PAM: fix crash in the pam expansion condition. Bug 2489
[exim.git] / doc / doc-txt / ChangeLog
CommitLineData
446415f5
HSHR
1This document describes *changes* to previous versions, that might
2affect Exim's operation, with an unchanged configuration file. For new
3options, and new features, see the NewStuff file next to this ChangeLog.
495ae4b0 4
4c57a40e 5
1d717e1c
JH
6Exim version 4.94
7-----------------
d85cdeb5
JH
8
9JH/01 Avoid costly startup code when not strictly needed. This reduces time
10 for some exim process initialisations. It does mean that the logging
11 of TLS configuration problems is only done for the daemon startup.
12
81344b40
JH
13JH/02 Early-pipelining support code is now included unless disabled in Makefile.
14
6ce1ece9
JH
15JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
16 RFC 8301. They can still be enabled, using the dkim_verify_hashes main
17 option.
18
179ed8c3
JH
19JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
20 DKIM signing is being done. Previously a transport_filter would always
21 disable CHUNKING, falling back to traditional DATA.
22
f0fe22cb
JH
23JH/05 Regard command-line receipients as tainted.
24
01446a56
JH
25JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
26
dcbfbada
FG
27JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
28 PAM library frees one of the arguments given to it, despite the
29 documentation. Therefore a plain malloc must be used.
30
d85cdeb5 31
40ed89b3
JH
32Exim version 4.93
33-----------------
34
8a40db1c
JH
35JH/01 OpenSSL: With debug enabled output keying information sufficient, server
36 side, to decode a TLS 1.3 packet capture.
40ed89b3 37
fc243e94 38JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
d7f31bb6
JH
39 Previously the default library behaviour applied, sending two, each in
40 its own TCP segment.
41
897024f1
JH
42JH/03 Debug output for ACL now gives the config file name and line number for
43 each verb.
44
f1be21cf
JH
45JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
46
fe12ec88
JH
47JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
48
05bf16f6
JH
49JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
50 buffer overrun for (non-chunking) other transports.
51
fc243e94
JH
52JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
53 TLS1.3, means that a server rejecting a client certificate is not visible
54 to the client until the first read of encrypted data (typically the
55 response to EHLO). Add detection for that case and treat it as a failed
56 TLS connection attempt, so that the normal retry-in-clear can work (if
57 suitably configured).
58
c05bdbd6 59JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
e2ff8e24
JB
60 and/or domain. Found and fixed by Jason Betts.
61
14bc9cf0
JH
62JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
63 configuration). If a CNAME target was not a wellformed name pattern, a
64 crash could result.
65
254f38d1
JH
66JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
67 the OS reports them interleaved with other addresses.
68
c09dbcfb
JH
69JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
70 used both for input and for a verify callout, both encrypted, SMTP
71 responses being sent by the server could be lost. This resulted in
72 dropped connections and sometimes bounces generated by a peer sending
73 to this system.
254f38d1 74
f9fc9427
JH
75JH/11 Harden plaintext authenticator against a badly misconfigured client-send
76 string. Previously it was possible to cause undefined behaviour in a
77 library routine (usually a crash). Found by "zerons".
78
e6024a5e
JH
79JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no
80 output.
81
1fbf41cd
JH
82JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old
83 API was removed, so update to use the newer ones.
84
3c55eef2 85JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
00c0dd4e 86 any timeout set, is taking a long time. Previously we would hang on to a
3c55eef2
JH
87 rotated logfile "forever" if the input was arriving with long gaps
88 (a previous attempt to fix addressed lack, for a long time, of initial
89 input).
90
cb80814d
HSHR
91HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
92 shared (NFS) environment. The length of the tempfile name is now
93 4 + 16 ("hdr.$message_exim_id") which might break on file
94 systems which restrict the file name length to lower values.
95 (It was "hdr.$pid".)
96
7d8d08c4 97HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
82a996b1
HSHR
98 shared (NFS) environment.
99
7d8d08c4 100HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
82a996b1
HSHR
101 did for all versions <4.90). Notably -M, -m, --invert, -I may be
102 affected.
103
bd83c6f9
JH
104JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
105 on some platforms for bit 31.
106
d9acfc1c
JH
107JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
108 to changes apparently associated with TLS1.3 handling some of the APIs
109 previously used were either nonfunctional or inappropriate. Strings
110 like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
111 and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
112 the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
113 This affects log line X= elements, the $tls_{in,out}_cipher variables,
114 and the use of specific cipher names in the encrypted= ACL condition.
115
b10c87b3
JH
116JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
117
7a501c87
JH
118JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
119 verification result was not updated unless hosts_require_ocsp applied.
120
e5903596
JH
121JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option
122 queue_list_requires_admin set to false, non-admin users were denied the
123 facility.
124
12d95aa6
JH
125JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
126 directory-of-certs mode. Previously they were advertised despite the
127 documentation.
128
96eb7d2a
JH
129JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
130 A single TCP connection by a client will now hold a TLS connection open
131 for multiple message deliveries, by default. Previoud the default was to
132 not do so.
133
59c0959a 134JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
01603eec
JH
135 default. If built with the facility, DANE will be used. The facility
136 SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
137
138JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
de517fd3
JH
139 is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
140 must be defined and you must still, unless you define DISABLE_TLS, manage
141 the the include-dir and library-file requirements that go with that
142 choice. Non-TLS builds are still supported.
59c0959a 143
48519cef
JH
144JH/24 Fix duplicated logging of peer name/address, on a transport connection-
145 reject under TFO.
96eb7d2a 146
efad2f41 147JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
4e48d56c 148 default. If the platform supports and has the facility enabled, it will
efad2f41
JH
149 be requested on all coneections.
150
4e48d56c
JH
151JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
152 controlled by the build-time option SUPPORT_PIPE_CONNECT.
153
6ee11061 154PP/01 Unbreak heimdal_gssapi, broken in 4.92.
0a5441fc 155
87abcb24
JH
156JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
157 success-DSN messages. Previously the From: header was always the default
158 one for these; the option was ignored.
6ee11061 159
0a5441fc
JH
160JH/28 Fix the timeout on smtp response to apply to the whole response.
161 Previously it was reset for every read, so a teergrubing peer sending
162 single bytes within the time limit could extend the connection for a
163 long time. Credit to Qualsys Security Advisory Team for the discovery.
164
436bda2a
JH
165JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing
166 delivery address, which leaked information of the results of local
167 forwarding. Change to the original envelope recipient address, per
168 standards.
169
df98a6ff
JH
170JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
171 requested. Previously not bounce was generated and a log entry of
172 error ignored was made.
173
21aa0597
JH
174JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)
175
f3ebb786
JH
176JH/32 Introduce a general tainting mechanism for values read from the input
177 channel, and values derived from them. Refuse to expand any tainted
178 values, to catch one form of exploit.
179
9fa4d5b4
RJ
180JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result
181 was unused and the unexpanded text used for the test. Found and
182 fixed by Ruben Jenster.
183
bd231acd
JH
184JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open,
185 an attempt to use a TLS library read routine dereffed a nul pointer,
186 causing a segfault.
187
7b564712
JH
188JH/35 Bug 2409: filter out-of-spec chars from callout response before using
189 them in our smtp response.
190
9c6881f8 191JH/36 Have the general router option retry_use_local_part default to true when
dbbf21a7
JH
192 any of the restrictive preconditions are set (to anything). Previously it
193 was only for check_local user. The change removes one item of manual
194 configuration which is required for proper retries when a remote router
195 handles a subset of addresses for a domain.
196
9c6881f8
JH
197JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
198 link count into consideration.
199
7d8d08c4
JH
200HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line
201 caused the extension of big_buffer, the following lines were ignored.
202
203JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
204 accordance with RFC 2308. Previously there was no expiry, so a longlived
205 receive process (eg. due to ACL delays) versus a short SOA value could
206 surprise.
207
c3aefacc
HSHR
208HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)
209
1a2e76e1
JH
210JH/39 Promote DMARC support to mainline.
211
d6c829b9
JH
212JH/40 Bug 2452: Add a References: header to DSNs.
213
49132a3b
JH
214JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
215 parameters. The relevant library call is documented as "Deprecated: This
216 function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
217 3.6.0, DH parameters are negotiated following RFC7919."
218
ab0e957b 219HS/06 Change the default of dnssec_request_domains to "*"
40ed89b3 220
c5040dfd
JH
221JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we
222 carried on and emitted a BDAT command, even when PIPELINING was not
223 active.
224
13e70f55
JH
225JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
226 buffer was used for the filename, resulting in a trap when tainted
227 arguments (eg. $domain) were used.
228
2043336d
JH
229JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
230 recommended to avoid a possible server-load attack. The feature can be
231 re-enabled via the openssl_options main cofiguration option.
232
b2d54f83
JH
233JH/45 local_scan API: documented the current smtp_printf() call. This changed
234 for version 4.90 - adding a "more data" boolean to the arguments.
b3317cfa
JH
235 Bumped the ABI version number also, this having been missed previously;
236 release versions 4.90 to 4.92.3 inclusive were effectively broken in
237 respect of usage of smtp_printf() by either local_scan code or libraries
238 accessed via the ${dlfunc } expansion item. Both will need coding
239 adjustment for any calls to smtp_printf() to match the new function
240 signature; a FALSE value for the new argument is always safe.
b2d54f83 241
1bf08084
JH
242JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating
243 the file-offset (which the Linux syscall does, and exim expects); this
244 resulted in an indefinite loop.
245
7af11cd0
JH
246JH/47 ARC: fix crash in signing, triggered when a configuration error failed
247 to do ARC verification. The Authentication-Results: header line added
248 by the configuration then had no ARC item.
249
c5040dfd 250
d99f54e4
JH
251Exim version 4.92
252-----------------
253
9723f966
JH
254JH/01 Remove code calling the customisable local_scan function, unless a new
255 definition "HAVE_LOCAL_SCAN=yes" is present in the Local/Makefile.
256
257JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in
64b67b65
JH
258 non-signal-safe functions being used.
259
260JH/03 Bug 2269: When presented with a received message having a stupidly large
261 number of DKIM-Signature headers, disable DKIM verification to avoid
262 a resource-consumption attack. The limit is set at twenty.
9723f966 263
ea7b1f16
JH
264JH/04 Add variables $arc_domains, $arc_oldest_pass for ARC verify. Fix the
265 report of oldest_pass in ${authres } in consequence, and separate out
266 some descriptions of reasons for verification fail.
267
cfbb0d24
JH
268JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
269 files in the spool were present and unlocked. A queue-runner could spot
270 them, resulting in a duplicate delivery. Fix that by doing the unlock
0488984d
JH
271 after the unlink. Investigation by Tim Stewart. Take the opportunity to
272 add more error-checking on spoolfile handling while that code is being
cfbb0d24
JH
273 messed with.
274
85defcf0
PP
275PP/01 Refuse to open a spool data file (*-D) if it's a symlink.
276 No known attacks, no CVE, this is defensive hardening.
277
1bd642c2
JH
278JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
279 a queue-runner could start a delivery while other operations were ongoing.
280 Cutthrough delivery was a common victim, resulting in duplicate delivery.
281 Found and investigated by Tim Stewart. Fix by using the open message data
282 file handle rather than opening another, and not locally closing it (which
283 releases a lock) for that case, while creating the temporary .eml format
284 file for the MIME ACL. Also applies to "regex" and "spam" ACL conditions.
285
2ddb4094
JH
286JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting
287 $sender_verify_failure/$recipient_verify_failure to "random".
288
1613fd68
JH
289JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
290 legitimate.
291
e6057245
JH
292JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
293 Previously this would segfault.
294
7b9822bf
JH
295JH/10 Fix ARC signing for case when DKIM signing failed. Previously this would
296 segfault.
297
d8d9f930
JH
298JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd
299 like zero, since the resolver should be doing this for us, But we need one
300 as a CNAME but no MX presence gets the CNAME returned; we need to check
301 that doesn't point to an MX to declare it "no MX returned" rather than
302 "error, loop". A new main option is added so the older capability of
303 following some limited number of chain links is maintained.
304
61e3f250
JH
305JH/12 Add client-ip info to non-pass iprev ${authres } lines.
306
7a8b9519
JH
307JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol
308 methods. These should support TLS 1.3; they arrived with TLS 1.3 and the
309 now-deprecated earlier definitions used only specified the range up to TLS
310 1.2 (in the older-version library docs).
311
49e56fb3
JH
312JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.
313
74f1a423
JH
314JH/15 Rework TLS client-side context management. Stop using a global, and
315 explicitly pass a context around. This enables future use of TLS for
316 connections to service-daemons (eg. malware scanning) while a client smtp
317 connection is using TLS; with cutthrough connections this is quite likely.
318
5054c4fd 319JH/16 Fix ARC verification to do AS checks in reverse order.
611b1961
JH
320
321JH/17 Support a "tls" option on the ${readsocket } expansion item.
5054c4fd 322
946515bf
JH
323JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages
324 using the SMTPUTF8 option on their MAIL FROM commands, in one connection.
325 Previously the "utf8" would be re-prepended for every additional message.
326
8c34c611
JH
327JH/19 Reject MAIL FROM commands with SMTPUTF8 when the facility was not advertised.
328 Previously thery were accepted, resulting in issues when attempting to
329 forward messages to a non-supporting MTA.
330
1bca4f5f
PP
331PP/02 Let -n work with printing macros too, not just options.
332
8a6b4e02
JH
333JH/20 Bug 2296: Fix cutthrough for >1 address redirection. Previously only
334 one parent address was copied, and bogus data was used at delivery-logging
335 time. Either a crash (after delivery) or bogus log data could result.
336 Discovery and analysis by Tim Stewart.
337
0a682b6c
PP
338PP/03 Make ${utf8clean:} expansion operator detect incomplete final character.
339 Previously if the string ended mid-character, we did not insert the
340 promised '?' replacement.
341
c2c451ac
PP
342PP/04 Documentation: current string operators work on bytes, not codepoints.
343
8768d548
JH
344JH/21 Change as many as possible of the global flags into one-bit bitfields; these
345 should pack well giving a smaller memory footprint so better caching and
346 therefore performance. Group the declarations where this can't be done so
347 that the byte-sized flag variables are not interspersed among pointer
348 variables, giving a better chance of good packing by the compiler.
349
5455f548
JH
350JH/22 Bug 1896: Fix the envelope from for DMARC forensic reports to be possibly
351 non-null, to avoid issues with sites running BATV. Previously reports were
352 sent with an empty envelope sender so looked like bounces.
353
25beaee4
MK
354JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working.
355 The ignore_error flag wasn't being returned from the filter subprocess so
356 was not set for later routers. Investigation and fix by Matthias Kurz.
357
7ea1237c 358JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient,
570cb1bd 359 and a msg:complete for the whole, when a message is manually removed using
7ea1237c
MK
360 -Mrm. Developement by Matthias Kurz, hacked on by JH.
361
ebda598a
JH
362JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using
363 a "Gnu special" function, asprintf() in the DB utility binary builds; I
364 hope that is portable enough.
365
570cb1bd
JH
366JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also
367 requiring a known-CA anchor certificate; make it now rely entirely on the
368 TLSA as an anchor. Checking the name on the leaf cert against the name
369 on the A-record for the host is still done for TA (but not for EE mode).
370
eb58ddf5
JH
371JH/27 Fix logging of proxy address. Previously, a pointless "PRX=[]:0" would be
372 included in delivery lines for non-proxied connections, when compiled with
373 SUPPORT_SOCKS and running with proxy logging enabled.
374
ffbc20ed
MK
375JH/28 Bug 2314: Fire msg:fail:delivery event even when error is being ignored.
376 Developement by Matthias Kurz, tweaked by JH. While in that bit of code,
377 move the existing event to fire before the normal logging of message
378 failure so that custom logging is bracketed by normal logging.
379
4e928780
MK
380JH/29 Bug 2322: A "fail" command in a non-system filter (file) now fires the
381 msg:fail:internal event. Developement by Matthias Kurz.
382
75c121f0 383JH/30 Bug 2329: Increase buffer size used for dns lookup from 2k, which was
059f2ace 384 far too small for todays use of crypto signatures stored there. Go all
75c121f0
JH
385 the way to the max DNS message size of 64kB, even though this might be
386 overmuch for IOT constrained device use.
387
e30f4f43
JH
388JH/31 Fix a bad use of a copy function, which could be used to pointlessly
389 copy a string over itself. The library routine is documented as not
390 supporting overlapping copies, and on MacOS it actually raised a SIGABRT.
391
a45431fa
JH
392JH/32 For main options check_spool_space and check_inode_space, where the
393 platform supports 64b integers, support more than the previous 2^31 kB
394 (i.e. more than 2 TB). Accept E, P and T multipliers in addition to
395 the previous G, M, k.
396
c0fb53b7
JH
397JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the
398 $authenticated_fail_id variable on authentication failure. Previously
399 it was unset.
400
6aac3239
JH
401JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0
402 OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for
403 more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to
404 GNUTLS_SEC_PARAM_MEDIUM.
405
5a2a0989
JH
406JH/35 OpenSSL: fail the handshake when SNI processing hits a problem, server
407 side. Previously we would continue as if no SNI had been received.
408
de6f74f2 409JH/36 Harden the handling of string-lists. When a list consisted of a sole
b72f857f
JH
410 "<" character, which should be a list-separator specification, we walked
411 off past the nul-terimation.
412
de6f74f2
JH
413JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external
414 causes) even when the retry time is not yet met. Previously they were
415 not, meaning that when (say) an account was over-quota and temp-rejecting,
416 and multiple senders' messages were queued, only one sender would get
417 notified on each configured delay_warning cycle.
418
aa6e77af 419JH/38 Bug 2351: Log failures to extract envelope addresses from message headers.
aaf3e414 420
25fa0868
JH
421JH/39 OpenSSL: clear the error stack after an SSL_accept(). With anon-auth
422 cipher-suites, an error can be left on the stack even for a succeeding
423 accept; this results in impossible error messages when a later operation
424 actually does fail.
425
cb6bd80f
JH
426AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they
427 return error codes indicating retry. Under TLS1.3 this becomes required.
