 | for any addresses that have a domain retry time set for routing, whether or |
| 2288 | not that retry time has arrived, when dealing with a pre-existing SMTP |
| 2289 | connection. This will be "right" pretty well all of the time, and even |
| 2290 | when it is "wrong", the only consequence will be some delay. (This doesn't |
| 2291 | apply to "address" retry times, because those are usually the result of 4xx |
| 2292 | errors, not timeouts.) |
| 2293 | |
| 2294 | 14. Added words to the initial output from -bh pointing out that no ident |
| 2295 | callback is done. |
| 2296 | |
| 2297 | 15. The convert4r4 script wasn't getting it quite right with an aliasfile |
| 2298 | director that had a "transport" setting. It was missing the "yes/no" in the |
| 2299 | "condition" setting. |
| 2300 | |
| 2301 | |
| 2302 | Exim version 4.00 |
| 2303 | ----------------- |
| 2304 | |
| 2305 | 1. Changed the name of debug_print for authenticators (3.953/38) to |
| 2306 | server_debug_print because it applies only when the authenticator is |
| 2307 | running as a server. |
| 2308 | |
| 2309 | 2. Forgot to change DB_ to EXIMDB_ in the Cygwin Makefile. |
| 2310 | |
| 2311 | 3. There were still a couple of uses of vfork() when passing a socket to a |
| 2312 | new delivery process. The use of vfork() is not recommended these days, |
| 2313 | so I changed them to fork(). |
| 2314 | |
| 2315 | 4. Added the spa authentication mechanism, using the code contributed by Marc |
| 2316 | Prud'hommeaux (and mostly taken from the Samba project). This supports |
| 2317 | Microsoft's "Secure Password Authentication", but only as a client. |
| 2318 | |
| 2319 | 5. queryprogram had current_directory unset, but used "/" when it was unset. |
| 2320 | It is tidier just to make the default "/" and have done with it. |
| 2321 | |
| 2322 | 6. When a delivery is run with -v, the -v flag is no longer passed on to new |
| 2323 | processes that are started in order to send other messages on existing |
| 2324 | SMTP connections. This prevents non-admin users from seeing these other |
| 2325 | deliveries. Admin users can specify a higher level of debugging, and when |
| 2326 | this is done, the debugging selection is passed on. |
| 2327 | |
| 2328 | 7. Increased the increment for dynamic strings from 50 to 100. |
| 2329 | |
| 2330 | 8. When Exim was building a dynamic string for $header_xxx from a number of |
| 2331 | headers of the same name, or for $message_headers, it was using the dynamic |
| 2332 | string function which is designed for use with relatively short strings. If |
| 2333 | a pathological message had an enormous header, it chewed up memory at a |
| 2334 | ridiculous rate. The code has been rewritten so that it does not do this. |
| 2335 | With a 64K header string (there's a limit set at 64K) it now just gets one |
| 2336 | 64K buffer. Previously it used a large number of megabytes to build such a |
| 2337 | string, and some system filter processing ran machines into the ground on |
| 2338 | messages with huge headers. |
| 2339 | |
| 2340 | 9. The work for 8 involved a small amount of other "refactoring" in the |
| 2341 | expansion functions. |
| 2342 | |
| 2343 | 10. If "headers add" or "headers remove" were used in a system filter, the |
| 2344 | headers didn't actually get changed when testing with -bF. This could |
| 2345 | affect later commands in the filter that referred to the headers. |
| 2346 | |
| 2347 | 11. Two system filter bugs: (a) The system filter was always being run as root, |
| 2348 | even if system_filter_user was set. (b) When the system filter was not run |
| 2349 | as root, changes to the header lines by "headers add" or "headers remove" |
| 2350 | were being lost. Because of (a), (b) would never have bitten. |
| 2351 | |
| 2352 | 12. Some "refactoring" in the daemon: |
| 2353 | (a) Removed redundant statement smtp_in=NULL. |
| 2354 | (b) The test for fork failure for a delivery process was not quite in the |
| 2355 | right place. |
| 2356 | (c) Added main and panic logging for receive and delivery fork failures. |
| 2357 | (d) Check for fdopen() failure, and don't try to continue, but ensure |
| 2358 | the sockets get closed. |
| 2359 | (e) Log fclose() failures. |
