Update README.UPDATING; fix typos in ChangeLog/NewStuff
[exim.git] / doc / doc-txt / NewStuff
CommitLineData
495ae4b0
PH
1New Features in Exim
2--------------------
3
38a0a95f
PH
4This file contains descriptions of new features that have been added to Exim.
5Before a formal release, there may be quite a lot of detail so that people can
6test from the snapshots or the CVS before the documentation is updated. Once
7the documentation is updated, this file is reduced to a short list.
8
8d042305
JH
9Version 4.88
10------------
11
fc16abb4 12 1. The new perl_taintmode option allows to run the embedded perl
2f680c0c
HSHR
13 interpreter in taint mode.
14
fc16abb4
JH
15 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines.
16
b0d68adc
JH
17 3. Speculative debugging, via a "kill" option to the "control=debug" ACL
18 modifier.
19
6e773413
JH
20 4. New expansion item ${sha3:<string>} / ${sha3_<N>:<string>}.
21 N can be 224, 256 (default), 384, 512.
22 With GnuTLS 3.5.0 or later, only.
23
f59aaaaa 24 5. Facility for named queues: A command-line argument can specify
55e70e76 25 the queue name for a queue operation, and an ACL modifier can set
0cd5fd23
JH
26 the queue to be used for a message. A $queue_name variable gives
27 visibility.
28b3821f 28
03ca21f8
JH
29 6. New expansion operators base32/base32d.
30
44bc8f0c 31 7. The CHUNKING ESMTP extension from RFC 3030. May give some slight
7e3ce68e 32 performance increase and network load decrease. Main config option
15021e11
JH
33 chunking_advertise_hosts, and smtp transport option hosts_try_chunking
34 for control.
7e3ce68e 35
5bde3efa
ACK
36 8. LMDB lookup support, as Experimental. Patch supplied by Andrew Colin Kissa.
37
3367f8c2
JH
38 9. Expansion operator escape8bit, like escape but not touching newline etc..
39
fbbd45ff 4010. Feature macros, generated from compile options. All start with "_HAVE_"
4945f557
JH
41 and go on with some roughly recognisable name. Driver macros, for
42 router, transport and authentication drivers; names starting with "_DRVR_".
43 Option macros, for each configuration-file option; all start with "_OPT_".
44 Use the "-bP macros" command-line option to see what is present.
fbbd45ff 45
dcb72db9
JH
4611. Integer values for options can take a "G" multiplier.
47
ff5929e3
JH
4812. defer=pass option for the ACL control cutthrough_delivery, to reflect 4xx
49 returns from the target back to the initiator, rather than spooling the
50 message.
51
317e40ac
PP
5213. New built-in constants available for tls_dhparam and default changed.
53
3369a853
ACK
5414. If built with EXPERIMENTAL_QUEUEFILE, a queuefile transport, for writing
55 out copies of the message spool files for use by 3rd-party scanners.
56
fb05276a
JH
5715. A new option on the smtp transport, hosts_try_fastopen. If the system
58 supports it (on Linux it must be enabled in the kernel by the sysadmin)
59 try to use RFC 7413 "TCP Fast Open". No data is sent on the SYN segment
60 but it permits a peer that also supports the facility to send its SMTP
61 banner immediately after the SYN,ACK segment rather then waiting for
62 another ACK - so saving up to one roundtrip time. Because it requires
63 previous communication with the peer (we save a cookie from it) this
f59aaaaa 64 will only become active on frequently-contacted destinations.
fb05276a 65
8d042305 66
0d9b78be
JH
67Version 4.87
68------------
69
f38917cc
JH
70 1. The ACL conditions regex and mime_regex now capture substrings
71 into numeric variables $regex1 to 9, like the "match" expansion condition.
72
055e2cb4
JH
73 2. New $callout_address variable records the address used for a spam=,
74 malware= or verify= callout.
75
fa41615d
JH
76 3. Transports now take a "max_parallel" option, to limit concurrency.
77
fc4a7f70
JH
78 4. Expansion operators ${ipv6norm:<string>} and ${ipv6denorm:<string>}.
79 The latter expands to a 8-element colon-sep set of hex digits including
80 leading zeroes. A trailing ipv4-style dotted-decimal set is converted
81 to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6.
82 The former operator strips leading zeroes and collapses the longest
83 set of 0-groups to a double-colon.
84
240c288f
JH
85 5. New "-bP config" support, to dump the effective configuration.
86
abe1010c
JH
87 6. New $dkim_key_length variable.
88
9aa35e9c 89 7. New base64d and base64 expansion items (the existing str2b64 being a
59b87190 90 synonym of the latter). Add support in base64 for certificates.
9aa35e9c 91
62b7cd08 92 8. New main configuration option "bounce_return_linesize_limit" to
f59aaaaa 93 avoid oversize bodies in bounces. The default value matches RFC
62b7cd08
JH
94 limits.
95
3615fa9a
HSHR
96 9. New $initial_cwd expansion variable.
97
0d9b78be 98
71224040
JH
99Version 4.86
100------------
101
102 1. Support for using the system standard CA bundle.
103
104 2. New expansion items $config_file, $config_dir, containing the file
105 and directory name of the main configuration file. Also $exim_version.
106
b6fbf22d
JH
107 3. New "malware=" support for Avast.
108
cc00f4af
JH
109 4. New "spam=" variant option for Rspamd.
110
111 5. Assorted options on malware= and spam= scanners.
112
f59aaaaa 113 6. A command-line option to write a comment into the logfile.
cc00f4af 114
7eb6c37c 115 7. If built with EXPERIMENTAL_SOCKS feature enabled, the smtp transport can
3c8b3577
JH
116 be configured to make connections via socks5 proxies.
117
118 8. If built with EXPERIMENTAL_INTERNATIONAL, support is included for
119 the transmission of UTF-8 envelope addresses.
7eb6c37c 120
ed0512a1
JH
121 9. If built with EXPERIMENTAL_INTERNATIONAL, an expansion item for a commonly
122 used encoding of Maildir folder names.
123
b3ef41c9 12410. A logging option for slow DNS lookups.