428
429JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT. Previously
430 it only wrote the new authenticators, resulting in a lack of tracking of
431 peer changes of ESMTP extensions until the next cache flush.
518b70e9 432
56ac062a
JH
433JH/41 Fix the loop reading a message header line to check for integer overflow,
434 and more-often against header_maxsize. Previously a crafted message could
435 induce a crash of the recive process; now the message is cleanly rejected.
436
ae63862b
MA
437JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had
438 been totally disabled for all of 4.91. Discovery and fix by "Mad Alex".
439
9723f966 440
bb264f6b
JH
441Exim version 4.91
442-----------------
459fca58 443
c39c8870 444GF/01 DEFER rather than ERROR on redis cluster MOVED response.
bb264f6b
JH
445 When redis_servers is set to a list of > 1 element, and the Redis servers
446 in that list are in cluster configuration, convert the REDIS_REPLY_ERROR
447 case of MOVED into a DEFER case instead, thus moving the query onto the
448 next server in the list. For a cluster of N elements, all N servers must
449 be defined in redis_servers.
c39c8870 450
0800ef83
GF
451GF/02 Catch and remove uninitialized value warning in exiqsumm
452 Check for existence of @ARGV before looking at $ARGV[0]
453
459fca58
JH
454JH/01 Replace the store_release() internal interface with store_newblock(),
455 which internalises the check required to safely use the old one, plus
456 the allocate and data copy operations duplicated in both (!) of the
457 extant use locations.
458
944e8b37
JH
459JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL
460 modifier. This matches the restriction on the commandline.
461
bbfb5dcd
JH
462JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
463 Previously only the last row was returned.
464
a05d3e34
JH
465JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
466 we assumed that tags in the header were well-formed, and parsed the
467 element content after inspecting only the first char of the tag.
468 Assumptions at that stage could crash the receive process on malformed
469 input.
470
ce93c6d8
JH
471JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
472 While running the DKIM ACL we operate on the Permanent memory pool so that
473 variables created with "set" persist to the DATA ACL. Also (at any time)
474 DNS lookups that fail create cache records using the Permanent pool. But
475 expansions release any allocations made on the current pool - so a dnsdb
476 lookup expansion done in the DKIM ACL releases the memory used for the
477 DNS negative-cache, and bad things result. Solution is to switch to the
478 Main pool for expansions.
479 While we're in that code, add checks on the DNS cache during store_reset,
480 active in the testsuite.
481 Problem spotted, and debugging aided, by Wolfgang Breyha.
482
2577f55f
JH
483JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
484 When none of the hosts presented to a transport match an already-open
485 connection, close it and proceed with the list. Previously we would
486 queue the message. Spotted by Lena with Yahoo, probably involving
487 round-robin DNS.
488
5b6f7658
JH
489JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
490 Previously a spurious "250 OK id=" response was appended to the proper
491 failure response.
492
c11d665d
JH
493JH/08 The "support for" informational output now, which built with Content
494 Scanning support, has a line for the malware scanner interfaces compiled
495 in. Interface can be individually included or not at build time.
e5ba8aa7
JH
496
497JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included
498 by the template makefile "src/EDITME". The "STREAM" support for an older
499 ClamAV interface method is removed.
c11d665d 500
ba0e37b1
JH
501JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
502 rows affected is given instead).
503
96508de1
JH
504JH/11 The runtime Berkeley DB library version is now additionally output by
505 "exim -d -bV". Previously only the compile-time version was shown.
506
06fdb9f7
JH
507JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
508 SMTP connection. Previously, when one had more receipients than the
509 first, an abortive onward connection was made. Move to full support for
510 multiple onward connections in sequence, handling cutthrough connection
511 for all multi-message initiating connections.
512
f83a760f
JH
513JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
514 routers. Previously, a multi-recipient message would fail to match the
515 onward-connection opened for the first recipient, and cause its closure.
516
f1fed05b
JH
517JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
518 a timeout on read on a GnuTLS initiating connection, resulting in the
519 initiating connection being dropped. This mattered most when the callout
520 was marked defer_ok. Fix to keep the two timeout-detection methods
521 separate.
522
051d5efa
JH
523JH/15 Relax results from ACL control request to enable cutthrough, in
524 unsupported situations, from error to silently (except under debug)
525 ignoring. This covers use with PRDR, frozen messages, queue-only and
526 fake-reject.
527
cf3cd306
HSHR
528HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
529
744976d4
JH
530JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
531 metadata, resulting in a crash in free().
532
aab9a843 533PP/01 Fix broken Heimdal GSSAPI authenticator integration.
7be14582 534 Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
aab9a843 535 Broken also in d185889f4, with init system revamp.
7be14582 536
83d2a861
JH
537JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner.
538 Previously we abruptly closed the connection after reading a malware-
539 found indication; now we go on to read the "scan ok" response line,
540 and send a quit.
541
6741531c
JH
542JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail
543 ACL. Previously, a crash would result.
544
85e03244
JH
545JH/19 Speed up macro lookups during configuration file read, by skipping non-
546 macro text after a replacement (previously it was only once per line) and
547 by skipping builtin macros when searching for an uppercase lead character.
548
c0635b6d
JH
549JH/20 DANE support moved from Experimental to mainline. The Makefile control
550 for the build is renamed.
551
b808677c
JH
552JH/21 Fix memory leak during multi-message connections using STARTTLS. A buffer
553 was allocated for every new TLS startup, meaning one per message. Fix
554 by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS).
555
6678c382
JH
556JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
557 reported the original. Fix to report (as far as possible) the ACL
558 result replacing the original.
559
dec766a1
WB
560JH/23 Fix memory leak during multi-message connections using STARTTLS under
561 OpenSSL. Certificate information is loaded for every new TLS startup,
562 and the resources needed to be freed.
563
15ae19f9
JH
564JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
565
e6532c4a
JH
566JH/25 Fix utf8_downconvert propagation through a redirect router. Previously it
567 was not propagated.
568
2556b3c6
SA
569JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall
570 DATA response info to the (existing) per-recipient response info for
571 the "C=" log element. It can have useful tracking info from the
572 destination system. Patch from Simon Arlott.
573
fc8cd529
JH
574JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero-
575 length value. Previously this would segfault.
576
71bb51e0
HSHR
577HS/02 Support Avast multiline protoocol, this allows passing flags to
578 newer versions of the scanner.
579
e04bfa34
JH
580JH/28 Ensure that variables possibly set during message acceptance are marked
581 dead before release of memory in the daemon loop. This stops complaints
582 about them when the debug_store option is enabled. Discovered specifically
583 for sender_rate_period, but applies to a whole set of variables.
c232fc99
JH
584 Do the same for the queue-runner and queue-list loops, for variables set
585 from spool message files. Do the same for the SMTP per-message loop, for
586 certain variables indirectly set in ACL operations.
e04bfa34 587
ecce6d9a
JH
588JH/29 Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
589 as a multi-recipient message from a mailinglist manager). The coding had
590 an arbitrary cutoff number of characters while checking for more input;
591 enforced by writing a NUL into the buffer. This corrupted long / fast
592 input. The problem was exposed more widely when more pipelineing of SMTP
593 responses was introduced, and one Exim system was feeding another.
594 The symptom is log complaints of SMTP syntax error (NUL chars) on the
595 receiving system, and refused recipients seen by the sending system
596 (propating to people being dropped from mailing lists).
597 Discovered and pinpointed by David Carter.
598
c9cf9ac4
JH
599JH/30 The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
600 replaced by the ${authresults } expansion.
601
b3b37076
JH
602JH/31 Bug 2257: Fix pipe transport to not use a socket-only syscall.
603
830832c9
HSHR
604HS/03 Set a handler for SIGTERM and call exit(3) if running as PID 1. This
605 allows proper process termination in container environments.
606
f64e8b5f
JH
607JH/32 Bug 2258: Fix spool_wireformat in combination with LMTP transport.
608 Previously the "final dot" had a newline after it; ensure it is CR,LF.
609
8f0776b5
JH
610JH/33 SPF: remove support for the "spf" ACL condition outcome values "err_temp"
611 and "err_perm", deprecated since 4.83 when the RFC-defined words
612 "temperror" and "permerror" were introduced.
613
857eaf37
JH
614JH/34 Re-introduce enforcement of no cutthrough delivery on transports having
615 transport-filters or DKIM-signing. The restriction was lost in the
616 consolidation of verify-callout and delivery SMTP handling.
5add7dc4 617 Extend the restriction to also cover ARC-signing.
857eaf37 618
c85476e9
JH
619JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses)
620 in defer=pass mode supply a 450 to the initiator. Previously the message
621 would be spooled.
622
405074ad
PP
623PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
624 tls_require_ciphers is used as before.
625
eb445b04
HSHR
626HS/03 Malware Avast: Better match the Avast multiline protocol. Add
627 "pass_unscanned". Only tmpfails from the scanner are written to
628 the paniclog, as they may require admin intervention (permission
629 denied, license issues). Other scanner errors (like decompression
630 bombs) do not cause a paniclog entry.
ad93c40f 631
d342446f
JH
632JH/36 Fix reinitialisation of DKIM logging variable between messages.
633 Previously it was possible to log spurious information in receive log
634 lines.
635
a28050f8
JH
636JH/37 Bug 2255: Revert the disable of the OpenSSL session caching. This
637 triggered odd behaviour from Outlook Express clients.
638
ddd16464
PP
639PP/03 Add util/renew-opendmarc-tlds.sh script for safe renewal of public
640 suffix list.
641
321ef002
JH
642JH/38 DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
643 since the IETF WG has not yet settled on that versus the original
644 "bare" representation.
645
3203e7ba
JH
646JH/39 Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
647 Previously the millisecond value corrupted the output.
648 Fix also for syslog_pid=no and log_selector +pid, for which the pid
649 corrupted the output.
650
bbfb5dcd 651
acfc18c3
PP
652Exim version 4.90
653-----------------
654
655JH/01 Rework error string handling in TLS interface so that the caller in
656 more cases is responsible for logging. This permits library-sourced
657 string to be attached to addresses during delivery, and collapses
658 pairs of long lines into single ones.
659
856d1e16
PP
660PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
661 during configuration. Wildcards are allowed and expanded.
662
b9df1829
JH
663JH/02 Rework error string handling in DKIM to pass more info back to callers.
664 This permits better logging.
665
875512a3
JH
666JH/03 Rework the transport continued-connection mechanism: when TLS is active,
667 do not close it down and have the child transport start it up again on
668 the passed-on TCP connection. Instead, proxy the child (and any
669 subsequent ones) for TLS via a unix-domain socket channel. Logging is
670 affected: the continued delivery log lines do not have any DNSSEC, TLS
5013d912 671 Certificate or OCSP information. TLS cipher information is still logged.
875512a3 672
fc3f96af
JH
673JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of
674 identical IP addresses on different listening ports. Will also affect
675 "exiwhat" output.
676
98913c8e
BK
677PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
678 add noisy ifdef guards to special-case this sillyness.
679 Patch from Bernd Kuhls.
680
8d909960
JH
681JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger
682 than 255 are no longer allowed.
683
7006ee24
JH
684JH/06 Default openssl_options to include +no_ticket, to reduce load on peers.
685 Disable the session-cache too, which might reduce our load. Since we
686 currrectly use a new context for every connection, both as server and
687 client, there is no benefit for these.
688 GnuTLS appears to not support tickets server-side by default (we don't
689 call gnutls_session_ticket_enable_server()) but client side is enabled
690 by default on recent versions (3.1.3 +) unless the PFS priority string
691 is used (3.2.4 +).
692
6e411084
PP
693PP/03 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
694 <https://reproducible-builds.org/specs/source-date-epoch/>.
695
4c2471ca
JH
696JH/07 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
697 the check for any unsuccessful recipients did not notice the limit, and
698 erroneously found still-pending ones.
699
4e910c01
JH
700JH/08 Pipeline CHUNKING command and data together, on kernels that support
701 MSG_MORE. Only in-clear (not on TLS connections).
702
42055a33
JH
703JH/09 Avoid using a temporary file during transport using dkim. Unless a
704 transport-filter is involved we can buffer the headers in memory for
705 creating the signature, and read the spool data file once for the
706 signature and again for transmission.
707
eeb35890
JH
708JH/10 Enable use of sendfile in Linux builds as default. It was disabled in
709 4.77 as the kernel support then wasn't solid, having issues in 64bit
7d758a6a 710 mode. Now, it's been long enough. Add support for FreeBSD also.
eeb35890 711
b7d3afcf
JH
712JH/11 Bug 2104: Fix continued use of a transport connection with TLS. In the
713 case where the routing stage had gathered several addresses to send to
714 a host before calling the transport for the first, we previously failed
715 to close down TLS in the old transport process before passing the TCP
716 connection to the new process. The new one sent a STARTTLS command
717 which naturally failed, giving a failed delivery and bloating the retry
718 database. Investigation and fix prototype from Wolfgang Breyha.
719
40525d07
JH
720JH/12 Fix check on SMTP command input synchronisation. Previously there were
721 false-negatives in the check that the sender had not preempted a response
722 or prompt from Exim (running as a server), due to that code's lack of
a5ffa9b4 723 awareness of the SMTP input buffering.
40525d07 724
f33875c3
PP
725PP/04 Add commandline_checks_require_admin option.
726 Exim drops privileges sanely, various checks such as -be aren't a
727 security problem, as long as you trust local users with access to their
728 own account. When invoked by services which pass untrusted data to
729 Exim, this might be an issue. Set this option in main configuration
730 AND make fixes to the calling application, such as using `--` to stop
731 processing options.
732
a5ffa9b4
JH
733JH/13 Do pipelining under TLS. Previously, although safe, no advantage was
734 taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server)
735 responses to those, into a single TLS record each way (this usually means
736 a single packet). As a side issue, smtp_enforce_sync now works on TLS
737 connections.
925ac8e4 738
6600985a
PP
739PP/05 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This
740 affects you only if you're dancing at the edge of the param size limits.
741 If you are, and this message makes sense to you, then: raise the
742 configured limit or use OpenSSL 1.1. Nothing we can do for older
743 versions.
744
ac4d558b
JH
745JH/14 For the "sock" variant of the malware scanner interface, accept an empty
746 cmdline element to get the documented default one. Previously it was
747 inaccessible.
748
e69636bc
JH
749JH/15 Fix a crash in the smtp transport caused when two hosts in succession
750 are unsuable for non-message-specific reasons - eg. connection timeout,
751 banner-time rejection.
752
a843a57e
JH
753JH/16 Fix logging of delivery remote port, when specified by router, under
754 callout/hold.
755
8e041ae0
PP
756PP/06 Repair manualroute's ability to take options in any order, even if one
757 is the name of a transport.
833c70bc
PP
758 Fixes bug 2140.
759
35a04365
HSHR
760HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)
761
4226691b
JH
762JH/17 Change the list-building routines interface to use the expanding-string
763 triplet model, for better allocation and copying behaviour.
764
d185889f
JH
765JH/18 Prebuild the data-structure for "builtin" macros, for faster startup.
766 Previously it was constructed the first time a possibly-matching string
767 was met in the configuration file input during startup; now it is done
768 during compilation.
769
0a6c178c
JH
770JH/19 Bug 2141: Use the full-complex API for Berkeley DB rather than the legacy-
771 compatible one, to avoid the (poorly documented) possibility of a config
772 file in the working directory redirecting the DB files, possibly correpting
02745400 773 some existing file. CVE-2017-10140 assigned for BDB.
0a6c178c 774
fae8970d
JH
775JH/20 Bug 2147: Do not defer for a verify-with-callout-and-random which is not
776 cache-hot. Previously, although the result was properly cached, the
777 initial verify call returned a defer.
778
ad1a76fe 779JH/21 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but
14de8063
JH
780 the main verify for receipient in uncached-mode.
781
ad1a76fe
JH
782JH/22 Retire historical build files to an "unsupported" subdir. These are
783 defined as "ones for which we have no current evidence of testing".
784
135e9496
JH
785JH/23 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
786 if present. Previously it was ignored.
787
f2ed27cf
JH
788JH/24 Start using specified-initialisers in C structure init coding. This is
789 a C99 feature (it's 2017, so now considered safe).
790
7eb0e5d2
JH
791JH/25 Use one-bit bitfields for flags in the "addr" data structure. Previously
792 if was a fixed-sized field and bitmask ops via macros; it is now more
793 extensible.
794
4f9f4be4
795PP/07 GitHub PR 56: Apply MariaDB build fix.
796 Patch provided by Jaroslav Škarvada.
797
dc4de9cc
PP
798PP/08 Bug 2161: Fix regression in sieve quoted-printable handling introduced
799 during Coverity cleanups [4.87 JH/47]
800 Diagnosis and fix provided by Michael Fischer v. Mollard.
801
ea18931d
JH
802JH/26 Fix DKIM bug: when the pseudoheader generated for signing was exactly
803 the right size to place the terminating semicolon on its own folded
804 line, the header hash was calculated to an incorrect value thanks to
805 the (relaxed) space the fold became.
806
0768462d 807HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked
2cee425a
HSHR
808 and confused the parent.
809
848214f7
JH
810JH/27 Fix SOCKS bug: an unitialized pointer was deref'd by the transport process
811 which could crash as a result. This could lead to undeliverable messages.
812
9e0ed81f
JH
813JH/28 Logging: "next input sent too soon" now shows where input was truncated
814 for log purposes.
815
2540f2f8
JH
816JH/29 Fix queue_run_in_order to ignore the PID portion of the message ID. This
817 matters on fast-turnover and PID-randomising systems, which were getting
818 out-of-order delivery.
819
e5ab0ba9
JH
820JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for
821 a possibly-overlapping copy. The symptom was that "Remote host closed
822 connection in response to HELO" was logged instead of the actual 4xx
823 error for the HELO.
824
e99a3a6c
JH
825JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error.
826 Previously only that bufferd was discarded, resulting in SYMTP command
827 desynchronisation.
828
18067c75
JH
829JH/32 DKIM: when a message has multiple signatures matching an identity given
830 in dkim_verify_signers, run the dkim acl once for each. Previously only
831 one run was done. Bug 2189.
