Auths: fix cyrus-sasl driver for gssapi use. Bug 2524

This document describes *changes* to previous versions, that might
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.


Exim version 4.94
-----------------

JH/01 Avoid costly startup code when not strictly needed. This reduces time
      for some exim process initialisations. It does mean that the logging
      of TLS configuration problems is only done for the daemon startup.

JH/02 Early-pipelining support code is now included unless disabled in Makefile.

JH/03 DKIM verification defaults no longer accept sha1 hashes, to conform to
      RFC 8301. They can still be enabled, using the dkim_verify_hashes main
      option.

JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
      DKIM signing is being done. Previously a transport_filter would always
      disable CHUNKING, falling back to traditional DATA.

JH/05 Regard command-line recipients as tainted.

JH/06 Bug 340: Remove the daemon pid file on exit, when due to SIGTERM.

JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
      PAM library frees one of the arguments given to it, despite the
      documentation. Therefore a plain malloc must be used.

JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
      on-stack buffers were used, resulting in a taint trap when DSN information
      copied from a received message was written into the buffer.

JH/09 Bug 2493: Harden ARC verify against Outlook, which has been seen to mix
      the ordering of its ARC headers. This caused a crash.

JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
      a new record was being constructed with information from the peer, a trap
      was taken.

JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naive
      installation would get error messages from DMARC verify, when it hit the
      nonexistent file indicated by the default. Distros wanting DMARC enabled
      should both provide the file and set the option.
      Also enforce no DMARC verification for command-line sourced messages.

JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
      could, depending on the platform, hang at the STARTTLS response.

JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
      message on a connection. Previously if one message had ARC headers and
      the following one did not, a crash could result when adding an
      Authentication-Results: header.

JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
      Exim main code and Exim-related utilities. The introduction of taint
      tracking also did many adjustments to string handling. Since then, eximon
      frequently terminated with an assert failure.

JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
      check for 452 responses. This slightly helps the inefficiency of doing
      a large alias-expansion into a recipient-limited target. The max_rcpt
      transport option still applies (and at the current default, will override
      the new feature). The check is done for either cause of synch, and forces
      a fast-retry of all 452'd recipients using a new MAIL FROM on the same
      connection. The new facility is not tunable at this time.

JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
      library live data was being used, so the results became garbage. Make
      copies while it is still usable.

JH/17 Logging: when the deliver_time selector is set, include the DT= field
      on delivery deferred (==) and failed (**) lines (if a delivery was
      attempted). Previously it was only on completion (=>) lines.

JH/18 Authentication: the gsasl driver now provides the $authN variables in time
      for the expansion of the server_scram_iter and server_scram_salt options.

WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library
      are now specifically given a NO_DATA response without hitting the system
      resolver. The library goes on to do the now-standard TXT lookup.
      Use of dnsdb lookups is not affected.

JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
      only retrieve the errormessage once. Previously two calls to dlerror()
      were used, and the second one (for mainlog/paniclog) retrieved null
      information.

JH/20 Taint checking: disallow use of tainted data for
      - the appendfile transport file and directory options
      - the pipe transport command
      - the autoreply transport file, log and once options
      - file names used by the redirect router (including filter files)
      - named-queue names
      Previously this was permitted.

JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it
      adjusted the size of a major service buffer; this failed because the
      buffer was in use at the time. Change to a compile-time increase in the
      buffer size, when this authenticator is compiled into exim.

JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The
      previous fast-mode was untenable in the face of glibc using mmap to
      support larger malloc requests.

PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
      New values supported, if defined on system where compiled:
      allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
      no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding

JH/23 Performance improvement in the initial phase of a two-pass queue run. By
      running a limited number of processes in parallel, a benefit is gained. The
      amount varies with the platform hardware and load. The use of the option
      queue_run_in_order means we cannot do this, as ordering becomes
      indeterminate.

JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix
      had introduced a string-copy (for ensuring NUL-termination) which was not
      appropriate for that case, which can include embedded NUL bytes in the
      block of data. Investigation showed the copy to actually be needless, the
      data being length-specified.

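The failure mode described in JH/24, as an added example (not Exim's code): a length-specified block containing NUL bytes is base64-encoded once via a string-style copy and once using its length. The token bytes are constructed, the function names are hypothetical, and strncpy() stands in for the string-copy the entry mentions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a binary mechanism token: note the NUL bytes at
   offsets 2 and 6.  Not a real GSSAPI token. */
static const unsigned char sample_token[] =
  { 0x60, 0x1e, 0x00, 0x2a, 0x86, 0x48, 0x00, 0x01, 0x02 };

/* Base64-encode exactly len bytes; the caller frees the result. */
char *b64_encode(const unsigned char *in, size_t len)
{
  static const char tbl[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  char *out = malloc(4 * ((len + 2) / 3) + 1);
  char *p = out;

  if (!out) return NULL;
  for (size_t i = 0; i < len; i += 3)
    {
    unsigned v = (unsigned)in[i] << 16;
    if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
    if (i + 2 < len) v |= in[i + 2];
    *p++ = tbl[(v >> 18) & 63];
    *p++ = tbl[(v >> 12) & 63];
    *p++ = i + 1 < len ? tbl[(v >> 6) & 63] : '=';
    *p++ = i + 2 < len ? tbl[v & 63] : '=';
    }
  *p = '\0';
  return out;
}

/* The problem pattern: make a NUL-terminated copy with a string routine, then
   encode the copy.  strncpy() stops taking source bytes at the first NUL and
   zero-fills the rest, so everything after offset 2 is lost. */
char *challenge_via_string_copy(const unsigned char *data, size_t len)
{
  char *copy = malloc(len + 1);
  char *enc;

  if (!copy) return NULL;
  strncpy(copy, (const char *)data, len);
  copy[len] = '\0';
  enc = b64_encode((const unsigned char *)copy, len);
  free(copy);
  return enc;
}

/* The fixed pattern: the block is length-specified, so encode it in place
   with its length and make no string copy at all. */
char *challenge_via_length(const unsigned char *data, size_t len)
{
  return b64_encode(data, len);
}

int main(void)
{
  char *bad = challenge_via_string_copy(sample_token, sizeof sample_token);
  char *good = challenge_via_length(sample_token, sizeof sample_token);

  if (!bad || !good) return 1;
  printf("string copy : %s\n", bad);
  printf("with length : %s\n", good);
  free(bad);
  free(good);
  return 0;
}
```

Both encodings have the same length, so the damage is not visible from the size of the challenge alone; only the decoded bytes differ.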

Exim version 4.93
-----------------

JH/01 OpenSSL: With debug enabled output keying information sufficient, server
      side, to decode a TLS 1.3 packet capture.

JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
      Previously the default library behaviour applied, sending two, each in
      its own TCP segment.

JH/03 Debug output for ACL now gives the config file name and line number for
      each verb.

JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.

JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.

JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
      buffer overrun for (non-chunking) other transports.

JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
      TLS1.3, means that a server rejecting a client certificate is not visible
      to the client until the first read of encrypted data (typically the
      response to EHLO). Add detection for that case and treat it as a failed
      TLS connection attempt, so that the normal retry-in-clear can work (if
      suitably configured).

JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
      and/or domain. Found and fixed by Jason Betts.

JH/08 Add hardening against SRV & TLSA lookups that hit CNAMEs (a nonvalid
      configuration). If a CNAME target was not a wellformed name pattern, a
      crash could result.

JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
      the OS reports them interleaved with other addresses.

JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
      used both for input and for a verify callout, both encrypted, SMTP
      responses being sent by the server could be lost. This resulted in
      dropped connections and sometimes bounces generated by a peer sending
      to this system.

JH/11 Harden plaintext authenticator against a badly misconfigured client-send
      string. Previously it was possible to cause undefined behaviour in a
      library routine (usually a crash). Found by "zerons".

JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no
      output.

JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old
      API was removed, so update to use the newer ones.

JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
      any timeout set, is taking a long time. Previously we would hang on to a
      rotated logfile "forever" if the input was arriving with long gaps
      (a previous attempt to fix addressed lack, for a long time, of initial
      input).

HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment. The length of the tempfile name is now
      4 + 16 ("hdr.$message_exim_id") which might break on file
      systems which restrict the file name length to lower values.
      (It was "hdr.$pid".)

HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
      shared (NFS) environment.

HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
      did for all versions <4.90). Notably -M, -m, --invert, -I may be
      affected.

JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
      on some platforms for bit 31.

JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
      to changes apparently associated with TLS1.3 handling some of the APIs
      previously used were either nonfunctional or inappropriate. Strings
      like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
      and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
      the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
      This affects log line X= elements, the $tls_{in,out}_cipher variables,
      and the use of specific cipher names in the encrypted= ACL condition.

JH/17 OpenSSL: the default openssl_options now disables ssl_v3.

JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
      verification result was not updated unless hosts_require_ocsp applied.

JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option
      queue_list_requires_admin set to false, non-admin users were denied the
      facility.

JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
      directory-of-certs mode. Previously they were advertised despite the
      documentation.

JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
      A single TCP connection by a client will now hold a TLS connection open
      for multiple message deliveries, by default. Previously the default was to
      not do so.

JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
      default. If built with the facility, DANE will be used. The facility
      SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".

JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
      is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
      must be defined and you must still, unless you define DISABLE_TLS, manage
      the include-dir and library-file requirements that go with that
      choice. Non-TLS builds are still supported.

JH/24 Fix duplicated logging of peer name/address, on a transport
      connection-reject under TFO.

JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
      default. If the platform supports and has the facility enabled, it will
      be requested on all connections.

JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
      controlled by the build-time option SUPPORT_PIPE_CONNECT.

PP/01 Unbreak heimdal_gssapi, broken in 4.92.

JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
      success-DSN messages. Previously the From: header was always the default
      one for these; the option was ignored.

JH/28 Fix the timeout on smtp response to apply to the whole response.
      Previously it was reset for every read, so a teergrubing peer sending
      single bytes within the time limit could extend the connection for a
      long time. Credit to Qualys Security Advisory Team for the discovery.

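The difference JH/28 describes, as an added example (not Exim's code): read_line() applies the same timeout value either to each read or to the whole response, and a constructed slow peer sends one byte at a time. All function names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static long now_ms(void)
{
  struct timespec ts;
  clock_gettime(CLOCK_MONOTONIC, &ts);
  return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}

/* Read one response line (up to '\n') from fd into buf.
   whole_response != 0: timeout_ms is a deadline for the complete line.
   whole_response == 0: timeout_ms is re-armed for every read, the behaviour
   the entry describes as the previous one.
   Returns the number of bytes read, or -1 on timeout, EOF or error. */
int read_line(int fd, char *buf, size_t size, int timeout_ms, int whole_response)
{
  long deadline = now_ms() + timeout_ms;
  size_t used = 0;

  while (used + 1 < size)
    {
    long left = whole_response ? deadline - now_ms() : timeout_ms;
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int rc;
    ssize_t n;

    if (left <= 0) return -1;               /* overall deadline passed */
    rc = poll(&p, 1, (int)left);
    if (rc == 0) return -1;                 /* nothing arrived in time */
    if (rc < 0) { if (errno == EINTR) continue; return -1; }
    n = read(fd, buf + used, 1);
    if (n <= 0) return -1;                  /* EOF or error mid-line */
    if (buf[used++] == '\n') { buf[used] = '\0'; return (int)used; }
    }
  return -1;                                /* line too long for buf */
}

/* Constructed test peer: a child process writes text one byte every gap_ms
   while the parent reads it with read_line().  Returns read_line()'s result,
   or -2 if the pipe or fork could not be set up. */
int slow_peer_result(const char *text, int gap_ms, int timeout_ms, int whole_response)
{
  int fds[2], rc;
  char buf[128];
  pid_t pid;

  if (pipe(fds) != 0) return -2;
  if ((pid = fork()) < 0) return -2;
  if (pid == 0)
    {
    struct timespec gap = { gap_ms / 1000, (gap_ms % 1000) * 1000000L };
    close(fds[0]);
    for (const char *s = text; *s; s++)
      {
      nanosleep(&gap, NULL);
      if (write(fds[1], s, 1) != 1) break;
      }
    _exit(0);
    }
  close(fds[1]);
  rc = read_line(fds[0], buf, sizeof buf, timeout_ms, whole_response);
  close(fds[0]);
  kill(pid, SIGKILL);                       /* stop the peer if still sending */
  waitpid(pid, NULL, 0);
  return rc;
}

int main(void)
{
  /* 8 bytes at 60 ms each take about 480 ms; the timeout is 300 ms. */
  printf("per-read timeout : %d\n", slow_peer_result("250 OK\r\n", 60, 300, 0));
  printf("whole-response   : %d\n", slow_peer_result("250 OK\r\n", 60, 300, 1));
  printf("prompt peer      : %d\n", slow_peer_result("250 OK\r\n", 1, 300, 1));
  return 0;
}
```

With the per-read timer the drip-fed line is accepted after about 480 ms despite the 300 ms limit; with the deadline form the read gives up at 300 ms, while a prompt peer is unaffected.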
JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing
      delivery address, which leaked information of the results of local
      forwarding. Change to the original envelope recipient address, per
      standards.

JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
      requested. Previously no bounce was generated and a log entry of
      error ignored was made.

JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)

JH/32 Introduce a general tainting mechanism for values read from the input
      channel, and values derived from them. Refuse to expand any tainted
      values, to catch one form of exploit.

JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result
      was unused and the unexpanded text used for the test. Found and
      fixed by Ruben Jenster.

JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open,
      an attempt to use a TLS library read routine dereffed a null pointer,
      causing a segfault.

JH/35 Bug 2409: filter out-of-spec chars from callout response before using
      them in our smtp response.

JH/36 Have the general router option retry_use_local_part default to true when
      any of the restrictive preconditions are set (to anything). Previously it
      was only for check_local_user. The change removes one item of manual
      configuration which is required for proper retries when a remote router
      handles a subset of addresses for a domain.

JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
      link count into consideration.

HS/04 Fix handling of very long lines in -H files. If a -<key> <value> line
      caused the extension of big_buffer, the following lines were ignored.

JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
      accordance with RFC 2308. Previously there was no expiry, so a longlived
      receive process (eg. due to ACL delays) versus a short SOA value could
      surprise.

HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)

JH/39 Promote DMARC support to mainline.

JH/40 Bug 2452: Add a References: header to DSNs.

JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
      parameters. The relevant library call is documented as "Deprecated: This
      function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
      3.6.0, DH parameters are negotiated following RFC7919."

HS/06 Change the default of dnssec_request_domains to "*"

JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we
      carried on and emitted a BDAT command, even when PIPELINING was not
      active.

JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
      buffer was used for the filename, resulting in a trap when tainted
      arguments (eg. $domain) were used.

JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
      recommended to avoid a possible server-load attack. The feature can be
      re-enabled via the openssl_options main configuration option.

JH/45 local_scan API: documented the current smtp_printf() call. This changed
      for version 4.90 - adding a "more data" boolean to the arguments.
      Bumped the ABI version number also, this having been missed previously;
      release versions 4.90 to 4.92.3 inclusive were effectively broken in
      respect of usage of smtp_printf() by either local_scan code or libraries
      accessed via the ${dlfunc } expansion item. Both will need coding
      adjustment for any calls to smtp_printf() to match the new function
      signature; a FALSE value for the new argument is always safe.

JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating
      the file-offset (which the Linux syscall does, and exim expects); this
      resulted in an indefinite loop.

JH/47 ARC: fix crash in signing, triggered when a configuration error failed
      to do ARC verification. The Authentication-Results: header line added
      by the configuration then had no ARC item.


Exim version 4.92
-----------------

JH/01 Remove code calling the customisable local_scan function, unless a new
      definition "HAVE_LOCAL_SCAN=yes" is present in the Local/Makefile.

JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in
      non-signal-safe functions being used.

JH/03 Bug 2269: When presented with a received message having a stupidly large
      number of DKIM-Signature headers, disable DKIM verification to avoid
      a resource-consumption attack. The limit is set at twenty.

JH/04 Add variables $arc_domains, $arc_oldest_pass for ARC verify. Fix the
      report of oldest_pass in ${authres } in consequence, and separate out
      some descriptions of reasons for verification fail.

JH/05 Bug 2273: Cutthrough delivery left a window where the received message
      files in the spool were present and unlocked. A queue-runner could spot
      them, resulting in a duplicate delivery. Fix that by doing the unlock
      after the unlink. Investigation by Tim Stewart. Take the opportunity to
      add more error-checking on spoolfile handling while that code is being
      messed with.

PP/01 Refuse to open a spool data file (*-D) if it's a symlink.
      No known attacks, no CVE, this is defensive hardening.

JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
      a queue-runner could start a delivery while other operations were ongoing.
      Cutthrough delivery was a common victim, resulting in duplicate delivery.
      Found and investigated by Tim Stewart. Fix by using the open message data
      file handle rather than opening another, and not locally closing it (which
      releases a lock) for that case, while creating the temporary .eml format
      file for the MIME ACL. Also applies to "regex" and "spam" ACL conditions.

JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting
      $sender_verify_failure/$recipient_verify_failure to "random".

JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
      legitimate.

JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
      Previously this would segfault.

JH/10 Fix ARC signing for case when DKIM signing failed. Previously this would
      segfault.

JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd
      like zero, since the resolver should be doing this for us, but we need one
      as a CNAME but no MX presence gets the CNAME returned; we need to check
      that doesn't point to an MX to declare it "no MX returned" rather than
      "error, loop". A new main option is added so the older capability of
      following some limited number of chain links is maintained.

JH/12 Add client-ip info to non-pass iprev ${authres } lines.

JH/13 For recent OpenSSL versions (1.1 onward) use modern generic protocol
      methods. These should support TLS 1.3; they arrived with TLS 1.3 and the
      now-deprecated earlier definitions used only specified the range up to TLS
      1.2 (in the older-version library docs).

JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.

JH/15 Rework TLS client-side context management. Stop using a global, and
      explicitly pass a context around. This enables future use of TLS for
      connections to service-daemons (eg. malware scanning) while a client smtp
      connection is using TLS; with cutthrough connections this is quite likely.

JH/16 Fix ARC verification to do AS checks in reverse order.

JH/17 Support a "tls" option on the ${readsocket } expansion item.

JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages
      using the SMTPUTF8 option on their MAIL FROM commands, in one connection.
      Previously the "utf8" would be re-prepended for every additional message.

JH/19 Reject MAIL FROM commands with SMTPUTF8 when the facility was not advertised.
      Previously they were accepted, resulting in issues when attempting to
      forward messages to a non-supporting MTA.

PP/02 Let -n work with printing macros too, not just options.

JH/20 Bug 2296: Fix cutthrough for >1 address redirection. Previously only
      one parent address was copied, and bogus data was used at delivery-logging
      time. Either a crash (after delivery) or bogus log data could result.
      Discovery and analysis by Tim Stewart.

PP/03 Make ${utf8clean:} expansion operator detect incomplete final character.
      Previously if the string ended mid-character, we did not insert the
      promised '?' replacement.

PP/04 Documentation: current string operators work on bytes, not codepoints.

JH/21 Change as many as possible of the global flags into one-bit bitfields; these
      should pack well giving a smaller memory footprint so better caching and
      therefore performance. Group the declarations where this can't be done so
      that the byte-sized flag variables are not interspersed among pointer
      variables, giving a better chance of good packing by the compiler.

JH/22 Bug 1896: Fix the envelope from for DMARC forensic reports to be possibly
      non-null, to avoid issues with sites running BATV. Previously reports were
      sent with an empty envelope sender so looked like bounces.

JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working.
      The ignore_error flag wasn't being returned from the filter subprocess so
      was not set for later routers. Investigation and fix by Matthias Kurz.

JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient,
      and a msg:complete for the whole, when a message is manually removed using
      -Mrm. Development by Matthias Kurz, hacked on by JH.

JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using
      a "Gnu special" function, asprintf() in the DB utility binary builds; I
      hope that is portable enough.

JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also
      requiring a known-CA anchor certificate; make it now rely entirely on the
      TLSA as an anchor. Checking the name on the leaf cert against the name
      on the A-record for the host is still done for TA (but not for EE mode).

JH/27 Fix logging of proxy address. Previously, a pointless "PRX=[]:0" would be
      included in delivery lines for non-proxied connections, when compiled with
      SUPPORT_SOCKS and running with proxy logging enabled.

JH/28 Bug 2314: Fire msg:fail:delivery event even when error is being ignored.
      Development by Matthias Kurz, tweaked by JH. While in that bit of code,
      move the existing event to fire before the normal logging of message
      failure so that custom logging is bracketed by normal logging.

JH/29 Bug 2322: A "fail" command in a non-system filter (file) now fires the
      msg:fail:internal event. Development by Matthias Kurz.

JH/30 Bug 2329: Increase buffer size used for dns lookup from 2k, which was
      far too small for today's use of crypto signatures stored there. Go all
      the way to the max DNS message size of 64kB, even though this might be
      overmuch for IOT constrained device use.

JH/31 Fix a bad use of a copy function, which could be used to pointlessly
      copy a string over itself. The library routine is documented as not
      supporting overlapping copies, and on MacOS it actually raised a SIGABRT.

JH/32 For main options check_spool_space and check_inode_space, where the
      platform supports 64b integers, support more than the previous 2^31 kB
      (i.e. more than 2 TB). Accept E, P and T multipliers in addition to
      the previous G, M, k.

JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the
      $authenticated_fail_id variable on authentication failure. Previously
      it was unset.

JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0
      OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for
      more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to
      GNUTLS_SEC_PARAM_MEDIUM.

JH/35 OpenSSL: fail the handshake when SNI processing hits a problem, server
      side. Previously we would continue as if no SNI had been received.

JH/36 Harden the handling of string-lists. When a list consisted of a sole
      "<" character, which should be a list-separator specification, we walked
      off past the nul-termination.

JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external
      causes) even when the retry time is not yet met. Previously they were
      not, meaning that when (say) an account was over-quota and temp-rejecting,
      and multiple senders' messages were queued, only one sender would get
      notified on each configured delay_warning cycle.

JH/38 Bug 2351: Log failures to extract envelope addresses from message headers.

JH/39 OpenSSL: clear the error stack after an SSL_accept(). With anon-auth
      cipher-suites, an error can be left on the stack even for a succeeding
      accept; this results in impossible error messages when a later operation
      actually does fail.

AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they
      return error codes indicating retry. Under TLS1.3 this becomes required.

JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT. Previously
      it only wrote the new authenticators, resulting in a lack of tracking of
      peer changes of ESMTP extensions until the next cache flush.

JH/41 Fix the loop reading a message header line to check for integer overflow,
      and more-often against header_maxsize. Previously a crafted message could
      induce a crash of the receive process; now the message is cleanly rejected.

JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had
      been totally disabled for all of 4.91. Discovery and fix by "Mad Alex".


Exim version 4.91
-----------------

GF/01 DEFER rather than ERROR on redis cluster MOVED response.
      When redis_servers is set to a list of > 1 element, and the Redis servers
      in that list are in cluster configuration, convert the REDIS_REPLY_ERROR
      case of MOVED into a DEFER case instead, thus moving the query onto the
      next server in the list. For a cluster of N elements, all N servers must
      be defined in redis_servers.

GF/02 Catch and remove uninitialized value warning in exiqsumm
      Check for existence of @ARGV before looking at $ARGV[0]

JH/01 Replace the store_release() internal interface with store_newblock(),
      which internalises the check required to safely use the old one, plus
      the allocate and data copy operations duplicated in both (!) of the
      extant use locations.

JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL
      modifier. This matches the restriction on the commandline.

JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
      Previously only the last row was returned.

JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
      we assumed that tags in the header were well-formed, and parsed the
      element content after inspecting only the first char of the tag.
      Assumptions at that stage could crash the receive process on malformed
      input.

JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
      While running the DKIM ACL we operate on the Permanent memory pool so that
      variables created with "set" persist to the DATA ACL. Also (at any time)
      DNS lookups that fail create cache records using the Permanent pool. But
      expansions release any allocations made on the current pool - so a dnsdb
      lookup expansion done in the DKIM ACL releases the memory used for the
      DNS negative-cache, and bad things result. Solution is to switch to the
      Main pool for expansions.
      While we're in that code, add checks on the DNS cache during store_reset,
      active in the testsuite.
      Problem spotted, and debugging aided, by Wolfgang Breyha.

JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
      When none of the hosts presented to a transport match an already-open
      connection, close it and proceed with the list. Previously we would
      queue the message. Spotted by Lena with Yahoo, probably involving
      round-robin DNS.

JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
      Previously a spurious "250 OK id=" response was appended to the proper
      failure response.

JH/08 The "support for" informational output now, when built with Content
      Scanning support, has a line for the malware scanner interfaces compiled
      in. Interfaces can be individually included or not at build time.

JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included
      by the template makefile "src/EDITME". The "STREAM" support for an older
      ClamAV interface method is removed.

JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
      rows affected is given instead).

JH/11 The runtime Berkeley DB library version is now additionally output by
      "exim -d -bV". Previously only the compile-time version was shown.

06fdb9f7
JH
600JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
601 SMTP connection. Previously, when one had more recipients than the
602 first, an abortive onward connection was made. Move to full support for
603 multiple onward connections in sequence, handling cutthrough connection
604 for all multi-message initiating connections.
605
f83a760f
JH
606JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
607 routers. Previously, a multi-recipient message would fail to match the
608 onward-connection opened for the first recipient, and cause its closure.
609
f1fed05b
JH
610JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
611 a timeout on read on a GnuTLS initiating connection, resulting in the
612 initiating connection being dropped. This mattered most when the callout
613 was marked defer_ok. Fix to keep the two timeout-detection methods
614 separate.
615
051d5efa
JH
616JH/15 Relax results from ACL control request to enable cutthrough, in
617 unsupported situations, from error to silently (except under debug)
618 ignoring. This covers use with PRDR, frozen messages, queue-only and
619 fake-reject.
620
cf3cd306
HSHR
621HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
622
744976d4
JH
623JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
624 metadata, resulting in a crash in free().
625
aab9a843 626PP/01 Fix broken Heimdal GSSAPI authenticator integration.
7be14582 627 Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
aab9a843 628 Broken also in d185889f4, with init system revamp.
7be14582 629
83d2a861
JH
630JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner.
631 Previously we abruptly closed the connection after reading a malware-
632 found indication; now we go on to read the "scan ok" response line,
633 and send a quit.
634
6741531c
JH
635JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail
636 ACL. Previously, a crash would result.
637
85e03244
JH
638JH/19 Speed up macro lookups during configuration file read, by skipping non-
639 macro text after a replacement (previously it was only once per line) and
640 by skipping builtin macros when searching for an uppercase lead character.
641
c0635b6d
JH
642JH/20 DANE support moved from Experimental to mainline. The Makefile control
643 for the build is renamed.
644
b808677c
JH
645JH/21 Fix memory leak during multi-message connections using STARTTLS. A buffer
646 was allocated for every new TLS startup, meaning one per message. Fix
647 by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS).
648
6678c382
JH
649JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
650 reported the original. Fix to report (as far as possible) the ACL
651 result replacing the original.
652
dec766a1
WB
653JH/23 Fix memory leak during multi-message connections using STARTTLS under
654 OpenSSL. Certificate information is loaded for every new TLS startup,
655 and the resources needed to be freed.
656
15ae19f9
JH
657JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
658
e6532c4a
JH
659JH/25 Fix utf8_downconvert propagation through a redirect router. Previously it
660 was not propagated.
661
2556b3c6
SA
662JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall
663 DATA response info to the (existing) per-recipient response info for
664 the "C=" log element. It can have useful tracking info from the
665 destination system. Patch from Simon Arlott.
666
fc8cd529
JH
667JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero-
668 length value. Previously this would segfault.
669
71bb51e0
HSHR
670HS/02 Support Avast multiline protocol, this allows passing flags to
671 newer versions of the scanner.
672
e04bfa34
JH
673JH/28 Ensure that variables possibly set during message acceptance are marked
674 dead before release of memory in the daemon loop. This stops complaints
675 about them when the debug_store option is enabled. Discovered specifically
676 for sender_rate_period, but applies to a whole set of variables.
c232fc99
JH
677 Do the same for the queue-runner and queue-list loops, for variables set
678 from spool message files. Do the same for the SMTP per-message loop, for
679 certain variables indirectly set in ACL operations.
e04bfa34 680
ecce6d9a
JH
681JH/29 Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
682 as a multi-recipient message from a mailinglist manager). The coding had
683 an arbitrary cutoff number of characters while checking for more input;
684 enforced by writing a NUL into the buffer. This corrupted long / fast
685 input. The problem was exposed more widely when more pipelining of SMTP
686 responses was introduced, and one Exim system was feeding another.
687 The symptom is log complaints of SMTP syntax error (NUL chars) on the
688 receiving system, and refused recipients seen by the sending system
689 (propagating to people being dropped from mailing lists).
690 Discovered and pinpointed by David Carter.
691
c9cf9ac4
JH
692JH/30 The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
693 replaced by the ${authresults } expansion.
694
b3b37076
JH
695JH/31 Bug 2257: Fix pipe transport to not use a socket-only syscall.
696
830832c9
HSHR
697HS/03 Set a handler for SIGTERM and call exit(3) if running as PID 1. This
698 allows proper process termination in container environments.
699
f64e8b5f
JH
700JH/32 Bug 2258: Fix spool_wireformat in combination with LMTP transport.
701 Previously the "final dot" had a newline after it; ensure it is CR,LF.
702
8f0776b5
JH
703JH/33 SPF: remove support for the "spf" ACL condition outcome values "err_temp"
704 and "err_perm", deprecated since 4.83 when the RFC-defined words
705 "temperror" and "permerror" were introduced.
706
857eaf37
JH
707JH/34 Re-introduce enforcement of no cutthrough delivery on transports having
708 transport-filters or DKIM-signing. The restriction was lost in the
709 consolidation of verify-callout and delivery SMTP handling.
5add7dc4 710 Extend the restriction to also cover ARC-signing.
857eaf37 711
c85476e9
JH
712JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses)
713 in defer=pass mode supply a 450 to the initiator. Previously the message
714 would be spooled.
715
405074ad
PP
716PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
717 tls_require_ciphers is used as before.
718
eb445b04
HSHR
719HS/03 Malware Avast: Better match the Avast multiline protocol. Add
720 "pass_unscanned". Only tmpfails from the scanner are written to
721 the paniclog, as they may require admin intervention (permission
722 denied, license issues). Other scanner errors (like decompression
723 bombs) do not cause a paniclog entry.
ad93c40f 724
d342446f
JH
725JH/36 Fix reinitialisation of DKIM logging variable between messages.
726 Previously it was possible to log spurious information in receive log
727 lines.
728
a28050f8
JH
729JH/37 Bug 2255: Revert the disable of the OpenSSL session caching. This
730 triggered odd behaviour from Outlook Express clients.
731
ddd16464
PP
732PP/03 Add util/renew-opendmarc-tlds.sh script for safe renewal of public
733 suffix list.
734
321ef002
JH
735JH/38 DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
736 since the IETF WG has not yet settled on that versus the original
737 "bare" representation.
738
3203e7ba
JH
739JH/39 Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
740 Previously the millisecond value corrupted the output.
741 Fix also for syslog_pid=no and log_selector +pid, for which the pid
742 corrupted the output.
743
bbfb5dcd 744
acfc18c3
PP
745Exim version 4.90
746-----------------
747
748JH/01 Rework error string handling in TLS interface so that the caller in
749 more cases is responsible for logging. This permits library-sourced
750 string to be attached to addresses during delivery, and collapses
751 pairs of long lines into single ones.
752
856d1e16
PP
753PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
754 during configuration. Wildcards are allowed and expanded.
755
b9df1829
JH
756JH/02 Rework error string handling in DKIM to pass more info back to callers.
757 This permits better logging.
758
875512a3
JH
759JH/03 Rework the transport continued-connection mechanism: when TLS is active,
760 do not close it down and have the child transport start it up again on
761 the passed-on TCP connection. Instead, proxy the child (and any
762 subsequent ones) for TLS via a unix-domain socket channel. Logging is
763 affected: the continued delivery log lines do not have any DNSSEC, TLS
5013d912 764 Certificate or OCSP information. TLS cipher information is still logged.
875512a3 765
fc3f96af
JH
766JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of
767 identical IP addresses on different listening ports. Will also affect
768 "exiwhat" output.
769
98913c8e
BK
770PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
771 add noisy ifdef guards to special-case this silliness.
772 Patch from Bernd Kuhls.
773
8d909960
JH
774JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger
775 than 255 are no longer allowed.
776
7006ee24
JH
777JH/06 Default openssl_options to include +no_ticket, to reduce load on peers.
778 Disable the session-cache too, which might reduce our load. Since we
779 currently use a new context for every connection, both as server and
780 client, there is no benefit for these.
781 GnuTLS appears to not support tickets server-side by default (we don't
782 call gnutls_session_ticket_enable_server()) but client side is enabled
783 by default on recent versions (3.1.3 +) unless the PFS priority string
784 is used (3.2.4 +).
785
6e411084
PP
786PP/03 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
787 <https://reproducible-builds.org/specs/source-date-epoch/>.
788
4c2471ca
JH
789JH/07 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
790 the check for any unsuccessful recipients did not notice the limit, and
791 erroneously found still-pending ones.
792
4e910c01
JH
793JH/08 Pipeline CHUNKING command and data together, on kernels that support
794 MSG_MORE. Only in-clear (not on TLS connections).
795
42055a33
JH
796JH/09 Avoid using a temporary file during transport using dkim. Unless a
797 transport-filter is involved we can buffer the headers in memory for
798 creating the signature, and read the spool data file once for the
799 signature and again for transmission.
800
eeb35890
JH
801JH/10 Enable use of sendfile in Linux builds as default. It was disabled in
802 4.77 as the kernel support then wasn't solid, having issues in 64bit
7d758a6a 803 mode. Now, it's been long enough. Add support for FreeBSD also.
eeb35890 804
b7d3afcf
JH
805JH/11 Bug 2104: Fix continued use of a transport connection with TLS. In the
806 case where the routing stage had gathered several addresses to send to
807 a host before calling the transport for the first, we previously failed
808 to close down TLS in the old transport process before passing the TCP
809 connection to the new process. The new one sent a STARTTLS command
810 which naturally failed, giving a failed delivery and bloating the retry
811 database. Investigation and fix prototype from Wolfgang Breyha.
812
40525d07
JH
813JH/12 Fix check on SMTP command input synchronisation. Previously there were
814 false-negatives in the check that the sender had not preempted a response
815 or prompt from Exim (running as a server), due to that code's lack of
a5ffa9b4 816 awareness of the SMTP input buffering.
40525d07 817
f33875c3
PP
818PP/04 Add commandline_checks_require_admin option.
819 Exim drops privileges sanely, various checks such as -be aren't a
820 security problem, as long as you trust local users with access to their
821 own account. When invoked by services which pass untrusted data to
822 Exim, this might be an issue. Set this option in main configuration
823 AND make fixes to the calling application, such as using `--` to stop
824 processing options.
825
a5ffa9b4
JH
826JH/13 Do pipelining under TLS. Previously, although safe, no advantage was
827 taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server)
828 responses to those, into a single TLS record each way (this usually means
829 a single packet). As a side issue, smtp_enforce_sync now works on TLS
830 connections.
925ac8e4 831
6600985a
PP
832PP/05 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This
833 affects you only if you're dancing at the edge of the param size limits.
834 If you are, and this message makes sense to you, then: raise the
835 configured limit or use OpenSSL 1.1. Nothing we can do for older
836 versions.
837
ac4d558b
JH
838JH/14 For the "sock" variant of the malware scanner interface, accept an empty
839 cmdline element to get the documented default one. Previously it was
840 inaccessible.
841
e69636bc
JH
842JH/15 Fix a crash in the smtp transport caused when two hosts in succession
843 are unusable for non-message-specific reasons - eg. connection timeout,
844 banner-time rejection.
845
a843a57e
JH
846JH/16 Fix logging of delivery remote port, when specified by router, under
847 callout/hold.
848
8e041ae0
PP
849PP/06 Repair manualroute's ability to take options in any order, even if one
850 is the name of a transport.
833c70bc
PP
851 Fixes bug 2140.
852
35a04365
HSHR
853HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)
854
4226691b
JH
855JH/17 Change the list-building routines interface to use the expanding-string
856 triplet model, for better allocation and copying behaviour.
857
d185889f
JH
858JH/18 Prebuild the data-structure for "builtin" macros, for faster startup.
859 Previously it was constructed the first time a possibly-matching string
860 was met in the configuration file input during startup; now it is done
861 during compilation.
862
0a6c178c
JH
863JH/19 Bug 2141: Use the full-complex API for Berkeley DB rather than the legacy-
864 compatible one, to avoid the (poorly documented) possibility of a config
865 file in the working directory redirecting the DB files, possibly corrupting
02745400 866 some existing file. CVE-2017-10140 assigned for BDB.
0a6c178c 867
fae8970d
JH
868JH/20 Bug 2147: Do not defer for a verify-with-callout-and-random which is not
869 cache-hot. Previously, although the result was properly cached, the
870 initial verify call returned a defer.
871
ad1a76fe 872JH/21 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but
14de8063
JH
873 the main verify for recipient in uncached-mode.
874
ad1a76fe
JH
875JH/22 Retire historical build files to an "unsupported" subdir. These are
876 defined as "ones for which we have no current evidence of testing".
877
135e9496
JH
878JH/23 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
879 if present. Previously it was ignored.
880
f2ed27cf
JH
881JH/24 Start using specified-initialisers in C structure init coding. This is
882 a C99 feature (it's 2017, so now considered safe).
883
7eb0e5d2
JH
884JH/25 Use one-bit bitfields for flags in the "addr" data structure. Previously
885 it was a fixed-sized field and bitmask ops via macros; it is now more
886 extensible.
887
4f9f4be4
888PP/07 GitHub PR 56: Apply MariaDB build fix.
889 Patch provided by Jaroslav Škarvada.
890
dc4de9cc
PP
891PP/08 Bug 2161: Fix regression in sieve quoted-printable handling introduced
892 during Coverity cleanups [4.87 JH/47]
893 Diagnosis and fix provided by Michael Fischer v. Mollard.
894
ea18931d
JH
895JH/26 Fix DKIM bug: when the pseudoheader generated for signing was exactly
896 the right size to place the terminating semicolon on its own folded
897 line, the header hash was calculated to an incorrect value thanks to
898 the (relaxed) space the fold became.
899
0768462d 900HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked
2cee425a
HSHR
901 and confused the parent.
902
848214f7
JH
903JH/27 Fix SOCKS bug: an uninitialized pointer was deref'd by the transport process
904 which could crash as a result. This could lead to undeliverable messages.
905
9e0ed81f
JH
906JH/28 Logging: "next input sent too soon" now shows where input was truncated
907 for log purposes.
908
2540f2f8
JH
909JH/29 Fix queue_run_in_order to ignore the PID portion of the message ID. This
910 matters on fast-turnover and PID-randomising systems, which were getting
911 out-of-order delivery.
912
e5ab0ba9
JH
913JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for
914 a possibly-overlapping copy. The symptom was that "Remote host closed
915 connection in response to HELO" was logged instead of the actual 4xx
916 error for the HELO.
917
e99a3a6c
JH
918JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error.
919 Previously only that buffered was discarded, resulting in SMTP command
920 desynchronisation.
921
18067c75
JH
922JH/32 DKIM: when a message has multiple signatures matching an identity given
923 in dkim_verify_signers, run the dkim acl once for each. Previously only
924 one run was done. Bug 2189.
925
72934ba7
JH
926JH/33 Downgrade an unfound-list name (usually a typo in the config file) from
927 "panic the current process" to "deliberately defer". The panic log is
928 still written with the problem list name; the mail and reject logs now
929 get a temp-reject line for the message that was being handled, saying
930 something like "domains check lookup or other defer". The SMTP 451
931 message is still "Temporary local problem".
932
625667b6
JH
933JH/34 Bug 2199: Fix a use-after-free while reading smtp input for header lines.
934 A crafted sequence of BDAT commands could result in in-use memory being
b488395f
JH
935 freed. CVE-2017-16943.
936
937HS/03 Bug 2201: Fix checking for leading-dot on a line during headers reading
938 from SMTP input. Previously it was always done; now only done for DATA
939 and not BDAT commands. CVE-2017-16944.
625667b6 940
d21bf202
JH
941JH/35 Bug 2201: Flush received data in BDAT mode after detecting an error fatal
942 to the message (such as an overlong header line). Previously this was
943 not done and we did not exit BDAT mode. Followon from the previous item
944 though a different problem.
945
acfc18c3 946
fd047340 947Exim version 4.89
acfc18c3 948-----------------
4c57a40e 949
9427e879 950JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules
4c04137d 951 than -2003 did; needs libidn2 in addition to libidn.
fd047340 952
7b283890
JH
953JH/02 The path option on a pipe transport is now expanded before use.
954
4c57a40e
PP
955PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
956 Patch provided by "Björn", documentation fix added too.
957
5d036699
JH
958JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was
959 missing a wire-to-host endian conversion.
960
f4630439
JH
961JH/04 Bug 2004: fix CHUNKING in non-PIPELINING mode. Chunk data following
962 close after a BDAT command line could be taken as a following command,
963 giving a synch failure. Fix by only checking for synch immediately
964 before acknowledging the chunk.
965
f988ce57
JS
966PP/02 GitHub PR 52: many spelling fixes, which include fixing parsing of
967 no_require_dnssec option and creation of _HAVE_TRANSPORT_APPEND_MAILDIR
968 macro. Patches provided by Josh Soref.
969
bd8fbe36
JH
970JH/05 Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
971 Previously we did not; the RFC seems ambiguous and VRFY is not listed
972 by IANA as a service extension. However, John Klensin suggests that we
973 should.
974
975JH/06 Bug 2017: Fix DKIM verification in -bh test mode. The data feed into
b895f4b2
JH
976 the dkim code may be unix-mode line endings rather than smtp wire-format
977 CRLF, so prepend a CR to any bare LF.
fd047340 978
bd8fbe36 979JH/07 Rationalise the coding for callout smtp conversations and transport ones.
902fbd69
JH
980 As a side-benefit, callouts can now use PIPELINING hence fewer round-trips.
981
bd8fbe36
JH
982JH/08 Bug 2016: Fix DKIM verification vs. CHUNKING. Any BDAT commands after
983 the first were themselves being wrongly included in the feed into dkim
984 processing; with most chunk sizes in use this resulted in an incorrect
985 body hash calculated value.
986
eea19017
JH
987JH/09 Bug 2014: permit inclusion of a DKIM-Signature header in a received
988 DKIM signature block, for verification. Although advised against by
989 standards it is specifically not ruled illegal.
990
44e6651b
JH
991JH/10 Bug 2025: Fix reception of (quoted) local-parts with embedded spaces.
992
993JH/11 Bug 2029: Fix crash in DKIM verification when a message signature block is
994 missing a body hash (the bh= tag).
995
996JH/12 Bug 2018: Re-order Proxy Protocol startup versus TLS-on-connect startup.
997 It seems that HAProxy sends the Proxy Protocol information in clear and
998 only then does a TLS startup, so do the same.
999
1000JH/13 Bug 2027: Avoid attempting to use TCP Fast Open for non-transport client
1001 TCP connections (such as for Spamd) unless the daemon successfully set
1002 Fast Open mode on its listening sockets. This fixes breakage seen on
1003 too-old kernels or those not configured for Fast Open, at the cost of
1004 requiring both directions being enabled for TFO, and TFO never being used
1005 by non-daemon-related Exim processes.
1006
1007JH/14 Bug 2000: Reject messages received with CHUNKING but with malformed line
1008 endings, at least on the first header line. Try to canonify any that get
1009 past that check, despite the cost.
1010
b6040544
JH
1011JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are
1012 now limited to an arbitrary five deep, while parsing addresses with the
1013 strip_excess_angle_brackets option enabled.
1014
f700ea4d
PP
1015PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and
1016 instead leave the unprompted TLS handshake in socket buffer for the
1017 TLS library to consume.
1018
da88acae
PP
1019PP/04 Bug 2018: Also handle Proxy Protocol v2 safely.
1020
f6ef9370
PP
1021PP/05 FreeBSD compat: handle that Ports no longer create /usr/bin/perl
1022
90341c71
JH
1023JH/16 Drop variables when they go out of scope. Memory management drops a whole
1024 region in one operation, for speed, and this leaves assigned pointers
1025 dangling. Add checks run only under the testsuite which checks all
1026 variables at a store-reset and panics on a dangling pointer; add code
1027 explicitly nulling out all the variables discovered. Fixes one known
1028 bug: a transport crash, where a dangling pointer for $sending_ip_address
1029 originally assigned in a verify callout, is re-used.
1030
1ec2ab36
PP
1031PP/06 Drop '.' from @INC in various Perl scripts.
1032
1033PP/07 Switch FreeBSD iconv to always use the base-system libc functions.
1034
1035PP/08 Reduce a number of compilation warnings under clang; building with
1036 CC=clang CFLAGS+=-Wno-dangling-else -Wno-logical-op-parentheses
1037 should be warning-free.
1038
8b2b9480
PP
1039JH/17 Fix inbound CHUNKING when DKIM disabled at runtime.
1040
1041HS/01 Fix portability problems introduced by PP/08 for platforms where
1042 realloc(NULL) is not equivalent to malloc() [SunOS et al].
1043
d953610f
HSHR
1044HS/02 Bug 1974: Fix missing line terminator on the last received BDAT
1045 chunk. This allows us to accept broken chunked messages. We need a more
1046 general solution here.
1047
7dc5f827
PP
1048PP/09 Wrote util/chunking_fixqueue_finalnewlines.pl to help recover
1049 already-broken messages in the queue.
1050
4bb432cb
PP
1051JH/18 Bug 2061: Fix ${extract } corrupting an enclosing ${reduce } $value.
1052
3b1a84c8
PP
1053JH/19 Fix reference counting bug in routing-generated-address tracking.
1054
902fbd69 1055
8d042305
JH
1056Exim version 4.88
1057-----------------
4c57a40e 1058
9094b84b
JH
1059JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
1060 supports it and a size is available (ie. the sending peer gave us one).
8d042305 1061
03d5892b
JH
1062JH/02 The obsolete acl condition "demime" is removed (finally, after ten
1063 years of being deprecated). The replacements are the ACLs
1064 acl_smtp_mime and acl_not_smtp_mime.
1065
4b0fe319
JH
1066JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
1067 a downgraded non-dane trust-anchor for the TLS connection (CA-style)
1068 or even an in-clear connection were permitted. Now, if the host lookup
1069 was dnssec and dane was requested then the host is only used if the
1070 TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
1071 MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
1072 if one fails this test.
1073 This means that a poorly-configured remote DNS will make it incommunicado;
1074 but it protects against a DNS-interception attack on it.
1075
789f8a4f
JH
1076JH/04 Bug 1810: make continued-use of an open smtp transport connection
1077 non-noisy when a race steals the message being considered.
1078
23bb6982 1079JH/05 If main configuration option tls_certificate is unset, generate a
f59aaaaa 1080 self-signed certificate for inbound TLS connections.
23bb6982 1081
0bd1b1ed 1082JH/06 Bug 165: hide more cases of password exposure - this time in expansions
f42deca9 1083 in rewrites and routers.
0bd1b1ed 1084
20b9a2dc
JH
1085JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
1086 and logged a warning since 4.83; now they are a configuration file error.
1087
05392bbc
JH
1088JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
1089 (lacking @domain). Apply the same qualification processing as RCPT.
1090
1a6230a3
JH
1091JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
1092
cfab9d68
JH
1093JH/10 Support ${sha256:} applied to a string (as well as the previous
1094 certificate).
1095
98c82a3d
JH
1096JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
1097 a cutthrough deliver is pending, as we always want to make a connection.
1098 This also avoids re-routing the message when later placing the cutthrough
1099 connection after a verify cache hit.
1100 Do not update it with the verify result either.
1101
1102JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
1103 when routing results in more than one destination address.
1104
ae8386f0
JH
1105JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
1106 signing (which inhibits the cutthrough capability). Previously only
1107 the presence of an option was tested; now an expansion evaluating as
1108 empty is permissible (obviously it should depend only on data available
1109 when the cutthrough connection is made).
1110
0d9fa8c0
JH
1111JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
1112 the relevant preceding SMTP command did not note the pipelining mode.
1113
3581f321
JH
1114JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
1115 Previously they were not counted.
1116
ef3a1a30
JH
1117JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
1118 as one having no matching records. Previously we deferred the message
1119 that needed the lookup.
1120
4c04137d 1121JH/17 Fakereject: previously logged as a normal message arrival "<="; now
27b9e5f4
JH
1122 distinguished as "(=".
1123
1435d4b2
JH
1124JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
1125 for missing MX records. Previously it only worked for missing A records.
1126
eea0defe
JB
1127JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
1128
1129JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
1130 after the data-go-ahead and data-ack. Patch from Jason Betts.
860cdda2 1131
4c04137d 1132JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results,
72a201e2
TM
1133 even for a "none" policy. Patch from Tony Meyer.
1134
1c788856
JH
1135JH/22 Fix continued use of a connection for further deliveries. If a port was
1136 specified by a router, it must also match for the delivery to be
1137 compatible.
1138
e3b1f624
JH
1139JH/23 Bug 1874: fix continued use of a connection for further deliveries.
1140 When one of the recipients of a message was unsuitable for the connection
1141 (has no matching addresses), we lost track of needing to mark it
1142 deferred. As a result mail would be lost.
1143
a57ce043
JH
1144JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
1145
f59aaaaa 1146JH/25 Decoding ACL controls is now done using a binary search; the source code
2d009132
JH
1147 takes up less space and should be simpler to maintain. Merge the ACL
1148 condition decode tables also, with similar effect.
d7bed771 1149
d1f9fb42
JH
1150JH/26 Fix problem with one_time used on a redirect router which returned the
1151 parent address unchanged. A retry would see the parent address marked as
1152 delivered, so not attempt the (identical) child. As a result mail would
1153 be lost.
1154
92b0827a
JH
1155JH/27 Fix a possible security hole, wherein a process operating with the Exim
1156 UID can gain a root shell. Credit to http://www.halfdog.net/ for
1157 discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
1158 itself :(
1159
ddf1b11a
JH
1160JH/28 Enable {spool,log} filesystem space and inode checks as default.
1161 Main config options check_{log,spool}_{inodes,space} are now
1162 100 inodes, 10MB unless set otherwise in the configuration.
1163
3cc3f762
JH
1164JH/29 Fix the connection_reject log selector to apply to the connect ACL.
1165 Previously it only applied to the main-section connection policy
1166 options.
1167
ae5afa61
JH
1168JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
1169
317e40ac
PP
1170PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
1171 by me. Added RFC7919 DH primes as an alternative.
1172
8b0fb68e
PP
1173PP/02 Unbreak build via pkg-config with new hash support when crypto headers
1174 are not in the system include path.
1175
ad7fc6eb 1176JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
f59aaaaa 1177 GnuTLS, when a session startup failed (eg because the client disconnected)
ad7fc6eb
JH
1178 Exim did stdio operations after fclose. This was exposed by a recent
1179 change which nulled out the file handle after the fclose.
ad7fc6eb 1180
ee5b1e28
JH
1181JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
1182 signed directly by the cert-signing cert, rather than an intermediate
1183 OCSP-signing cert. This is the model used by LetsEncrypt.
1184
5ddc9771
JH
1185JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
1186
8d73599f
JH
1187HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
1188 an incoming connection.
1189
446415f5
HSHR
1190HS/02 Bug 1802: Do not half-close the connection after sending a request
1191 to rspamd.
1192
8e53a4fc
HSHR
1193HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
1194 fallback to "prime256v1".
8d042305 1195
87cb4a16 1196JH/34 SECURITY: Use proper copy of DATA command in error message.
4c57a40e 1197 Could leak key material. Remotely exploitable. CVE-2016-9963.
87cb4a16
JH
1198
1199
0d9b78be
JH
1200Exim version 4.87
1201-----------------
4c57a40e 1202
82d14d6a
JH
1203JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
1204 and 3.4.4 - once the server is enabled to respond to an OCSP request
1205 it does even when not requested, resulting in a stapling non-aware
1206 client dropping the TLS connection.
0d9b78be 1207
6c6d6e48
TF
1208TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to
1209 support variable-length bit vectors. No functional change.
1210
ac881e27
TF
1211TF/02 Improve the consistency of logging incoming and outgoing interfaces.
1212 The I= interface field on outgoing lines is now after the H= remote
1213 host field, same as incoming lines. There is a separate
1214 outgoing_interface log selector which allows you to disable the
1215 outgoing I= field.
1216
c8899c20
JH
1217JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write.
1218 If not running log_selector +smtp_connection the mainlog would be held
1219 open indefinitely after a "too many connections" event, including to a
1220 deleted file after a log rotate. Leave the per net connection logging
1221 leaving it open for efficiency as that will be quickly detected by the
1222 check on the next write.
1223
f1b81d81
HSHR
1224HS/01 Bug 1671: Fix post transport crash.
1225 Processing the wait-<transport> messages could crash the delivery
1226 process if the message IDs didn't exist for some reason. When
1227 using 'split_spool_directory=yes' the construction of the spool
1228 file name failed already, exposing the same netto behaviour.
1229
f38917cc
JH
1230JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex &
1231 mime_regex ACL conditions.
1232
895fbaf2
JH
1233JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information
1234 to DSN fail messages (bounces): remote IP, remote greeting, remote response
1235 to HELO, local diagnostic string.
1236
805bb5c3
JH
1237JH/05 Downgrade message for a TLS-certificate-based authentication fail from
1238 log line to debug. Even when configured with a tls authenticator many
1239 client connections are expected to not authenticate in this way, so
1240 an authenticate fail is not an error.
1241
56c2a7be
HSHR
1242HS/02 Add the Exim version string to the process info. This way exiwhat
1243 gives some more detail about the running daemon.
1244
4c04137d 1245JH/06 Bug 1395: time-limit caching of DNS lookups, to the TTL value. This may
14b3c5bc
JH
1246 matter for fast-change records such as DNSBLs.
1247
6f6dedcc
JH
1248JH/07 Bug 1678: Always record an interface option value, if set, as part of a
1249 retry record, even if constant. There may be multiple transports with
1250 different interface settings and the retry behaviour needs to be kept
1251 distinct.
1252
0f557e90
JH
1253JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments.
1254
1255JH/09 Bug 1700: ignore space & tab embedded in base64 during decode.
1256
ec0eb1a3
JH
1257JH/10 Bug 840: fix log_defer_output option of pipe transport
1258
41e93589
JH
1259JH/11 Bug 830: use same host for all RCPTS of a message, even under
1260 hosts_randomize. This matters a lot when combined with mua_wrapper.
1261
98b98887 1262JH/12 Bug 1706: percent and underbar characters are no longer escaped by the
376d2ec0
JH
1263 ${quote_pgsql:<string>} operator.
1264
98b98887
JH
1265JH/13 Bug 1708: avoid misaligned access in cached lookup.
1266
858e91c2
JH
1267JH/14 Change header file name for freeradius-client. Relevant if compiling
1268 with Radius support; from the Gentoo tree and checked under Fedora.
1269
1270JH/15 Bug 1712: Introduce $prdr_requested flag variable
1271
6ff55e50
JH
1272JH/16 Bug 1714: Permit an empty string as expansion result for transport
1273 option transport_filter, meaning no filtering.
1274
3b957582
JB
1275JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts.
1276
23f3dc67
JH
1277JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now
1278 defaults to "*" (all hosts). The variable is now available when not built
4c04137d 1279 with TLS, default unset, mainly to enable keeping the testsuite sane.
23f3dc67
JH
1280 If a server certificate is not supplied (via tls_certificate) an error is
1281 logged, and clients will find TLS connections fail on startup. Presumably
1282 they will retry in-clear.
1283 Packagers of Exim are strongly encouraged to create a server certificate
1284 at installation time.
1285
240c288f
JH
1286HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency
1287 with the $config_file variable.
1288
5ef5dd52
JB
1289JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both
1290 in transport context, after the attempt, and per-recipient. The latter type
1291 is per host attempted. The event data is the error message, and the errno
1292 information encodes the lookup type (A vs. MX) used for the (first) host,
4c04137d 1293 and the trailing two digits of the smtp 4xx response.
5ef5dd52 1294
e161710d
GF
1295GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt
1296 to write to mainlog (or rejectlog, paniclog) in the window between file
1297 creation and permissions/ownership being changed. Particularly affects
1298 installations where exicyclog is run as root, rather than exim user;
1299 result is that the running daemon panics and dies.
1300
a159f203
JH
1301JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names.
1302
7f06582c
JH
1303JH/21 Bug 1720: Add support for priority groups and weighted-random proxy
1304 selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options
1305 "pri" and "weight". Note that the previous implicit priority given by the
1306 list order is no longer honoured.
1307
4c04137d 1308JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalization
abe1010c
JH
1309 for DKIM processing.
1310
f0989ec0
JH
1311JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build
1312 by defining SUPPORT_SOCKS.
74f150bf 1313
cee5f132
JH
1314JH/26 Move PROXY support from Experimental to mainline, enabled for a build
1315 by defining SUPPORT_PROXY. Note that the proxy_required_hosts option
e6d2a989
JH
1316 is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}
1317 variables are renamed to proxy_{local,external}_{address,port}.
cee5f132 1318
8c5d388a
JH
1319JH/27 Move Internationalisation support from Experimental to mainline, enabled
1320 for a build by defining SUPPORT_I18N
1321
2d8d625b
JH
1322JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts
1323 of the query string, and make ${quote_redis:} do that quoting.
1324
0cbf2b82
JH
1325JH/29 Move Events support from Experimental to mainline, enabled by default
1326 and removable for a build by defining DISABLE_EVENT.
1327
f2f2c91b
JH
1328JH/30 Updated DANE implementation code to current from Viktor Dukhovni.
1329
ce325893
JH
1330JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly
1331 cached by the daemon.
1332
de78e2d5
JH
1333JH/32 Move Redis support from Experimental to mainline, enabled for a build
1334 by defining LOOKUP_REDIS. The libhiredis library is required.
1335
379ba7d0
JH
1336JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit
1337 keys are given for lookup.
1338
f444c2c7
JH
1339JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM
1340 support, by using OpenSSL or GnuTLS library ones. This means DKIM is
07c73177
JH
1341 only supported when built with TLS support. The PolarSSL SHA routines
1342 are still used when the TLS library is too old for convenient support.
f444c2c7 1343
a57b6200
JH
1344JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option
1345 openssl_options), for security. OpenSSL forces this from version 1.1.0
1346 server-side so match that on older versions.
1347
07c73177 1348JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh
fa01e4f8 1349 allocation for $value could be released as the expansion processing
07c73177 1350 concluded, but leaving the global pointer active for it.
fa01e4f8 1351
4f6ae5c3
JH
1352JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response,
1353 and to use the domains and local_parts ACL conditions.
1354
1bc460a6
JH
1355JH/38 Fix cutthrough bug with body lines having a single dot. The dot was
1356 incorrectly not doubled on cutthrough transmission, hence seen as a
1357 body-termination at the receiving system - resulting in truncated mails.
62ac2eb7 1358 Commonly the sender saw a TCP-level error, and retransmitted the message
1bc460a6
JH
1359 via the normal store-and-forward channel. This could result in duplicates
1360 received - but deduplicating mailstores were liable to retain only the
1361 initial truncated version.
1362
ab9152ff 1363JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64.
df3def24 1364
67e87fcf
JH
1365JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS.
1366
ab9152ff
JH
1367JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While
1368 we're in there, support oversigning also; bug 1309.
1369
af483912
JH
1370JH/42 Bug 1796: Fix error logged on a malware scanner connection failure.
1371
bc3c7bb7 1372HS/04 Add support for keep_environment and add_environment options.
df3def24 1373
13559da6
JH
1374JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain;
1375 either intentional arithmetic overflow during PRNG, or testing config-
1376 induced overflows.
1377
59eaad2b
JH
1378JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough
1379 delivery resulted in actual delivery. Cancel cutthrough before DATA
1380 stage.
1381
f9334a28
JH
1382JH/45 Fix cutthrough, when connection not opened by verify and target hard-
1383 rejects a recipient: pass the reject to the originator.
1384
dc8091e7
JH
1385JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs.
1386 Many were false-positives and ignorable, but it's worth fixing the
1387 former class.
1388
dfe7d917
JH
1389JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also
1390 for the new environment-manipulation done at startup. Move the routines
1391 from being local to tls.c to being global via the os.c file.
1392
93cc2d6e
JH
1393JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing
1394 an extract embedded as result-arg for a map, the first arg for extract
1395 is unavailable so we cannot tell if this is a numbered or keyed
1396 extraction. Accept either.
1397
13559da6 1398
9c695f6d
JH
1399Exim version 4.86
1400-----------------
4c57a40e 1401
9c695f6d
JH
1402JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
1403 expanded.
1404
506900af
JH
1405JH/02 The smtp transport option "multi_domain" is now expanded.
1406
ad07e9ad
JH
1407JH/03 The smtp transport now requests PRDR by default, if the server offers
1408 it.
1409
01a4a5c5 1410JH/04 Certificate name checking on server certificates, when exim is a client,
b3ef41c9 1411 is now done by default. The transport option tls_verify_cert_hostnames
01a4a5c5
JH
1412 can be used to disable this per-host. The build option
1413 EXPERIMENTAL_CERTNAMES is withdrawn.
1414
cb1d7830 1415JH/05 The value of the tls_verify_certificates smtp transport and main options
0e0f3f56 1416 default to the word "system" to access the system default CA bundle.
cb1d7830
JH
1417 For GnuTLS, only version 3.0.20 or later.
1418
610ff438 1419JH/06 Verification of the server certificate for a TLS connection is now tried
6d580f19
JH
1420 (but not required) by default. The verification status is now logged by
1421 default, for both outbound TLS and client-certificate supplying inbound
1422 TLS connections.
610ff438 1423
f926e272
JH
1424JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
1425 sites use this now.
1426
50dc7409
JH
1427JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
1428 Status Notification (bounce) messages are now MIME format per RFC 3464.
1429 Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
1430 under the control of the dsn_advertise_hosts option, and routers may
1431 have a dsn_lasthop option.
1432
0f0c8159
JH
1433JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
1434 default, modifiable by a malware= option. The list separator for
23763898 1435 the options can now be changed in the usual way. Bug 68.
4e71661f 1436
1ad6489e
JH
1437JH/10 The smtp_receive_timeout main option is now expanded before use.
1438
aeaf5db3
JH
1439JH/11 The incoming_interface log option now also enables logging of the
1440 local interface on delivery outgoing connections.
1441
5032d1cf
JH
1442JH/12 The cutthrough-routing facility now supports multi-recipient mails,
1443 if the interface and destination host and port all match.
1444
7e8360e6
JH
1445JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
1446 /defer_ok option.
1447
c5f280e2
AL
1448JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
1449 Patch from Andrew Lewis.
1450
fd4d8871 1451JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
dc7b3d36 1452 now supports optional time-restrictions, weighting, and priority
fd4d8871
R
1453 modifiers per server. Patch originally by <rommer@active.by>.
1454
1455JH/16 The spamd_address main option now supports a mixed list of local
2aad5761
JH
1456 and remote servers. Remote servers can be IPv6 addresses, and
1457 specify a port-range.
fd4d8871 1458
23763898
JH
1459JH/17 Bug 68: The spamd_address main option now supports an optional
1460 timeout value per server.
1461
2ad78978
JH
1462JH/18 Bug 1581: Router and transport options headers_add/remove can
1463 now have the list separator specified.
1464
8a512ed5 1465JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
cfab9d68 1466 option values.
8a512ed5 1467
82c0c8ea 1468JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
f69979cf
JH
1469 under OpenSSL.
1470
cc00f4af
JH
1471JH/21 Support for the A6 type of dns record is withdrawn.
1472
82c0c8ea
JH
1473JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
1474 rather than the verbs used.
1475
b980ed83
JH
1476JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
1477 from 255 to 1024 chars.
1478
6c9ed72e
JH
1479JH/24 Verification callouts now attempt to use TLS by default.
1480
cfab9d68 1481HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
99c1bb4e 1482 are generic router options now. The defaults didn't change.
50dc7409 1483
f846c8f5
JH
1484JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
1485 Original patch from Alexander Shikoff, worked over by JH.
1486
fd4c285c
HSHR
1487HS/02 Bug 1575: exigrep falls back to autodetection of compressed
1488 files if ZCAT_COMMAND is not executable.
1489
4c04137d 1490JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.
fd7f7910 1491
d2a2c69b
JH
1492JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
1493
8241d8dd
JH
1494JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
1495 Normally benign, it bites when the pair was led to by a CNAME;
4c04137d 1496 modern usage is to not canonicalize the domain to a CNAME target
8241d8dd
JH
1497 (and we were inconsistent anyway for A-only vs AAAA+A).
1498
1f12df4d
JH
1499JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
1500
1f155f8e
JH
1501JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
1502 when evaluating $sender_host_dnssec.
1503
1705dd20
JH
1504JH/31 Check the HELO verification lookup for DNSSEC, adding new
1505 $sender_helo_dnssec variable.
1506
038597d2
PP
1507JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
1508
474f71bf
JH
1509JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
1510
7137ca4b
JH
1511JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
1512
dcb1095c
JH
1513JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
1514 documented as working, but never had. Support all but $spam_report.
1515
2f460950
JH
1516JH/36 Bug 1659: Guard checking of input smtp commands against pseudo-command
1517 added for tls authenticator.
1518
2f680c0c
HSHR
1519HS/03 Add perl_taintmode main config option
1520
9c695f6d 1521
e449c3b0
TL
1522Exim version 4.85
1523-----------------
4c57a40e 1524
e449c3b0
TL
1525TL/01 When running the test suite, the README says that variables such as
1526 no_msglog_check are global and can be placed anywhere in a specific
1527 test's script, however it was observed that placement needed to be near
1528 the beginning for it to behave that way. Changed the runtest perl
1529 script to read through the entire script once to detect and set these
1530 variables, reset to the beginning of the script, and then run through
1531 the script parsing/test process like normal.
1532
ac20058f
TL
1533TL/02 The BSDs have an arc4random API. One of the functions to induce
1534 adding randomness was arc4random_stir(), but it has been removed in
1535 OpenBSD 5.5. Detect this OpenBSD version and skip calling this
1536 function when detected.
1537
a9b8ec8b
JH
1538JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now
1539 cause callback expansion.
1540
6286d7c4
TL
1541TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that
1542 syntax errors in an expansion can be treated as a string instead of
1543 logging or causing an error, due to the internal use of bool_lax
1544 instead of bool when processing it.
1545
0f06b4f2 1546JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for
d567a64d
JH
1547 server certificates when making smtp deliveries.
1548
be36e572
JH
1549JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups.
1550
ac4ef9bd
JH
1551JH/04 Add ${sort {list}{condition}{extractor}} expansion item.
1552
0eb51736
TL
1553TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep.
1554
c713ca4b
TL
1555TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups.
1556 Merged patch from Sebastian Wiedenroth.
e449c3b0 1557
bd21a787
WB
1558JH/05 Fix results-pipe from transport process. Several recipients, combined
1559 with certificate use, exposed issues where response data items split
1560 over buffer boundaries were not parsed properly. This eventually
1561 resulted in duplicates being sent. This issue only became common enough
4c04137d 1562 to notice due to the introduction of connection certificate information,
bd21a787
WB
1563 the item size being so much larger. Found and fixed by Wolfgang Breyha.
1564
8bc732e8
JH
1565JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
1566 size buffer was used, resulting in syntax errors when an expansion
1567 exceeded it.
1568
a7fec7a7
JH
1569JH/07 Add support for directories of certificates when compiled with a GnuTLS
1570 version 3.3.6 or later.
1571
4c04137d 1572JH/08 Rename the TPDA experimental facility to Event Actions. The #ifdef
774ef2d7
JH
1573 is EXPERIMENTAL_EVENT, the main-configuration and transport options
1574 both become "event_action", the variables become $event_name, $event_data
aec45841 1575 and $event_defer_errno. There is a new variable $verify_mode, usable in
723fe533
JH
1576 routers, transports and related events. The tls:cert event is now also
1577 raised for inbound connections, if the main configuration event_action
1578 option is defined.
774ef2d7 1579
eca4debb
TL
1580TL/06 In test suite, disable OCSP for old versions of openssl which contained
1581 early OCSP support, but no stapling (appears to be less than 1.0.0).
1582
8d692470
JH
1583JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on
1584 server certificate names available under the smtp transport option
1585 "tls_verify_cert_hostname" now do not permit multi-component wildcard
1586 matches.
1587
e9477a08
JH
1588JH/10 Time-related extraction expansions from certificates now use the main
1589 option "timezone" setting for output formatting, and are consistent
1590 between OpenSSL and GnuTLS compilations. Bug 1541.
1591
ad4c5ff9
JH
1592JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047-
1593 encoded parameter in the incoming message. Bug 1558.
8dea5edf
JH
1594
1595JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now
1596 include certificate info, eximon was claiming there were spoolfile
1597 syntax errors.
1598
3394b36a 1599JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return.
8dea5edf
JH
1600
1601JH/14 Log delivery-related information more consistently, using the sequence
1602 "H=<name> [<ip>]" wherever possible.
1603
3394b36a
TL
1604TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which
1605 are problematic for Debian distribution, omit them from the release
1606 tarball.
1607
ad4c5ff9
JH
1608JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature.
1609
4c04137d 1610JH/16 Fix string representation of time values on 64bit time_t architectures.
ad4c5ff9
JH
1611 Bug 1561.
1612
1613JH/17 Fix a null-indirection in certextract expansions when a nondefault
1614 output list separator was used.
1615
8bc732e8 1616
1f0ebb98
TL
1617Exim version 4.84
1618-----------------
09728d20
TL
1619TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static
1620 checkers that were complaining about end of non-void function with no
1621 return.
1f0ebb98 1622
a612424f 1623JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers.
4c04137d 1624 This was a regression introduced in 4.83 by another bugfix.
a612424f
JH
1625
1626JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled.
1627
1628TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when
a9b8ec8b 1629 EXPERIMENTAL_DSN is enabled. Fix from Wolfgang Breyha.
a612424f 1630
1f0ebb98 1631
c0e56233
TF
1632Exim version 4.83
1633-----------------
1634
1635TF/01 Correctly close the server side of TLS when forking for delivery.
1636
1637 When a message was received over SMTP with TLS, Exim failed to clear up
1638 the incoming connection properly after forking off the child process to
1639 deliver the message. In some situations the subsequent outgoing
1640 delivery connection happened to have the same fd number as the incoming
1641 connection previously had. Exim would try to use TLS and fail, logging
1642 a "Bad file descriptor" error.
1643
7245734e
TF
1644TF/02 Portability fix for building lookup modules on Solaris when the xpg4
1645 utilities have not been installed.
1646
fd5dad68
JH
1647JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
1648 temporary space as the ACL may create new global variables.
1649
5428a946
TL
1650TL/01 LDAP support uses per connection or global context settings, depending
1651 upon the detected version of the libraries at build time.
1652
a3c86431
TL
1653TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection
1654 to extract and use the src ip:port in logging and expansions as if it
8ded8589
TL
1655 were a direct connection from the outside internet. PPv2 support was
1656 updated based on HAProxy spec change in May 2014.
a3c86431 1657
aa26e137
JH
1658JH/02 Add ${listextract {number}{list}{success}{fail}}.
1659
5a1b8443
WB
1660TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents.
1661 Properly escape header and check for NULL return.
1662
72c9e342
PP
1663PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok
1664 not dns_use_dnssec.
1665
76f44207
WB
1666JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp.
1667
770747fd
MFM
1668TL/04 Add verify = header_names_ascii check to reject email with non-ASCII
1669 characters in header names, implemented as a verify condition.
1670 Contributed by Michael Fischer v. Mollard.
1671
8ddef691 1672TL/05 Rename SPF condition results err_perm and err_temp to standardized
982650ec
TL
1673 results permerror and temperror. Previous values are deprecated but
1674 still accepted. In a future release, err_perm and err_temp will be
1675 completely removed, which will be a backward incompatibility if the
1676 ACL tests for either of these two old results. Patch contributed by
8ddef691 1677 user bes-internal on the mailing list.
c0e56233 1678
b9c2e32f
AR
1679JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau.
1680
e45a1c37
JH
1681JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log
1682 selectors, in both main and reject logs.
1683
67d81c10
JH
1684JH/06 Log outbound-TLS and port details, subject to log selectors, for a
1685 failed delivery.
1686
b1f8e4f8
JH
1687JH/07 Add malware type "sock" for talking to simple daemon.
1688
511a6c14 1689JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport.
511a6c14
JH
1690
1691JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in
1692 routers/transports under cutthrough routing.
214042d2 1693
51c7471d
JH
1694JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative
1695 numbers. Touch up "bool" conditional to keep the same definition.
1696
3695be34
TL
1697TL/06 Remove duplicated language in spec file from 4.82 TL/16.
1698
1e06383a
TL
1699JH/11 Add dnsdb tlsa lookup. From Todd Lyons.
1700
76146973
JH
1701JH/12 Expand items in router/transport headers_add or headers_remove lists
1702 individually rather than the list as a whole. Bug 1452.
1703
1704 Required for reasonable handling of multiple headers_ options when
1705 they may be empty; requires that headers_remove items with embedded
1706 colons must have them doubled (or the list-separator changed).
1707
8c8b8274
TL
1708TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
1709 view the policy declared in the DMARC record. Currently, $dmarc_status
1710 is a combined value of both the record presence and the result of the
1711 analysis.
b1f8e4f8 1712
35aba663
JH
1713JH/13 Fix handling of $tls_cipher et al. in (non-verify) transport. Bug 1455.
1714
8c51eead 1715JH/14 New options dnssec_request_domains, dnssec_require_domains on the
578897ea
JH
1716 dnslookup router and the smtp transport (applying to the forward
1717 lookup).
8c51eead 1718
deae092e
HS
1719TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
1720 of ldap servers used for a specific lookup. Patch provided by Heiko
1721 Schlichting.
35aba663 1722
fd3b6a4a 1723JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
4e0983dc 1724 New variable $lookup_dnssec_authenticated for observability.
fd3b6a4a 1725
8d91c6dc
LT
1726TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
1727 Patch submitted by Lars Timman.
1728
2b4a568d
JH
1729JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459.
1730
d2af03f4
HS
1731TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim.
1732 Requires trusted mode and valid format message id, aborts otherwise.
1733 Patch contributed by Heiko Schlichting.
1734
9d1c15ef
JH
1735JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item
1736 certextract with support for various fields. Bug 1358.
1737
44662487
JH
1738JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling
1739 is requested by default, modifiable by smtp transport option
6a8a60e0
JH
1740 hosts_request_ocsp.
1741
ed3bba5f 1742JH/22 Expansion operators ${md5:string} and ${sha1:string} can now
6a8a60e0 1743 operate on certificate variables to give certificate fingerprints.
9ef9101c 1744 Also new ${sha256:cert_variable}.
44662487 1745
8ccd00b1
JH
1746JH/23 The PRDR feature is moved from being Experimental into the mainline.
1747
8ded8589
TL
1748TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from
1749 Christian Aistleitner.
1750
f2de3a33
JH
1751JH/24 The OCSP stapling feature is moved from Experimental into the mainline.
1752
6eb02f88
TL
1753TL/12 Bug 1444: Fix improper \r\n sequence handling when writing spool
1754 file. Patch from Wolfgang Breyha.
1755
00bff6f6
JH
1756JH/25 Expand the coverage of the delivery $host and $host_address to
1757 client authenticators run in verify callout. Bug 1476.
1758
071c51f7
JH
1759JH/26 Port service names are now accepted for tls_on_connect_ports, to
1760 align with daemon_smtp_ports. Bug 72.
1761
a6d4c44e
TF
1762TF/03 Fix udpsend. The ip_connectedsocket() function's socket type
1763 support and error reporting did not work properly.
1764
3ae173e7
ACK
1765TL/13 Bug 1495: Exiqgrep check if -C config file specified on cli exists
1766 and is readable. Patch from Andrew Colin Kissa.
1767
c13d09b8
TL
1768TL/14 Enhance documentation of ${run expansion and how it parses the
1769 commandline after expansion, particularly in the case when an
1770 unquoted variable expansion results in an empty value.
1771
0df4ab80
JH
1772JH/27 The TLS SNI feature was broken in 4.82. Fix it.
1773
66be95e0
PP
1774PP/02 Fix internal collision of T_APL on systems which support RFC3123
1775 by renaming away from it. Addresses GH issue 15, reported by
1776 Jasper Wallace.
1777
1bd0d12b
JH
1778JH/28 Fix parsing of MIME headers for parameters with quoted semicolons.
1779
0de7239e
TL
1780TL/15 SECURITY: prevent double expansion in math comparison functions
1781 (can expand unsanitized data). Not remotely exploitable.
1782 CVE-2014-2972
1783
fd3b6a4a 1784
2c422e6f 1785Exim version 4.82
98a90c36
PP
1786-----------------
1787
1788PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities.
1789
12f69989
PP
1790PP/02 Make -n do something, by making it not do something.
1791 When combined with -bP, the name of an option is not output.
1792
54c90be1
PP
1793PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured
1794 by GnuTLS.
1795
1f4a55da
PP
1796PP/04 First step towards DNSSEC, provide $sender_host_dnssec for
1797 $sender_host_name and config options to manage this, and basic check
1798 routines.
1799
13363eba 1800PP/05 DSCP support for outbound connections and control modifier for inbound.
36a3ae5f 1801
66645890 1802PP/06 Cyrus SASL: set local and remote IP;port properties for driver.
e402235f
PP
1803 (Only plugin which currently uses this is kerberos4, which nobody should
1804 be using, but we should make it available and other future plugins might
1805 conceivably use it, even though it would break NAT; stuff *should* be
1806 using channel bindings instead).
66645890 1807
a3fb9793 1808PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process
f4ee74ac
PP
1809 name; added for Sendmail compatibility; requires admin caller.
1810 Handle -G as equivalent to "control = suppress_local_fixups" (we used to
1811 just ignore it); requires trusted caller.
a3fb9793 1812 Also parse but ignore: -Ac -Am -X<logfile>
f4ee74ac 1813 Bugzilla 1117.
a3fb9793 1814
d27f98fe 1815TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing.
98a90c36 1816
6822b909
TL
1817TL/02 Add +smtp_confirmation as a default logging option.
1818
e7568d51
TL
1819TL/03 Bugzilla 198 - Implement remove_header ACL modifier.
1820 Patch by Magnus Holmgren from 2007-02-20.
1821
ae0e32ee 1822TL/04 Bugzilla 1281 - Spec typo.
ca0ff207 1823 Bugzilla 1283 - Spec typo.
97f42f10 1824 Bugzilla 1290 - Spec grammar fixes.
ca0ff207
TL
1825
1826TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation.
ae0e32ee 1827
e2658fff
TL
1828TL/06 Add Experimental DMARC support using libopendmarc libraries.
1829
83712b39
TL
1830TL/07 Fix an out of order global option causing a segfault. Reported to dev
1831 mailing list by Dmitry Isaikin.
1832
976b7e9f
JH
1833JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support.
1834
be4a1376
JH
1835JH/02 Support "G" suffix to numbers in ${if comparisons.
1836
ec4b68e5
PP
1837PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL.
1838
d7148a07
NM
1839NM/01 Bugzilla 1197 - Spec typo
1840 Bugzilla 1196 - Spec examples corrections
ec4b68e5 1841
585121e2 1842JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
ec4b68e5 1843
2519e60d
TL
1844PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called
1845 gnutls_enable_pkcs11, but renamed to more accurately indicate its
1846 function.
a5f239e4 1847
13d08c90
PP
1848PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC.
1849 Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
1850
bef3ea7f
JH
1851JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition
1852 "acl {{name}{arg}...}", and optional args on acl condition
1853 "acl = name arg..."
a5f239e4 1854
846726c5
JH
1855JH/05 Permit multiple router/transport headers_add/remove lines.
1856
3a796370
JH
1857JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination.
1858
ea722490 1859JH/07 Avoid using a waiting database for a single-message-only transport.
8b260705
PP
1860 Performance patch from Paul Fisher. Bugzilla 1262.
1861
b1b05573
JH
1862JH/08 Strip leading/trailing newlines from add_header ACL modifier data.
1863 Bugzilla 884.
1864
362145b5
JH
1865JH/09 Add $headers_added variable, with content from use of ACL modifier
1866 add_header (but not yet added to the message). Bugzilla 199.
1867
3c0a92dc
JH
1868JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line.
1869 Pulled from Bugzilla 817 by Wolfgang Breyha.
1870
6d7c6175
PP
1871PP/11 SECURITY: protect DKIM DNS decoding from remote exploit.
1872 CVE-2012-5671
e78e6ecf 1873 (nb: this is the same fix as in Exim 4.80.1)
6d7c6175 1874
6f123593
JH
1875JH/11 Add A= logging on delivery lines, and a client_set_id option on
1876 authenticators.
1877
c8e2fc1e
JH
1878JH/12 Add optional authenticated_sender logging to A= and a log_selector
1879 for control.
1880
005ac57f
PP
1881PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29.
1882
3f1df0e3
PP
1883PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not
1884 advertise SMTP AUTH mechanism to us, instead of a generic
1885 protocol violation error. Also, make Exim more robust to bad
1886 data from the Dovecot auth socket.
1887
67bd1ab3
TF
1888TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients.
1889
1890 When a queue runner is handling a message, Exim first routes the
1891 recipient addresses, during which it prunes them based on the retry
1892 hints database. After that it attempts to deliver the message to
1893 any remaining recipients. It then updates the hints database using
1894 the retry rules.
1895
1896 So if a recipient address works intermittently, it can get repeatedly
1897 deferred at routing time. The retry hints record remains fresh so the
1898 address never reaches the final cutoff time.
1899
1900 This is a fairly common occurrence when a user is bumping up against
1901 their storage quota. Exim had some logic in its local delivery code
1902 to deal with this. However it did not apply to per-recipient defers
1903 in remote deliveries, e.g. over LMTP to a separate IMAP message store.
1904
1ddeb334
TF
1905 This change adds a proper retry rule check during routing so that the
1906 final cutoff time is checked against the message's age. We only do
1907 this check if there is an address retry record and there is not a
1908 domain retry record; this implies that previous attempts to handle
1909 the address had the retry_use_local_parts option turned on. We use
1910 this as an approximation for the destination being like a local
1911 delivery, as in LMTP.
67bd1ab3
TF
1912
1913 I suspect this new check makes the old local delivery cutoff check
1914 redundant, but I have not verified this so I left the code in place.
1915
326cdc37
TF
1916TF/02 Correct gecos expansion when From: is a prefix of the username.
1917
1918 Test 0254 submits a message to Exim with the header
1919
1920 Resent-From: f
1921
1922 When I ran the test suite under the user fanf2, Exim expanded
1923 the header to contain my full name, whereas it should have added
1924 a Resent-Sender: header. It erroneously treats any prefix of the
1925 username as equal to the username.
1926
1927 This change corrects that bug.
1928
f62514b3
GF
1929GF/01 DCC debug and logging tidyup
1930 Error conditions log to paniclog rather than rejectlog.
1931 Debug lines prefixed by "DCC: " to remove any ambiguity.
1932
eb505532
TF
1933TF/03 Avoid unnecessary rebuilds of lookup-related code.
1934
14c7b357
PP
1935PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server.
1936 Bug spotted by Jeremy Harris; was flawed since initial commit.
1937 Would have resulted in OCSP responses post-SNI triggering an Exim
1938 NULL dereference and crash.
1939
94eaf700
PP
1940JH/13 Add $router_name and $transport_name variables. Bugzilla 308.
1941
6f5a440a
PP
1942PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd.
1943 Bug detection, analysis and fix by Samuel Thibault.
1944 Bugzilla 1331, Debian bug #698092.
1945
514ee161
SC
1946SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]'
1947
fd98a5c6
JH
1948JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt).
1949 Server implementation by Todd Lyons, client by JH.
1950 Only enabled when compiled with EXPERIMENTAL_PRDR. A new
1951 config variable "prdr_enable" controls whether the server
1952 advertises the facility. If the client requests PRDR a new
1953 acl_data_smtp_prdr ACL is called once for each recipient, after
1954 the body content is received and before the acl_smtp_data ACL.
4c04137d 1955 The client is controlled by both of: a hosts_try_prdr option
fd98a5c6
JH
1956 on the smtp transport, and the server advertisement.
1957 Default client logging of deliveries and rejections involving
1958 PRDR are flagged with the string "PRDR".
1959
035c7f1e
PP
1960PP/16 Fix problems caused by timeouts during quit ACLs trying to double
1961 fclose(). Diagnosis by Todd Lyons.
1962
ff284120
PP
1963PP/17 Update configure.default to handle IPv6 localhost better.
1964 Patch by Alain Williams (plus minor tweaks).
1965 Bugzilla 880.
1966
26e72755
PP
1967PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
1968 This is now consistent with GnuTLS, and is now documented: the
1969 previous undocumented portable approach to treating the option as
1970 unset was to force an expansion failure. That still works, and
1971 an empty string is now equivalent.
1972
0fbd9bff
PP
1973PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
1974 clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
1975 not performing validation itself.
1976
700d22f3
PP
1977PP/20 Added force_command boolean option to pipe transport.
1978 Patch from Nick Koston, of cPanel Inc.
1979
fcc8e047
JH
1980JH/15 AUTH support on callouts (and hence cutthrough-deliveries).
1981 Bugzilla 321, 823.
1982
4c04137d 1983TF/04 Added udpsend ACL modifier and hexquote expansion operator
7142daca 1984
8c020188
PP
1985PP/21 Fix eximon continuous updating with timestamped log-files.
1986 Broken in a format-string cleanup in 4.80, missed when I repaired the
1987 other false fix of the same issue.
1988 Report and fix from Heiko Schlichting.
1989 Bugzilla 1363.
1990
d13cdd30
PP
1991PP/22 Guard LDAP TLS usage against Solaris LDAP variant.
1992 Report from Prashanth Katuri.
1993
e2fbf4a2
PP
1994PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options.
1995 It's SecureTransport, so affects any MacOS clients which use the
1996 system-integrated TLS libraries, including email clients.
1997
f4c1088b
PP
1998PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if
1999 using a MIME ACL for non-SMTP local injection.
2000 Report and assistance in diagnosis by Warren Baker.
2001
c5c2182f
PP
2002TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver.
2003
73431ca9
JH
2004JH/16 Fix comparisons for 64b. Bugzilla 1385.
2005
2d07a215
TL
2006TL/09 Add expansion variable $authenticated_fail_id to keep track of
2007 last id that failed so it may be referenced in subsequent ACL's.
2008
a30a8861
TL
2009TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
2010 Alexander Miroch.
2011
33382dd9
TL
2012TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
2013 ldap library initialization, allowing self-signed CA's to be
2014 used. Also properly sets require_cert option later in code by
2015 using NULL (global ldap config) instead of ldap handle (per
2016 session). Bug diagnosis and testing by alxgomz.
6d7c6175 2017
046172e6
TL
2018TL/12 Enhanced documentation in the ratelimit.pl script provided in
2019 the src/util/ subdirectory.
2020
581d7bee 2021TL/13 Bug 1031 - Imported transport SQL logging patch from Axel Rau
1a7b746d 2022 renamed to Transport Post Delivery Action by Jeremy Harris, as
9bdd29ad
TL
2023 EXPERIMENTAL_TPDA.
2024
2025TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled
2026 when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable
2027 redis_servers = needs to be configured which will be used by the redis
2028 lookup. Patch from Warren Baker, of The Packet Hub.
2029
237b2cf2
TL
2030TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall.
2031
9fc5a352
TL
2032TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a
2033 hostname or reverse DNS when processing a host list. Used suggestions
2034 from multiple comments on this bug.
1a7b746d 2035
b10e4ec2
TL
2036TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey.
2037
e2cebd74
TL
2038TL/18 Had previously added a -CONTINUE option to runtest in the test suite.
2039 Missed a few lines, added it to make the runtest require no keyboard
2040 interaction.
2041
2042TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite
2043 contains upper case chars. Make router use caseful_local_part.
2044
2519e60d
TL
2045TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS
2046 support when GnuTLS has been built with p11-kit.
2047
e78e6ecf 2048
4263f395
PP
2049Exim version 4.80.1
-------------------

PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
      CVE-2012-5671
      This, or similar/improved, will also be change PP/11 of 4.82.


Exim version 4.80
-----------------

PP/01 Handle short writes when writing local log-files.
      In practice, only affects FreeBSD (8 onwards).
      Bugzilla 1053, with thanks to Dmitry Isaikin.

NM/01 Bugzilla 949 - Documentation tweak

NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps
      improved.

NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs.

PP/02 Implemented gsasl authenticator.

PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option.

PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
      `pkg-config foo` for cflags/libs.

PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
      with rest of GSASL and with heimdal_gssapi.

PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
      `pkg-config foo` for cflags/libs for the TLS implementation.

PP/07 New expansion variable $tls_bits; Cyrus SASL server connection
      properties get this fed in as external SSF. A number of robustness
      and debugging improvements to the cyrus_sasl authenticator.

PP/08 cyrus_sasl server now expands the server_realm option.

PP/09 Bugzilla 1214 - Log authentication information in reject log.
      Patch by Jeremy Harris.

PP/10 Added dbmjz lookup type.

PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid.

PP/12 MAIL args handles TAB as well as SP, for better interop with
      non-compliant senders.
      Analysis and variant patch by Todd Lyons.

NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
      Bug report from Lars Müller <lars@samba.org> (via SUSE),
      Patch from Dirk Mueller <dmueller@suse.com>

PP/13 tls_peerdn now print-escaped for spool files.
      Observed some $tls_peerdn in wild which contained \n, which resulted
      in spool file corruption.

PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
      values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
      or write after TLS renegotiation, which otherwise led to messages
      "Got SSL error 2".

TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted
      as a tracking header (ie: a signed header comes before the signature).
      Patch from Wolfgang Breyha.

JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
      comma-sep list; embedded commas doubled.

JH/02 Refactored ACL "verify =" logic to table-driven dispatch.

PP/15 LDAP: Check for errors of TLS initialisation, to give correct
      diagnostics.
      Report and patch from Dmitry Banschikov.

PP/16 Removed "dont_insert_empty_fragments" from "openssl_options".
      Removed SSL_clear() after SSL_new() which led to protocol negotiation
      failures. We appear to now support TLS1.1+ with Exim.

PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
      lets Exim select keys and certificates based upon TLS SNI from client.
      Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly
      before an outbound SMTP session. New log_selector, +tls_sni.

PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid
      NULL dereference. Report and patch from Alun Jones.

PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage
      on less well tested platforms). Obviates NetBSD pkgsrc patch-ac.
      Not seeing resolver debug output on NetBSD, but suspect this is a
      resolver implementation change.

PP/20 Revert part of NM/04, it broke log_path containing %D expansions.
      Left warnings. Added "eximon gdb" invocation mode.

PP/21 Defaulting "accept_8bitmime" to true, not false.

PP/22 Added -bw for inetd wait mode support.

PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
      locate the relevant includes and libraries. Made this the default.

PP/24 Fixed headers_only on smtp transports (was not sending trailing dot).
      Bugzilla 1246, report and most of solution from Tomasz Kusy.

JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
      This may cause build issues on older platforms.

PP/25 Revamped GnuTLS support, passing tls_require_ciphers to
      gnutls_priority_init, ignoring Exim options gnutls_require_kx,
      gnutls_require_mac & gnutls_require_protocols (no longer supported).
      Added SNI support via GnuTLS too.
      Made ${randint:..} supplier available, if using not-too-old GnuTLS.

PP/26 Added EXPERIMENTAL_OCSP for OpenSSL.

PP/27 Applied dnsdb SPF support patch from Janne Snabb.
      Applied second patch from Janne, implementing suggestion to default
      multiple-strings-in-record handling to match SPF spec.

JH/04 Added expansion variable $tod_epoch_l for a higher-precision time.

PP/28 Fix DCC dcc_header content corruption (stack memory referenced,
      read-only, out of scope).
      Patch from Wolfgang Breyha, report from Stuart Northfield.

PP/29 Fix three issues highlighted by clang analyser static analysis.
      Only crash-plausible issue would require the Cambridge-specific
      iplookup router and a misconfiguration.
      Report from Marcin Mirosław.

PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy.

PP/31 %D in printf continues to cause issues (-Wformat=security), so for
      now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
      As part of this, removing so much warning spew let me fix some minor
      real issues in debug logging.

PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing
      assignment on my part. Fixed.

PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit
      of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by
      Janne Snabb (who went above and beyond: thank you).

PP/34 Validate tls_require_ciphers on startup, since debugging an invalid
      string otherwise requires a connection and a bunch more work and it's
      relatively easy to get wrong. Should also expose TLS library linkage
      problems.

PP/35 Pull in <features.h> on Linux, for some portability edge-cases of
      64-bit ${eval} (JH/03).

PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of
      GNU libc to support some of the 64-bit stuff, should not lead to
      conflicts. Defined before os.h is pulled in, so if a given platform
      needs to override this, it can.

PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought
      protection layer was required, which is not implemented.
      Bugzilla 1254, patch from Wolfgang Breyha.

PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built
      into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make
      tls_dhparam take prime identifiers. Also unbreak combination of
      OpenSSL+DH_params+TLSSNI.

PP/39 Disable SSLv2 by default in OpenSSL support.


Exim version 4.77
-----------------

PP/01 Solaris build fix for Oracle's LDAP libraries.
      Bugzilla 1109, patch from Stephen Usher.

TF/01 HP/UX build fix: avoid arithmetic on a void pointer.

TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o
      whitespace trailer

TF/02 Fix a couple more cases where we did not log the error message
      when unlink() failed. See also change 4.74-TF/03.

TF/03 Make the exiwhat support code safe for signals. Previously Exim might
      lock up or crash if it happened to be inside a call to libc when it
      got a SIGUSR1 from exiwhat.

      The SIGUSR1 handler appends the current process status to the process
      log which is later printed by exiwhat. It used to use the general
      purpose logging code to do this, but several functions it calls are
      not safe for signals.

      The new output code in the SIGUSR1 handler is specific to the process
      log, and simple enough that it's easy to inspect for signal safety.
      Removing some special cases also simplifies the general logging code.
      Removing the spurious timestamps from the process log simplifies
      exiwhat.

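The approach TF/03 describes, as an added C example that is not Exim's source: the status line is formatted in normal context, and the SIGUSR1 handler calls only open(), write() and close(), which POSIX lists as async-signal-safe. All names (set_status, install_usr1_handler, read_log) and the scratch log path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* All names are hypothetical; this is not Exim's source. */
static char log_path[256];                 /* set once, before the handler is installed */
static char status_line[128];              /* formatted outside the handler */
static volatile sig_atomic_t status_len;   /* bytes of status_line to write */

/* Normal context: snprintf() is fine here. SIGUSR1 is blocked while the
   buffer changes so the handler never sees a half-written line. */
static void set_status(const char *text)
{
  sigset_t block, old;
  sigemptyset(&block);
  sigaddset(&block, SIGUSR1);
  sigprocmask(SIG_BLOCK, &block, &old);
  int n = snprintf(status_line, sizeof status_line, "%5d %s\n",
                   (int)getpid(), text);
  if (n < 0) n = 0;
  if ((size_t)n >= sizeof status_line)     /* truncated: keep the newline */
    {
    n = (int)sizeof status_line - 1;
    status_line[n - 1] = '\n';
    }
  status_len = n;
  sigprocmask(SIG_SETMASK, &old, NULL);
}

/* Signal context: only open(), write() and close(), all async-signal-safe.
   No stdio, no malloc, no time formatting; errno is saved and restored. */
static void usr1_handler(int sig)
{
  int saved_errno = errno;
  (void)sig;
  int fd = open(log_path, O_WRONLY | O_APPEND | O_CREAT, 0640);
  if (fd >= 0)
    {
    const char *p = status_line;
    size_t left = (size_t)status_len;
    while (left > 0)
      {
      ssize_t n = write(fd, p, left);
      if (n < 0 && errno == EINTR) continue;   /* interrupted: retry */
      if (n < 0) break;                        /* give up quietly */
      p += n;
      left -= (size_t)n;
      }
    close(fd);
    }
  errno = saved_errno;
}

/* Record the log path and install the handler; returns 0 on success. */
static int install_usr1_handler(const char *path)
{
  if (strlen(path) >= sizeof log_path) return -1;
  strcpy(log_path, path);
  struct sigaction sa;
  memset(&sa, 0, sizeof sa);
  sa.sa_handler = usr1_handler;
  sigemptyset(&sa.sa_mask);
  sa.sa_flags = SA_RESTART;
  return sigaction(SIGUSR1, &sa, NULL);
}

/* Read the log back (what a reporting tool would do); returns bytes read. */
static int read_log(const char *path, char *buf, size_t len)
{
  int fd = open(path, O_RDONLY);
  if (fd < 0) return -1;
  ssize_t n = read(fd, buf, len - 1);
  close(fd);
  if (n < 0) return -1;
  buf[n] = '\0';
  return (int)n;
}

int main(void)
{
  char path[] = "/tmp/process-log-XXXXXX";    /* constructed scratch file */
  char buf[256];
  int fd = mkstemp(path);
  if (fd < 0 || install_usr1_handler(path) != 0) return 1;
  close(fd);
  set_status("delivering 1abcde-000001-AB");  /* constructed status text */
  raise(SIGUSR1);                             /* handler runs before raise() returns */
  if (read_log(path, buf, sizeof buf) > 0) fputs(buf, stdout);
  unlink(path);
  return 0;
}
```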
TF/04 Improved ratelimit ACL condition.

      The /noupdate option has been deprecated in favour of /readonly which
      has clearer semantics. The /leaky, /strict, and /readonly update modes
      are mutually exclusive. The update mode is no longer included in the
      database key; it just determines when the database is updated. (This
      means that when you upgrade Exim will forget old rate measurements.)

      Exim now checks that the per_* options are used with an update mode that
      makes sense for the current ACL. For example, when Exim is processing a
      message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify
      per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you
      must specify per_mail/readonly. If you omit the update mode it defaults to
      /leaky where that makes sense (as before) or /readonly where required.

      The /noupdate option is now undocumented but still supported for
      backwards compatibility. It is equivalent to /readonly except that in
      ACLs where /readonly is required you may specify /leaky/noupdate or
      /strict/noupdate which are treated the same as /readonly.

      A useful new feature is the /count= option. This is a generalization
      of the per_byte option, so that you can measure the throughput of other
      aggregate values. For example, the per_byte option is now equivalent
      to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }.

      The per_rcpt option has been generalized using the /count= mechanism
      (though it's more complicated than the per_byte equivalence). When it is
      used in acl_smtp_rcpt, the per_rcpt option adds recipients to the
      measured rate one at a time; if it is used later (e.g. in acl_smtp_data)
      or in a non-SMTP ACL it adds all the recipients in one go. (The latter
      /count=$recipients_count behaviour used to work only in non-SMTP ACLs.)
      Note that using per_rcpt with a non-readonly update mode in more than
      one ACL will cause the recipients to be double-counted. (The per_mail
      and per_byte options don't have this problem.)

      The handling of very low rates has changed slightly. If the computed rate
      is less than the event's count (usually one) then this event is the first
      after a long gap. In this case the rate is set to the same as this event's
      count, so that the first message of a spam run is counted properly.

      The major new feature is a mechanism for counting the rate of unique
      events. The new per_addr option counts the number of different
      recipients that someone has sent messages to in the last time period. It
      behaves like per_rcpt if all the recipient addresses are different, but
      duplicate recipient addresses do not increase the measured rate. Like
      the /count= option this is a general mechanism, so the per_addr option
      is equivalent to per_rcpt/unique=$local_part@$domain. You can, for
      example, measure the rate that a client uses different sender addresses
      with the options per_mail/unique=$sender_address. There are further
      details in the main documentation.

TF/05 Removed obsolete $Cambridge$ CVS revision strings.

TF/06 Removed a few PCRE remnants.

TF/07 Automatically extract Exim's version number from tags in the git
      repository when doing development or release builds.

PP/02 Raise smtp_cmd_buffer_size to 16kB.
      Bugzilla 879. Patch from Paul Fisher.

PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
      Heavily based on revision 40f9a89a from Simon Arlott's tree.
      Bugzilla 97.

PP/04 Use .dylib instead of .so for dynamic library loading on MacOS.

PP/05 Variable $av_failed, true if the AV scanner deferred.
      Bugzilla 1078. Patch from John Horne.

PP/06 Stop make process more reliably on build failure.
      Bugzilla 1087. Patch from Heiko Schlittermann.

PP/07 Make maildir_use_size_file an _expandable_ boolean.
      Bugzilla 1089. Patch from Heiko Schlittermann.

PP/08 Handle ${run} returning more data than OS pipe buffer size.
      Bugzilla 1131. Patch from Holger Weiß.

PP/09 Handle IPv6 addresses with SPF.
      Bugzilla 860. Patch from Wolfgang Breyha.

PP/10 GnuTLS: support TLS 1.2 & 1.1.
      Bugzilla 1156.
      Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
      Bugzilla 1095.

PP/11 match_* no longer expand right-hand-side by default.
      New compile-time build option, EXPAND_LISTMATCH_RHS.
      New expansion conditions, "inlist", "inlisti".

PP/12 fix uninitialised greeting string from PP/03 (smtps client support).

PP/13 shell and compiler warnings fixes for RC1-RC4 changes.

PP/14 fix log_write() format string regression from TF/03.
      Bugzilla 1152. Patch from Dmitry Isaikin.


Exim version 4.76
-----------------

PP/01 The new ldap_require_cert option would segfault if used. Fixed.

PP/02 Harmonised TLS library version reporting; only show if debugging.
      Layout now matches that introduced for other libraries in 4.74 PP/03.

PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1

PP/04 New "dns_use_edns0" global option.

PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
      Bugzilla 1098.

PP/06 Extra paranoia around buffer usage at the STARTTLS transition.
      nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316

TK/01 Updated PolarSSL code to 0.14.2.
      Bugzilla 1097. Patch from Andreas Metzler.

PP/07 Catch divide-by-zero in ${eval:...}.
      Fixes bugzilla 1102.

PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed.
      Bugzilla 1104.

TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a
      format-string attack -- SECURITY: remote arbitrary code execution.

TK/03 SECURITY - DKIM signature header parsing was double-expanded, second
      time unintentionally subject to list matching rules, letting the header
      cause arbitrary Exim lookups (of items which can occur in lists, *not*
      arbitrary string expansion). This allowed for information disclosure.

PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
      INT_MIN/-1 -- value coerced to INT_MAX.


Exim version 4.75
-----------------

NM/01 Workaround for PCRE version dependency in version reporting
      Bugzilla 1073

TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0.
      This fixes portability to compilers other than gcc, notably
      Solaris CC and HP-UX CC. Fixes Bugzilla 1050.

TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup
      makefiles for portability to HP-UX and POSIX correctness.

PP/01 Permit LOOKUP_foo enabling on the make command-line.
      Also via indented variable definition in the Makefile.
      (Debugging by Oliver Heesakkers).

PP/02 Restore caching of spamd results with expanded spamd_address.
      Patch from author of expandable spamd_address patch, Wolfgang Breyha.

PP/03 Build issue: lookups-Makefile now exports LC_ALL=C
      Improves build reliability. Fix from: Frank Elsner

NM/02 Fix wide character breakage in the rfc2047 coding
      Fixes bug 1064. Patch from Andrey N. Oktyabrski

NM/03 Allow underscore in dnslist lookups
      Fixes bug 1026. Patch from Graeme Fowler

PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps).
      Code patches from Adam Ciarcinski of NetBSD.

NM/04 Fixed exiqgrep to cope with mailq missing size issue
      Fixes bug 943.

PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which
      is logged, to avoid truncation. Patch from John Horne.

PP/06 Bugzilla 1042: implement freeze_signal on pipe transports.
      Patch from Jakob Hirsch.

PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal
      SQL string expansion failure details.
      Patch from Andrey Oktyabrski.

PP/08 Bugzilla 486: implement %M datestamping in log filenames.
      Patch from Simon Arlott.

PP/09 New lookups functionality failed to compile on old gcc which rejects
      extern declarations in function scope.
      Patch from Oliver Fleischmann

PP/10 Use sig_atomic_t for flags set from signal handlers.
      Check getgroups() return and improve debugging.
      Fix developed for diagnosis in bug 927 (which turned out to be
      a kernel bug).

PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag.
      Patch from Mark Zealey.

PP/12 Bugzilla 1056: Improved spamd server selection.
      Patch from Mark Zealey.

PP/13 Bugzilla 1086: Deal with maildir quota file races.
      Based on patch from Heiko Schlittermann.

PP/14 Bugzilla 1019: DKIM multiple signature generation fix.
      Patch from Uwe Doering, sign-off by Michael Haardt.

NM/05 Fix to spam.c to accommodate older gcc versions which dislike
      variable declaration deep within a block. Bug and patch from
      Dennis Davis.

PP/15 lookups-Makefile IRIX compatibility coercion.

PP/16 Make DISABLE_DKIM build knob functional.

NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler
      Patch by Simon Arlott

TF/03 Fix valgrind.h portability to C89 compilers that do not support
      variable argument macros. Our copy now differs from upstream.


Exim version 4.74
-----------------

TF/01 Failure to get a lock on a hints database can have serious
      consequences so log it to the panic log.

TF/02 Log LMTP confirmation messages in the same way as SMTP,
      controlled using the smtp_confirmation log selector.

TF/03 Include the error message when we fail to unlink a spool file.

DW/01 Bugzilla 139: Support dynamically loaded lookups as modules.
      With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux
      for maintaining out-of-tree patches for some time.

PP/01 Bugzilla 139: Documentation and portability issues.
      Avoid GNU Makefile-isms, let Exim continue to build on BSD.
      Handle per-OS dynamic-module compilation flags.

PP/02 Let /dev/null have normal permissions.
      The 4.73 fixes were a little too stringent and complained about the
      permissions on /dev/null. Exempt it from some checks.
      Reported by Andreas M. Kirchwitz.

PP/03 Report version information for many libraries, including
      Exim version information for dynamically loaded libraries. Created
      version.h, now support a version extension string for distributors
      who patch heavily. Dynamic module ABI change.

PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
      privilege escalation vulnerability whereby the Exim run-time user
      can cause root to append content of the attacker's choosing to
      arbitrary files.

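The class of fix named in 4.74 PP/04, as an added C example that is not Exim's source: every step of the privilege drop is checked and then verified, and the child process that appends to a file exits without opening it if the drop did not succeed. The names drop_checked and append_as and the scratch path are assumptions, and supplementary groups (setgroups) are not handled here.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern being fixed discards both results:
     setgid(gid); setuid(uid);
   If either call fails, execution continues under the old identity.
   All names below are hypothetical; this is not Exim's source. */

/* Returns 0 only when the process verifiably runs as uid/gid. */
static int drop_checked(uid_t uid, gid_t gid)
{
  /* Group first: once the uid is unprivileged, setgid() may be refused. */
  if (setgid(gid) != 0) return -1;
  if (setuid(uid) != 0) return -1;

  /* Do not rely on the return value alone; confirm real and effective ids. */
  if (getgid() != gid || getegid() != gid) return -1;
  if (getuid() != uid || geteuid() != uid) return -1;

  /* A complete drop to a non-root uid cannot be undone. */
  if (uid != 0 && setuid(0) == 0) return -1;
  return 0;
}

/* Append text to path from a child that has dropped to uid/gid.
   Returns 0 if the drop was verified and the write completed, else -1.
   On a failed drop the child exits without opening the file. */
static int append_as(uid_t uid, gid_t gid, const char *path, const char *text)
{
  int status;
  pid_t pid = fork();
  if (pid < 0) return -1;

  if (pid == 0)
    {
    if (drop_checked(uid, gid) != 0) _exit(2);
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) _exit(3);
    size_t len = strlen(text);
    ssize_t n = write(fd, text, len);
    close(fd);
    _exit(n == (ssize_t)len ? 0 : 4);
    }

  while (waitpid(pid, &status, 0) < 0)
    if (errno != EINTR) return -1;
  return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
  char path[] = "/tmp/drop-demo-XXXXXX";   /* constructed scratch file */
  int fd = mkstemp(path);
  if (fd < 0) return 1;
  close(fd);

  int rc = append_as(getuid(), getgid(), path, "appended after verified drop\n");
  printf("append as own uid: %s\n", rc == 0 ? "ok" : "refused");
  unlink(path);
  return rc == 0 ? 0 : 1;
}
```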
PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code.
      (Wolfgang Breyha)

PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
      If dropping privileges for untrusted macros, we disabled normal logging
      on the basis that it would fail; for the Exim run-time user, this is not
      the case, and it resulted in successful deliveries going unlogged.
      Fixed. Reported by Andreas Metzler.


Exim version 4.73
ed7f7860 2518-----------------
97fd1e48
PP
2519
2520PP/01 Date: & Message-Id: revert to normally being appended to a message,
2521 only prepend for the Resent-* case. Fixes regression introduced in
2522 Exim 4.70 by NM/22 for Bugzilla 607.
2523
6901c596
PP
2524PP/02 Include check_rfc2047_length in configure.default because we're seeing
2525 increasing numbers of administrators be bitten by this.
2526
a8c8d6b5
JJ
2527JJ/01 Added DISABLE_DKIM and comment to src/EDITME
2528
77bb000f
PP
2529PP/03 Bugzilla 994: added openssl_options main configuration option.
2530
a29e5231
PP
2531PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads.
2532
ec5a0394 2533PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports.
a29e5231 2534
55c75993
PP
2535PP/06 Adjust NTLM authentication to handle SASL Initial Response.
2536
453a6645 2537PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but
ec5a0394
PP
2538 without a peer certificate, leading to a segfault because of an
2539 assumption that peers always have certificates. Be a little more
453a6645
PP
2540 paranoid. Problem reported by Martin Tscholak.
2541
8544e77a
PP
2542PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
2543 filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
2544 NB: ClamAV planning to remove STREAM in "middle of 2010".
3346ab01
PP
2545 CL also introduces -bmalware, various -d+acl logging additions and
2546 more caution in buffer sizes.
8544e77a 2547
83e029d5
PP
2548PP/09 Implemented reverse_ip expansion operator.
2549
ed7f7860
PP
2550PP/10 Bugzilla 937: provide a "debug" ACL control.
2551
7d9f747b
PP
2552PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne.
2553
4b2241d2
PP
2554PP/12 Bugzilla 973: Implement --version.
2555
10385c15
PP
2556PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0.
2557
dbc4b90d
PP
2558PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
2559
532be449
PP
2560PP/15 Bugzilla 816: support multiple condition rules on Routers.
2561
6a8de854 2562PP/16 Add bool_lax{} expansion operator and use that for combining multiple
71265ae9
PP
2563 condition rules, instead of bool{}. Make both bool{} and bool_lax{}
2564 ignore trailing whitespace.
6a8de854 2565
5dc43717
JJ
2566JJ/02 prevent non-panic DKIM error from being sent to paniclog
2567
2568JJ/03 added tcp_wrappers_daemon_name to allow host entries other than
2569 "exim" to be used
55c75993 2570
PP/17 Fix malware regression for cmdline scanner introduced in PP/08.
      Notification from Dr Andrew Aitchison.

PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's
      ExtendedDetectionInfo response format.
      Notification from John Horne.

PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards
      compatible.

PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http:
      XSL and documented dependency on system catalogs, with examples of how
      it normally works.

DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store
      access.

DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour
      of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a
      configuration file which is writeable by the Exim user or group.

DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
      of configuration files to cover files specified with the -C option if
      they are going to be used with root privileges, not just the default
      configuration file.

DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY
      option (effectively making it always true).

DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
      files to be used while preserving root privileges.

DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
      that rogue child processes cannot use them.

PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim
      run-time user, instead of root.

PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the
      Exim run-time user without dropping privileges.

DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the
      result string, instead of calling string_vformat() twice with the same
      arguments.

DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not
      for other users. Others should always drop root privileges if they use
      -C on the command line, even for a whitelisted configure file.

DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes.

NM/01 Fixed bug #1002 - Message loss when using multiple deliveries


Exim version 4.72
-----------------

JJ/01 installed exipick 20100104.1, adding $max_received_linelength,
      $data_path, and $header_path variables; fixed documentation bugs and
      typos

JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow
      exipick to access non-standard spools, including the "frozen" queue
      (Finput)

NM/01 Bugzilla 965: Support mysql stored procedures.
      Patch from Alain Williams

NM/02 Bugzilla 961: Spacing fix (syntax error) on Makefile directives for NetBSD

NM/03 Bugzilla 955: Documentation fix for max_rcpts.
      Patch from Andreas Metzler

NM/04 Bugzilla 954: Fix for unknown responses from Dovecot authenticator.
      Patch from Kirill Miazine

NM/05 Bugzilla 671: Added umask to procmail example.

JJ/03 installed exipick 20100323.0, fixing doc bug

NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail
      directory. Notification and patch from Dan Rosenberg.

TK/01 PDKIM: Upgrade PolarSSL files to upstream version 0.12.1.

TK/02 Improve log output when DKIM signing operation fails.

MH/01 Treat the transport option dkim_domain as a colon separated
      list, not as a single string, and sign the message with each element,
      omitting multiple occurrences of the same signer.

NM/07 Null terminate DKIM strings, Null initialise DKIM variable
      Bugzilla 985, 986. Patch by Simon Arlott

NM/08 Bugzilla 967. dnsdb DNS TXT record bug fix (DKIM-related)
      Patch by Simon Arlott

PP/01 Bugzilla 989: CVE-2010-2024 - work round race condition on
      MBX locking. Notification from Dan Rosenberg.


Exim version 4.71
-----------------

TK/01 Bugzilla 912: Fix DKIM segfault on empty headers/body.

NM/01 Bugzilla 913: Documentation fix for gnutls_* options.

NM/02 Bugzilla 722: Documentation for randint. Better randomness defaults.

NM/03 Bugzilla 847: Enable DNSDB lookup by default.

NM/04 Bugzilla 915: Flag broken perl installation during build.


Exim version 4.70
-----------------

TK/01 Added patch by Johannes Berg that expands the main option
      "spamd_address" if it starts with a dollar sign.

TK/02 Write list of recipients to X-Envelope-Sender header when building
      the mbox-format spool file for content scanning (suggested by Jakob
      Hirsch).

TK/03 Added patch by Wolfgang Breyha that adds experimental DCC
      (http://www.dcc-servers.net/) support via dccifd. Activated by
      setting EXPERIMENTAL_DCC=yes in Local/Makefile.

TK/04 Bugzilla 673: Add f-protd malware scanner support. Patch submitted
      by Mark Daniel Reidel <mr@df.eu>.

NM/01 Bugzilla 657: Embedded PCRE removed from the exim source tree.
      When building exim an external PCRE library is now needed -
      PCRE is a system library on the majority of modern systems.
      See entry on PCRE_LIBS in EDITME file.

NM/02 Bugzilla 646: Removed unwanted C/R in Dovecot authenticator
      conversation. Added nologin parameter to request.
      Patch contributed by Kirill Miazine.

TF/01 Do not log submission mode rewrites if they do not change the address.

TF/02 Bugzilla 662: Fix stack corruption before exec() in daemon.c.

NM/03 Bugzilla 602: exicyclog now handles panic log, and creates empty
      log files in place. Contributed by Roberto Lima.

NM/04 Bugzilla 667: Close socket used by dovecot authenticator.

TF/03 Bugzilla 615: When checking the local_parts router precondition
      after a local_part_suffix or local_part_prefix option, Exim now
      does not use the address's named list lookup cache, since this
      contains cached lookups for the whole local part.

NM/05 Bugzilla 521: Integrated SPF Best Guess support contributed by
      Robert Millan. Documentation is in experimental-spec.txt.

TF/04 Bugzilla 668: Fix parallel build (make -j).

NM/05.2 Bugzilla 437: Prevent Maildir aux files being created with mode 000.

NM/05.3 Bugzilla 598: Improvement to Dovecot authenticator handling.
      Patch provided by Jan Srzednicki.

TF/05 Leading white space used to be stripped from $spam_report which
      wrecked the formatting. Now it is preserved.

TF/06 Save $spam_score, $spam_bar, and $spam_report in spool files, so
      that they are available at delivery time.

TF/07 Fix the way ${extract is skipped in the untaken branch of a conditional.

TF/08 TLS error reporting now respects the incoming_interface and
      incoming_port log selectors.

TF/09 Produce a more useful error message if an SMTP transport's hosts
      setting expands to an empty string.

NM/06 Bugzilla 744: EXPN did not work under TLS.
      Patch provided by Phil Pennock.

NM/07 Bugzilla 769: Extraneous comma in usage fprintf
      Patch provided by Richard Godbee.

NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be
      acl_smtp_notquit, added index entry.

NM/09 Bugzilla 787: Potential buffer overflow in string_format.
      Patch provided by Eugene Bujak.

NM/10 Bugzilla 770: Problem on some platforms modifying the len parameter to
      accept(). Patch provided by Maxim Dounin.

NM/11 Bugzilla 749: Preserve old behaviour of blanks comparing equal to zero.
      Patch provided by Phil Pennock.

NM/12 Bugzilla 497: Correct behaviour of exiwhat when no config exists.

NM/13 Bugzilla 590: Correct handling of Resent-Date headers.
      Patch provided by Brad "anomie" Jorsch.

NM/14 Bugzilla 622: Added timeout setting to transport filter.
      Patch provided by Dean Brooks.

TK/05 Add native DKIM support (does not depend on external libraries).

NM/15 Bugzilla 854: Removed code that symlinks to pcre as it's no longer useful.
      Patch provided by Graeme Fowler.

NM/16 Bugzilla 851: Documentation example syntax fix.

NM/17 Changed NOTICE file to remove references to embedded PCRE.

NM/18 Bugzilla 894: Fix issue with very long lines including comments in
      lsearch.

NM/19 Bugzilla 745: TLS version reporting.
      Patch provided by Phil Pennock.

NM/20 Bugzilla 167: bool: condition support.
      Patch provided by Phil Pennock.

NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken
      clients. Patch provided by Phil Pennock.

NM/22 Bugzilla 607: prepend (not append) Resent-Message-ID and Resent-Date.
      Patch provided by Brad "anomie" Jorsch.

NM/23 Bugzilla 687: Fix misparses in eximstats.
      Patch provided by Heiko Schlittermann.

NM/24 Bugzilla 688: Fix exiwhat to handle log_selector = +pid.
      Patch provided by Heiko Schlittermann.

NM/25 Bugzilla 727: Use transport mode as default mode for maildirsize file.
      plus update to original patch.

NM/26 Bugzilla 799: Documentation correction for ratelimit.

NM/27 Bugzilla 802: Improvements to local interface IP addr detection.
      Patch provided by David Brownlee.

NM/28 Bugzilla 807: Improvements to LMTP delivery logging.

NM/29 Bugzilla 862, 866, 875: Documentation bugfixes.

NM/30 Bugzilla 888: TLS documentation bugfixes.

NM/31 Bugzilla 896: Dovecot buffer overrun fix.

NM/32 Bugzilla 889: Change all instances of "expr" in shell scripts to "expr --"
      Unlike the original bugzilla I have changed all shell scripts in src tree.

NM/33 Bugzilla 898: Transport filter timeout fix.
      Patch by Todd Rinaldo.

NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches.
      Patch by Serge Demonchaux.

NM/35 Bugzilla 39: Base64 decode bug fixes.
      Patch by Jakob Hirsch.

NM/36 Bugzilla 909: Correct connect() call in dcc code.

NM/37 Bugzilla 910: Correct issue with relaxed/simple handling.

NM/38 Bugzilla 908: Removed NetBSD3 support as no longer needed.

NM/39 Bugzilla 911: Fixed MakeLinks build script.


Exim version 4.69
-----------------

TK/01 Add preliminary DKIM support. Currently requires a forked version of
      ALT-N's libdkim that I have put here:
      http://duncanthrax.net/exim-experimental/

      Note to Michael Haardt: I had to rename some vars in sieve.c. They
      were called 'true' and it seems that C99 defines that as a reserved
      keyword to be used with 'bool' variable types. That means you could
      not include C99-style headers which use bools without triggering
      build errors in sieve.c.

NM/01 Bugzilla 592: --help option is handled incorrectly if exim is invoked
      as mailq or other aliases. Changed the --help handling significantly
      to do what's expected. exim_usage() emits usage/help information.

SC/01 Added the -bylocaldomain option to eximstats.

NM/02 Bugzilla 619: Defended against bad data coming back from gethostbyaddr.

NM/03 Bugzilla 613: Documentation fix for acl_not_smtp.

NM/04 Bugzilla 628: PCRE update to 7.4 (work done by John Hall).


Exim version 4.68
-----------------

PH/01 Another patch from the Sieve maintainer.

PH/02 When an IPv6 address is converted to a string for single-key lookup
      in an address list (e.g. for an item such as "net24-dbm;/net/works"),
      dots are used instead of colons so that keys in lsearch files need not
      contain colons. This was done some time before quoting was made available
      in lsearch files. However, iplsearch files do require colons in IPv6 keys
      (notated using the quote facility) so as to distinguish them from IPv4
      keys. This meant that lookups for IP addresses in host lists did not work
      for iplsearch lookups.

      This has been fixed by arranging for IPv6 addresses to be expressed with
      colons if the lookup type is iplsearch. This is not incompatible, because
      previously such lookups could never work.

      The situation is now rather anomalous, since one *can* have colons in
      ordinary lsearch keys. However, making the change in all cases is
      incompatible and would probably break a number of configurations.

TK/01 Change PRVS address formatting scheme to reflect latest BATV draft
      version.

MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
      conversion specification without a maximum field width, thereby enabling
      a rogue spamd server to cause a buffer overflow. While nobody in their
      right mind would set up Exim to query an untrusted spamd server, an
      attacker that gains access to a server running spamd could potentially
      exploit this vulnerability to run arbitrary code as the Exim user.
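
As an added illustration of the MH/01 entry (not Exim's code): a bounded sscanf() parse of a spamd-style status line in C, with the unbounded pattern shown only in a comment. The struct, the function name parse_spamd_status, the buffer sizes and the sample line in main() are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define VERSION_MAX 15            /* longest version token accepted */
#define MESSAGE_MAX 31            /* longest status word accepted   */
#define STR2(x) #x
#define STR(x)  STR2(x)           /* turns VERSION_MAX into "15"    */

struct spamd_status {
    char version[VERSION_MAX + 1];
    int  code;
    char message[MESSAGE_MAX + 1];
};

/*
 * Unbounded pattern of the kind the entry describes (do not use):
 *
 *     char version[16];
 *     sscanf(line, "SPAMD/%s %d", version, &code);
 *
 * %s copies bytes until the next whitespace, so the peer, not the
 * buffer, decides how much is written.
 */

/* Parse "SPAMD/<version> <code> <message>". Returns 0 on success and -1
 * on malformed or over-long input; nothing is silently truncated. */
int parse_spamd_status(const char *line, struct spamd_status *out)
{
    int v_end = 0, m_end = 0;

    memset(out, 0, sizeof *out);
    /* Field widths are derived from the buffer sizes, one byte short
     * of each array so the terminating NUL always fits. */
    int n = sscanf(line,
                   "SPAMD/%" STR(VERSION_MAX) "s%n %3d %" STR(MESSAGE_MAX) "s%n",
                   out->version, &v_end, &out->code, out->message, &m_end);
    if (n != 3)
        return -1;
    /* The width stops the copy; these checks detect that it had to,
     * by requiring each token to end where the format says it should. */
    if (line[v_end] != ' ')
        return -1;
    if (line[m_end] != '\0' && line[m_end] != '\r' && line[m_end] != '\n')
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample input, not captured from a real server. */
    const char *line = "SPAMD/1.1 0 EX_OK\r\n";
    struct spamd_status st;

    if (parse_spamd_status(line, &st) != 0) {
        fprintf(stderr, "rejected status line\n");
        return 1;
    }
    printf("version=%s code=%d message=%s\n", st.version, st.code, st.message);
    return 0;
}
```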

TK/02 Bugzilla 502: Apply patch to make the SPF-Received: header use
      $primary_hostname instead of what libspf2 thinks the host's name is.

MH/02 The dsearch lookup now uses lstat(2) instead of stat(2) to look for
      a directory entry by the name of the lookup key. Previously, if a
      symlink pointed to a non-existing file or a file in a directory that
      Exim lacked permissions to read, a lookup for a key matching that
      symlink would fail. Now it is enough that a matching directory entry
      exists, symlink or not. (Bugzilla 503.)

PH/03 The body_linecount and body_zerocount variables are now exported in the
      local_scan API.

PH/04 Added the $dnslist_matched variable.

PH/05 Unset $tls_cipher and $tls_peerdn before making a connection as a client.
      This means they are set thereafter only if the connection becomes
      encrypted.

PH/06 Added the client_condition to authenticators so that some can be skipped
      by clients under certain conditions.

PH/07 The error message for a badly-placed control=no_multiline_responses left
      "_responses" off the end of the name.

PH/08 Added -Mvc to output a copy of a message in RFC 2822 format.

PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly
      (without spaces) instead of just copying the configuration text.

PH/10 Added the /noupdate option to the ratelimit ACL condition.

PH/11 Added $max_received_linelength.

PH/12 Added +ignore_defer and +include_defer to host lists.

PH/13 Installed PCRE version 7.2. This needed some changes because of the new
      way in which PCRE > 7.0 is built.

PH/14 Implemented queue_only_load_latch.

PH/15 Removed an incorrect (int) cast when reading the value of SIZE in a
      MAIL command. The effect was to mangle the value on 64-bit systems.

PH/16 Another patch from the Sieve maintainer.

PH/17 Added the NOTQUIT ACL, based on a patch from Ted Cooper.

PH/18 If a system quota error occurred while trying to create the file for
      a maildir delivery, the message "Mailbox is full" was not appended to the
      bounce if the delivery eventually timed out. Change 4.67/27 below applied
      only to a quota excession during the actual writing of the file.

PH/19 It seems that peer DN values may contain newlines (and other non-printing
      characters?) which causes problems in log lines. The DN values are now
      passed through string_printing() before being added to log lines.

PH/20 Added the "servers=" facility to MySQL and PostgreSQL lookups. (Oracle
      and InterBase are left for another time.)

PH/21 Added message_body_newlines option.

PH/22 Guard against possible overflow in moan_check_errorcopy().

PH/23 POSIX allows open() to be a macro; guard against that.

PH/24 If the recipient of an error message contained an @ in the local part
      (suitably quoted, of course), incorrect values were put in $domain and
      $local_part during the evaluation of errors_copy.


Exim version 4.67
-----------------

MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address
      is unset (happens when testing with -bh and -oMi isn't used). Thanks to
      Jan Srzednicki.

PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not
      issue a MAIL command.

PH/02 In an ACL statement such as

        deny dnslists = X!=127.0.0.2 : X=127.0.0.2

      if a client was not listed at all, or was listed with a value other than
      127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list,
      the condition was not true (as it should be), so access was not denied.
      The bug was that the ! inversion was incorrectly passed on to the second
      item. This has been fixed.

PH/03 Added additional dnslists conditions == and =& which are different from
      = and & when the dns lookup returns more than one IP address.

PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the
      cipher suites used by GnuTLS. These options are ignored by OpenSSL.

PH/05 After discussion on the list, added a compile time option
      ENABLE_DISABLE_FSYNC, which compiles an option called disable_fsync that
      allows for bypassing fsync(). The documentation is heavily laced with
      warnings.

SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket.

PH/06 Some tidies to the infrastructure of the Test Suite that is concerned
      with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT
      to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile,
      including adding "make clean"; (3) Added -fPIC when compiling the test
      dynamically loaded module, to get rid of a warning.

MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce
      message fails, move_frozen_messages = true and ignore_bounce_errors_after
      = 0s. The bug is otherwise harmless.

PH/07 There was a bug in the dovecot authenticator such that the value of
      $auth1 could be overwritten, and so not correctly preserved, after a
      successful authentication. This usually meant that the value preserved by
      the server_setid option was incorrect.

PH/08 Added $smtp_count_at_connection_start, deliberately with a long name.

PH/09 Installed PCRE release 7.0.

PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being
      run for batched SMTP input. It is now run at the start of every message
      in the batch. While fixing this I discovered that the process information
      (output by running exiwhat) was not always getting set for -bs and -bS
      input. This is fixed, and it now also says "batched" for BSMTP.

PH/11 Added control=no_pipelining.

PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's
      patch, slightly modified), and move the expansion of helo_data till after
      the connection is made in the smtp transport (so it can use these
      values).

PH/13 Added ${rfc2047d: to decode RFC 2047 strings.

PH/14 Added log_selector = +pid.

PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set.

PH/16 Add ${if forany and ${if forall.

PH/17 Added dsn_from option to vary the From: line in DSNs.

PH/18 Flush SMTP output before performing a callout, unless control =
      no_callout_flush is set.

PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender
      was true (the default) a successful delivery failed to delete the retry
      item, thus causing premature timeout of the address. The bug is now
      fixed.

PH/20 Added hosts_avoid_pipelining to the smtp transport.

PH/21 Long custom messages for fakedefer and fakereject are now split up
      into multiline responses in the same way that messages for "deny" and
      other ACL rejections are.

PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep,
      with slight modification.

PH/23 Applied sieve patches from the maintainer "tracking the latest notify
      draft, changing the syntax and factoring some duplicate code".

PH/24 When the log selector "outgoing_port" was set, the port was shown as -1
      for deliveries of the second and subsequent messages over the same SMTP
      connection.

PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and
      ${reduce, with only minor "tidies".

SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match.

PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its
      expansion side effects.

PH/27 When a message times out after an over-quota error from an Exim-imposed
      quota, the bounce message says "mailbox is full". This message was not
      being given when it was a system quota that was exceeded. It now should
      be the same.

MH/03 Made $recipients available in local_scan(). local_scan() already has
      better access to the recipient list through recipients_list[], but
      $recipients can be useful in postmaster-provided expansion strings.

PH/28 The $smtp_command and $smtp_command_argument variables were not correct
      in the case of a MAIL command with additional options following the
      address, for example: MAIL FROM:<foo@bar> SIZE=1234. The option settings
      were accidentally chopped off.

PH/29 SMTP synchronization checks are implemented when a command is read -
      there is a check that no more input is waiting when there shouldn't be
      any. However, for some commands, a delay in an ACL can mean that it is
      some time before the response is written. In this time, more input might
      arrive, invalidly. So now there are extra checks after an ACL has run for
      HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when
      pipelining has not been advertised.

PH/30 MH's patch to allow iscntrl() characters to be list separators.

PH/31 Unlike :fail:, a custom message specified with :defer: was not being
      returned in the SMTP response when smtp_return_error_details was false.
      This has been fixed.

PH/32 Change the Dovecot authenticator to use read() and write() on the socket
      instead of the C I/O that was originally supplied, because problems were
      reported on Solaris.

PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in
      Exim which did not show up earlier: it was assuming that a call to
      SSL_CTX_set_info_callback() might give an error value. In fact, there is
      no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback()
      was a macro that became an assignment, so it seemed to work. This has
      changed to a proper function call with a void return, hence the compile
      error. Exim's code has been fixed.

PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit
      cpus.

PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify".

PH/36 Applied John Jetmore's patch to add -v functionality to exigrep.

PH/37 If a message is not accepted after it has had an id assigned (e.g.
      because it turns out to be too big or there is a timeout) there is no
      "Completed" line in the log. When some messages of this type were
      selected by exigrep, they were listed as "not completed". Others were
      picked up by some special patterns. I have improved the selection
      criteria to be more general.

PH/38 The host_find_failed option in the manualroute router can now be set
      to "ignore", to completely ignore a host whose IP address cannot be
      found. If all hosts are ignored, the behaviour is controlled by the new
      host_all_ignored option.

PH/39 In a list of hosts for manualroute, if one item (either because of
      multi-homing or because of multiple MX records with /mx) generated more
      than one IP address, and the following item turned out to be the local
      host, all the secondary addresses of the first item were incorrectly
      removed from the list, along with the local host and any following hosts
      (which is what is supposed to happen).

ebeaf996
PH
3144PH/40 When Exim receives a message, it writes the login name, uid, and gid of
3145 whoever called Exim into the -H file. In the case of the daemon it was
3146 behaving confusingly. When first started, it used values for whoever
3147 started the daemon, but after a SIGHUP it used the Exim user (because it
3148 calls itself on a restart). I have changed the code so that it now always
3149 uses the Exim user.
3150
2679d413
PH
3151PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a
3152 message are rejected with the same error (e.g. no authentication or bad
3153 sender address), and a DATA command is nevertheless sent (as can happen
3154 with PIPELINING or a stupid MUA), the error message that was given to the
3155 RCPT commands is included in the rejection of the DATA command. This is
3156 intended to be helpful for MUAs that show only the final error to their
3157 users.
3158
84024b72
PH
3159PH/42 Another patch from the Sieve maintainer.
3160
8005d38e
SC
3161SC/02 Eximstats - Differentiate between permanent and temporary rejects.
3162 Eximstats - Fixed some broken HTML links and added missing column headers
3163 (Jez Hancock).
3164 Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email
3165 columns for Rejects, Temp Rejects, Ham, and Spam rows.
3166
3298c6c6
SC
3167SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables.
3168
a43a27c5
PH
3169PH/43 Yet another patch from the Sieve maintainer.
3170
PH/44 I found a way to check for a TCP/IP connection going away before sending
      the response to the final '.' that terminates a message, but only in the
      case where the client has not sent further data following the '.'
      (unfortunately, this is allowed). However, in many cases there won't be
      any further data because there won't be any more messages to send. A call
      to select() can be used: if it shows that the input is "ready", there is
      either input waiting, or the socket has been closed. An attempt to read
      the next input character can distinguish the two cases. Previously, Exim
      would have sent an OK response which the client would never have seen.
      This could lead to message repetition. This fix should cure that, at
      least in a lot of common cases.

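The check described in PH/44, as an added example that is not Exim's own code: a zero-timeout select() followed by a one-byte peek separates "input waiting" from "socket closed". The names check_peer and simulate are hypothetical, and a constructed socketpair stands in for the SMTP connection.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

enum peer_state { PEER_IDLE, PEER_HAS_DATA, PEER_GONE };

/* Poll fd without blocking. select() reports "ready" both for pending input
   and for a closed socket, so peek one byte to tell the two cases apart. */
enum peer_state check_peer(int fd)
{
    fd_set rfds;
    struct timeval tv = { 0, 0 };             /* zero timeout: poll only */
    char c; ssize_t n;

    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    if (select(fd + 1, &rfds, NULL, NULL, &tv) <= 0)
        return PEER_IDLE;                     /* not readable: nothing known */
    do n = recv(fd, &c, 1, MSG_PEEK);         /* the byte stays queued */
    while (n < 0 && errno == EINTR);
    return n > 0 ? PEER_HAS_DATA : PEER_GONE; /* 0 = EOF, <0 = error */
}

/* Constructed harness: a socketpair stands in for the SMTP connection.
   action 0: client waits, 1: client sends more data, 2: client closes.
   Returns a peer_state value, or -1 if the socketpair cannot be created. */
int simulate(int action)
{
    int sv[2];
    enum peer_state st;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (action == 1) send(sv[1], "MAIL FROM:<>\r\n", 14, 0);
    if (action == 2) close(sv[1]);
    st = check_peer(sv[0]);
    close(sv[0]);
    if (action != 2) close(sv[1]);
    return st;
}

int main(void)
{
    static const char *name[] = { "idle", "more data queued", "gone" };
    for (int a = 0; a < 3; a++) {
        int s = simulate(a);
        printf("action %d -> %s\n", a, s < 0 ? "socketpair failed" : name[s]);
    }
    return 0;
}
```
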
PH/45 Do not advertise STARTTLS in response to HELP unless it would be
      advertised in response to EHLO.


Exim version 4.66
-----------------

PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one
      fixed by 4.65/MH/01 (is this a record?) are fixed:

      (i)  An empty string was always treated as zero by the numeric comparison
           operators. This behaviour has been restored.

      (ii) It is documented that the numeric comparison operators always treat
           their arguments as decimal numbers. This was broken in that numbers
           starting with 0 were being interpreted as octal.

      While fixing these problems I realized that there was another issue that
      hadn't been noticed. Values of message_size_limit (both the global option
      and the transport option) were treated as octal if they started with 0.
      The documentation was vague. These values are now always treated as
      decimal, and I will make that clear in the documentation.


Exim version 4.65
-----------------

TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with
      Linux large file support (_FILE_OFFSET_BITS=64) on older glibc
      versions. (#438)

MH/01 Don't check that the operands of numeric comparison operators are
      integers when their expansion is in "skipping" mode (fixes bug
      introduced by 4.64-PH/07).

PH/01 If a system filter or a router generates more than SHRT_MAX (32767)
      child addresses, Exim now panics and dies. Previously, because the count
      is held in a short int, deliveries were likely to be lost. As such a
      large number of recipients for a single message is ridiculous
      (performance will be very, very poor), I have chosen to impose a limit
      rather than extend the field.


Exim version 4.64
-----------------

TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a
3230