| 2360 | |
| 2361 | 13. Added the "/data" facility to ACL dnslists so as to make it easy to use, |
| 2362 | for example, the domain lookup of rfc-ignorant.org. |
| 2363 | |
| 2364 | 14. Refactored the code in the daemon to use a vector of structures instead of |
| 2365 | two separate vectors for storing the pid of a spawned accepting process and |
| 2366 | the corresponding IP address of the client. (This is to make it easier to |
| 2367 | add other things.) |
| 2368 | |
| 2369 | 15. If EXIM_USER or EXIM_GROUP were set to the empty string in Local/Makefile, |
| 2370 | the uid or gid were set to zero, which is unsafe. These settings now cause |
| 2371 | an error message at build time. |
| 2372 | |
| 2373 | 16. check_ancestor was doing its check case-sensitively, which meant that it |
| 2374 | did not work with some configurations when redirecting changed the case of |
| 2375 | the local part. Now check_ancestor respects the setting of |
| 2376 | caseful_local_part on the router which routed the ancestor address. |
| 2377 | |
| 2378 | 17. The check for router looping (whether the current router had previously |
| 2379 | routed the same address) was always being done case-insensitively. It |
| 2380 | should do the local part check case-sensitively when caseful_local_part is |
| 2381 | set for that router. |
| 2382 | |
| 2383 | 18. Added helo_try_verify_hosts, which is like helo_verify_hosts except that |
| 2384 | it doesn't reject failing HELO/EHLO. Instead the verification state can be |
| 2385 | testing in an ACL by verify=helo. |
| 2386 | |
| 2387 | 19. When echoing log writes from a parallel remote delivery process to the |
| 2388 | debug output, the pid of the parallel process was being omitted. |
| 2389 | |
| 2390 | 20. In an ACL run for a RCPT command, the values of $domain and $local_part |
| 2391 | were becoming unset after a sender or recipient verification. |
| 2392 | |
| 2393 | 21. Exim crashed if called with -C followed by a ridiculously long string. |
| 2394 | |
| 2395 | 22. Some other potential points of trouble caused by pathological input data |
| 2396 | have been defended. |
| 2397 | |
| 2398 | 23. If hosts_randomize was set on an smtp transport, the randomizing code had |
| 2399 | a bug which could put the delivery process into a tight loop. |
| 2400 | |
| 2401 | |
| 2402 | |
| 2403 | Exim version 3.953 |
| 2404 | ------------------ |
| 2405 | |
| 2406 | 1. Exim was not terminating the names of named lists in memory. It got away |
| 2407 | with this on systems where newly malloc()d store is zeroed (always a bad |
| 2408 | practice). When running in its test harness, Exim now ensures that all |
| 2409 | new memory from malloc is filled with a non-zero value. This will help |
| 2410 | pick up bugs like this in future. (I haven't made it do it always, for |
| 2411 | performance reasons.) |
| 2412 | |
| 2413 | 2. When skip_syntax_errors was set on a redirect router, and a forward file |
| 2414 | (NOT a filter file) contained only invalid addresses, the message was |
| 2415 | discarded. The router now declines, as it does for invalid filter files. |
| 2416 | Thus, the address is passed on unless no_more is set. |
| 2417 | |
| 2418 | 3. When an address containing upper case letters in the local part was |
| 2419 | deferred, eximon showed the lowercased version with the caseful version |
| 2420 | as a "parent", as well as the original caseful version in its queue list. |
| 2421 | |
| 2422 | 4. When hide_child_in_errmsg was set on a redirect router, bounce messages |
| 2423 | still showed the failed addresses in the X-Failed-Recipients: header line. |
| 2424 | |
| 2425 | 5. Change 6 for 3.952 should also have included SIGTERM. |
| 2426 | |
| 2427 | 6. exim -bP +something was searching only the domain lists. It now searches |
| 2428 | all lists for a matching name. |
| 2429 | |
| 2430 | 7. If Local/Makefile contains more than one of USE_DB, USE_GDBM, or USE_TDB, |
| 2431 | give a build-time error. When it does contain one of them, arrange for any |
| 2432 | OS default for any other one to be overridden. (The code expects at most |
| 2433 | one of these to be defined.) |
| 2434 | |
| 2435 | 8. When a value for transport_home_directory is taken from the password |