832
72934ba7
JH
833JH/33 Downgrade an unfound-list name (usually a typo in the config file) from
834 "panic the current process" to "deliberately defer". The panic log is
835 still written with the problem list name; the mail and reject logs now
836 get a temp-reject line for the message that was being handled, saying
837 something like "domains check lookup or other defer". The SMTP 451
838 message is still "Temporary local problem".
839
625667b6
JH
840JH/34 Bug 2199: Fix a use-after-free while reading smtp input for header lines.
841 A crafted sequence of BDAT commands could result in in-use memory beeing
b488395f
JH
842 freed. CVE-2017-16943.
843
844HS/03 Bug 2201: Fix checking for leading-dot on a line during headers reading
845 from SMTP input. Previously it was always done; now only done for DATA
846 and not BDAT commands. CVE-2017-16944.
625667b6 847
d21bf202
JH
848JH/35 Bug 2201: Flush received data in BDAT mode after detecting an error fatal
849 to the message (such as an overlong header line). Previously this was
850 not done and we did not exit BDAT mode. Followon from the previous item
851 though a different problem.
852
acfc18c3 853
fd047340 854Exim version 4.89
acfc18c3 855-----------------
4c57a40e 856
9427e879 857JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules
4c04137d 858 than -2003 did; needs libidn2 in addition to libidn.
fd047340 859
7b283890
JH
860JH/02 The path option on a pipe transport is now expanded before use.
861
4c57a40e
PP
862PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
863 Patch provided by "Björn", documentation fix added too.
864
5d036699
JH
865JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was
866 missing a wire-to-host endian conversion.
867
f4630439
JH
868JH/04 Bug 2004: fix CHUNKING in non-PIPELINEING mode. Chunk data following
869 close after a BDAT command line could be taken as a following command,
870 giving a synch failure. Fix by only checking for synch immediately
871 before acknowledging the chunk.
872
f988ce57
JS
873PP/02 GitHub PR 52: many spelling fixes, which include fixing parsing of
874 no_require_dnssec option and creation of _HAVE_TRANSPORT_APPEND_MAILDIR
875 macro. Patches provided by Josh Soref.
876
bd8fbe36
JH
877JH/05 Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
878 Previously we did not; the RFC seems ambiguous and VRFY is not listed
879 by IANA as a service extension. However, John Klensin suggests that we
880 should.
881
882JH/06 Bug 2017: Fix DKIM verification in -bh test mode. The data feed into
b895f4b2
JH
883 the dkim code may be unix-mode line endings rather than smtp wire-format
884 CRLF, so prepend a CR to any bare LF.
fd047340 885
bd8fbe36 886JH/07 Rationalise the coding for callout smtp conversations and transport ones.
902fbd69
JH
887 As a side-benfit, callouts can now use PIPELINING hence fewer round-trips.
888
bd8fbe36
JH
889JH/08 Bug 2016: Fix DKIM verification vs. CHUNKING. Any BDAT commands after
890 the first were themselves being wrongly included in the feed into dkim
891 processing; with most chunk sizes in use this resulted in an incorrect
892 body hash calculated value.
893
eea19017
JH
894JH/09 Bug 2014: permit inclusion of a DKIM-Signature header in a received
895 DKIM signature block, for verification. Although advised against by
896 standards it is specifically not ruled illegal.
897
44e6651b
JH
898JH/10 Bug 2025: Fix reception of (quoted) local-parts with embedded spaces.
899
900JH/11 Bug 2029: Fix crash in DKIM verification when a message signature block is
901 missing a body hash (the bh= tag).
902
903JH/12 Bug 2018: Re-order Proxy Protocol startup versus TLS-on-connect startup.
904 It seems that HAProxy sends the Proxy Protocol information in clear and
905 only then does a TLS startup, so do the same.
906
907JH/13 Bug 2027: Avoid attempting to use TCP Fast Open for non-transport client
908 TCP connections (such as for Spamd) unless the daemon successfully set
909 Fast Open mode on its listening sockets. This fixes breakage seen on
910 too-old kernels or those not configured for Fast Open, at the cost of
911 requiring both directions being enabled for TFO, and TFO never being used
912 by non-daemon-related Exim processes.
913
914JH/14 Bug 2000: Reject messages recieved with CHUNKING but with malformed line
915 endings, at least on the first header line. Try to canonify any that get
916 past that check, despite the cost.
917
b6040544
JH
918JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are
919 now limited to an arbitrary five deep, while parsing addresses with the
920 strip_excess_angle_brackets option enabled.
921
f700ea4d
PP
922PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and
923 instead leave the unprompted TLS handshake in socket buffer for the
924 TLS library to consume.
925
da88acae
PP
926PP/04 Bug 2018: Also handle Proxy Protocol v2 safely.
927
f6ef9370
PP
928PP/05 FreeBSD compat: handle that Ports no longer create /usr/bin/perl
929
90341c71
JH
930JH/16 Drop variables when they go out of scope. Memory management drops a whole
931 region in one operation, for speed, and this leaves assigned pointers
932 dangling. Add checks run only under the testsuite which checks all
933 variables at a store-reset and panics on a dangling pointer; add code
934 explicitly nulling out all the variables discovered. Fixes one known
935 bug: a transport crash, where a dangling pointer for $sending_ip_address
936 originally assigned in a verify callout, is re-used.
937
1ec2ab36
PP
938PP/06 Drop '.' from @INC in various Perl scripts.
939
940PP/07 Switch FreeBSD iconv to always use the base-system libc functions.
941
942PP/08 Reduce a number of compilation warnings under clang; building with
943 CC=clang CFLAGS+=-Wno-dangling-else -Wno-logical-op-parentheses
944 should be warning-free.
945
8b2b9480
PP
946JH/17 Fix inbound CHUNKING when DKIM disabled at runtime.
947
948HS/01 Fix portability problems introduced by PP/08 for platforms where
949 realloc(NULL) is not equivalent to malloc() [SunOS et al].
950
d953610f
HSHR
951HS/02 Bug 1974: Fix missing line terminator on the last received BDAT
952 chunk. This allows us to accept broken chunked messages. We need a more
953 general solution here.
954
7dc5f827
PP
955PP/09 Wrote util/chunking_fixqueue_finalnewlines.pl to help recover
956 already-broken messages in the queue.
957
4bb432cb
PP
958JH/18 Bug 2061: Fix ${extract } corrupting an enclosing ${reduce } $value.
959
3b1a84c8
PP
960JH/19 Fix reference counting bug in routing-generated-address tracking.
961
902fbd69 962
8d042305
JH
963Exim version 4.88
964-----------------
4c57a40e 965
9094b84b
JH
966JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
967 supports it and a size is available (ie. the sending peer gave us one).
8d042305 968
03d5892b
JH
969JH/02 The obsolete acl condition "demime" is removed (finally, after ten
970 years of being deprecated). The replacements are the ACLs
971 acl_smtp_mime and acl_not_smtp_mime.
972
4b0fe319
JH
973JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
974 a downgraded non-dane trust-anchor for the TLS connection (CA-style)
975 or even an in-clear connection were permitted. Now, if the host lookup
976 was dnssec and dane was requested then the host is only used if the
977 TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
978 MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
979 if one fails this test.
980 This means that a poorly-configured remote DNS will make it incommunicado;
981 but it protects against a DNS-interception attack on it.
982
789f8a4f
JH
983JH/04 Bug 1810: make continued-use of an open smtp transport connection
984 non-noisy when a race steals the message being considered.
985
23bb6982 986JH/05 If main configuration option tls_certificate is unset, generate a
f59aaaaa 987 self-signed certificate for inbound TLS connections.
23bb6982 988
0bd1b1ed 989JH/06 Bug 165: hide more cases of password exposure - this time in expansions
f42deca9 990 in rewrites and routers.
0bd1b1ed 991
20b9a2dc
JH
992JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
993 and logged a warning sing 4.83; now they are a configuration file error.
994
05392bbc
JH
995JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
996 (lacking @domain). Apply the same qualification processing as RCPT.
997
1a6230a3
JH
998JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
999
cfab9d68
JH
1000JH/10 Support ${sha256:} applied to a string (as well as the previous
1001 certificate).
1002
98c82a3d
JH
1003JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
1004 a cutthrough deliver is pending, as we always want to make a connection.
1005 This also avoids re-routing the message when later placing the cutthrough
1006 connection after a verify cache hit.
1007 Do not update it with the verify result either.
1008
1009JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
1010 when routing results in more than one destination address.
1011
ae8386f0
JH
1012JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
1013 signing (which inhibits the cutthrough capability). Previously only
1014 the presence of an option was tested; now an expansion evaluating as
1015 empty is permissible (obviously it should depend only on data available
1016 when the cutthrough connection is made).
1017
0d9fa8c0
JH
1018JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
1019 the relevant preceding SMTP command did not note the pipelining mode.
1020
3581f321
JH
1021JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
1022 Previously they were not counted.
1023
ef3a1a30
JH
1024JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
1025 as one having no matching records. Previously we deferred the message
1026 that needed the lookup.
1027
4c04137d 1028JH/17 Fakereject: previously logged as a normal message arrival "<="; now
27b9e5f4
JH
1029 distinguished as "(=".
1030
1435d4b2
JH
1031JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
1032 for missing MX records. Previously it only worked for missing A records.
1033
eea0defe
JB
1034JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
1035
1036JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
1037 after the data-go-ahead and data-ack. Patch from Jason Betts.
860cdda2 1038
4c04137d 1039JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results,
72a201e2
TM
1040 even for a "none" policy. Patch from Tony Meyer.
1041
1c788856
JH
1042JH/22 Fix continued use of a connection for further deliveries. If a port was
1043 specified by a router, it must also match for the delivery to be
1044 compatible.
1045
e3b1f624
JH
1046JH/23 Bug 1874: fix continued use of a connection for further deliveries.
1047 When one of the recipients of a message was unsuitable for the connection
1048 (has no matching addresses), we lost track of needing to mark it
1049 deferred. As a result mail would be lost.
1050
a57ce043
JH
1051JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
1052
f59aaaaa 1053JH/25 Decoding ACL controls is now done using a binary search; the source code
2d009132
JH
1054 takes up less space and should be simpler to maintain. Merge the ACL
1055 condition decode tables also, with similar effect.
d7bed771 1056
d1f9fb42
JH
1057JH/26 Fix problem with one_time used on a redirect router which returned the
1058 parent address unchanged. A retry would see the parent address marked as
1059 delivered, so not attempt the (identical) child. As a result mail would
1060 be lost.
1061
92b0827a
JH
1062JH/27 Fix a possible security hole, wherein a process operating with the Exim
1063 UID can gain a root shell. Credit to http://www.halfdog.net/ for
1064 discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
1065 itself :(
1066
ddf1b11a
JH
1067JH/28 Enable {spool,log} filesystem space and inode checks as default.
1068 Main config options check_{log,spool}_{inodes,space} are now
1069 100 inodes, 10MB unless set otherwise in the configuration.
1070
3cc3f762
JH
1071JH/29 Fix the connection_reject log selector to apply to the connect ACL.
1072 Previously it only applied to the main-section connection policy
1073 options.
1074
ae5afa61
JH
1075JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
1076
317e40ac
PP
1077PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
1078 by me. Added RFC7919 DH primes as an alternative.
1079
8b0fb68e
PP
1080PP/02 Unbreak build via pkg-config with new hash support when crypto headers
1081 are not in the system include path.
1082
ad7fc6eb 1083JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
f59aaaaa 1084 GnuTLS, when a session startup failed (eg because the client disconnected)
ad7fc6eb
JH
1085 Exim did stdio operations after fclose. This was exposed by a recent
1086 change which nulled out the file handle after the fclose.
ad7fc6eb 1087
ee5b1e28
JH
1088JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
1089 signed directly by the cert-signing cert, rather than an intermediate
1090 OCSP-signing cert. This is the model used by LetsEncrypt.
1091
5ddc9771
JH
1092JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
1093
8d73599f
JH
1094HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
1095 an incoming connection.
1096
446415f5
HSHR
1097HS/02 Bug 1802: Do not half-close the connection after sending a request
1098 to rspamd.
1099
8e53a4fc
HSHR
1100HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
1101 fallback to "prime256v1".
8d042305 1102
87cb4a16 1103JH/34 SECURITY: Use proper copy of DATA command in error message.
4c57a40e 1104 Could leak key material. Remotely exploitable. CVE-2016-9963.
87cb4a16
JH
1105
1106
0d9b78be
JH
1107Exim version 4.87
1108-----------------
4c57a40e 1109
82d14d6a
JH
1110JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
1111 and 3.4.4 - once the server is enabled to respond to an OCSP request
1112 it does even when not requested, resulting in a stapling non-aware
1113 client dropping the TLS connection.
0d9b78be 1114
6c6d6e48
TF
1115TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to
1116 support variable-length bit vectors. No functional change.
1117
ac881e27
TF
1118TF/02 Improve the consistency of logging incoming and outgoing interfaces.
1119 The I= interface field on outgoing lines is now after the H= remote
1120 host field, same as incoming lines. There is a separate
1121 outgoing_interface log selector which allows you to disable the
1122 outgoing I= field.
1123
c8899c20
JH
1124JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write.
1125 If not running log_selector +smtp_connection the mainlog would be held
1126 open indefinitely after a "too many connections" event, including to a
1127 deleted file after a log rotate. Leave the per net connection logging
1128 leaving it open for efficiency as that will be quickly detected by the
1129 check on the next write.
1130
f1b81d81
HSHR
1131HS/01 Bug 1671: Fix post transport crash.
1132 Processing the wait-<transport> messages could crash the delivery
1133 process if the message IDs didn't exist for some reason. When
1134 using 'split_spool_directory=yes' the construction of the spool
1135 file name failed already, exposing the same netto behaviour.
1136
f38917cc
JH
1137JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex &
1138 mime_regex ACL conditions.
1139
895fbaf2
JH
1140JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information
1141 to DSN fail messages (bounces): remote IP, remote greeting, remote response
1142 to HELO, local diagnostic string.
1143
805bb5c3
JH
1144JH/05 Downgrade message for a TLS-certificate-based authentication fail from
1145 log line to debug. Even when configured with a tls authenticator many
1146 client connections are expected to not authenticate in this way, so
1147 an authenticate fail is not an error.
1148
56c2a7be
HSHR
1149HS/02 Add the Exim version string to the process info. This way exiwhat
1150 gives some more detail about the running daemon.
1151
4c04137d 1152JH/06 Bug 1395: time-limit caching of DNS lookups, to the TTL value. This may
14b3c5bc
JH
1153 matter for fast-change records such as DNSBLs.
1154
6f6dedcc
JH
1155JH/07 Bug 1678: Always record an interface option value, if set, as part of a
1156 retry record, even if constant. There may be multiple transports with
1157 different interface settings and the retry behaviour needs to be kept
1158 distinct.
1159
0f557e90
JH
1160JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments.
1161
1162JH/09 Bug 1700: ignore space & tab embedded in base64 during decode.
1163
ec0eb1a3
JH
1164JH/10 Bug 840: fix log_defer_output option of pipe transport
1165
41e93589
JH
1166JH/11 Bug 830: use same host for all RCPTS of a message, even under
1167 hosts_randomize. This matters a lot when combined with mua_wrapper.
1168
98b98887 1169JH/12 Bug 1706: percent and underbar characters are no longer escaped by the
376d2ec0
JH
1170 ${quote_pgsql:<string>} operator.
1171
98b98887
JH
1172JH/13 Bug 1708: avoid misaligned access in cached lookup.
1173
858e91c2
JH
1174JH/14 Change header file name for freeradius-client. Relevant if compiling
1175 with Radius support; from the Gentoo tree and checked under Fedora.
1176
1177JH/15 Bug 1712: Introduce $prdr_requested flag variable
1178
6ff55e50
JH
1179JH/16 Bug 1714: Permit an empty string as expansion result for transport
1180 option transport_filter, meaning no filtering.
1181
3b957582
JB
1182JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts.
1183
23f3dc67
JH
1184JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now
1185 defaults to "*" (all hosts). The variable is now available when not built
4c04137d 1186 with TLS, default unset, mainly to enable keeping the testsuite sane.
23f3dc67
JH
1187 If a server certificate is not supplied (via tls_certificate) an error is
1188 logged, and clients will find TLS connections fail on startup. Presumably
1189 they will retry in-clear.
1190 Packagers of Exim are strongly encouraged to create a server certificate
1191 at installation time.
1192
240c288f
JH
1193HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency
1194 with the $config_file variable.
1195
5ef5dd52
JB
1196JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both
1197 in transport context, after the attempt, and per-recipient. The latter type
1198 is per host attempted. The event data is the error message, and the errno
1199 information encodes the lookup type (A vs. MX) used for the (first) host,
4c04137d 1200 and the trailing two digits of the smtp 4xx response.
5ef5dd52 1201
e161710d
GF
1202GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt
1203 to write to mainlog (or rejectlog, paniclog) in the window between file
1204 creation and permissions/ownership being changed. Particularly affects
1205 installations where exicyclog is run as root, rather than exim user;
1206 result is that the running daemon panics and dies.
1207
a159f203
JH
1208JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names.
1209
7f06582c
JH
1210JH/21 Bug 1720: Add support for priority groups and weighted-random proxy
1211 selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options
1212 "pri" and "weight". Note that the previous implicit priority given by the
1213 list order is no longer honoured.
1214
4c04137d 1215JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalization
abe1010c
JH
1216 for DKIM processing.
1217
f0989ec0
JH
1218JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build
1219 by defining SUPPORT_SOCKS.
74f150bf 1220
cee5f132
JH
1221JH/26 Move PROXY support from Experimental to mainline, enabled for a build
1222 by defining SUPPORT_PROXY. Note that the proxy_required_hosts option
e6d2a989
JH
1223 is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}.
1224 variables are renamed to proxy_{local,external}_{address,port}.
cee5f132 1225
8c5d388a
JH
1226JH/27 Move Internationalisation support from Experimental to mainline, enabled
1227 for a build by defining SUPPORT_I18N
1228
2d8d625b
JH
1229JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts
1230 of the query string, and make ${quote_redis:} do that quoting.