846430d9 125
089fc87a
JH
12611. New ${env {<variable>}} expansion.
127
b3ef41c9
JH
12812. A non-SMTP authenticator using information from TLS client certificates.
129
10ca4f1c 13013. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS.
65463bc9 131 Patch originally by Wolfgang Breyha.
10ca4f1c 132
09b80b4e
JH
13314. Main option "dns_trust_aa" for trusting your local nameserver at the
134 same level as DNSSEC.
135
7eb6c37c 136
533fe9b8
TL
137Version 4.85
138------------
139
140 1. If built with EXPERIMENTAL_DANE feature enabled, Exim will follow the
f59aaaaa 141 DANE SMTP draft to assess a secure chain of trust of the certificate
533fe9b8
TL
142 used to establish the TLS connection based on a TLSA record in the
143 domain of the sender.
144
145 2. The EXPERIMENTAL_TPDA feature has been renamed to EXPERIMENTAL_EVENT
146 and several new events have been created. The reason is because it has
147 been expanded beyond just firing events during the transport phase. Any
148 existing TPDA transport options will have to be rewritten to use a new
149 $event_name expansion variable in a condition. Refer to the
150 experimental-spec.txt for details and examples.
151
152 3. The EXPERIMENTAL_CERTNAMES features is an enhancement to verify that
153 server certs used for TLS match the result of the MX lookup. It does
154 not use the same mechanism as DANE.
155
156
1f0ebb98
TL
157Version 4.84
158------------
159
160
6ece2e77
TL
161Version 4.83
162------------
163
a3c86431
TL
164 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be
165 configured to expect an initial header from a proxy that will make the
166 actual external source IP:host be used in exim instead of the IP of the
167 proxy that is connecting to it.
168
770747fd
MFM
169 2. New verify option header_names_ascii, which will check to make sure
170 there are no non-ASCII characters in header names. Exim itself handles
171 those non-ASCII characters, but downstream apps may not, so Exim can
172 detect and reject if those characters are present.
173
b9c2e32f
AR
174 3. New expansion operator ${utf8clean:string} to replace malformed UTF8
175 codepoints with valid ones.
176
b1f8e4f8
JH
177 4. New malware type "sock". Talks over a Unix or TCP socket, sending one
178 command line and matching a regex against the return data for trigger
007a2dee 179 and a second regex to extract malware_name. The mail spoolfile name can
b1f8e4f8
JH
180 be included in the command line.
181
dc4dc04e
JH
182 5. The smtp transport now supports options "tls_verify_hosts" and
183 "tls_try_verify_hosts". If either is set the certificate verification
184 is split from the encryption operation. The default remains that a failed
185 verification cancels the encryption.
214042d2 186
deae092e
HS
187 6. New SERVERS override of default ldap server list. In the ACLs, an ldap
188 lookup can now set a list of servers to use that is different from the
189 default list.
190
8d91c6dc
LT
191 7. New command-line option -C for exiqgrep to specify alternate exim.conf
192 file when searching the queue.
193
f2de3a33 194 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that.
2b4a568d 195
578897ea
JH
196 9. Support for DNSSEC on outbound connections.
197
9d1c15ef 19810. New variables "tls_(in,out)_(our,peer)cert" and expansion item
6a8a60e0 199 "certextract" to extract fields from them. Hash operators md5 and sha1
9ef9101c
JH
200 work over them for generating fingerprints, and a new sha256 operator
201 for them added.
9d1c15ef 202
8ccd00b1
JH
20311. PRDR is now supported dy default.
204
f2de3a33
JH
20512. OCSP stapling is now supported by default.
206
20713. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output
208 Delivery Status Notification messages in MIME format, and negociate
209 DSN features per RFC 3461.
210
6ece2e77 211
2c422e6f 212Version 4.82
98a90c36
PP
213------------
214
215 1. New command-line option -bI:sieve will list all supported sieve extensions
216 of this Exim build on standard output, one per line.
217 ManageSieve (RFC 5804) providers managing scripts for use by Exim should
218 query this to establish the correct list to include in the protocol's
219 SIEVE capability line.
220
12f69989
PP
221 2. If the -n option is combined with the -bP option, then the name of an
222 emitted option is not output, only the value (if visible to you).
223 For instance, "exim -n -bP pid_file_path" should just emit a pathname
224 followed by a newline, and no other text.
225
54c90be1
PP
226 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
227 has a "tls_dh_min_bits" option, to set the minimum acceptable number of
228 bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
229 acceptable for security. (Option accepted but ignored if using OpenSSL).
230 Defaults to 1024, the old value. May be lowered only to 512, or raised as
231 far as you like. Raising this may hinder TLS interoperability with other
232 sites and is not currently recommended. Lowering this will permit you to
233 establish a TLS session which is not as secure as you might like.
234
235 Unless you really know what you are doing, leave it alone.
236
1f4a55da 237 4. If not built with DISABLE_DNSSEC, Exim now has the main option
0fbd9bff 238 dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
1f4a55da
PP
239 to send the DO flag to your recursive resolver. If you have a recursive
240 resolver, which can set the Authenticated Data (AD) flag in results, Exim
0fbd9bff
PP
241 can now detect this. Exim does not perform validation itself, instead
242 relying upon a trusted path to the resolver.
1f4a55da
PP
243
244 Current status: work-in-progress; $sender_host_dnssec variable added.
245
36a3ae5f
PP
246 5. DSCP support for outbound connections: on a transport using the smtp driver,
247 set "dscp = ef", for instance, to cause the connections to have the relevant
13363eba
PP
248 DSCP (IPv4 TOS or IPv6 TCLASS) value in the header.
249
250 Similarly for inbound connections, there is a new control modifier, dscp,
251 so "warn control = dscp/ef" in the connect ACL, or after authentication.
252
253 Supported values depend upon system libraries. "exim -bI:dscp" to list the
254 ones Exim knows of. You can also set a raw number 0..0x3F.
36a3ae5f 255
f4ee74ac
PP
256 6. The -G command-line flag is no longer ignored; it is now equivalent to an
257 ACL setting "control = suppress_local_fixups". The -L command-line flag
258 is now accepted and forces use of syslog, with the provided tag as the
259 process name. A few other flags used by Sendmail are now accepted and
260 ignored.