| 2436 | information, wrap it in \N...\N so that it isn't expanded in the transport. |
| 2437 | This affects Cygwin, where home directories may contain $ characters. |
| 2438 | |
| 2439 | 9. Fixed an occasional crash when autoreply was sending a message created by |
| 2440 | a user's filter file. It was referencing uninitialized memory. (The |
| 2441 | prophylactic mentioned in 1 above made it a hard error.) |
| 2442 | |
| 2443 | 10. The "run" and "readfile" expansion items could sometimes return extra junk |
| 2444 | characters (yet another uninitialized memory bug). |
| 2445 | |
| 2446 | 11. The lockout options forbid_filter_existstest etc. were not propagating to |
| 2447 | the expansion of files sent as part of "mail" messages from users' filter |
| 2448 | files. |
| 2449 | |
| 2450 | 12. Another unterminated string bug: when an ACL was read from a file |
| 2451 | dynamically it wasn't properly terminated. |
| 2452 | |
| 2453 | 13. Cached pgsql connections weren't being re-used, leading to a potential |
| 2454 | build-up of open connections. |
| 2455 | |
| 2456 | 14. $message_headers is supposed to be limited to 64K in length, but it wasn't |
| 2457 | so limited if an individual header line was longer than 64K. |
| 2458 | |
| 2459 | 15. An individual header line, or concatenation of multiple identically- |
| 2460 | named header lines, inserted by $h_xxxx is supposed to be limited to 64K in |
| 2461 | length, but it wasn't so limited if the only header line was longer than |
| 2462 | 64K. |
| 2463 | |
| 2464 | 16. A syntactically incorrect setting of -d... is now treated as a command line |
| 2465 | syntax error (message to stderr, return code 1), without any entry on the |
| 2466 | log. |
| 2467 | |
| 2468 | 17. Modifications to the exim_install script: |
| 2469 | (a) Scan the combined Makefile in the build directory instead of messing |
| 2470 | around scanning its individual constituent files. |
| 2471 | (b) Use sed instead of a pipe of grep, tail and cuts. This allows better |
| 2472 | control, but has to be very simple sed in order to work on Solaris. |
| 2473 | (c) Allow for the setting of EXE to add a subscript to executables for |
| 2474 | the benefit of Cygwin. |
| 2475 | (d) Use -c instead of -b with "cut" because the "cut" in BSD/OS doesn't |
| 2476 | grok -b. |
| 2477 | |
| 2478 | 18. Changes for Cygwin: |
| 2479 | (a) Update scripts/os-type to recognize CYGWIN. |
| 2480 | (b) Arrange (via the Uopen() macro) for all calls to open() to have |
| 2481 | the O_BINARY flag, to avoid CRLF problems. |
| 2482 | (c) If OS_INIT is defined, call it at the very start of Exim's execution. |
| 2483 | (d) When resolver debugging is enabled, set _res.options |= RES_DEBUG |
| 2484 | before calling res_init() as well as after, because that generates |
| 2485 | some debugging info during initialization. |
| 2486 | |
| 2487 | 19. Make the initial call to os_getloadavg() in exim.c conditional on |
| 2488 | LOAD_AVG_NEEDS_ROOT because it is done just to initialize os_getloadavg() |
| 2489 | on systems that require the first call to be done as root. It should be |
| 2490 | called only when messages are being received; it was being called |
| 2491 | unnecessarily in some cases. |
| 2492 | |
| 2493 | 20. If Exim failed to open its retry hints database at routing time, it crashed |
| 2494 | during a subsequent local delivery. |
| 2495 | |
| 2496 | 21. If Exim is neither setuid root nor called by root, there is no need to |
| 2497 | attempt to drop root privilege when it is not needed. |
| 2498 | |
| 2499 | 22. I'd forgotten to remove the check for the presence of %s in pid_file_path |
| 2500 | when it was set at run time. |
| 2501 | |
| 2502 | 23. If a transport filter crashed, or yielded a non-zero return code during an |
| 2503 | SMTP delivery, Exim was not aborting the delivery. This led to multiple |
| 2504 | partial deliveries of the message until the transport filter was fixed. |
| 2505 | |
| 2506 | 24. Do not try alternate hosts if a transport filter crashes or yields a |
| 2507 | non-zero return during an SMTP delivery. |
| 2508 | |
| 2509 | 25. When exim -be is reading input lines from stdin, backslash can now be used |