1231
0cbf2b82
JH
1232JH/29 Move Events support from Experimental to mainline, enabled by default
1233 and removable for a build by defining DISABLE_EVENT.
1234
f2f2c91b
JH
1235JH/30 Updated DANE implementation code to current from Viktor Dukhovni.
1236
ce325893
JH
1237JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly
1238 cached by the daemon.
1239
de78e2d5
JH
1240JH/32 Move Redis support from Experimental to mainline, enabled for a build
1241 by defining LOOKUP_REDIS. The libhiredis library is required.
1242
379ba7d0
JH
1243JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit
1244 keys are given for lookup.
1245
f444c2c7
JH
1246JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM
1247 support, by using OpenSSL or GnuTLS library ones. This means DKIM is
07c73177
JH
1248 only supported when built with TLS support. The PolarSSL SHA routines
1249 are still used when the TLS library is too old for convenient support.
f444c2c7 1250
a57b6200
JH
1251JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option
1252 openssl_options), for security. OpenSSL forces this from version 1.1.0
1253 server-side so match that on older versions.
1254
07c73177 1255JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh
fa01e4f8 1256 allocation for $value could be released as the expansion processing
07c73177 1257 concluded, but leaving the global pointer active for it.
fa01e4f8 1258
4f6ae5c3
JH
1259JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response,
1260 and to use the domains and local_parts ACL conditions.
1261
1bc460a6
JH
1262JH/38 Fix cutthrough bug with body lines having a single dot. The dot was
1263 incorrectly not doubled on cutthrough transmission, hence seen as a
1264 body-termination at the receiving system - resulting in truncated mails.
62ac2eb7 1265 Commonly the sender saw a TCP-level error, and retransmitted the message
1bc460a6
JH
1266 via the normal store-and-forward channel. This could result in duplicates
1267 received - but deduplicating mailstores were liable to retain only the
1268 initial truncated version.
1269
ab9152ff 1270JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64.
df3def24 1271
67e87fcf
JH
1272JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS.
1273
ab9152ff
JH
1274JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While
1275 we're in there, support oversigning also; bug 1309.
1276
af483912
JH
1277JH/42 Bug 1796: Fix error logged on a malware scanner connection failure.
1278
bc3c7bb7 1279HS/04 Add support for keep_environment and add_environment options.
df3def24 1280
13559da6
JH
1281JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain;
1282 either intentional arithmetic overflow during PRNG, or testing config-
1283 induced overflows.
1284
59eaad2b
JH
1285JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough
1286 delivery resulted in actual delivery. Cancel cutthrough before DATA
1287 stage.
1288
f9334a28
JH
1289JH/45 Fix cutthrough, when connection not opened by verify and target hard-
1290 rejects a recipient: pass the reject to the originator.
1291
dc8091e7
JH
1292JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs.
1293 Many were false-positives and ignorable, but it's worth fixing the
1294 former class.
1295
dfe7d917
JH
1296JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also
1297 for the new environment-manipulation done at startup. Move the routines
1298 from being local to tls.c to being global via the os.c file.
1299
93cc2d6e
JH
1300JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing
1301 an extract embedded as result-arg for a map, the first arg for extract
1302 is unavailable so we cannot tell if this is a numbered or keyed
1303 extraction. Accept either.
1304
13559da6 1305
9c695f6d
JH
1306Exim version 4.86
1307-----------------
4c57a40e 1308
9c695f6d
JH
1309JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
1310 expanded.
1311
506900af
JH
1312JH/02 The smtp transport option "multi_domain" is now expanded.
1313
ad07e9ad
JH
1314JH/03 The smtp transport now requests PRDR by default, if the server offers
1315 it.
1316
01a4a5c5 1317JH/04 Certificate name checking on server certificates, when exim is a client,
b3ef41c9 1318 is now done by default. The transport option tls_verify_cert_hostnames
01a4a5c5
JH
1319 can be used to disable this per-host. The build option
1320 EXPERIMENTAL_CERTNAMES is withdrawn.
1321
cb1d7830 1322JH/05 The value of the tls_verify_certificates smtp transport and main options
0e0f3f56 1323 default to the word "system" to access the system default CA bundle.
cb1d7830
JH
1324 For GnuTLS, only version 3.0.20 or later.
1325
610ff438 1326JH/06 Verification of the server certificate for a TLS connection is now tried
6d580f19
JH
1327 (but not required) by default. The verification status is now logged by
1328 default, for both outbound TLS and client-certificate supplying inbound
1329 TLS connections
610ff438 1330
f926e272
JH
1331JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
1332 sites use this now.
1333
50dc7409
JH
1334JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
1335 Status Notification (bounce) messages are now MIME format per RFC 3464.
1336 Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
1337 under the control of the dsn_advertise_hosts option, and routers may
1338 have a dsn_lasthop option.
1339
0f0c8159
JH
1340JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
1341 default, modifiable by a malware= option. The list separator for
23763898 1342 the options can now be changed in the usual way. Bug 68.
4e71661f 1343
1ad6489e
JH
1344JH/10 The smtp_receive_timeout main option is now expanded before use.
1345
aeaf5db3
JH
1346JH/11 The incoming_interface log option now also enables logging of the
1347 local interface on delivery outgoing connections.
1348
5032d1cf
JH
1349JH/12 The cutthrough-routing facility now supports multi-recipient mails,
1350 if the interface and destination host and port all match.
1351
7e8360e6
JH
1352JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
1353 /defer_ok option.
1354
c5f280e2
AL
1355JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
1356 Patch from Andrew Lewis.
1357
fd4d8871 1358JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
dc7b3d36 1359 now supports optional time-restrictions, weighting, and priority
fd4d8871
R
1360 modifiers per server. Patch originally by <rommer@active.by>.
1361
1362JH/16 The spamd_address main option now supports a mixed list of local
2aad5761
JH
1363 and remote servers. Remote servers can be IPv6 addresses, and
1364 specify a port-range.
fd4d8871 1365
23763898
JH
1366JH/17 Bug 68: The spamd_address main option now supports an optional
1367 timeout value per server.
1368
2ad78978
JH
1369JH/18 Bug 1581: Router and transport options headers_add/remove can
1370 now have the list separator specified.
1371
8a512ed5 1372JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
cfab9d68 1373 option values.
8a512ed5 1374
82c0c8ea 1375JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
f69979cf
JH
1376 under OpenSSL.
1377
cc00f4af
JH
1378JH/21 Support for the A6 type of dns record is withdrawn.
1379
82c0c8ea
JH
1380JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
1381 rather than the verbs used.
1382
b980ed83
JH
1383JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
1384 from 255 to 1024 chars.
1385
6c9ed72e
JH
1386JH/24 Verification callouts now attempt to use TLS by default.
1387
cfab9d68 1388HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
99c1bb4e 1389 are generic router options now. The defaults didn't change.
50dc7409 1390
f846c8f5
JH
1391JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
1392 Original patch from Alexander Shikoff, worked over by JH.
1393
fd4c285c
HSHR
1394HS/02 Bug 1575: exigrep falls back to autodetection of compressed
1395 files if ZCAT_COMMAND is not executable.
1396
4c04137d 1397JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.
fd7f7910 1398
d2a2c69b
JH
1399JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
1400
8241d8dd
JH
1401JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
1402 Normally benign, it bites when the pair was led to by a CNAME;
4c04137d 1403 modern usage is to not canonicalize the domain to a CNAME target
8241d8dd
JH
1404 (and we were inconsistent anyway for A-only vs AAAA+A).
1405
1f12df4d
JH
1406JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
1407
1f155f8e
JH
1408JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
1409 when evaluating $sender_host_dnssec.
1410
1705dd20
JH
1411JH/31 Check the HELO verification lookup for DNSSEC, adding new
1412 $sender_helo_dnssec variable.
1413
038597d2
PP
1414JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
1415
474f71bf
JH
1416JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
1417
7137ca4b
JH
1418JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
1419
dcb1095c
JH
1420JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
1421 documented as working, but never had. Support all but $spam_report.
1422
2f460950
JH
1423JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command
1424 added for tls authenticator.
1425
2f680c0c
HSHR
1426HS/03 Add perl_taintmode main config option
1427
9c695f6d 1428
e449c3b0
TL
1429Exim version 4.85
1430-----------------
4c57a40e 1431
e449c3b0
TL
1432TL/01 When running the test suite, the README says that variables such as
1433 no_msglog_check are global and can be placed anywhere in a specific
1434 test's script, however it was observed that placement needed to be near
1435 the beginning for it to behave that way. Changed the runtest perl
1436 script to read through the entire script once to detect and set these
1437 variables, reset to the beginning of the script, and then run through
1438 the script parsing/test process like normal.
1439
ac20058f
TL
1440TL/02 The BSD's have an arc4random API. One of the functions to induce
1441 adding randomness was arc4random_stir(), but it has been removed in
1442 OpenBSD 5.5. Detect this OpenBSD version and skip calling this
1443 function when detected.
1444
a9b8ec8b
JH
1445JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now
1446 cause callback expansion.
1447
6286d7c4
TL
1448TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that
1449 syntax errors in an expansion can be treated as a string instead of
1450 logging or causing an error, due to the internal use of bool_lax
1451 instead of bool when processing it.
1452
0f06b4f2 1453JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for
d567a64d
JH
1454 server certificates when making smtp deliveries.
1455
be36e572
JH
1456JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups.
1457
ac4ef9bd
JH
1458JH/04 Add ${sort {list}{condition}{extractor}} expansion item.
1459
0eb51736
TL
1460TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep.
1461
c713ca4b
TL
1462TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups.
1463 Merged patch from Sebastian Wiedenroth.
e449c3b0 1464
bd21a787
WB
1465JH/05 Fix results-pipe from transport process. Several recipients, combined
1466 with certificate use, exposed issues where response data items split
1467 over buffer boundaries were not parsed properly. This eventually
1468 resulted in duplicates being sent. This issue only became common enough
4c04137d 1469 to notice due to the introduction of connection certificate information,
bd21a787
WB
1470 the item size being so much larger. Found and fixed by Wolfgang Breyha.
1471
8bc732e8
JH
1472JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
1473 size buffer was used, resulting in syntax errors when an expansion
1474 exceeded it.
1475
a7fec7a7
JH
1476JH/07 Add support for directories of certificates when compiled with a GnuTLS
1477 version 3.3.6 or later.
1478
4c04137d 1479JH/08 Rename the TPDA experimental facility to Event Actions. The #ifdef
774ef2d7
JH
1480 is EXPERIMENTAL_EVENT, the main-configuration and transport options
1481 both become "event_action", the variables become $event_name, $event_data
aec45841 1482 and $event_defer_errno. There is a new variable $verify_mode, usable in
723fe533
JH
1483 routers, transports and related events. The tls:cert event is now also
1484 raised for inbound connections, if the main configuration event_action
1485 option is defined.
774ef2d7 1486
eca4debb
TL
1487TL/06 In test suite, disable OCSP for old versions of openssl which contained
1488 early OCSP support, but no stapling (appears to be less than 1.0.0).
1489
8d692470
JH
1490JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on
1491 server certificate names available under the smtp transport option
1492 "tls_verify_cert_hostname" now do not permit multi-component wildcard
1493 matches.
1494
e9477a08
JH
1495JH/10 Time-related extraction expansions from certificates now use the main
1496 option "timezone" setting for output formatting, and are consistent
1497 between OpenSSL and GnuTLS compilations. Bug 1541.
1498
ad4c5ff9
JH
1499JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047-
1500 encoded parameter in the incoming message. Bug 1558.
8dea5edf
JH
1501
1502JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now
1503 include certificate info, eximon was claiming there were spoolfile
1504 syntax errors.
1505
3394b36a 1506JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return.
8dea5edf
JH
1507
1508JH/14 Log delivery-related information more consistently, using the sequence
1509 "H=<name> [<ip>]" wherever possible.
1510
3394b36a
TL
1511TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which
1512 are problematic for Debian distribution, omit them from the release
1513 tarball.
1514
ad4c5ff9
JH
1515JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature.
1516
4c04137d 1517JH/16 Fix string representation of time values on 64bit time_t architectures.
ad4c5ff9
JH
1518 Bug 1561.
1519
1520JH/17 Fix a null-indirection in certextract expansions when a nondefault
1521 output list separator was used.
1522
8bc732e8 1523
1f0ebb98
TL
1524Exim version 4.84
1525-----------------
09728d20
TL
1526TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static
1527 checkers that were complaining about end of non-void function with no
1528 return.
1f0ebb98 1529
a612424f 1530JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers.
4c04137d 1531 This was a regression introduced in 4.83 by another bugfix.
a612424f
JH
1532
1533JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled.
1534
1535TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when
a9b8ec8b 1536 EXPERIMENTAL_DSN is enabled. Fix from Wolfgang Breyha.
a612424f 1537
1f0ebb98 1538
c0e56233
TF
1539Exim version 4.83
1540-----------------
1541
1542TF/01 Correctly close the server side of TLS when forking for delivery.
1543
1544 When a message was received over SMTP with TLS, Exim failed to clear up
1545 the incoming connection properly after forking off the child process to
1546 deliver the message. In some situations the subsequent outgoing
1547 delivery connection happened to have the same fd number as the incoming
1548 connection previously had. Exim would try to use TLS and fail, logging
1549 a "Bad file descriptor" error.
1550
7245734e
TF
1551TF/02 Portability fix for building lookup modules on Solaris when the xpg4
1552 utilities have not been installed.
1553
fd5dad68
JH
1554JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
1555 temporary space as the ACL may create new global variables.
1556
5428a946
TL
1557TL/01 LDAP support uses per connection or global context settings, depending
1558 upon the detected version of the libraries at build time.
1559
a3c86431
TL
1560TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection
1561 to extract and use the src ip:port in logging and expansions as if it
8ded8589
TL
1562 were a direct connection from the outside internet. PPv2 support was
1563 updated based on HAProxy spec change in May 2014.
a3c86431 1564
aa26e137
JH
1565JH/02 Add ${listextract {number}{list}{success}{fail}}.
1566
5a1b8443
WB
1567TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents.
1568 Properly escape header and check for NULL return.
1569
72c9e342
PP
1570PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok
1571 not dns_use_dnssec.
1572
76f44207
WB
1573JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp.
1574
770747fd
MFM
1575TL/04 Add verify = header_names_ascii check to reject email with non-ASCII
1576 characters in header names, implemented as a verify condition.
1577 Contributed by Michael Fischer v. Mollard.
1578
8ddef691 1579TL/05 Rename SPF condition results err_perm and err_temp to standardized
982650ec
TL
1580 results permerror and temperror. Previous values are deprecated but
1581 still accepted. In a future release, err_perm and err_temp will be
1582 completely removed, which will be a backward incompatibility if the
1583 ACL tests for either of these two old results. Patch contributed by
8ddef691 1584 user bes-internal on the mailing list.
c0e56233 1585
b9c2e32f
AR
1586JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau.
1587
e45a1c37
JH
1588JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log
1589 selectors, in both main and reject logs.
1590
67d81c10
JH
1591JH/06 Log outbound-TLS and port details, subject to log selectors, for a
1592 failed delivery.
1593
b1f8e4f8
JH
1594JH/07 Add malware type "sock" for talking to simple daemon.
1595
511a6c14 1596JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport.
511a6c14
JH
1597
1598JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in
1599 routers/transports under cutthrough routing.
214042d2 1600
51c7471d
JH
1601JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative
1602 numbers. Touch up "bool" conditional to keep the same definition.
1603
3695be34
TL
1604TL/06 Remove duplicated language in spec file from 4.82 TL/16.
1605
1e06383a
TL
1606JH/11 Add dnsdb tlsa lookup. From Todd Lyons.
1607
76146973
JH
1608JH/12 Expand items in router/transport headers_add or headers_remove lists
1609 individually rather than the list as a whole. Bug 1452.
1610
1611 Required for reasonable handling of multiple headers_ options when
1612 they may be empty; requires that headers_remove items with embedded
1613 colons must have them doubled (or the list-separator changed).
1614
8c8b8274
TL
1615TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
1616 view the policy declared in the DMARC record. Currently, $dmarc_status
1617 is a combined value of both the record presence and the result of the
1618 analysis.
b1f8e4f8 1619
35aba663
JH
1620JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
1621
8c51eead 1622JH/14 New options dnssec_request_domains, dnssec_require_domains on the
578897ea
JH
1623 dnslookup router and the smtp transport (applying to the forward
1624 lookup).
8c51eead 1625
deae092e
HS
1626TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
1627 of ldap servers used for a specific lookup. Patch provided by Heiko
1628 Schlichting.
35aba663 1629
fd3b6a4a 1630JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
4e0983dc 1631 New variable $lookup_dnssec_authenticated for observability.
fd3b6a4a 1632
8d91c6dc
LT
1633TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
1634 Patch submitted by Lars Timman.
1635
2b4a568d
JH
1636JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459.
1637
d2af03f4
HS
1638TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim.
1639 Requires trusted mode and valid format message id, aborts otherwise.
1640 Patch contributed by Heiko Schlichting.
1641
9d1c15ef
JH
1642JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item
1643 certextract with support for various fields. Bug 1358.
1644
44662487
JH
1645JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling
1646 is requested by default, modifiable by smtp transport option
6a8a60e0
JH
1647 hosts_request_ocsp.
1648
ed3bba5f 1649JH/22 Expansion operators ${md5:string} and ${sha1:string} can now
6a8a60e0 1650 operate on certificate variables to give certificate fingerprints
9ef9101c 1651 Also new ${sha256:cert_variable}.
44662487 1652
8ccd00b1
JH
1653JH/23 The PRDR feature is moved from being Experimental into the mainline.
1654
8ded8589
TL
1655TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from
1656 Christian Aistleitner.
1657
f2de3a33
JH
1658JH/24 The OCSP stapling feature is moved from Experimental into the mainline.
1659
6eb02f88
TL
1660TL/12 Bug 1444: Fix improper \r\n sequence handling when writing spool
1661 file. Patch from Wolfgang Breyha.