261
976b7e9f
JH
262 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery"
263 ACL modifier; works for single-recipient mails which are recieved on and
264 deliverable via SMTP. Using the connection made for a recipient verify,
265 if requested before the verify, or a new one made for the purpose while
266 the inbound connection is still active. The bulk of the mail item is copied
267 direct from the inbound socket to the outbound (as well as the spool file).
268 When the source notifies the end of data, the data acceptance by the destination
269 is negociated before the acceptance is sent to the source. If the destination
270 does not accept the mail item, for example due to content-scanning, the item
271 is not accepted from the source and therefore there is no need to generate
272 a bounce mail. This is of benefit when providing a secondary-MX service.
273 The downside is that delays are under the control of the ultimate destination
274 system not your own.
275
276 The Recieved-by: header on items delivered by cutthrough is generated
042eb971 277 early in reception rather than at the end; this will affect any timestamp
976b7e9f
JH
278 included. The log line showing delivery is recorded before that showing
279 reception; it uses a new ">>" tag instead of "=>".
06a6f4ed 280
976b7e9f
JH
281 To support the feature, verify-callout connections can now use ESMTP and TLS.
282 The usual smtp transport options are honoured, plus a (new, default everything)
283 hosts_verify_avoid_tls.
284
285 New variable families named tls_in_cipher, tls_out_cipher etc. are introduced
286 for specific access to the information for each connection. The old names
287 are present for now but deprecated.
288
fcc8e047 289 Not yet supported: IGNOREQUOTA, SIZE, PIPELINING.
976b7e9f 290
a64a3dfa
JH
291 8. New expansion operators ${listnamed:name} to get the content of a named list
292 and ${listcount:string} to count the items in a list.
98a90c36 293
2519e60d 294 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
a5f239e4
PP
295 rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
296 modules. For some situations this is desirable, but we expect admin in
297 those situations to know they want the feature. More commonly, it means
298 that GUI user modules get loaded and are broken by the setuid Exim being
299 unable to access files specified in environment variables and passed
300 through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
301 unless this new option is set.
302
2519e60d
TL
303 Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
304 so have also added a build option which can be used to build Exim with GnuTLS
305 but without trying to use any kind of PKCS11 support. Uncomment this in the
306 Local/Makefile:
307
308 AVOID_GNUTLS_PKCS11=yes
309
3e8abda0 31010. The "acl = name" condition on an ACL now supports optional arguments.
bef3ea7f
JH
311 New expansion item "${acl {name}{arg}...}" and expansion condition
312 "acl {{name}{arg}...}" are added. In all cases up to nine arguments
313 can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
314 Variable $acl_narg contains the number of arguments. If the ACL sets
315 a "message =" value this becomes the result of the expansion item,
316 or the value of $value for the expansion condition. If the ACL returns
317 accept the expansion condition is true; if reject, false. A defer
318 return results in a forced fail.
a5f239e4 319
846726c5
JH
32011. Routers and transports can now have multiple headers_add and headers_remove
321 option lines. The concatenated list is used.
322
e7568d51
TL
32312. New ACL modifier "remove_header" can remove headers before message gets
324 handled by routers/transports.
325
3a796370
JH
32613. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured),
327 "aaaa" and "a" lookups is done and the full set of results returned.
328
362145b5 32914. New expansion variable $headers_added with content from ACL add_header
85ffcba6 330 modifier (but not yet added to message).
362145b5 331
bd0fff00 33215. New 8bitmime status logging option for received messages. Log field "M8S".
3c0a92dc 333
c8e2fc1e
JH
33416. New authenticated_sender logging option, adding to log field "A".
335
181d9bf8 33617. New expansion variables $router_name and $transport_name. Useful
f59aaaaa 337 particularly for debug_print as -bt command-line option does not
2a47f028 338 require privilege whereas -d does.
181d9bf8 339
fd98a5c6
JH
34018. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a
341 proposed extension to SMTP from Eric Hall.
342
700d22f3
PP
34319. The pipe transport has gained the force_command option, to allow
344 decorating commands from user .forward pipe aliases with prefix
345 wrappers, for instance.
346
fcc8e047
JH
34720. Callout connections can now AUTH; the same controls as normal delivery
348 connections apply.
349
b1f37849
TL
35021. Support for DMARC, using opendmarc libs, can be enabled. It adds new
351 options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file.
352 It adds new expansion variables $dmarc_ar_header, $dmarc_status,
353 $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier
354 dmarc_status. It adds new control flags dmarc_disable_verify and
355 dmarc_enable_forensic.
356
35722. Add expansion variable $authenticated_fail_id, which is the username
358 provided to the authentication method which failed. It is available
359 for use in subsequent ACL processing (typically quit or notquit ACLs).
360
7142daca
PP
36123. New ACL modifer "udpsend" can construct a UDP packet to send to a given
362 UDP host and port.
363
36424. New ${hexquote:..string..} expansion operator converts non-printable
365 characters in the string to \xNN form.
366
1a7b746d
TL
36725. Experimental TPDA (Transport Post Delivery Action) function added.
368 Patch provided by Axel Rau.
369
4dd78911
TL
37026. Experimental Redis lookup added. Patch provided by Warren Baker.
371
181d9bf8 372
b1770b6e 373Version 4.80
c1e794ba
PP
374------------
375
376 1. New authenticator driver, "gsasl". Server-only (at present).
377 This is a SASL interface, licensed under GPL, which can be found at
378 http://www.gnu.org/software/gsasl/.
379 This system does not provide sources of data for authentication, so
3b4f55a3 380 careful use needs to be made of the conditions in Exim.
c1e794ba 381
97753960
PP
382 2. New authenticator driver, "heimdal_gssapi". Server-only.
383 A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME
384 is no longer honoured for setuid programs by Heimdal. Use the
385 "server_keytab" option to point to the keytab.
386
252e0c7b
PP
387 3. The "pkg-config" system can now be used when building Exim to reference
388 cflags and library information for lookups and authenticators, rather
389 than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and
7e6a8985
PP
390 "LOOKUP_LIBS" directly. Similarly for handling the TLS library support
391 without adjusting "TLS_INCLUDE" and "TLS_LIBS".