| 2510 | for continuations. This makes it easier to test expansions from a |
| 2511 | configuration file by cut and paste, and long expansions in general. |
| 2512 | |
| 2513 | 26. The file src/auths/xtextdecode.c was incorrectly named xtestdecode.c, but |
| 2514 | because the MakeLinks script built a symbolic link that worked, this |
| 2515 | mistake didn't actually show up. |
| 2516 | |
| 2517 | 27. When Exim is delivering another message down an existing connection, |
| 2518 | remote_max_parallel should be forced to 1; this wasn't happening, though |
| 2519 | it would have caused a problem only if a message had more than 100 |
| 2520 | recipients routed to the host. |
| 2521 | |
| 2522 | 28. When there was a problem while delivering down an existing connection, such |
| 2523 | that the transport process closed the connection, this fact wasn't getting |
| 2524 | communicated to the calling delivery process, which might have tried to do |
| 2525 | more deliveries on the same connection. This would only have caused a |
| 2526 | problem if there were more than 100 recipients to the same host. |
| 2527 | |
| 2528 | 29. The ${extract} action, with a negative field number that selected the first |
| 2529 | field in a string, could return junk characters at the start of the |
| 2530 | extracted field. |
| 2531 | |
| 2532 | 30. When Exim is acting as a client, if an attempt to start a TLS session fails |
| 2533 | during the TLS negotiation phase (i.e. STARTTLS is accepted, but there's a |
| 2534 | problem such as an unrecognized certificate during TLS session startup), |
| 2535 | Exim used always to defer delivery. Now, unless the host is in |
| 2536 | hosts_require_tls, Exim makes a new connection to the host and attempts to |
| 2537 | send the message unencrypted. This avoids stuck messages for servers that |
| 2538 | advertise STARTTLS but don't actually support it properly. |
| 2539 | |
| 2540 | 31. Added ${address:xxx} to go with ${domain:xxx} and ${local_part:xxx} which |
| 2541 | extract from RFC 2822 addresses. |
| 2542 | |
| 2543 | 32. The rules for recognizing when Exim is being called from inetd have |
| 2544 | changed. Previously Exim required SMTP input, stdin to be a TCP/IP socket, |
| 2545 | and the caller to be root or the Exim user. This left a gaping hole if the |
| 2546 | caller was not root or the Exim user, because then it wouldn't do the |
| 2547 | policy checking for a remote host, because it didn't realize it was being |
| 2548 | called from inetd. (This was seen on Debian configurations). Exim now |
| 2549 | behaves as follows: if the input is SMTP and stdin is a TCP/IP socket, a |
| 2550 | call from inetd is assumed. This is allowed to proceed either if the caller |
| 2551 | is root or the Exim user, or if the port used is privileged (less than |
| 2552 | 1024). Otherwise (a different user passing an unprivileged port) Exim gives |
| 2553 | a "Permission denied" error. |
| 2554 | |
| 2555 | 33. Removed $compile_number from the default SMTP banner line (after discussion |
| 2556 | on the mailing list). Also removed it from the default $Received: header. |
| 2557 | |
| 2558 | 34. # is documented as a comment character in the run time configuration only |
| 2559 | when it appears at the start of a line. In the case of boolean values, |
| 2560 | extra characters after "= true" or "= false" were being ignored, leading to |
| 2561 | a false impression that comments could appear there. This is now diagnosed |
| 2562 | as an error. |
| 2563 | |
| 2564 | 35. If a boolean option without a following "=" was followed by # (in the |
| 2565 | mistaken belief that this would be a comment), the error was "missing =", |
| 2566 | which was confusing. Exim now complains about extra characters. |
| 2567 | |
| 2568 | 36. When Exim complains about extra characters following an option setting, it |
| 2569 | now adds a comment about comments if the first extra character is #. |
| 2570 | |
| 2571 | 37. Output debug_print strings when testing a host using -bh. |
| 2572 | |
| 2573 | 38. Added server_debug_print to authenticators (compare routers and |
| 2574 | transports). This outputs when an authenticator is called as a server. It |
| 2575 | can be helpful while testing with -bh. |