1662
00bff6f6
JH
1663JH/25 Expand the coverage of the delivery $host and $host_address to
1664 client authenticators run in verify callout. Bug 1476.
1665
071c51f7
JH
1666JH/26 Port service names are now accepted for tls_on_connect_ports, to
1667 align with daemon_smtp_ports. Bug 72.
1668
a6d4c44e
TF
1669TF/03 Fix udpsend. The ip_connectedsocket() function's socket type
1670 support and error reporting did not work properly.
1671
3ae173e7
ACK
1672TL/13 Bug 1495: Exiqgrep check if -C config file specified on cli exists
1673 and is readable. Patch from Andrew Colin Kissa.
1674
c13d09b8
TL
1675TL/14 Enhance documentation of ${run expansion and how it parses the
1676 commandline after expansion, particularly in the case when an
1677 unquoted variable expansion results in an empty value.
1678
0df4ab80
JH
1679JH/27 The TLS SNI feature was broken in 4.82. Fix it.
1680
66be95e0
PP
1681PP/02 Fix internal collision of T_APL on systems which support RFC3123
1682 by renaming away from it. Addresses GH issue 15, reported by
1683 Jasper Wallace.
1684
1bd0d12b
JH
1685JH/28 Fix parsing of MIME headers for parameters with quoted semicolons.
1686
0de7239e
TL
1687TL/15 SECURITY: prevent double expansion in math comparison functions
1688 (can expand unsanitized data). Not remotely exploitable.
1689 CVE-2014-2972
1690
fd3b6a4a 1691
2c422e6f 1692Exim version 4.82
98a90c36
PP
1693-----------------
1694
1695PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities.
1696
12f69989
PP
1697PP/02 Make -n do something, by making it not do something.
1698 When combined with -bP, the name of an option is not output.
1699
54c90be1
PP
1700PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured
1701 by GnuTLS.
1702
1f4a55da
PP
1703PP/04 First step towards DNSSEC, provide $sender_host_dnssec for
1704 $sender_host_name and config options to manage this, and basic check
1705 routines.
1706
13363eba 1707PP/05 DSCP support for outbound connections and control modifier for inbound.
36a3ae5f 1708
66645890 1709PP/06 Cyrus SASL: set local and remote IP;port properties for driver.
e402235f
PP
1710 (Only plugin which currently uses this is kerberos4, which nobody should
1711 be using, but we should make it available and other future plugins might
1712 conceivably use it, even though it would break NAT; stuff *should* be
1713 using channel bindings instead).
66645890 1714
a3fb9793 1715PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process
f4ee74ac
PP
1716 name; added for Sendmail compatibility; requires admin caller.
1717 Handle -G as equivalent to "control = suppress_local_fixups" (we used to
1718 just ignore it); requires trusted caller.
a3fb9793 1719 Also parse but ignore: -Ac -Am -X<logfile>
f4ee74ac 1720 Bugzilla 1117.
a3fb9793 1721
d27f98fe 1722TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing.
98a90c36 1723
6822b909
TL
1724TL/02 Add +smtp_confirmation as a default logging option.
1725
e7568d51
TL
1726TL/03 Bugzilla 198 - Implement remove_header ACL modifier.
1727 Patch by Magnus Holmgren from 2007-02-20.
1728
ae0e32ee 1729TL/04 Bugzilla 1281 - Spec typo.
ca0ff207 1730 Bugzilla 1283 - Spec typo.
97f42f10 1731 Bugzilla 1290 - Spec grammar fixes.
ca0ff207
TL
1732
1733TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation.
ae0e32ee 1734
e2658fff
TL
1735TL/06 Add Experimental DMARC support using libopendmarc libraries.
1736
83712b39
TL
1737TL/07 Fix an out of order global option causing a segfault. Reported to dev
1738 mailing list by by Dmitry Isaikin.
1739
976b7e9f
JH
1740JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support.
1741
be4a1376
JH
1742JH/02 Support "G" suffix to numbers in ${if comparisons.
1743
ec4b68e5
PP
1744PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL.
1745
d7148a07
NM
1746NM/01 Bugzilla 1197 - Spec typo
1747 Bugzilla 1196 - Spec examples corrections
ec4b68e5 1748
585121e2 1749JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
ec4b68e5 1750
2519e60d
TL
1751PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called
1752 gnutls_enable_pkcs11, but renamed to more accurately indicate its
1753 function.
a5f239e4 1754
13d08c90
PP
1755PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC.
1756 Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
1757
bef3ea7f
JH
1758JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition
1759 "acl {{name}{arg}...}", and optional args on acl condition
1760 "acl = name arg..."
a5f239e4 1761
846726c5
JH
1762JH/05 Permit multiple router/transport headers_add/remove lines.
1763
3a796370
JH
1764JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination.
1765
ea722490 1766JH/07 Avoid using a waiting database for a single-message-only transport.
8b260705
PP
1767 Performance patch from Paul Fisher. Bugzilla 1262.
1768
b1b05573
JH
1769JH/08 Strip leading/trailing newlines from add_header ACL modifier data.
1770 Bugzilla 884.
1771
362145b5
JH
1772JH/09 Add $headers_added variable, with content from use of ACL modifier
1773 add_header (but not yet added to the message). Bugzilla 199.
1774
3c0a92dc
JH
1775JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line.
1776 Pulled from Bugzilla 817 by Wolfgang Breyha.
1777
6d7c6175
PP
1778PP/11 SECURITY: protect DKIM DNS decoding from remote exploit.
1779 CVE-2012-5671
e78e6ecf 1780 (nb: this is the same fix as in Exim 4.80.1)
6d7c6175 1781
6f123593
JH
1782JH/11 Add A= logging on delivery lines, and a client_set_id option on
1783 authenticators.
1784
c8e2fc1e
JH
1785JH/12 Add optional authenticated_sender logging to A= and a log_selector
1786 for control.
1787
005ac57f
PP
1788PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29.
1789
3f1df0e3
PP
1790PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not
1791 advertise SMTP AUTH mechanism to us, instead of a generic
1792 protocol violation error. Also, make Exim more robust to bad
1793 data from the Dovecot auth socket.
1794
67bd1ab3
TF
1795TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients.
1796
1797 When a queue runner is handling a message, Exim first routes the
1798 recipient addresses, during which it prunes them based on the retry
1799 hints database. After that it attempts to deliver the message to
1800 any remaining recipients. It then updates the hints database using
1801 the retry rules.
1802
1803 So if a recipient address works intermittently, it can get repeatedly
1804 deferred at routing time. The retry hints record remains fresh so the
1805 address never reaches the final cutoff time.
1806
1807 This is a fairly common occurrence when a user is bumping up against
1808 their storage quota. Exim had some logic in its local delivery code
1809 to deal with this. However it did not apply to per-recipient defers
1810 in remote deliveries, e.g. over LMTP to a separate IMAP message store.
1811
1ddeb334
TF
1812 This change adds a proper retry rule check during routing so that the
1813 final cutoff time is checked against the message's age. We only do
1814 this check if there is an address retry record and there is not a
1815 domain retry record; this implies that previous attempts to handle
1816 the address had the retry_use_local_parts option turned on. We use
1817 this as an approximation for the destination being like a local
1818 delivery, as in LMTP.
67bd1ab3
TF
1819
1820 I suspect this new check makes the old local delivery cutoff check
1821 redundant, but I have not verified this so I left the code in place.
1822
326cdc37
TF
1823TF/02 Correct gecos expansion when From: is a prefix of the username.
1824
1825 Test 0254 submits a message to Exim with the header
1826
1827 Resent-From: f
1828
1829 When I ran the test suite under the user fanf2, Exim expanded
1830 the header to contain my full name, whereas it should have added
1831 a Resent-Sender: header. It erroneously treats any prefix of the
1832 username as equal to the username.
1833
1834 This change corrects that bug.
1835
f62514b3
GF
1836GF/01 DCC debug and logging tidyup
1837 Error conditions log to paniclog rather than rejectlog.
1838 Debug lines prefixed by "DCC: " to remove any ambiguity.
1839
eb505532
TF
1840TF/03 Avoid unnecessary rebuilds of lookup-related code.
1841
14c7b357
PP
1842PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server.
1843 Bug spotted by Jeremy Harris; was flawed since initial commit.
1844 Would have resulted in OCSP responses post-SNI triggering an Exim
1845 NULL dereference and crash.
1846
94eaf700
PP
1847JH/13 Add $router_name and $transport_name variables. Bugzilla 308.
1848
6f5a440a
PP
1849PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd.
1850 Bug detection, analysis and fix by Samuel Thibault.
1851 Bugzilla 1331, Debian bug #698092.
1852
514ee161
SC
1853SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]'
1854
fd98a5c6
JH
1855JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt).
1856 Server implementation by Todd Lyons, client by JH.
1857 Only enabled when compiled with EXPERIMENTAL_PRDR. A new
1858 config variable "prdr_enable" controls whether the server
1859 advertises the facility. If the client requests PRDR a new
1860 acl_data_smtp_prdr ACL is called once for each recipient, after
1861 the body content is received and before the acl_smtp_data ACL.
4c04137d 1862 The client is controlled by both of: a hosts_try_prdr option
fd98a5c6
JH
1863 on the smtp transport, and the server advertisement.
1864 Default client logging of deliveries and rejections involving
1865 PRDR are flagged with the string "PRDR".
1866
035c7f1e
PP
1867PP/16 Fix problems caused by timeouts during quit ACLs trying to double
1868 fclose(). Diagnosis by Todd Lyons.
1869
ff284120
PP
1870PP/17 Update configure.default to handle IPv6 localhost better.
1871 Patch by Alain Williams (plus minor tweaks).
1872 Bugzilla 880.
1873
26e72755
PP
1874PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
1875 This is now consistent with GnuTLS, and is now documented: the
1876 previous undocumented portable approach to treating the option as
1877 unset was to force an expansion failure. That still works, and
1878 an empty string is now equivalent.
1879
0fbd9bff
PP
1880PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
1881 clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
1882 not performing validation itself.
1883
700d22f3
PP
1884PP/20 Added force_command boolean option to pipe transport.
1885 Patch from Nick Koston, of cPanel Inc.
1886
fcc8e047
JH
1887JH/15 AUTH support on callouts (and hence cutthrough-deliveries).
1888 Bugzilla 321, 823.
1889
4c04137d 1890TF/04 Added udpsend ACL modifier and hexquote expansion operator
7142daca 1891
8c020188
PP
1892PP/21 Fix eximon continuous updating with timestamped log-files.
1893 Broken in a format-string cleanup in 4.80, missed when I repaired the
1894 other false fix of the same issue.
1895 Report and fix from Heiko Schlichting.
1896 Bugzilla 1363.
1897
d13cdd30
PP
1898PP/22 Guard LDAP TLS usage against Solaris LDAP variant.
1899 Report from Prashanth Katuri.
1900
e2fbf4a2
PP
1901PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options.
1902 It's SecureTransport, so affects any MacOS clients which use the
1903 system-integrated TLS libraries, including email clients.
1904
f4c1088b
PP
1905PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if
1906 using a MIME ACL for non-SMTP local injection.
1907 Report and assistance in diagnosis by Warren Baker.
1908
c5c2182f
PP
1909TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver.
1910
73431ca9
JH
1911JH/16 Fix comparisons for 64b. Bugzilla 1385.
1912
2d07a215
TL
1913TL/09 Add expansion variable $authenticated_fail_id to keep track of
1914 last id that failed so it may be referenced in subsequent ACL's.
1915
a30a8861
TL
1916TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
1917 Alexander Miroch.
1918
33382dd9
TL
1919TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
1920 ldap library initialization, allowing self-signed CA's to be
1921 used. Also properly sets require_cert option later in code by
1922 using NULL (global ldap config) instead of ldap handle (per
1923 session). Bug diagnosis and testing by alxgomz.
6d7c6175 1924
046172e6
TL
1925TL/12 Enhanced documentation in the ratelimit.pl script provided in
1926 the src/util/ subdirectory.
1927
581d7bee 1928TL/13 Bug 1031 - Imported transport SQL logging patch from Axel Rau
1a7b746d 1929 renamed to Transport Post Delivery Action by Jeremy Harris, as
9bdd29ad
TL
1930 EXPERIMENTAL_TPDA.
1931
1932TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled
1933 when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable
1934 redis_servers = needs to be configured which will be used by the redis
1935 lookup. Patch from Warren Baker, of The Packet Hub.
1936
237b2cf2
TL
1937TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall.
1938
9fc5a352
TL
1939TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a
1940 hostname or reverse DNS when processing a host list. Used suggestions
1941 from multiple comments on this bug.
1a7b746d 1942
b10e4ec2
TL
1943TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey.
1944
e2cebd74
TL
1945TL/18 Had previously added a -CONTINUE option to runtest in the test suite.
1946 Missed a few lines, added it to make the runtest require no keyboard
1947 interaction.
1948
1949TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite
1950 contains upper case chars. Make router use caseful_local_part.
1951
2519e60d
TL
1952TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS
1953 support when GnuTLS has been built with p11-kit.
1954
e78e6ecf 1955
4263f395
PP
1956Exim version 4.80.1
1957-------------------
1958
1959PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
1960 CVE-2012-5671
2c422e6f 1961 This, or similar/improved, will also be change PP/11 of 4.82.
3c0a92dc 1962
ea722490 1963
b1770b6e 1964Exim version 4.80
0599f9cf
PP
1965-----------------
1966
1967PP/01 Handle short writes when writing local log-files.
1968 In practice, only affects FreeBSD (8 onwards).
1969 Bugzilla 1053, with thanks to Dmitry Isaikin.
1970
23c7e742
NM
1971NM/01 Bugzilla 949 - Documentation tweak
1972
b322aac8
NM
1973NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps
1974 improved.
1975
4a891427
NM
1976NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
1977
c1e794ba 1978PP/02 Implemented gsasl authenticator.
b322aac8 1979
97753960
PP
1980PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option.
1981
1982PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
1983 `pkg-config foo` for cflags/libs.
1984
df6303fa
PP
1985PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
1986 with rest of GSASL and with heimdal_gssapi.
1987
7e6a8985
PP
1988PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
1989 `pkg-config foo` for cflags/libs for the TLS implementation.
1990
f1e05cc7 1991PP/07 New expansion variable $tls_bits; Cyrus SASL server connection
20aa9dbd
PP
1992 properties get this fed in as external SSF. A number of robustness
1993 and debugging improvements to the cyrus_sasl authenticator.
b322aac8 1994
4c287009
PP
1995PP/08 cyrus_sasl server now expands the server_realm option.
1996
b98bb9ac
PP
1997PP/09 Bugzilla 1214 - Log authentication information in reject log.
1998 Patch by Jeremy Harris.
1999
4a6a987a
PP
2000PP/10 Added dbmjz lookup type.
2001
c45dd180 2002PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid.
c7955b11 2003
7db8d074
PP
2004PP/12 MAIL args handles TAB as well as SP, for better interop with
2005 non-compliant senders.
2006 Analysis and variant patch by Todd Lyons.
2007
eae0036b 2008NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
cfab9d68 2009 Bug report from Lars Müller <lars@samba.org> (via SUSE),
e0df1c83
DM
2010 Patch from Dirk Mueller <dmueller@suse.com>
2011
dec5017e
PP
2012PP/13 tls_peerdn now print-escaped for spool files.
2013 Observed some $tls_peerdn in wild which contained \n, which resulted
2014 in spool file corruption.
2015
c80c5570
PP
2016PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
2017 values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
2018 or write after TLS renegotiation, which otherwise led to messages
2019 "Got SSL error 2".
2020
076b11e2
PP
2021TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted
2022 as a tracking header (ie: a signed header comes before the signature).
2023 Patch from Wolfgang Breyha.
2024
5407bfff
JH
2025JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
2026 comma-sep list; embedded commas doubled.
2027
9e45c72b
PP
2028JH/02 Refactored ACL "verify =" logic to table-driven dispatch.
2029
e74376d8
PP
2030PP/15 LDAP: Check for errors of TLS initialisation, to give correct
2031 diagnostics.
2032 Report and patch from Dmitry Banschikov.
2033
4c04137d 2034PP/16 Removed "dont_insert_empty_fragments" from "openssl_options".
da3ad30d
PP
2035 Removed SSL_clear() after SSL_new() which led to protocol negotiation
2036 failures. We appear to now support TLS1.1+ with Exim.
2037
7be682ca
PP
2038PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
2039 lets Exim select keys and certificates based upon TLS SNI from client.
3f0945ff
PP
2040 Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly
2041 before an outbound SMTP session. New log_selector, +tls_sni.
7be682ca 2042
ef840681
PP
2043PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid
2044 NULL dereference. Report and patch from Alun Jones.
2045
5bfb4cdf
PP
2046PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage
2047 on less well tested platforms). Obviates NetBSD pkgsrc patch-ac.
2048 Not seeing resolver debug output on NetBSD, but suspect this is a
2049 resolver implementation change.
2050
c6e95d22
PP
2051PP/20 Revert part of NM/04, it broke log_path containing %D expansions.
2052 Left warnings. Added "eximon gdb" invocation mode.
2053
9cbad13b
PP
2054PP/21 Defaulting "accept_8bitmime" to true, not false.
2055
9ee44efb
PP
2056PP/22 Added -bw for inetd wait mode support.
2057
6a6084f8
PP
2058PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
2059 locate the relevant includes and libraries. Made this the default.
2060
12dd53c7
PP
2061PP/24 Fixed headers_only on smtp transports (was not sending trailing dot).
2062 Bugzilla 1246, report and most of solution from Tomasz Kusy.
2063
9e45c72b 2064JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
97d17305
JH
2065 This may cause build issues on older platforms.
2066
17c76198
PP
2067PP/25 Revamped GnuTLS support, passing tls_require_ciphers to
2068 gnutls_priority_init, ignoring Exim options gnutls_require_kx,
2069 gnutls_require_mac & gnutls_require_protocols (no longer supported).
2070 Added SNI support via GnuTLS too.
af3498d6 2071 Made ${randint:..} supplier available, if using not-too-old GnuTLS.
17c76198 2072
53947857 2073PP/26 Added EXPERIMENTAL_OCSP for OpenSSL.