252e0c7b 392
6a6084f8
PP
393 In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to
394 find the headers and libraries for PCRE.
395
f1e05cc7 396 4. New expansion variable $tls_bits.
20aa9dbd 397
4a6a987a
PP
398 5. New lookup type, "dbmjz". Key is an Exim list, the elements of which will
399 be joined together with ASCII NUL characters to construct the key to pass
3b4f55a3
PP
400 into the DBM library. Can be used with gsasl to access sasldb2 files as
401 used by Cyrus SASL.
4a6a987a 402
da3ad30d
PP
403 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1.
404
405 Avoid release 1.0.1a if you can. Note that the default value of
406 "openssl_options" is no longer "+dont_insert_empty_fragments", as that
407 increased susceptibility to attack. This may still have interoperability
408 implications for very old clients (see version 4.31 change 37) but
409 administrators can choose to make the trade-off themselves and restore
410 compatibility at the cost of session security.
411
7be682ca
PP
412 7. Use of the new expansion variable $tls_sni in the main configuration option
413 tls_certificate will cause Exim to re-expand the option, if the client
414 sends the TLS Server Name Indication extension, to permit choosing a
415 different certificate; tls_privatekey will also be re-expanded. You must
416 still set these options to expand to valid files when $tls_sni is not set.
3f0945ff
PP
417
418 The SMTP Transport has gained the option tls_sni, which will set a hostname
419 for outbound TLS sessions, and set $tls_sni too.
420
421 A new log_selector, +tls_sni, has been added, to log received SNI values
422 for Exim as a server.
423
9cbad13b
PP
424 8. The existing "accept_8bitmime" option now defaults to true. This means
425 that Exim is deliberately not strictly RFC compliant. We're following
426 Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default.
427 Those who disagree, or know that they are talking to mail servers that,
428 even today, are not 8-bit clean, need to turn off this option.
429
9ee44efb
PP
430 9. Exim can now be started with -bw (with an optional timeout, given as
431 -bw<timespec>). With this, stdin at startup is a socket that is
432 already listening for connections. This has a more modern name of
433 "socket activation", but forcing the activated socket to fd 0. We're
434 interested in adding more support for modern variants.
435
eae0036b 43610. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix
97d17305
JH
437 for numbers indicates multiplication by 1024^3.
438
17c76198
PP
43911. The GnuTLS support has been revamped; the three options gnutls_require_kx,
440 gnutls_require_mac & gnutls_require_protocols are no longer supported.
441 tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority
442 string, documentation for which is at:
42bfef1e 443 http://www.gnutls.org/manual/html_node/Priority-Strings.html
17c76198
PP
444
445 SNI support has been added to Exim's GnuTLS integration too.
446
af3498d6
PP
447 For sufficiently recent GnuTLS libraries, ${randint:..} will now use
448 gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness.
449
53947857 45012. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file
3f7eeb86
PP
451 is now available. If the contents of the file are valid, then Exim will
452 send that back in response to a TLS status request; this is OCSP Stapling.
453 Exim will not maintain the contents of the file in any way: administrators
454 are responsible for ensuring that it is up-to-date.
455
456 See "experimental-spec.txt" for more details.
457
eae0036b
PP
45813. ${lookup dnsdb{ }} supports now SPF record types. They are handled
459 identically to TXT record lookups.
460
2605c55b 46114. New expansion variable $tod_epoch_l for higher-precision time.
c1e794ba 462
3375e053
PP
46315. New global option tls_dh_max_bits, defaulting to current value of NSS
464 hard-coded limit of DH ephemeral bits, to fix interop problems caused by
465 GnuTLS 2.12 library recommending a bit count higher than NSS supports.
466
a799883d
PP
46716. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier.
468 Option can now be a path or an identifier for a standard prime.
469 If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23".
470 Set to "historic" to get the old GnuTLS behaviour of auto-generated DH
471 primes.
472
3ecab157 47317. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS).
f0f5a555
PP
474 Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL
475 install was not built with OPENSSL_NO_SSL2 ("no-ssl2").
476
9e45c72b 477
3ce96ada
TF
478Version 4.77
479------------
480
481 1. New options for the ratelimit ACL condition: /count= and /unique=.
482 The /noupdate option has been replaced by a /readonly option.
483
061b7ebd
PP
484 2. The SMTP transport's protocol option may now be set to "smtps", to
485 use SSL-on-connect outbound.
486
9e949f00
PP
487 3. New variable $av_failed, set true if the AV scanner deferred; ie, when
488 there is a problem talking to the AV scanner, or the AV scanner running.
489
39257585
PP
490 4. New expansion conditions, "inlist" and "inlisti", which take simple lists
491 and check if the search item is a member of the list. This does not
492 support named lists, but does subject the list part to string expansion.
493
494 5. Unless the new EXPAND_LISTMATCH_RHS build option is set when Exim was
495 built, Exim no longer performs string expansion on the second string of
496 the match_* expansion conditions: "match_address", "match_domain",
497 "match_ip" & "match_local_part". Named lists can still be used.
498
7c6d71af 499
e97d1f08
PP
500Version 4.76
501------------
502
503 1. The global option "dns_use_edns0" may be set to coerce EDNS0 usage on
504 or off in the resolver library.
505
506
bc19a55b
PP
507Version 4.75
508------------
509
510 1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there
511 is now LDAP/TLS support, given sufficiently modern OpenLDAP client
512 libraries. The following global options have been added in support of
513 this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key,
514 ldap_cipher_suite, ldap_require_cert, ldap_start_tls.
515
2fe76745
PP
516 2. The pipe transport now takes a boolean option, "freeze_signal", default
517 false. When true, if the external delivery command exits on a signal then
518 Exim will freeze the message in the queue, instead of generating a bounce.
519
f1e5fef5
PP
520 3. Log filenames may now use %M as an escape, instead of %D (still available).
521 The %M pattern expands to yyyymm, providing month-level resolution.
522
332f5cf3
PP
523 4. The $message_linecount variable is now updated for the maildir_tag option,
524 in the same way as $message_size, to reflect the real number of lines,
525 including any header additions or removals from transport.