| 2576 | |
| 2577 | 39. Added debugging output to the crypteq condition. |
| 2578 | |
| 2579 | 40. If a named domain or local part list used in a "domains" or "local_parts" |
| 2580 | option on a router matched by means of a lookup, the $domain_data and |
| 2581 | $local_part_data variables were set for the first router that did this, but |
| 2582 | were not set for any subsequent routers that used the same named list. The |
| 2583 | same was true for multiple tests of named domain or local parts lists in an |
| 2584 | ACL. |
| 2585 | |
| 2586 | 41. If the variable "build" is set when the top-level Makefile is run, the |
| 2587 | variable now propagates from the top-level Makefile to subsidiary ones. |
| 2588 | In addition, Local/Makefile-$(build) is added to the list of concatenated |
| 2589 | files that go at the start of the Makefile in the build directory. |
| 2590 | |
| 2591 | 42. If NO_SYMLINK is defined in Local/Makefile, the exim_install script just |
| 2592 | copies the Exim binary in with its unique name, without moving the "exim" |
| 2593 | symbolic link to it. |
| 2594 | |
| 2595 | 43. Added BSDI 4.2 as a BSDI variant in scripts/os-type. |
| 2596 | |
| 2597 | 44. The spool file format for remembering a "one_time" redirection has changed; |
| 2598 | I had forgotten to make Exim 4 capable of reading Exim 3 spool files. |
| 2599 | |
| 2600 | 45. Address lists are now permitted to include items of the form *@+name where |
| 2601 | "name" is a named domain list. (Note that an item of the form +name is |
| 2602 | taken as a named _address_ list.) |
| 2603 | |
| 2604 | 46. When Exim gives up privilege and reverts to the calling user because it was |
| 2605 | called with the -C, -D, -be, or -bi options, it now reinstates the |
| 2606 | supplementary group list as well as the uid and gid. |
| 2607 | |
| 2608 | 47. The crypteq condition has been extended. When the encrypted string begins |
| 2609 | with "{md5}" Exim used to assume that the digest was encoded as a base64 |
| 2610 | string. Now it assumes this only if its length is 24 bytes. If the length |
| 2611 | is 32 bytes, Exim assumes a digest expressed in hex characters. If the |
| 2612 | length is neither 24 nor 32, the comparison always fails. |
| 2613 | |
| 2614 | 48. Updated the convert4r4 script: |
| 2615 | |
| 2616 | (a) Some typos in the comments. |
| 2617 | (b) Remove kill_ip_options, log_ip_options, and refuse_ip_options, which |
| 2618 | no longer exist. |
| 2619 | (c) Move all macro definitions to the top of the output, to ensure that |
| 2620 | they precede any references to them. |
| 2621 | (d) If tls_verify_ciphers was set without tls_verify_hosts, the generated |
| 2622 | new configuration insisted on encryption ("these ciphers must be |
| 2623 | used for all connections") instead of just checking the cipher when |
| 2624 | encryption happened ("if encrypted, these ciphers must be used"). |
| 2625 | (e) Address lists are now checked to see if they contain any bare lookup |
| 2626 | items and if they do, these are converted to two items, the first |
| 2627 | preceded by "*@" and the second with "partial-" removed. This makes |
| 2628 | Exim 4 behave in the way that Exim 3 used to. An explanatory comment |
| 2629 | is output. |
| 2630 | (f) Put more explanation in above the "hosts = :" test. |
| 2631 | |
| 2632 | 49. Write a main and panic log entry when "partial-" is ignored in a lookup |
| 2633 | that is part of an address list. (Applies when the item is a lookup for |
| 2634 | which the whole address is the key.) |
| 2635 | |
| 2636 | 50. Two changes to the way $original_local_part and $parent_local_part work: |
| 2637 | |
| 2638 | (a) When an address that had a prefix or suffix was redirected to another |
| 2639 | address, the value of $original_local_part and $parent_local_part |
| 2640 | had the prefix or suffix stripped when referred to during the |
| 2641 | processing of the child address. This doesn't seem right, so it has |
| 2642 | been changed. |
| 2643 | (b) When an address that had a prefix or suffix was being processed, |
| 2644 | $local_part had the affix stripped, and if it was a top-level |
| 2645 | address, $original_local_part also has the affix stripped. This has |