3f7eeb86 2074
eae0036b 2075PP/27 Applied dnsdb SPF support patch from Janne Snabb.
8ee4b30e
PP
2076 Applied second patch from Janne, implementing suggestion to default
2077 multiple-strings-in-record handling to match SPF spec.
eae0036b 2078
9e45c72b 2079JH/04 Added expansion variable $tod_epoch_l for a higher-precision time.
2605c55b 2080
7390e768
PP
2081PP/28 Fix DCC dcc_header content corruption (stack memory referenced,
2082 read-only, out of scope).
2083 Patch from Wolfgang Breyha, report from Stuart Northfield.
2084
08488c86
PP
2085PP/29 Fix three issues highlighted by clang analyser static analysis.
2086 Only crash-plausible issue would require the Cambridge-specific
2087 iplookup router and a misconfiguration.
2088 Report from Marcin Mirosław.
2089
6475bd82
PP
2090PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
2091
81f91683
PP
2092PP/31 %D in printf continues to cause issues (-Wformat=security), so for
2093 now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
2094 As part of this, removing so much warning spew let me fix some minor
2095 real issues in debug logging.
2096
5779e6aa
PP
2097PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing
2098 assignment on my part. Fixed.
2099
3375e053
PP
2100PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit
2101 of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by
2102 Janne Snabb (who went above and beyond: thank you).
2103
2104PP/34 Validate tls_require_ciphers on startup, since debugging an invalid
2105 string otherwise requires a connection and a bunch more work and it's
78e0c7a3
PP
2106 relatively easy to get wrong. Should also expose TLS library linkage
2107 problems.
3375e053 2108
9d26b8c0
PP
2109PP/35 Pull in <features.h> on Linux, for some portability edge-cases of
2110 64-bit ${eval} (JH/03).
2111
57eb9e91 2112PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of
b87a6e0e
PP
2113 GNU libc to support some of the 64-bit stuff, should not lead to
2114 conflicts. Defined before os.h is pulled in, so if a given platform
2115 needs to override this, it can.
2116
16880d1a
PP
2117PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought
2118 protection layer was required, which is not implemented.
2119 Bugzilla 1254, patch from Wolfgang Breyha.
2120
a799883d
PP
2121PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built
2122 into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make
2123 tls_dhparam take prime identifiers. Also unbreak combination of
2124 OpenSSL+DH_params+TLSSNI.
2125
3ecab157 2126PP/39 Disable SSLv2 by default in OpenSSL support.
f0f5a555 2127
0599f9cf 2128
867fcbf5
PP
2129Exim version 4.77
2130-----------------
2131
2132PP/01 Solaris build fix for Oracle's LDAP libraries.
2133 Bugzilla 1109, patch from Stephen Usher.
2134
f1a29782
TF
2135TF/01 HP/UX build fix: avoid arithmetic on a void pointer.
2136
ab42bd23
TK
2137TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o
2138 whitespace trailer
867fcbf5 2139
0ca0cf52
TF
2140TF/02 Fix a couple more cases where we did not log the error message
2141 when unlink() failed. See also change 4.74-TF/03.
2142
921b12ca
TF
2143TF/03 Make the exiwhat support code safe for signals. Previously Exim might
2144 lock up or crash if it happened to be inside a call to libc when it
2145 got a SIGUSR1 from exiwhat.
2146
2147 The SIGUSR1 handler appends the current process status to the process
2148 log which is later printed by exiwhat. It used to use the general
2149 purpose logging code to do this, but several functions it calls are
2150 not safe for signals.
2151
2152 The new output code in the SIGUSR1 handler is specific to the process
2153 log, and simple enough that it's easy to inspect for signal safety.
2154 Removing some special cases also simplifies the general logging code.
2155 Removing the spurious timestamps from the process log simplifies
2156 exiwhat.
2157
c99ce5c9
TF
2158TF/04 Improved ratelimit ACL condition.
2159
2160 The /noupdate option has been deprecated in favour of /readonly which
2161 has clearer semantics. The /leaky, /strict, and /readonly update modes
2162 are mutually exclusive. The update mode is no longer included in the
2163 database key; it just determines when the database is updated. (This
4c04137d 2164 means that when you upgrade Exim will forget old rate measurements.)
c99ce5c9
TF
2165
2166 Exim now checks that the per_* options are used with an update mode that
2167 makes sense for the current ACL. For example, when Exim is processing a
2168 message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify
2169 per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you
2170 must specify per_mail/readonly. If you omit the update mode it defaults to
2171 /leaky where that makes sense (as before) or /readonly where required.
2172
2173 The /noupdate option is now undocumented but still supported for
2174 backwards compatibility. It is equivalent to /readonly except that in
2175 ACLs where /readonly is required you may specify /leaky/noupdate or
2176 /strict/noupdate which are treated the same as /readonly.
2177
2178 A useful new feature is the /count= option. This is a generalization
2179 of the per_byte option, so that you can measure the throughput of other
2180 aggregate values. For example, the per_byte option is now equivalent
2181 to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }.
2182
2183 The per_rcpt option has been generalized using the /count= mechanism
2184 (though it's more complicated than the per_byte equivalence). When it is
2185 used in acl_smtp_rcpt, the per_rcpt option adds recipients to the
2186 measured rate one at a time; if it is used later (e.g. in acl_smtp_data)
2187 or in a non-SMTP ACL it adds all the recipients in one go. (The latter
2188 /count=$recipients_count behaviour used to work only in non-SMTP ACLs.)
2189 Note that using per_rcpt with a non-readonly update mode in more than
2190 one ACL will cause the recipients to be double-counted. (The per_mail
2191 and per_byte options don't have this problem.)
2192
2193 The handling of very low rates has changed slightly. If the computed rate
2194 is less than the event's count (usually one) then this event is the first
2195 after a long gap. In this case the rate is set to the same as this event's
2196 count, so that the first message of a spam run is counted properly.
2197
2198 The major new feature is a mechanism for counting the rate of unique
2199 events. The new per_addr option counts the number of different
2200 recipients that someone has sent messages to in the last time period. It
2201 behaves like per_rcpt if all the recipient addresses are different, but
2202 duplicate recipient addresses do not increase the measured rate. Like
2203 the /count= option this is a general mechanism, so the per_addr option
2204 is equivalent to per_rcpt/unique=$local_part@$domain. You can, for
2205 example, measure the rate that a client uses different sender addresses
2206 with the options per_mail/unique=$sender_address. There are further
2207 details in the main documentation.
2208
3634fc25
TF
2209TF/05 Removed obsolete $Cambridge$ CVS revision strings.
2210
792e8a19
TF
2211TF/06 Removed a few PCRE remnants.
2212
5901f0ab
TF
2213TF/07 Automatically extract Exim's version number from tags in the git
2214 repository when doing development or release builds.
2215
7f2a2a43
PP
2216PP/02 Raise smtp_cmd_buffer_size to 16kB.
2217 Bugzilla 879. Patch from Paul Fisher.
e2ca7082 2218
061b7ebd
PP
2219PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
2220 Heavily based on revision 40f9a89a from Simon Arlott's tree.
2221 Bugzilla 97.
2222
e12f8c32
PP
2223PP/04 Use .dylib instead of .so for dynamic library loading on MacOS.
2224
9e949f00 2225PP/05 Variable $av_failed, true if the AV scanner deferred.
7f2a2a43
PP
2226 Bugzilla 1078. Patch from John Horne.
2227
2228PP/06 Stop make process more reliably on build failure.
2229 Bugzilla 1087. Patch from Heiko Schlittermann.
9e949f00 2230
555ae6af 2231PP/07 Make maildir_use_size_file an _expandable_ boolean.
ac53fcda
PP
2232 Bugzilla 1089. Patch from Heiko Schlittermann.
2233
2234PP/08 Handle ${run} returning more data than OS pipe buffer size.
2235 Bugzilla 1131. Patch from Holger Weiß.
555ae6af 2236
6f7fe114
PP
2237PP/09 Handle IPv6 addresses with SPF.
2238 Bugzilla 860. Patch from Wolfgang Breyha.
2239
c566dd90
PP
2240PP/10 GnuTLS: support TLS 1.2 & 1.1.
2241 Bugzilla 1156.
89f897c3
PP
2242 Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
2243 Bugzilla 1095.
c566dd90 2244
d6cc7c78 2245PP/11 match_* no longer expand right-hand-side by default.
39257585
PP
2246 New compile-time build option, EXPAND_LISTMATCH_RHS.
2247 New expansion conditions, "inlist", "inlisti".
2248
0d0e4455
PP
2249PP/12 fix uninitialised greeting string from PP/03 (smtps client support).
2250
3399bb60 2251PP/13 shell and compiler warnings fixes for RC1-RC4 changes.
d690cbdc
PP
2252
2253PP/14 fix log_write() format string regression from TF/03.
2254 Bugzilla 1152. Patch from Dmitry Isaikin.
2255
0ca0cf52 2256
10906672
PP
2257Exim version 4.76
2258-----------------
2259
2260PP/01 The new ldap_require_cert option would segfault if used. Fixed.
2261
754a0503
PP
2262PP/02 Harmonised TLS library version reporting; only show if debugging.
2263 Layout now matches that introduced for other libraries in 4.74 PP/03.
2264
c0c7b2da
PP
2265PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
2266
e97d1f08
PP
2267PP/04 New "dns_use_edns0" global option.
2268
084c1d8c
PP
2269PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
2270 Bugzilla 1098.
2271
4e7ee012
PP
2272PP/06 Extra paranoia around buffer usage at the STARTTLS transition.
2273 nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
da80c2a8 2274
c8d52a00
PP
2275TK/01 Updated PolarSSL code to 0.14.2.
2276 Bugzilla 1097. Patch from Andreas Metzler.
2277
54e7ce4a
PP
2278PP/07 Catch divide-by-zero in ${eval:...}.
2279 Fixes bugzilla 1102.
2280
5ee6f336
PP
2281PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed.
2282 Bugzilla 1104.
2283
c8d52a00 2284TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a
6ea4a851
PP
2285 format-string attack -- SECURITY: remote arbitrary code execution.
2286
2287TK/03 SECURITY - DKIM signature header parsing was double-expanded, second
2288 time unintentionally subject to list matching rules, letting the header
2289 cause arbitrary Exim lookups (of items which can occur in lists, *not*
2290 arbitrary string expansion). This allowed for information disclosure.
2291
2292PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
2293 INT_MIN/-1 -- value coerced to INT_MAX.
c8d52a00 2294
10906672 2295
aa097c4c
NM
2296Exim version 4.75
2297-----------------
2298
4c04137d 2299NM/01 Workaround for PCRE version dependency in version reporting
aa097c4c
NM
2300 Bugzilla 1073
2301
7f3d9eff
TF
2302TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0.
2303 This fixes portability to compilers other than gcc, notably
2304 Solaris CC and HP-UX CC. Fixes Bugzilla 1050.
2305
159f52d2
TF
2306TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup
2307 makefiles for portability to HP-UX and POSIX correctness.
2308
0cc9542a
PP
2309PP/01 Permit LOOKUP_foo enabling on the make command-line.
2310 Also via indented variable definition in the Makefile.
2311 (Debugging by Oliver Heesakkers).
2312
f7274286
PP
2313PP/02 Restore caching of spamd results with expanded spamd_address.
2314 Patch from author of expandable spamd_address patch, Wolfgang Breyha.
2315
7b797365
PP
2316PP/03 Build issue: lookups-Makefile now exports LC_ALL=C
2317 Improves build reliability. Fix from: Frank Elsner
2318
caacae52
NM
2319NM/02 Fix wide character breakage in the rfc2047 coding
2320 Fixes bug 1064. Patch from Andrey N. Oktyabrski
2321
09dcaba9
NM
2322NM/03 Allow underscore in dnslist lookups
2323 Fixes bug 1026. Patch from Graeme Fowler
2324
bc19a55b
PP
2325PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps).
2326 Code patches from Adam Ciarcinski of NetBSD.
caacae52 2327
bd4c9759
NM
2328NM/04 Fixed exiqgrep to cope with mailq missing size issue
2329 Fixes bug 943.
2330
b72aab72
PP
2331PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which
2332 is logged, to avoid truncation. Patch from John Horne.
2333
2fe76745
PP
2334PP/06 Bugzilla 1042: implement freeze_signal on pipe transports.
2335 Patch from Jakob Hirsch.
2336
76aa570c
PP
2337PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal
2338 SQL string expansion failure details.
2339 Patch from Andrey Oktyabrski.
2340
f1e5fef5
PP
2341PP/08 Bugzilla 486: implement %M datestamping in log filenames.
2342 Patch from Simon Arlott.
2343
4d805ee9
PP
2344PP/09 New lookups functionality failed to compile on old gcc which rejects
2345 extern declarations in function scope.
2346 Patch from Oliver Fleischmann
2347
cd59ab18
PP
2348PP/10 Use sig_atomic_t for flags set from signal handlers.
2349 Check getgroups() return and improve debugging.
2350 Fixed developed for diagnosis in bug 927 (which turned out to be
2351 a kernel bug).
2352
332f5cf3
PP
2353PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag.
2354 Patch from Mark Zealey.
2355
29cfeb94
PP
2356PP/12 Bugzilla 1056: Improved spamd server selection.
2357 Patch from Mark Zealey.
2358
660242ad
PP
2359PP/13 Bugzilla 1086: Deal with maildir quota file races.
2360 Based on patch from Heiko Schlittermann.
2361
bc4bc4c5
PP
2362PP/14 Bugzilla 1019: DKIM multiple signature generation fix.
2363 Patch from Uwe Doering, sign-off by Michael Haardt.
2364
2e64baa9
NM
2365NM/05 Fix to spam.c to accommodate older gcc versions which dislike
2366 variable declaration deep within a block. Bug and patch from
2367 Dennis Davis.
2368
4c04137d 2369PP/15 lookups-Makefile IRIX compatibility coercion.
bddd7526 2370
6bac1a9a
PP
2371PP/16 Make DISABLE_DKIM build knob functional.
2372
552193f0
NM
2373NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler
2374 Patch by Simon Arlott
baeee2c1 2375
1b587e48
TF
2376TF/03 Fix valgrind.h portability to C89 compilers that do not support
2377 variable argument macros. Our copy now differs from upstream.
2378
aa097c4c 2379
8c07b69f
TF
2380Exim version 4.74
2381-----------------
2382
2383TF/01 Failure to get a lock on a hints database can have serious
2384 consequences so log it to the panic log.
2385
c0ea85ab
TF
2386TF/02 Log LMTP confirmation messages in the same way as SMTP,
2387 controlled using the smtp_confirmation log selector.
2388
0761d44e
TF
2389TF/03 Include the error message when we fail to unlink a spool file.
2390
0a349494
PP
2391DW/01 Bugzilla 139: Support dynamically loaded lookups as modules.
2392 With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux
2393 for maintaining out-of-tree patches for some time.
2394
2395PP/01 Bugzilla 139: Documentation and portability issues.
2396 Avoid GNU Makefile-isms, let Exim continue to build on BSD.
2397 Handle per-OS dynamic-module compilation flags.
2398
fea24b2e
PP
2399PP/02 Let /dev/null have normal permissions.
2400 The 4.73 fixes were a little too stringent and complained about the
2401 permissions on /dev/null. Exempt it from some checks.
2402 Reported by Andreas M. Kirchwitz.
2403
6545de78
PP
2404PP/03 Report version information for many libraries, including
2405 Exim version information for dynamically loaded libraries. Created
2406 version.h, now support a version extension string for distributors
2407 who patch heavily. Dynamic module ABI change.
2408
1670ef10
PP
2409PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
2410 privilege escalation vulnerability whereby the Exim run-time user
2411 can cause root to append content of the attacker's choosing to
2412 arbitrary files.
2413
c0886197
PP
2414PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code.
2415 (Wolfgang Breyha)
2416
b7487bce
PP
2417PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
2418 If dropping privileges for untrusted macros, we disabled normal logging
2419 on the basis that it would fail; for the Exim run-time user, this is not
2420 the case, and it resulted in successful deliveries going unlogged.
2421 Fixed. Reported by Andreas Metzler.
2422
8c07b69f 2423
97fd1e48 2424Exim version 4.73
ed7f7860 2425-----------------
97fd1e48
PP
2426
2427PP/01 Date: & Message-Id: revert to normally being appended to a message,
2428 only prepend for the Resent-* case. Fixes regression introduced in
2429 Exim 4.70 by NM/22 for Bugzilla 607.
2430
6901c596
PP
2431PP/02 Include check_rfc2047_length in configure.default because we're seeing
2432 increasing numbers of administrators be bitten by this.
2433
a8c8d6b5
JJ
2434JJ/01 Added DISABLE_DKIM and comment to src/EDITME
2435
77bb000f
PP
2436PP/03 Bugzilla 994: added openssl_options main configuration option.
2437
a29e5231
PP
2438PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads.
2439
ec5a0394 2440PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports.
a29e5231 2441
55c75993
PP
2442PP/06 Adjust NTLM authentication to handle SASL Initial Response.
2443
453a6645 2444PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but
ec5a0394
PP
2445 without a peer certificate, leading to a segfault because of an
2446 assumption that peers always have certificates. Be a little more
453a6645
PP
2447 paranoid. Problem reported by Martin Tscholak.
2448
8544e77a
PP
2449PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
2450 filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
2451 NB: ClamAV planning to remove STREAM in "middle of 2010".
3346ab01
PP
2452 CL also introduces -bmalware, various -d+acl logging additions and
2453 more caution in buffer sizes.
8544e77a 2454
83e029d5
PP
2455PP/09 Implemented reverse_ip expansion operator.
2456
ed7f7860
PP
2457PP/10 Bugzilla 937: provide a "debug" ACL control.
2458
7d9f747b
PP
2459PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne.
2460
4b2241d2
PP
2461PP/12 Bugzilla 973: Implement --version.
2462
10385c15
PP
2463PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0.
2464
dbc4b90d
PP
2465PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
2466
532be449
PP
2467PP/15 Bugzilla 816: support multiple condition rules on Routers.