526
29cfeb94
PP
527 5. When contacting a pool of SpamAssassin servers configured in spamd_address,
528 Exim now selects entries randomly, to better scale in a cluster setup.
529
bc19a55b 530
a01ba081
PP
531Version 4.74
532------------
533
1670ef10
PP
534 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux)
535 the flaw permitted the Exim run-time user to cause root to append to
536 arbitrary files of the attacker's choosing, with the content based
537 on content supplied by the attacker.
538
539 2. Exim now supports loading some lookup types at run-time, using your
a01ba081
PP
540 platform's dlopen() functionality. This has limited platform support
541 and the intention is not to support every variant, it's limited to
542 dlopen(). This permits the main Exim binary to not be linked against
543 all the libraries needed for all the lookup types.
544
545
77bb000f
PP
546Version 4.73
547------------
548
2cfd3221
PP
549 NOTE: this version is not guaranteed backwards-compatible, please read the
550 items below carefully
551
77bb000f
PP
552 1. A new main configuration option, "openssl_options", is available if Exim
553 is built with SSL support provided by OpenSSL. The option allows
554 administrators to specify OpenSSL options to be used on connections;
555 typically this is to set bug compatibility features which the OpenSSL
556 developers have not enabled by default. There may be security
557 consequences for certain options, so these should not be changed
558 frivolously.
559
a29e5231
PP
560 2. A new pipe transport option, "permit_coredumps", may help with problem
561 diagnosis in some scenarios. Note that Exim is typically installed as
562 a setuid binary, which on most OSes will inhibit coredumps by default,
43236f35 563 so that safety mechanism would have to be overridden for this option to
a29e5231
PP
564 be able to take effect.
565
8544e77a
PP
566 3. ClamAV 0.95 is now required for ClamAV support in Exim, unless
567 Local/Makefile sets: WITH_OLD_CLAMAV_STREAM=yes
568 Note that this switches Exim to use a new API ("INSTREAM") and a future
569 release of ClamAV will remove support for the old API ("STREAM").
570
571 The av_scanner option, when set to "clamd", now takes an optional third
572 part, "local", which causes Exim to pass a filename to ClamAV instead of
573 the file content. This is the same behaviour as when clamd is pointed at
574 a Unix-domain socket. For example:
575
576 av_scanner = clamd:192.0.2.3 1234:local
577
491fab4c
PP
578 ClamAV's ExtendedDetectionInfo response format is now handled.
579
8544e77a
PP
580 4. There is now a -bmalware option, restricted to admin users. This option
581 takes one parameter, a filename, and scans that file with Exim's
582 malware-scanning framework. This is intended purely as a debugging aid
583 to ensure that Exim's scanning is working, not to replace other tools.
a9622bc6
PP
584 Note that the ACL framework is not invoked, so if av_scanner references
585 ACL variables without a fallback then this will fail.
8544e77a 586
83e029d5
PP
587 5. There is a new expansion operator, "reverse_ip", which will reverse IP
588 addresses; IPv4 into dotted quad, IPv6 into dotted nibble. Examples:
589
590 ${reverse_ip:192.0.2.4}
591 -> 4.2.0.192
592 ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3}
593 -> 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2
594
ed7f7860
PP
595 6. There is a new ACL control called "debug", to enable debug logging.
596 This allows selective logging of certain incoming transactions within
597 production environments, with some care. It takes two options, "tag"
598 and "opts"; "tag" is included in the filename of the log and "opts"
599 is used as per the -d<options> command-line option. Examples, which
600 don't all make sense in all contexts:
601
602 control = debug
603 control = debug/tag=.$sender_host_address
604 control = debug/opts=+expand+acl
605 control = debug/tag=.$message_exim_id/opts=+expand
606
10385c15
PP
607 7. It has always been implicit in the design and the documentation that
608 "the Exim user" is not root. src/EDITME said that using root was
609 "very strongly discouraged". This is not enough to keep people from
610 shooting themselves in the foot in days when many don't configure Exim
611 themselves but via package build managers. The security consequences of
612 running various bits of network code are severe if there should be bugs in
613 them. As such, the Exim user may no longer be root. If configured
614 statically, Exim will refuse to build. If configured as ref:user then Exim
615 will exit shortly after start-up. If you must shoot yourself in the foot,
616 then henceforth you will have to maintain your own local patches to strip
617 the safeties off.
618
06a6f4ed 619 8. There is a new expansion condition, bool_lax{}. Where bool{} uses the ACL
6a8de854
PP
620 condition logic to determine truth/failure and will fail to expand many
621 strings, bool_lax{} uses the router condition logic, where most strings
622 do evaluate true.
623 Note: bool{00} is false, bool_lax{00} is true.
624
06a6f4ed 625 9. Routers now support multiple "condition" tests.
532be449 626
5dc43717
JJ
62710. There is now a runtime configuration option "tcp_wrappers_daemon_name".
628 Setting this allows an admin to define which entry in the tcpwrappers
629 config file will be used to control access to the daemon. This option
630 is only available when Exim is built with USE_TCP_WRAPPERS. The
631 default value is set at build time using the TCP_WRAPPERS_DAEMON_NAME
632 build option.
633
79d4bc3d
PP
63411. [POSSIBLE CONFIG BREAKAGE] The default value for system_filter_user is now
635 the Exim run-time user, instead of root.
636
2cfd3221
PP
63712. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and
638 is forced on. This is mitigated by the new build option
90b6341f 639 TRUSTED_CONFIG_LIST which defines a list of configuration files which
7f7f0545
DW
640 are trusted; one per line. If a config file is owned by root and matches
641 a pathname in the list, then it may be invoked by the Exim build-time
642 user without Exim relinquishing root privileges.
2cfd3221
PP
643
64413. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically
645 trusted to supply -D<Macro[=Value]> overrides on the command-line. Going
90b6341f
DW
646 forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that
647 include the main config. As a transition mechanism, we are temporarily
648 providing a work-around: the new build option WHITELIST_D_MACROS provides
43236f35 649 a colon-separated list of macro names which may be overridden by the Exim
90b6341f
DW
650 run-time user. The values of these macros are constrained to the regex
651 ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values).