| 2646 | been changed. Now $original_local_part contains the same value at all |
| 2647 | levels. ($parent_local_part remains empty at top level.) |
| 2648 | |
| 2649 | 51. A number of macros in the Exim source began with "DB_". When compiling |
| 2650 | with Berkeley DB version 4, DB_LOCK_TIMEOUT clashed with a macro set by |
| 2651 | that package. The Exim macros now all start with "EXIMDB_", and Exim |
| 2652 | therefore now supports DB version 4. |
| 2653 | |
| 2654 | 52. Newlines in a "freeze" text from a system filter were being sent as \n |
| 2655 | in messages created by the "freeze_tell" option. They are now converted |
| 2656 | back to newlines (in the log line they continue to appear as \n). |
| 2657 | |
| 2658 | 53. Added a new ACL condition "verify = reverse_host_lookup". This does a |
| 2659 | reverse lookup of the client host's IP address, then does a forward lookup |
| 2660 | for all the names it receives, and checks that at least one of the IP |
| 2661 | addresses obtained from the forward lookup matches the incoming IP address. |
| 2662 | The lookups are done with gethostbyaddr() and gethostbyname(), |
| 2663 | respectively. |
| 2664 | |
| 2665 | 54. A small fix to eximstats reduces its store usage substantially when it is |
| 2666 | processing very large log files: when a message's "completed" line is |
| 2667 | reached, discard the memory of the message's size. |
| 2668 | |
| 2669 | 55. If an address was redirected to itself more than once (e.g. by two |
| 2670 | different "redirect" routers, or because of the use of "unseen", it was |
| 2671 | incorrectly discarded as a duplicate address. |
| 2672 | |
| 2673 | 56. For a rewrite pattern of the form *@something, if an actual address |
| 2674 | contained @ in the local part (e.g. "a@b"@x.y), the value of $1 was set |
| 2675 | incorrectly during expansion of the replacement address (it stopped at the |
| 2676 | first @ instead of at the last one). |
| 2677 | |
| 2678 | 57. Added hosts_nopass_tls to the smtp transport. For any host that matches |
| 2679 | this list, a connection on which a TLS session has been started will not be |
| 2680 | passed to a new delivery process for sending another message on the same |
| 2681 | connection. |
| 2682 | |
| 2683 | 58. The -dropcr command line option now turns CRLF into LF, while leaving |
| 2684 | isolated CR characters alone. (Previously it removed _all_ CR characters.) |
| 2685 | There is now also a drop_cr main option which has the effect of -dropcr for |
| 2686 | all incoming non-SMTP messages. |
| 2687 | |
| 2688 | 59. If a configuration file macro expanded into a boolean option which was not |
| 2689 | followed by = and a value, Exim gave a spurious error for an "unknown" |
| 2690 | value for the option (typically a string from the previous line). |
| 2691 | |
| 2692 | |
| 2693 | Exim version 3.952 |
| 2694 | ------------------ |
| 2695 | |
| 2696 | 1. convert4r4 had an incorrect file name in its comment output. |
| 2697 | |
| 2698 | 2. convert4r4 was looking up $local_part instead of $domain in its generated |
| 2699 | manualroute output. |
| 2700 | |
| 2701 | 3. There was no check that getpeername() was giving a socket address when |
| 2702 | called on stdin passed from a previous delivery. |
| 2703 | |
| 2704 | 4. Fixed an old bug whereby Exim could segfault if debugging was turned on and |
| 2705 | a DNS lookup found MX records for hosts whose A records had to be looked up |
| 2706 | separately, and some of them pointed to the local host (pretty rare). |
| 2707 | |
| 2708 | 5. The debugging output for log writes now shows the names of any log selectors |
| 2709 | instead of the hex value of the selector word. |
| 2710 | |
| 2711 | 6. If a delivery subprocess is terminated by SIGKILL or SIGQUIT, do not freeze |
| 2712 | the message. This can happen during system shutdown. Other kinds of process |
| 2713 | failure indicate problems. |
| 2714 | |
| 2715 | 7. If a sender verification did not complete (e.g. DNS lookup timed out), the |
| 2716 | log line for the temporary RCPT rejection did not always say why (it lost |
| 2717 | the message if there had been a previous call to any lookup). |
| 2718 | |