2468
6a8de854 2469PP/16 Add bool_lax{} expansion operator and use that for combining multiple
71265ae9
PP
2470 condition rules, instead of bool{}. Make both bool{} and bool_lax{}
2471 ignore trailing whitespace.
6a8de854 2472
5dc43717
JJ
2473JJ/02 prevent non-panic DKIM error from being sent to paniclog
2474
2475JJ/03 added tcp_wrappers_daemon_name to allow host entries other than
2476 "exim" to be used
55c75993 2477
3346ab01
PP
2478PP/17 Fix malware regression for cmdline scanner introduced in PP/08.
2479 Notification from Dr Andrew Aitchison.
2480
491fab4c
PP
2481PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's
2482 ExtendedDetectionInfo response format.
2483 Notification from John Horne.
2484
13eb9497
PP
2485PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards
2486 compatible.
2487
2488PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http:
2489 XSL and documented dependency on system catalogs, with examples of how
2490 it normally works.
2491
7f36d675
DW
2492DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store
2493 access.
2494
c1d94452
DW
2495DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour
2496 of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a
2497 configuration file which is writeable by the Exim user or group.
2498
e2f5dc15
DW
2499DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
2500 of configuration files to cover files specified with the -C option if
2501 they are going to be used with root privileges, not just the default
2502 configuration file.
2503
cd25e41d
DW
2504DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY
2505 option (effectively making it always true).
2506
261dc43e
DW
2507DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
2508 files to be used while preserving root privileges.
2509
fa32850b
DW
2510DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
2511 that rogue child processes cannot use them.
2512
79d4bc3d
PP
2513PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim
2514 run-time user, instead of root.
2515
43236f35 2516PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the
2cfd3221
PP
2517 Exim run-time user without dropping privileges.
2518
fb08281f
DW
2519DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the
2520 result string, instead of calling string_vformat() twice with the same
2521 arguments.
3346ab01 2522
74935b98
DW
2523DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not
2524 for other users. Others should always drop root privileges if they use
2525 -C on the command line, even for a whitelisted configure file.
2526
90b6341f
DW
2527DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes.
2528
57730b52
ML
2529NM/01 Fixed bug #1002 - Message loss when using multiple deliveries
2530
66581d1e 2531
465e92cf
JJ
2532Exim version 4.72
2533-----------------
2534
453a6645
PP
2535JJ/01 installed exipick 20100104.1, adding $max_received_linelength,
2536 $data_path, and $header_path variables; fixed documentation bugs and
2537 typos
465e92cf 2538
453a6645
PP
2539JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow
2540 exipick to access non-standard spools, including the "frozen" queue
2541 (Finput)
edae0343 2542
9bd3e22c
NM
2543NM/01 Bugzilla 965: Support mysql stored procedures.
2544 Patch from Alain Williams
2545
bb576ff7
NM
2546NM/02 Bugzilla 961: Spacing fix (syntax error) on Makefile directives for NetBSD
2547
5a1a5845
NM
2548NM/03 Bugzilla 955: Documentation fix for max_rcpts.
2549 Patch from Andreas Metzler
2550
981a9fad
NM
2551NM/04 Bugzilla 954: Fix for unknown responses from Dovecot authenticator.
2552 Patch from Kirill Miazine
2553
7fc497ee
NM
2554NM/05 Bugzilla 671: Added umask to procmail example.
2555
1a41defa
JJ
2556JJ/03 installed exipick 20100323.0, fixing doc bug
2557
a466095c 2558NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail
b26eacf1 2559 directory. Notification and patch from Dan Rosenberg.
a466095c 2560
94a6bd0b
NM
2561TK/01 PDKIM: Upgrade PolarSSL files to upstream version 0.12.1.
2562
2563TK/02 Improve log output when DKIM signing operation fails.
2564
2565MH/01 Treat the transport option dkim_domain as a colon separated
2566 list, not as a single string, and sign the message with each element,
2567 omitting multiple occurences of the same signer.
2568
c1b141a8
NM
2569NM/07 Null terminate DKIM strings, Null initialise DKIM variable
2570 Bugzilla 985, 986. Patch by Simon Arlott
94a6bd0b 2571
b26eacf1 2572NM/08 Bugzilla 967. dnsdb DNS TXT record bug fix (DKIM-related)
0d0c6357
NM
2573 Patch by Simon Arlott
2574
179c5980 2575PP/01 Bugzilla 989: CVE-2010-2024 - work round race condition on
b26eacf1 2576 MBX locking. Notification from Dan Rosenberg.
179c5980 2577
9bd3e22c 2578
7c6d71af
NM
2579Exim version 4.71
2580-----------------
2581
7d9f747b 2582TK/01 Bugzilla 912: Fix DKIM segfault on empty headers/body.
7c6d71af 2583
f013fb92
NM
2584NM/01 Bugzilla 913: Documentation fix for gnutls_* options.
2585
0eb8eedd
NM
2586NM/02 Bugzilla 722: Documentation for randint. Better randomness defaults.
2587
663ee6d9
NM
2588NM/03 Bugzilla 847: Enable DNSDB lookup by default.
2589
177ebd9b
NM
2590NM/04 Bugzilla 915: Flag broken perl installation during build.
2591
7c6d71af 2592
210f147e
NM
2593Exim version 4.70
2594-----------------
2595
cdd3bb85 2596TK/01 Added patch by Johannes Berg that expands the main option
e739e3d9 2597 "spamd_address" if it starts with a dollar sign.
cdd3bb85
TK
2598
2599TK/02 Write list of recipients to X-Envelope-Sender header when building
2600 the mbox-format spool file for content scanning (suggested by Jakob
7d9f747b 2601 Hirsch).
cdd3bb85
TK
2602
2603TK/03 Added patch by Wolfgang Breyha that adds experimental DCC
2604 (http://www.dcc-servers.net/) support via dccifd. Activated by
e739e3d9 2605 setting EXPERIMENTAL_DCC=yes in Local/Makefile.
cdd3bb85
TK
2606
2607TK/04 Bugzilla 673: Add f-protd malware scanner support. Patch submitted
2608 by Mark Daniel Reidel <mr@df.eu>.
2609
210f147e
NM
2610NM/01 Bugzilla 657: Embedded PCRE removed from the exim source tree.
2611 When building exim an external PCRE library is now needed -
2612 PCRE is a system library on the majority of modern systems.
2613 See entry on PCRE_LIBS in EDITME file.
2614
deafd5b3
NM
2615NM/02 Bugzilla 646: Removed unwanted C/R in Dovecot authenticator
2616 conversation. Added nologin parameter to request.
7d9f747b 2617 Patch contributed by Kirill Miazine.
deafd5b3 2618
089793a4
TF
2619TF/01 Do not log submission mode rewrites if they do not change the address.
2620
5f16ca82
TF
2621TF/02 Bugzilla 662: Fix stack corruption before exec() in daemon.c.
2622
dae9d94e 2623NM/03 Bugzilla 602: exicyclog now handles panic log, and creates empty
7d9f747b 2624 log files in place. Contributed by Roberto Lima.
dae9d94e 2625
7d9f747b 2626NM/04 Bugzilla 667: Close socket used by dovecot authenticator.
3f0da4d0 2627
06864c44
TF
2628TF/03 Bugzilla 615: When checking the local_parts router precondition
2629 after a local_part_suffix or local_part_prefix option, Exim now
2630 does not use the address's named list lookup cache, since this
2631 contains cached lookups for the whole local part.
2632
65a7d8c3 2633NM/05 Bugzilla 521: Integrated SPF Best Guess support contributed by
7d9f747b 2634 Robert Millan. Documentation is in experimental-spec.txt.
65a7d8c3 2635
23510047 2636TF/04 Bugzilla 668: Fix parallel build (make -j).
65a7d8c3 2637
7d9f747b 2638NM/05.2 Bugzilla 437: Prevent Maildir aux files being created with mode 000.
5f28a6e8 2639
7d8eec3a 2640NM/05.3 Bugzilla 598: Improvement to Dovecot authenticator handling.
7d9f747b 2641 Patch provided by Jan Srzednicki.
6c588e74 2642
89dec7b6
TF
2643TF/05 Leading white space used to be stripped from $spam_report which
2644 wrecked the formatting. Now it is preserved.
5f28a6e8 2645
a99de90c
TF
2646TF/06 Save $spam_score, $spam_bar, and $spam_report in spool files, so
2647 that they are available at delivery time.
2648
e2803e40
TF
2649TF/07 Fix the way ${extract is skipped in the untaken branch of a conditional.
2650
7199e1ee
TF
2651TF/08 TLS error reporting now respects the incoming_interface and
2652 incoming_port log selectors.
2653
e276e04b
TF
2654TF/09 Produce a more useful error message if an SMTP transport's hosts
2655 setting expands to an empty string.
2656
ce552449 2657NM/06 Bugzilla 744: EXPN did not work under TLS.
7d9f747b 2658 Patch provided by Phil Pennock.
ce552449 2659
e765a0f1 2660NM/07 Bugzilla 769: Extraneous comma in usage fprintf
7d9f747b 2661 Patch provided by Richard Godbee.
e765a0f1 2662
4f054c63 2663NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be
447de4b0 2664 acl_smtp_notquit, added index entry.
4f054c63 2665
7d9f747b
PP
2666NM/09 Bugzilla 787: Potential buffer overflow in string_format.
2667 Patch provided by Eugene Bujak.
24c929a2 2668
7d9f747b
PP
2669NM/10 Bugzilla 770: Problem on some platforms modifying the len parameter to
2670 accept(). Patch provided by Maxim Dounin.
cf73943b 2671
b52bc06e 2672NM/11 Bugzilla 749: Preserve old behaviour of blanks comparing equal to zero.
7d9f747b 2673 Patch provided by Phil Pennock.
b52bc06e 2674
447de4b0
NM
2675NM/12 Bugzilla 497: Correct behaviour of exiwhat when no config exists.
2676
4c69d561 2677NM/13 Bugzilla 590: Correct handling of Resent-Date headers.
7d9f747b 2678 Patch provided by Brad "anomie" Jorsch.
4c69d561 2679
d5c39246 2680NM/14 Bugzilla 622: Added timeout setting to transport filter.
7d9f747b 2681 Patch provided by Dean Brooks.
9b989985 2682
0b23848a
TK
2683TK/05 Add native DKIM support (does not depend on external libraries).
2684
8f3414a1 2685NM/15 Bugzilla 854: Removed code that symlinks to pcre as its no longer useful.
7d9f747b 2686 Patch provided by Graeme Fowler.
e2aacdfd 2687
fb6f955d
NM
2688NM/16 Bugzilla 851: Documentation example syntax fix.
2689
2690NM/17 Changed NOTICE file to remove references to embedded PCRE.
8f3414a1 2691
7d9f747b
PP
2692NM/18 Bugzilla 894: Fix issue with very long lines including comments in
2693 lsearch.
dbb0bf41 2694
7d9f747b
PP
2695NM/19 Bugzilla 745: TLS version reporting.
2696 Patch provided by Phil Pennock.
f3766eb5 2697
7d9f747b
PP
2698NM/20 Bugzilla 167: bool: condition support.
2699 Patch provided by Phil Pennock.
36f12725 2700
7d9f747b
PP
2701NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken
2702 clients. Patch provided by Phil Pennock.
e6060e2c 2703
7d9f747b
PP
2704NM/22 Bugzilla 607: prepend (not append) Resent-Message-ID and Resent-Date.
2705 Patch provided by Brad "anomie" Jorsch.
5eb690a1 2706
7d9f747b
PP
2707NM/23 Bugzilla 687: Fix misparses in eximstats.
2708 Patch provided by Heiko Schlittermann.
d5c13d66 2709
7d9f747b
PP
2710NM/24 Bugzilla 688: Fix exiwhat to handle log_selector = +pid.
2711 Patch provided by Heiko Schlittermann.
b2335c0b 2712
7d9f747b 2713NM/25 Bugzilla 727: Use transport mode as default mode for maildirsize file.
1da77999 2714 plus update to original patch.
f4cd9433 2715
7d9f747b 2716NM/26 Bugzilla 799: Documentation correction for ratelimit.
dc988b7e 2717
7d9f747b
PP
2718NM/27 Bugzilla 802: Improvements to local interface IP addr detection.
2719 Patch provided by David Brownlee.
8dc71ab3 2720
7d9f747b 2721NM/28 Bugzilla 807: Improvements to LMTP delivery logging.
400eda43 2722
7d9f747b 2723NM/29 Bugzilla 862, 866, 875: Documentation bugfixes.
ec5a421b 2724
7d9f747b 2725NM/30 Bugzilla 888: TLS documentation bugfixes.
07af267e 2726
7d9f747b 2727NM/31 Bugzilla 896: Dovecot buffer overrun fix.
51473862 2728
17792b53 2729NM/32 Bugzilla 889: Change all instances of "expr" in shell scripts to "expr --"
7d9f747b 2730 Unlike the original bugzilla I have changed all shell scripts in src tree.
17792b53 2731
7d9f747b
PP
2732NM/33 Bugzilla 898: Transport filter timeout fix.
2733 Patch by Todd Rinaldo.
52383f8f 2734
91576cec 2735NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches.
7d9f747b 2736 Patch by Serge Demonchaux.
5ca6d115 2737
7d9f747b
PP
2738NM/35 Bugzilla 39: Base64 decode bug fixes.
2739 Patch by Jakob Hirsch.
baee9eee 2740
7d9f747b 2741NM/36 Bugzilla 909: Correct connect() call in dcc code.
e93a964c 2742
7d9f747b 2743NM/37 Bugzilla 910: Correct issue with relaxed/simple handling.
9bf3d68f 2744
7d9f747b 2745NM/38 Bugzilla 908: Removed NetBSD3 support as no longer needed.
96535b98 2746
7d9f747b 2747NM/39 Bugzilla 911: Fixed MakeLinks build script.
30339e0f 2748
deafd5b3 2749
47db1125
NM
2750Exim version 4.69
2751-----------------
2752
4b3504d0
TK
2753TK/01 Add preliminary DKIM support. Currently requires a forked version of
2754 ALT-N's libdkim that I have put here:
2755 http://duncanthrax.net/exim-experimental/
2756
2757 Note to Michael Haardt: I had to rename some vars in sieve.c. They
2758 were called 'true' and it seems that C99 defines that as a reserved
2759 keyword to be used with 'bool' variable types. That means you could
2760 not include C99-style headers which use bools without triggering
2761 build errors in sieve.c.
2762
81ea09ca
NM
2763NM/01 Bugzilla 592: --help option is handled incorrectly if exim is invoked
2764 as mailq or other aliases. Changed the --help handling significantly
2765 to do whats expected. exim_usage() emits usage/help information.
2766
f13cddcb
SC
2767SC/01 Added the -bylocaldomain option to eximstats.
2768
7d9f747b 2769NM/02 Bugzilla 619: Defended against bad data coming back from gethostbyaddr.
8ad076b2 2770
7d9f747b 2771NM/03 Bugzilla 613: Documentation fix for acl_not_smtp.
a843aaa6 2772
7d9f747b 2773NM/04 Bugzilla 628: PCRE update to 7.4 (work done by John Hall).
47db1125
NM
2774
2775
eb4c0de6
PH
2776Exim version 4.68
2777-----------------
2778
2779PH/01 Another patch from the Sieve maintainer.
2780
6a3bceb1
PH
2781PH/02 When an IPv6 address is converted to a string for single-key lookup
2782 in an address list (e.g. for an item such as "net24-dbm;/net/works"),
2783 dots are used instead of colons so that keys in lsearch files need not
2784 contain colons. This was done some time before quoting was made available
2785 in lsearch files. However, iplsearch files do require colons in IPv6 keys
2786 (notated using the quote facility) so as to distinguish them from IPv4
2787 keys. This meant that lookups for IP addresses in host lists did not work
2788 for iplsearch lookups.
2789
2790 This has been fixed by arranging for IPv6 addresses to be expressed with
2791 colons if the lookup type is iplsearch. This is not incompatible, because
2792 previously such lookups could never work.
2793
4c04137d 2794 The situation is now rather anomalous, since one *can* have colons in
6a3bceb1
PH
2795 ordinary lsearch keys. However, making the change in all cases is
2796 incompatible and would probably break a number of configurations.
2797
2e30fa9d
TK
2798TK/01 Change PRVS address formatting scheme to reflect latests BATV draft
2799 version.
2800
0806a9c5
MH
2801MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
2802 conversion specification without a maximum field width, thereby enabling
2803 a rogue spamd server to cause a buffer overflow. While nobody in their
2804 right mind would setup Exim to query an untrusted spamd server, an
2805 attacker that gains access to a server running spamd could potentially
2806 exploit this vulnerability to run arbitrary code as the Exim user.
2807
ae276964
TK
2808TK/02 Bugzilla 502: Apply patch to make the SPF-Received: header use
2809 $primary_hostname instead of what libspf2 thinks the hosts name is.
2810
0f2cbd1b
MH
2811MH/02 The dsearch lookup now uses lstat(2) instead of stat(2) to look for
2812 a directory entry by the name of the lookup key. Previously, if a
2813 symlink pointed to a non-existing file or a file in a directory that
2814 Exim lacked permissions to read, a lookup for a key matching that
2815 symlink would fail. Now it is enough that a matching directory entry
2816 exists, symlink or not. (Bugzilla 503.)
2817
2b85bce7
PH
2818PH/03 The body_linecount and body_zerocount variables are now exported in the
2819 local_scan API.
2820
93655c46
PH
2821PH/04 Added the $dnslist_matched variable.
2822
6c512171
PH
2823PH/05 Unset $tls_cipher and $tls_peerdn before making a connection as a client.
2824 This means they are set thereafter only if the connection becomes
2825 encrypted.
2826
2827PH/06 Added the client_condition to authenticators so that some can be skipped
2828 by clients under certain conditions.
2829
aa6dc513
PH
2830PH/07 The error message for a badly-placed control=no_multiline_responses left
2831 "_responses" off the end of the name.
2832
a96603a0
PH
2833PH/08 Added -Mvc to output a copy of a message in RFC 2822 format.
2834
8f240103
PH
2835PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly
2836 (without spaces) instead of just copying the configuration text.