2cfd3221 652
77bb000f 653
3fc596e4
NM
654Version 4.72
655------------
656
b26eacf1
PP
657 1. TWO SECURITY FIXES: one relating to mail-spools which are globally
658 writable, the other to locking of MBX folders (not mbox).
659
660 2. MySQL stored procedures are now supported.
661
662 3. The dkim_domain transport option is now a list, not a single string, and
663 messages will be signed for each element in the list (discarding
664 duplicates).
665
666 4. The 4.70 release unexpectedly changed the behaviour of dnsdb TXT lookups
667 in the presence of multiple character strings within the RR. Prior to 4.70,
668 only the first string would be returned. The dnsdb lookup now, by default,
669 preserves the pre-4.70 semantics, but also now takes an extended output
8f425947
PP
670 separator specification. The separator can be followed by a semicolon, to
671 concatenate the individual text strings together with no join character,
672 or by a comma and a second separator character, in which case the text
673 strings within a TXT record are joined on that second character.
674 Administrators are reminded that DNS provides no ordering guarantees
675 between multiple records in an RRset. For example:
b26eacf1
PP
676
677 foo.example. IN TXT "a" "b" "c"
678 foo.example. IN TXT "d" "e" "f"
679
680 ${lookup dnsdb{>/ txt=foo.example}} -> "a/d"
681 ${lookup dnsdb{>/; txt=foo.example}} -> "def/abc"
8f425947 682 ${lookup dnsdb{>/,+ txt=foo.example}} -> "a+b+c/d+e+f"
b26eacf1 683
3fc596e4 684
f33253cc
NM
685Version 4.70 / 4.71
686-------------------
65a7d8c3 687
7c6d71af 688 1. Native DKIM support without an external library.
a8c8d6b5
JJ
689 (Note that if no action to prevent it is taken, a straight upgrade will
690 result in DKIM verification of all signed incoming emails. See spec
691 for details on conditionally disabling)
7c6d71af
NM
692
693 2. Experimental DCC support via dccifd (contributed by Wolfgang Breyha).
65a7d8c3 694
f33253cc 695 3. There is now a bool{} expansion condition which maps certain strings to
7d9f747b 696 true/false condition values (most likely of use in conjunction with the
f33253cc
NM
697 and{} expansion operator).
698
699 4. The $spam_score, $spam_bar and $spam_report variables are now available
700 at delivery time.
701
702 5. exim -bP now supports "macros", "macro_list" or "macro MACRO_NAME" as
703 options, provided that Exim is invoked by an admin_user.
704
705 6. There is a new option gnutls_compat_mode, when linked against GnuTLS,
706 which increases compatibility with older clients at the cost of decreased
707 security. Don't set this unless you need to support such clients.
708
709 7. There is a new expansion operator, ${randint:...} which will produce a
710 "random" number less than the supplied integer. This randomness is
711 not guaranteed to be cryptographically strong, but depending upon how
712 Exim was built may be better than the most naive schemes.
713
714 8. Exim now explicitly ensures that SHA256 is available when linked against
715 OpenSSL.
716
717 9. The transport_filter_timeout option now applies to SMTP transports too.
718
65a7d8c3 719
7d9f747b
PP
720Version 4.69
721------------
722
723 1. Preliminary DKIM support in Experimental.
724
725
2b85bce7
PH
726Version 4.68
727------------
728
729 1. The body_linecount and body_zerocount C variables are now exported in the
730 local_scan API.
731
93655c46
PH
732 2. When a dnslists lookup succeeds, the key that was looked up is now placed
733 in $dnslist_matched. When the key is an IP address, it is not reversed in
734 this variable (though it is, of course, in the actual lookup). In simple
735 cases, for example:
736
737 deny dnslists = spamhaus.example
738
739 the key is also available in another variable (in this case,
740 $sender_host_address). In more complicated cases, however, this is not
741 true. For example, using a data lookup might generate a dnslists lookup
742 like this:
743
744 deny dnslists = spamhaus.example/<|192.168.1.2|192.168.6.7|...
745
746 If this condition succeeds, the value in $dnslist_matched might be
747 192.168.6.7 (for example).
748
6c512171
PH
749 3. Authenticators now have a client_condition option. When Exim is running as
750 a client, it skips an authenticator whose client_condition expansion yields
751 "0", "no", or "false". This can be used, for example, to skip plain text
752 authenticators when the connection is not encrypted by a setting such as:
753
754 client_condition = ${if !eq{$tls_cipher}{}}
755
756 Note that the 4.67 documentation states that $tls_cipher contains the
757 cipher used for incoming messages. In fact, during SMTP delivery, it
758 contains the cipher used for the delivery. The same is true for
759 $tls_peerdn.
760
a96603a0
PH
761 4. There is now a -Mvc <message-id> option, which outputs a copy of the
762 message to the standard output, in RFC 2822 format. The option can be used
763 only by an admin user.
764
8f240103
PH
765 5. There is now a /noupdate option for the ratelimit ACL condition. It
766 computes the rate and checks the limit as normal, but it does not update
767 the saved data. This means that, in relevant ACLs, it is possible to lookup
768 the existence of a specified (or auto-generated) ratelimit key without
769 incrementing the ratelimit counter for that key.
770
771 In order for this to be useful, another ACL entry must set the rate
772 for the same key somewhere (otherwise it will always be zero).
773
774 Example:
775
776 acl_check_connect:
777 # Read the rate; if it doesn't exist or is below the maximum
778 # we update it below
779 deny ratelimit = 100 / 5m / strict / noupdate
780 log_message = RATE: $sender_rate / $sender_rate_period \
781 (max $sender_rate_limit)
782
783 [... some other logic and tests...]
784
785 warn ratelimit = 100 / 5m / strict / per_cmd
786 log_message = RATE UPDATE: $sender_rate / $sender_rate_period \
787 (max $sender_rate_limit)
788 condition = ${if le{$sender_rate}{$sender_rate_limit}}
789
790 accept
791
d677b2f2
PH
792 6. The variable $max_received_linelength contains the number of bytes in the
793 longest line that was received as part of the message, not counting the
794 line termination character(s).