| 2719 | 8. The special message about MX records that point to IP addresses instead of |
| 2720 | host names was not getting returned in the SMTP response when a |
| 2721 | verification failed. This has been fixed, and the message that is logged in |
| 2722 | this circumstance has been made less verbose. |
| 2723 | |
| 2724 | 9. When an SMTP callout is done, Exim tries to use the interface and port |
| 2725 | number from the transport that the address was routed to during the prior |
| 2726 | verification. If it wasn't routed to a remote transport, or if there's a |
| 2727 | problem expanding the relevant options, Exim does not use a specific |
| 2728 | interface, and it connects to port 25. |
| 2729 | |
| 2730 | 10. If the string "syslog" happened to occur in the log file path, eximon was |
| 2731 | failing to extract the name of the main log file correctly. |
| 2732 | |
| 2733 | 11. Unlike other operating systems, Linux does not sync a directory after a |
| 2734 | rename. However, we need this to happen to be sure an incoming message has |
| 2735 | been safely recorded after it has been received. I have therefore added a |
| 2736 | macro called NEED_SYNC_DIRECTORY (which is set in OS/os.h_Linux) to request |
| 2737 | Exim to do an explicit sync on the directory after the rename. If |
| 2738 | O_DIRECTORY is defined, it is used when opening the directory. |
| 2739 | |
| 2740 | 12. When a system filter creates any new deliveries, they are given a fake |
| 2741 | "parent" address which appears on the logs, and is necessary for pipes, |
| 2742 | files, and autoreplies, which cannot be toplevel addresses. This fake was |
| 2743 | set up with the text "system filter". It's been changed to "system-filter" |
| 2744 | because the space in the previous text could cause trouble. |
| 2745 | |
| 2746 | 13. The new option local_sender_retain suppresses the removal of Sender: header |
| 2747 | lines in locally-submited (non-TCP/IP) messages from untrusted users. It is |
| 2748 | required that no_local_from_check be set with local_sender_retain. |
| 2749 | |
| 2750 | 14. In a file interpolated into an address list, if a local part contained a |
| 2751 | # character and there was also a following comment (introduced by a # |
| 2752 | preceded by white space), the comment was not recognized. |
| 2753 | |
| 2754 | 15. Local part lists are now handled as address lists as far as recognition of |
| 2755 | comments in interpolated files and the processing of +caseful at the top |
| 2756 | level are concerned. In the local_parts option of a router, +caseful will |
| 2757 | restore case-sensitive matching, even when the router does not have |
| 2758 | caseful_local_part set (the default). |
| 2759 | |
| 2760 | 16. The key used for a dsearch lookup may not contain '/'. If it does, the |
| 2761 | lookup defers. |
| 2762 | |
| 2763 | 17. When starting a delivery process after receiving a message locally, discard |
| 2764 | the controlling terminal unless debugging is turned on. |
| 2765 | |
| 2766 | 18. The exim group was automatically trusted; this was not correct because it |
| 2767 | meant that admin users who were in the exim group were automatically |
| 2768 | trusted. If you want the exim group to be trusted, it must now be |
| 2769 | explicitly configured. |
| 2770 | |
| 2771 | 19. The default configuration mentioned "dns_lists" instead of "dnslists" in a |
| 2772 | comment. |
| 2773 | |
| 2774 | 20. Minor corrections and changes to the Exim4.upgrade document and to the |
| 2775 | OptionLists.txt document. |
| 2776 | |
| 2777 | 21. If a local part beginning with a pipe symbol was routed to a pipe |
| 2778 | transport, the transport got confused as to which command it should run. |
| 2779 | This could be a security exposure if unchecked local parts are routed to |
| 2780 | pipe transports. |
| 2781 | |
| 2782 | 22. When logging SMTP connections to the daemon from other hosts, include the |
| 2783 | connection count in the log line. Tidied up the identification of SMTP |
| 2784 | sources in logging lines. |
| 2785 | |
| 2786 | 23. Added "sender_domains" as a new ACL condition so that the Exim 3 setting |
| 2787 | of sender_verify_callback_domains can easily be replicated. Corrected |