2837
2838PH/10 Added the /noupdate option to the ratelimit ACL condition.
2839
d677b2f2
PH
2840PH/11 Added $max_received_linelength.
2841
d52120f2
PH
2842PH/12 Added +ignore_defer and +include_defer to host lists.
2843
64f2600a
PH
2844PH/13 Installed PCRE version 7.2. This needed some changes because of the new
2845 way in which PCRE > 7.0 is built.
2846
8669f003
PH
2847PH/14 Implemented queue_only_load_latch.
2848
a4dc33a8
PH
2849PH/15 Removed an incorrect (int) cast when reading the value of SIZE in a
2850 MAIL command. The effect was to mangle the value on 64-bit systems.
2851
d6a60c0f
PH
2852PH/16 Another patch from the Sieve maintainer.
2853
8f128379
PH
2854PH/17 Added the NOTQUIT ACL, based on a patch from Ted Cooper.
2855
8932dffe
PH
2856PH/18 If a system quota error occurred while trying to create the file for
2857 a maildir delivery, the message "Mailbox is full" was not appended to the
2858 bounce if the delivery eventually timed out. Change 4.67/27 below applied
2859 only to a quota excession during the actual writing of the file.
d6a60c0f 2860
ddea74fa 2861PH/19 It seems that peer DN values may contain newlines (and other non-printing
48ed62d9
PH
2862 characters?) which causes problems in log lines. The DN values are now
2863 passed through string_printing() before being added to log lines.
2864
ddea74fa 2865PH/20 Added the "servers=" facility to MySQL and PostgreSQL lookups. (Oracle
b7670459
PH
2866 and InterBase are left for another time.)
2867
ddea74fa
PH
2868PH/21 Added message_body_newlines option.
2869
ce9f225c
PH
2870PH/22 Guard against possible overflow in moan_check_errorcopy().
2871
19897d52
PH
2872PH/23 POSIX allows open() to be a macro; guard against that.
2873
bc64a74d
PH
2874PH/24 If the recipient of an error message contained an @ in the local part
2875 (suitably quoted, of course), incorrect values were put in $domain and
2876 $local_part during the evaluation of errors_copy.
2877
eb4c0de6 2878
b4ed4da0
PH
2879Exim version 4.67
2880-----------------
2881
22ad45c9
MH
2882MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address
2883 is unset (happens when testing with -bh and -oMi isn't used). Thanks to
2884 Jan Srzednicki.
2885
b4ed4da0
PH
2886PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not
2887 issue a MAIL command.
2888
431b7361
PH
2889PH/02 In an ACL statement such as
2890
2891 deny dnslists = X!=127.0.0.2 : X=127.0.0.2
2892
2893 if a client was not listed at all, or was listed with a value other than
2894 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list,
2895 the condition was not true (as it should be), so access was not denied.
2896 The bug was that the ! inversion was incorrectly passed on to the second
2897 item. This has been fixed.
2898
2899PH/03 Added additional dnslists conditions == and =& which are different from
2900 = and & when the dns lookup returns more than one IP address.
2901
83da1223
PH
2902PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the
2903 cipher suites used by GnuTLS. These options are ignored by OpenSSL.
2904
54fc8428
PH
2905PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_
2906 FSYNC, which compiles an option called disable_fsync that allows for
2907 bypassing fsync(). The documentation is heavily laced with warnings.
2908
34c5e8dd
SC
2909SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket.
2910
bbe15da8
PH
2911PH/06 Some tidies to the infrastructure of the Test Suite that is concerned
2912 with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT
2913 to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile,
2914 including adding "make clean"; (3) Added -fPIC when compiling the test
2915 dynamically loaded module, to get rid of a warning.
2916
0e8a9471
MH
2917MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce
2918 message fails, move_frozen_messages = true and ignore_bounce_errors_after
2919 = 0s. The bug is otherwise harmless.
2920
f0872424
PH
2921PH/07 There was a bug in the dovecot authenticator such that the value of
2922 $auth1 could be overwritten, and so not correctly preserved, after a
2923 successful authentication. This usually meant that the value preserved by
2924 the server_setid option was incorrect.
2925
b01dd148
PH
2926PH/08 Added $smtp_count_at_connection_start, deliberately with a long name.
2927
6bf342e1
PH
2928PH/09 Installed PCRE release 7.0.
2929
273f34d0
PH
2930PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being
2931 run for batched SMTP input. It is now run at the start of every message
2932 in the batch. While fixing this I discovered that the process information
2933 (output by running exiwhat) was not always getting set for -bs and -bS
2934 input. This is fixed, and it now also says "batched" for BSMTP.
2935
cf8b11a5
PH
2936PH/11 Added control=no_pipelining.
2937
41c7c167
PH
2938PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's
2939 patch, slightly modified), and move the expansion of helo_data till after
2940 the connection is made in the smtp transport (so it can use these
2941 values).
2942
9c57cbc0
PH
2943PH/13 Added ${rfc2047d: to decoded RFC 2047 strings.
2944
f3f065bb
PH
2945PH/14 Added log_selector = +pid.
2946
047bdd8c
PH
2947PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set.
2948
0ce9abe6
PH
2949PH/16 Add ${if forany and ${if forall.
2950
0e22dfd1
PH
2951PH/17 Added dsn_from option to vary the From: line in DSNs.
2952
4c590bd1
PH
2953PH/18 Flush SMTP output before performing a callout, unless control =
2954 no_callout_flush is set.
2955
09945f1e
PH
2956PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender
2957 was true (the default) a successful delivery failed to delete the retry
2958 item, thus causing premature timeout of the address. The bug is now
2959 fixed.
2960
c51b8e75
PH
2961PH/20 Added hosts_avoid_pipelining to the smtp transport.
2962
e28326d8 2963PH/21 Long custom messages for fakedefer and fakereject are now split up
4c04137d 2964 into multiline responses in the same way that messages for "deny" and
e28326d8
PH
2965 other ACL rejections are.
2966
75b1493f
PH
2967PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep,
2968 with slight modification.
2969
7c5214ec
PH
2970PH/23 Applied sieve patches from the maintainer "tracking the latest notify
2971 draft, changing the syntax and factoring some duplicate code".
2972
4311097e
PH
2973PH/24 When the log selector "outgoing_port" was set, the port was shown as -1
2974 for deliveries of the second and subsequent messages over the same SMTP
2975 connection.
2976
29f89cad
PH
2977PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and
2978 ${reduce, with only minor "tidies".
2979
5e687460
SC
2980SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match.
2981
c3611384
PH
2982PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its
2983 expansion side effects.
2984
5a11a7b4
PH
2985PH/27 When a message times out after an over-quota error from an Exim-imposed
2986 quota, the bounce message says "mailbox is full". This message was not
2987 being given when it was a system quota that was exceeded. It now should
2988 be the same.
2989
0e20aff9
MH
2990MH/03 Made $recipients available in local_scan(). local_scan() already has
2991 better access to the recipient list through recipients_list[], but
2992 $recipients can be useful in postmaster-provided expansion strings.
2993
ca86f471
PH
2994PH/28 The $smtp_command and $smtp_command_argument variables were not correct
2995 in the case of a MAIL command with additional options following the
2996 address, for example: MAIL FROM:<foo@bar> SIZE=1234. The option settings
2997 were accidentally chopped off.
2998
a14e5636
PH
2999PH/29 SMTP synchronization checks are implemented when a command is read -
3000 there is a check that no more input is waiting when there shouldn't be
3001 any. However, for some commands, a delay in an ACL can mean that it is
3002 some time before the response is written. In this time, more input might
3003 arrive, invalidly. So now there are extra checks after an ACL has run for
3004 HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when
3005 pipelining has not been advertised.
3006
ec95d1a6
PH
3007PH/30 MH's patch to allow iscntrl() characters to be list separators.
3008
42855d71
PH
3009PH/31 Unlike :fail:, a custom message specified with :defer: was not being
3010 returned in the SMTP response when smtp_return_error_details was false.
3011 This has been fixed.
3012
57c2c631
PH
3013PH/32 Change the Dovecot authenticator to use read() and write() on the socket
3014 instead of the C I/O that was originally supplied, because problems were
3015 reported on Solaris.
3016
58c01c94
PH
3017PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in
3018 Exim which did not show up earlier: it was assuming that a call to
3019 SSL_CTX_set_info_callback() might give an error value. In fact, there is
3020 no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback()
3021 was a macro that became an assignment, so it seemed to work. This has
3022 changed to a proper function call with a void return, hence the compile
3023 error. Exim's code has been fixed.
3024
dee5a20a
PH
3025PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit
3026 cpus.
3027
d2ee6114
PH
3028PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify".
3029
b2d5182b
PH
3030PH/36 Applied John Jetmore's patch to add -v functionality to exigrep.
3031
79749a79
PH
3032PH/37 If a message is not accepted after it has had an id assigned (e.g.
3033 because it turns out to be too big or there is a timeout) there is no
3ce62588
PH
3034 "Completed" line in the log. When some messages of this type were
3035 selected by exigrep, they were listed as "not completed". Others were
3036 picked up by some special patterns. I have improved the selection
3037 criteria to be more general.
79749a79 3038
c456d9bb
PH
3039PH/38 The host_find_failed option in the manualroute router can now be set
3040 to "ignore", to completely ignore a host whose IP address cannot be
3041 found. If all hosts are ignored, the behaviour is controlled by the new
3042 host_all_ignored option.
3043
cd9868ec
PH
3044PH/39 In a list of hosts for manualroute, if one item (either because of multi-
3045 homing or because of multiple MX records with /mx) generated more than
3046 one IP address, and the following item turned out to be the local host,
3047 all the secondary addresses of the first item were incorrectly removed
3048 from the list, along with the local host and any following hosts (which
3049 is what is supposed to happen).
3050
ebeaf996
PH
3051PH/40 When Exim receives a message, it writes the login name, uid, and gid of
3052 whoever called Exim into the -H file. In the case of the daemon it was
3053 behaving confusingly. When first started, it used values for whoever
3054 started the daemon, but after a SIGHUP it used the Exim user (because it
3055 calls itself on a restart). I have changed the code so that it now always
3056 uses the Exim user.
3057
2679d413
PH
3058PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a
3059 message are rejected with the same error (e.g. no authentication or bad
3060 sender address), and a DATA command is nevertheless sent (as can happen
3061 with PIPELINING or a stupid MUA), the error message that was given to the
3062 RCPT commands is included in the rejection of the DATA command. This is
3063 intended to be helpful for MUAs that show only the final error to their
3064 users.
3065
84024b72
PH
3066PH/42 Another patch from the Sieve maintainer.
3067
8005d38e
SC
3068SC/02 Eximstats - Differentiate between permanent and temporary rejects.
3069 Eximstats - Fixed some broken HTML links and added missing column headers
3070 (Jez Hancock).
3071 Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email
3072 columns for Rejects, Temp Rejects, Ham, and Spam rows.
3073
3298c6c6
SC
3074SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables.
3075
a43a27c5
PH
3076PH/43 Yet another patch from the Sieve maintainer.
3077
58eb016e 3078PH/44 I found a way to check for a TCP/IP connection going away before sending
563b63fa
PH
3079 the response to the final '.' that terminates a message, but only in the
3080 case where the client has not sent further data following the '.'
3081 (unfortunately, this is allowed). However, in many cases there won't be
3082 any further data because there won't be any more messages to send. A call
3083 to select() can be used: if it shows that the input is "ready", there is
3084 either input waiting, or the socket has been closed. An attempt to read
3085 the next input character can distinguish the two cases. Previously, Exim
58eb016e 3086 would have sent an OK response which the client would never have see.
563b63fa
PH
3087 This could lead to message repetition. This fix should cure that, at
3088 least in a lot of common cases.
58eb016e 3089
b43a74ea
PH
3090PH/45 Do not advertise STARTTLS in response to HELP unless it would be
3091 advertised in response to EHLO.
3092
b4ed4da0 3093
5dd1517f
PH
3094Exim version 4.66
3095-----------------
3096
3097PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one
3098 fixed by 4.65/MH/01 (is this a record?) are fixed:
3099
3100 (i) An empty string was always treated as zero by the numeric comparison
3101 operators. This behaviour has been restored.
3102
3103 (ii) It is documented that the numeric comparison operators always treat
3104 their arguments as decimal numbers. This was broken in that numbers
3105 starting with 0 were being interpreted as octal.
3106
3107 While fixing these problems I realized that there was another issue that
3108 hadn't been noticed. Values of message_size_limit (both the global option
3109 and the transport option) were treated as octal if they started with 0.
3110 The documentation was vague. These values are now always treated as
3111 decimal, and I will make that clear in the documentation.
3112
3113
93cfa765
TK
3114Exim version 4.65
3115-----------------
3116
3117TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with
3118 Linux large file support (_FILE_OFFSET_BITS=64) on older glibc
3119 versions. (#438)
3120
d6066548
MH
3121MH/01 Don't check that the operands of numeric comparison operators are
3122 integers when their expansion is in "skipping" mode (fixes bug
3123 introduced by 4.64-PH/07).
3124
4362ff0d
PH
3125PH/01 If a system filter or a router generates more than SHRT_MAX (32767)
3126 child addresses, Exim now panics and dies. Previously, because the count
3127 is held in a short int, deliveries were likely to be lost. As such a
3128 large number of recipients for a single message is ridiculous
3129 (performance will be very, very poor), I have chosen to impose a limit
3130 rather than extend the field.
3131
93cfa765 3132
944e9e9c
TF
3133Exim version 4.64
3134-----------------
aa41d2de 3135
21d74bd9
TK
3136TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a
3137 leftover -K file (the existence of which was triggered by #402).
3138 While we were at it, introduced process PID as part of the -K
3139 filename. This should rule out race conditions when creating
3140 these files.
3141
3142TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing
3143 processing considerably. Previous code took too long for large mails,
3144 triggering a timeout which in turn triggers #401.
3145
3146TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used
3147 in the DK code in transports.c. sendfile() is not really portable,
3148 hence the _LINUX specificness.
944e9e9c
TF
3149
3150TF/01 In the add_headers option to the mail command in an Exim filter,
3151 there was a bug that Exim would claim a syntax error in any
3152 header after the first one which had an odd number of characters
3153 in the field name.
3154
2b1c6e3a
PH
3155PH/01 If a server that rejects MAIL FROM:<> was the target of a sender
3156 callout verification, Exim cached a "reject" for the entire domain. This
3157 is correct for most verifications, but it is not correct for a recipient
3158 verification with use_sender or use_postmaster set, because in that case
3159 the callout does not use MAIL FROM:<>. Exim now distinguishes the special
3160 case of MAIL FROM:<> rejection from other early rejections (e.g.
3161 rejection of HELO). When verifying a recipient using a non-null MAIL
3162 address, the cache is ignored if it shows MAIL FROM:<> rejection.
3163 Whatever the result of the callout, the value of the domain cache is
3164 left unchanged (for any other kind of callout, getting as far as trying
3165 RCPT means that the domain itself is ok).
3166
1f872c80
PH
3167PH/02 Tidied a number of unused variable and signed/unsigned warnings that
3168 gcc 4.1.1 threw up.
3169
3170PH/03 On Solaris, an unexpectedly close socket (dropped connection) can
3171 manifest itself as EPIPE rather than ECONNECT. When tidying away a
3172 session, the daemon ignores ECONNECT errors and logs others; it now
3173 ignores EPIPE as well.
3174
d203e649
PH
3175PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c
3176 (quoted-printable decoding).
3177
cc2ed8f7 3178PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and
21a04aa3 3179 later the small subsequent patch to fix an introduced bug.
f951fd57 3180
ddfcd446
PH
3181PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer.
3182
d45b1de8
PH
3183PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}.
3184
3185PH/08 An error is now given if message_size_limit is specified negative.
3186
38a0a95f 3187PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables
641cb756 3188 to be given (somewhat) arbitrary names.
38a0a95f 3189
a2405d83
JJ
3190JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced
3191 in 4.64-PH/09.
3192
3193JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions,
3194 miscellaneous code fixes
3195
6ea85e9a
PH
3196PH/10 Added the log_reject_target ACL modifier to specify where to log
3197 rejections.
3198
26da7e20
PH
3199PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_
3200 hostname. This is wrong, because it relates to the incoming message (and
3201 probably the interface on which it is arriving) and not to the outgoing
3202 callout (which could be using a different interface). This has been
3203 changed to use the value of the helo_data option from the smtp transport
3204 instead - this is what is used when a message is actually being sent. If
3205 there is no remote transport (possible with a router that sets up host
3206 addresses), $smtp_active_hostname is used.
6ea85e9a 3207
14aa5a05 3208PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various
7befa435 3209 tweaks were necessary in order to get it to work (see also 21 below):
14aa5a05
PH
3210 (a) The code assumed that strncpy() returns a negative number on buffer
3211 overflow, which isn't the case. Replaced with Exim's string_format()
3212 function.
3213 (b) There were several signed/unsigned issues. I just did the minimum
3214 hacking in of casts. There is scope for a larger refactoring.
3215 (c) The code used strcasecmp() which is not a standard C function.
3216 Replaced with Exim's strcmpic() function.
3217 (d) The code set only $1; it now sets $auth1 as well.
3218 (e) A simple test gave the error "authentication client didn't specify
3219 service in request". It would seem that Dovecot has changed its
3220 interface. Fortunately there's a specification; I followed it and
3221 changed what the client sends and it appears to be working now.
3222
ff75a1f7
PH
3223PH/13 Added $message_headers_raw to provide the headers without RFC 2047
3224 decoding.
3225
e6f6568e
PH
3226PH/14 Corrected misleading output from -bv when -v was also used. Suppose the
3227 address A is aliased to B and C, where B exists and C does not. Without
3228 -v the output is "A verified" because verification stops after a
3229 successful redirection if more than one address is generated. However,
3230 with -v the child addresses are also verified. Exim was outputting "A
3231 failed to verify" and then showing the successful verification for C,
3232 with its parentage. It now outputs "B failed to verify", showing B's
3233 parentage before showing the successful verification of C.
3234
d6f6e0dc
PH
3235PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to