795
d52120f2
PH
796 7. Host lists can now include +ignore_defer and +include_defer, analagous to
797 +ignore_unknown and +include_unknown. These options should be used with
798 care, probably only in non-critical host lists such as whitelists.
799
8669f003
PH
800 8. There's a new option called queue_only_load_latch, which defaults true.
801 If set false when queue_only_load is greater than zero, Exim re-evaluates
802 the load for each incoming message in an SMTP session. Otherwise, once one
803 message is queued, the remainder are also.
804
4f054c63 805 9. There is a new ACL, specified by acl_smtp_notquit, which is run in most
8f128379
PH
806 cases when an SMTP session ends without sending QUIT. However, when Exim
807 itself is is bad trouble, such as being unable to write to its log files,
808 this ACL is not run, because it might try to do things (such as write to
809 log files) that make the situation even worse.
810
811 Like the QUIT ACL, this new ACL is provided to make it possible to gather
812 statistics. Whatever it returns (accept or deny) is immaterial. The "delay"
813 modifier is forbidden in this ACL.
814
815 When the NOTQUIT ACL is running, the variable $smtp_notquit_reason is set
816 to a string that indicates the reason for the termination of the SMTP
817 connection. The possible values are:
818
819 acl-drop Another ACL issued a "drop" command
820 bad-commands Too many unknown or non-mail commands
821 command-timeout Timeout while reading SMTP commands
822 connection-lost The SMTP connection has been lost
823 data-timeout Timeout while reading message data
824 local-scan-error The local_scan() function crashed
825 local-scan-timeout The local_scan() function timed out
826 signal-exit SIGTERM or SIGINT
827 synchronization-error SMTP synchronization error
828 tls-failed TLS failed to start
829
830 In most cases when an SMTP connection is closed without having received
831 QUIT, Exim sends an SMTP response message before actually closing the
832 connection. With the exception of acl-drop, the default message can be
833 overridden by the "message" modifier in the NOTQUIT ACL. In the case of a
834 "drop" verb in another ACL, it is the message from the other ACL that is
835 used.
836
b7670459
PH
83710. For MySQL and PostgreSQL lookups, it is now possible to specify a list of
838 servers with individual queries. This is done by starting the query with
839 "servers=x:y:z;", where each item in the list may take one of two forms:
840
841 (1) If it is just a host name, the appropriate global option (mysql_servers
842 or pgsql_servers) is searched for a host of the same name, and the
843 remaining parameters (database, user, password) are taken from there.
844
845 (2) If it contains any slashes, it is taken as a complete parameter set.
846
847 The list of servers is used in exactly the same was as the global list.
848 Once a connection to a server has happened and a query has been
849 successfully executed, processing of the lookup ceases.
850
851 This feature is intended for use in master/slave situations where updates
852 are occurring, and one wants to update a master rather than a slave. If the
853 masters are in the list for reading, you might have:
854
855 mysql_servers = slave1/db/name/pw:slave2/db/name/pw:master/db/name/pw
856
857 In an updating lookup, you could then write
858
859 ${lookup mysql{servers=master; UPDATE ...}
860
861 If, on the other hand, the master is not to be used for reading lookups:
862
863 pgsql_servers = slave1/db/name/pw:slave2/db/name/pw
864
865 you can still update the master by
866
867 ${lookup pgsql{servers=master/db/name/pw; UPDATE ...}
868
ddea74fa
PH
86911. The message_body_newlines option (default FALSE, for backwards
870 compatibility) can be used to control whether newlines are present in
871 $message_body and $message_body_end. If it is FALSE, they are replaced by
872 spaces.
873
2b85bce7 874
b4ed4da0
PH
875Version 4.67
876------------
877
878 1. There is a new log selector called smtp_no_mail, which is not included in
879 the default setting. When it is set, a line is written to the main log
880 whenever an accepted SMTP connection terminates without having issued a
4aa45c31 881 MAIL command.
b4ed4da0 882
431b7361 883 2. When an item in a dnslists list is followed by = and & and a list of IP
4aa45c31
PH
884 addresses, the behaviour was not clear when the lookup returned more than
885 one IP address. This has been solved by the addition of == and =& for "all"
93655c46 886 rather than the default "any" matching.
431b7361 887
4aa45c31
PH
888 3. Up till now, the only control over which cipher suites GnuTLS uses has been
889 for the cipher algorithms. New options have been added to allow some of the
890 other parameters to be varied.
431b7361 891
4aa45c31
PH
892 4. There is a new compile-time option called ENABLE_DISABLE_FSYNC. When it is
893 set, Exim compiles a runtime option called disable_fsync.
431b7361 894
4aa45c31 895 5. There is a new variable called $smtp_count_at_connection_start.
431b7361 896
4aa45c31 897 6. There's a new control called no_pipelining.
cf8b11a5 898
41c7c167 899 7. There are two new variables called $sending_ip_address and $sending_port.
4aa45c31 900 These are set whenever an SMTP connection to another host has been set up.
41c7c167
PH
901
902 8. The expansion of the helo_data option in the smtp transport now happens
4aa45c31 903 after the connection to the server has been made.
41c7c167 904
9c57cbc0 905 9. There is a new expansion operator ${rfc2047d: that decodes strings that
4aa45c31 906 are encoded as per RFC 2047.
9c57cbc0 907
f3f065bb
PH
90810. There is a new log selector called "pid", which causes the current process
909 id to be added to every log line, in square brackets, immediately after the
910 time and date.
911
047bdd8c 91211. Exim has been modified so that it flushes SMTP output before implementing
4c590bd1
PH
913 a delay in an ACL. It also flushes the output before performing a callout,
914 as this can take a substantial time. These behaviours can be disabled by
915 obeying control = no_delay_flush or control = no_callout_flush,
4aa45c31 916 respectively, at some earlier stage of the connection.
047bdd8c 917
0ce9abe6 91812. There are two new expansion conditions that iterate over a list. They are
4aa45c31 919 called forany and forall.