| 2788 | convert4r4, which was incorrectly converting this to a "domains" setting. |
| 2789 | |
| 2790 | 24. The code for reading ident values was not discarding leading spaces, which |
| 2791 | some hosts seem to send. |
| 2792 | |
| 2793 | 25. The building process was still insisting that PID_FILE_PATH contained %s, |
| 2794 | but this is not required for Exim 4. |
| 2795 | |
| 2796 | 26. The logging of ETRN commands had got lost. It has been restored, and the |
| 2797 | log selector "etrn" (on by default) added to control it. |
| 2798 | |
| 2799 | 27. IPv6 reverse DNS lookups were originally specified as happening in the |
| 2800 | ip6.int domain, but this is being changed to ip6.arpa (and they've changed |
| 2801 | the meaning of "arpa" to "Address and Routing Parameters Area"). The only |
| 2802 | time Exim does reverse lookups directly (as opposed to calling |
| 2803 | gethostbyaddress()) is in the code for the dnsdb lookup type. This has been |
| 2804 | changed to use ip6.arpa. |
| 2805 | |
| 2806 | 28. Made the test programs (test_dbfn for testing DBM files, and some others) |
| 2807 | compile! Updated the help output from test_dbfn. |
| 2808 | |
| 2809 | 29. Changed all occurrences of "r" and "w" in fopen() fdopen() calls to "rb" |
| 2810 | and "wb". This makes no difference in Unix systems, but is apparently |
| 2811 | necessary for running Exim under Cygwin. |
| 2812 | |
| 2813 | 30. Three changes that make virtually no difference when Exim is run on a real |
| 2814 | Unix system, but which were asked for to make life easier when porting it |
| 2815 | to run under Cygwin: |
| 2816 | |
| 2817 | (a) Changed the logic for locking a message when an Exim process is |
| 2818 | handling it. Previously, the entire -D file was locked to indicate |
| 2819 | this. Now Exim locks only the first line, which contains the name of |
| 2820 | the file. Apparently, in the Cygwin environment, a subprocess cannot |
| 2821 | read locked parts of a file, even when it is passed an open file |
| 2822 | descriptor to that file from the process that did the locking. By |
| 2823 | locking only the first line, which the subprocess does not want to read |
| 2824 | (it just needs to read the data that follows), we can get round this |
| 2825 | restriction with minimal effort. |
| 2826 | |
| 2827 | (b) Added support for native gdbm function calls. GDBM is apparently the |
| 2828 | only DBM library that is currently available Cygwin, and only with its |
| 2829 | native API. |
| 2830 | |
| 2831 | (c) The default modes for files, directories, and lock files in the |
| 2832 | appendfile transport can now be set in Local/Makefile at build time. |
| 2833 | |
| 2834 | 31. When transmitting a message using SMTP with PIPELINING, if the server gave |
| 2835 | a malformed SMTP response, the message logged by Exim didn't associate it |
| 2836 | with the pipelined SMTP command to which it referred. For example it logged |
| 2837 | "after DATA" if all the recipients had been sent. Also, if the response |
| 2838 | was an empty line (illegal), it didn't show up very clearly. The error |
| 2839 | messages are now more accurate, and point out empty lines. |
| 2840 | |
| 2841 | 32. Minor corrections and changes to src/configure.default. |
| 2842 | |
| 2843 | 33. When a host list in a route_list item that was enclosed in double quotes |
| 2844 | contained single quotes within it, the quoting was incorrectly terminated. |
| 2845 | Both the pattern and the host list in route_list items are now handled by |
| 2846 | the standard quote-processing function. |
| 2847 | |
| 2848 | 34. Corrected the EDITME file for eximon so that the default stripchart |
| 2849 | patterns work with the default runtime configuration for local deliveries. |
| 2850 | (Previously it matched a delivery via a director - not possible in Exim 4.) |
| 2851 | |
| 2852 | |
| 2853 | Exim version 3.951 |
| 2854 | ------------------ |
| 2855 | |
| 2856 | Exim 3.951 is the first alpha testing release for Exim 4. A list the many |
| 2857 | individual changes to the code made between Exim 3.33 and Exim 3.951 was not |
| 2858 | kept. The functional changes are listed in the Exim4.upgrade file. |
| 2859 | |
| 2860 | **** |