[exim.git] / doc / doc-txt / IncompatibleChanges

Preamble
========

Normally The Exim Maintainers ensure that a configuration which works
with version N will work with version N+1, within a major version number
(eg, 4).

Occasionally this will not be the case; usually, those changes will be
at the end of a long notice period where admins have been encouraged to
move away and even then, we are hesitant to fully break things without
strong cause to move away.

This does not apply to "experimental" features, which can be withdrawn
or changed with little notice, although we still endeavour to limit
that.  We may choose to note those changes here too.

The most likely cause of a backwards-incompatible change is a security
improvement, where the benefits for everyone strongly outweigh the needs
of the few.


Changes
=======

Exim version 4.73
-----------------

 * The Exim run-time user can no longer be root; this was always
   strongly discouraged, but is now prohibited both at build and
   run-time.  If you need Exim to run routinely as root, you'll need to
   patch the source and accept the risk.  Here be dragons.

 * Exim will no longer accept a configuration file owned by the Exim
   run-time user, unless that account is explicitly the value in
   CONFIGURE_OWNER, which we discourage.  Exim now checks to ensure that
   files are not writable by other accounts.

 * The ALT_CONFIG_ROOT_ONLY build option is no longer optional and is forced
   on; the Exim user can, by default, no longer use -C/-D and retain privilege.
   Two new build options mitigate this.

    * TRUSTED_CONFIG_LIST defines a file containing a whitelist of config
      files that are trusted to be selected by the Exim user; one per line.
      This is the recommended approach going forward.

    * WHITELIST_D_MACROS defines a colon-separated list of macro names which
      the Exim run-time user may safely pass without dropping privileges.
      Because changes to this involve a recompile, this is not the recommended
      approach but may ease transition.  The values of the macros, when
      overriden, are constrained to match this regex: ^[A-Za-z0-9_/.-]*$

 * The system_filter_user option now defaults to the Exim run-time user,
   rather than root.  You can still set it explicitly to root and this
   can be done with prior versions too, letting you roll versions
   without needing to change this configuration option.

 * ClamAV must be at least version 0.95 unless WITH_OLD_CLAMAV_STREAM is
   defined at build time.
Commit	Line	Data
79d4bc3d PP	1	Preamble
	2	========
	3
	4	Normally The Exim Maintainers ensure that a configuration which works
	5	with version N will work with version N+1, within a major version number
	6	(eg, 4).
	7
	8	Occasionally this will not be the case; usually, those changes will be
	9	at the end of a long notice period where admins have been encouraged to
	10	move away and even then, we are hesitant to fully break things without
	11	strong cause to move away.
	12
	13	This does not apply to "experimental" features, which can be withdrawn
	14	or changed with little notice, although we still endeavour to limit
	15	that. We may choose to note those changes here too.
	16
	17	The most likely cause of a backwards-incompatible change is a security
	18	improvement, where the benefits for everyone strongly outweigh the needs
	19	of the few.
	20
	21
	22	Changes
	23	=======
	24
	25	Exim version 4.73
	26	-----------------
	27
	28	* The Exim run-time user can no longer be root; this was always
	29	strongly discouraged, but is now prohibited both at build and
	30	run-time. If you need Exim to run routinely as root, you'll need to
	31	patch the source and accept the risk. Here be dragons.
	32
	33	* Exim will no longer accept a configuration file owned by the Exim
	34	run-time user, unless that account is explicitly the value in
	35	CONFIGURE_OWNER, which we discourage. Exim now checks to ensure that
	36	files are not writable by other accounts.
	37
2cfd3221 PP	38	* The ALT_CONFIG_ROOT_ONLY build option is no longer optional and is forced
	39	on; the Exim user can, by default, no longer use -C/-D and retain privilege.
	40	Two new build options mitigate this.
	41
90b6341f	42	* TRUSTED_CONFIG_LIST defines a file containing a whitelist of config
7f7f0545 DW	43	files that are trusted to be selected by the Exim user; one per line.
7f7f0545 DW	44	This is the recommended approach going forward.
2cfd3221 PP	45
	46	* WHITELIST_D_MACROS defines a colon-separated list of macro names which
	47	the Exim run-time user may safely pass without dropping privileges.
	48	Because changes to this involve a recompile, this is not the recommended
	49	approach but may ease transition. The values of the macros, when
	50	overriden, are constrained to match this regex: ^[A-Za-z0-9_/.-]*$
79d4bc3d PP	51
	52	* The system_filter_user option now defaults to the Exim run-time user,
	53	rather than root. You can still set it explicitly to root and this
	54	can be done with prior versions too, letting you roll versions
	55	without needing to change this configuration option.
	56
2cfd3221 PP	57	* ClamAV must be at least version 0.95 unless WITH_OLD_CLAMAV_STREAM is
	58	defined at build time.
	59