0ce9abe6 920
0e22dfd1
PH
92113. There's a new global option called dsn_from that can be used to vary the
922 contents of From: lines in bounces and other automatically generated
923 messages ("delivery status notifications" - hence the name of the option).
0e22dfd1 924
4aa45c31 92514. The smtp transport has a new option called hosts_avoid_pipelining.
c51b8e75 926
75b1493f 92715. By default, exigrep does case-insensitive matches. There is now a -I option
4aa45c31 928 that makes it case-sensitive.
29f89cad 929
4aa45c31
PH
93016. A number of new features ("addresses", "map", "filter", and "reduce") have
931 been added to string expansions to make it easier to process lists of
932 items, typically addresses.
29f89cad 933
c3611384
PH
93417. There's a new ACL modifier called "continue". It does nothing of itself,
935 and processing of the ACL always continues with the next condition or
936 modifier. It is provided so that the side effects of expanding its argument
4aa45c31 937 can be used.
c3611384 938
ec95d1a6 93918. It is now possible to use newline and other control characters (those with
4aa45c31 940 values less than 32, plus DEL) as separators in lists.
ec95d1a6 941
b2d5182b
PH
94219. The exigrep utility now has a -v option, which inverts the matching
943 condition.
944
c456d9bb 94520. The host_find_failed option in the manualroute router can now be set to
4aa45c31 946 "ignore".
c456d9bb 947
b4ed4da0
PH
948
949Version 4.66
950------------
951
952No new features were added to 4.66.
953
954
955Version 4.65
956------------
957
958No new features were added to 4.65.
959
38a0a95f
PH
960
961Version 4.64
962------------
963
af561417
PH
964 1. ACL variables can now be given arbitrary names, as long as they start with
965 "acl_c" or "acl_m" (for connection variables and message variables), are at
966 least six characters long, with the sixth character being either a digit or
883335dc 967 an underscore.
af561417
PH
968
969 2. There is a new ACL modifier called log_reject_target. It makes it possible
883335dc 970 to specify which logs are used for messages about ACL rejections.
af561417
PH
971
972 3. There is a new authenticator called "dovecot". This is an interface to the
973 authentication facility of the Dovecot POP/IMAP server, which can support a
883335dc 974 number of authentication methods.
af561417
PH
975
976 4. The variable $message_headers_raw provides a concatenation of all the
977 messages's headers without any decoding. This is in contrast to
978 $message_headers, which does RFC2047 decoding on the header contents.
979
883335dc
PH
980 5. In a DNS black list, if two domain names, comma-separated, are given, the
981 second is used first to do an initial check, making use of any IP value
982 restrictions that are set. If there is a match, the first domain is used,
983 without any IP value restrictions, to get the TXT record.
af561417 984
883335dc 985 6. All authenticators now have a server_condition option.
af561417
PH
986
987 7. There is a new command-line option called -Mset. It is useful only in
988 conjunction with -be (that is, when testing string expansions). It must be
989 followed by a message id; Exim loads the given message from its spool
883335dc 990 before doing the expansions.
af561417
PH
991
992 8. Another similar new command-line option is called -bem. It operates like
883335dc
PH
993 -be except that it must be followed by the name of a file that contains a
994 message.
af561417
PH
995
996 9. When an address is delayed because of a 4xx response to a RCPT command, it
997 is now the combination of sender and recipient that is delayed in
883335dc 998 subsequent queue runs until its retry time is reached.
af561417
PH
999
100010. Unary negation and the bitwise logical operators and, or, xor, not, and
883335dc 1001 shift, have been added to the eval: and eval10: expansion items.
48c7f9e2 1002
194cc0e4
PH
100311. The variables $interface_address and $interface_port have been renamed
1004 as $received_ip_address and $received_port, to make it clear that they
1005 relate to message reception rather than delivery. (The old names remain
1006 available for compatibility.)
1007
883335dc
PH
100812. The "message" modifier can now be used on "accept" and "discard" acl verbs
1009 to vary the message that is sent when an SMTP command is accepted.
4e88a19f 1010
495ae4b0 1011
4608d683
PH
1012Version 4.63
1013------------
1014
10151. There is a new Boolean option called filter_prepend_home for the redirect
38a0a95f 1016 router.
4608d683 1017
45b91596
PH
10182. There is a new acl, set by acl_not_smtp_start, which is run right at the
1019 start of receiving a non-SMTP message, before any of the message has been
38a0a95f 1020 read.
45b91596 1021
a5bd321b
PH
10223. When an SMTP error message is specified in a "message" modifier in an ACL,
1023 or in a :fail: or :defer: message in a redirect router, Exim now checks the
38a0a95f 1024 start of the message for an SMTP error code.
a5bd321b 1025
6ec97b1b 10264. There is a new parameter for LDAP lookups called "referrals", which takes
38a0a95f 1027 one of the settings "follow" (the default) or "nofollow".
6ec97b1b 1028
e22ca4ac
JJ
10295. Version 20070721.2 of exipick now included, offering these new options:
1030 --reverse
1031 After all other sorting options have bee processed, reverse order
1032 before displaying messages (-R is synonym).
1033 --random
1034 Randomize order of matching messages before displaying.
1035 --size
1036 Instead of displaying the matching messages, display the sum
1037 of their sizes.
1038 --sort <variable>[,<variable>...]
1039 Before displaying matching messages, sort the messages according to
1040 each messages value for each variable.
1041 --not
1042 Negate the value for every test (returns inverse output from the
1043 same criteria without --not).
1044
4608d683 1045
1cce3af8
PH
1046Version 4.62
1047------------
1048
10491. The ${readsocket expansion item now supports Internet domain sockets as well
1050 as Unix domain sockets. If the first argument begins "inet:", it must be of
1051 the form "inet:host:port". The port is mandatory; it may be a number or the
1052 name of a TCP port in /etc/services. The host may be a name, or it may be an
1053 IP address. An ip address may optionally be enclosed in square brackets.
1054 This is best for IPv6 addresses. For example:
1055
1056 ${readsocket{inet:[::1]:1234}{<request data>}...
1057
1058 Only a single host name may be given, but if looking it up yield more than
1059 one IP address, they are each tried in turn until a connection is made. Once
1060 a connection has been made, the behaviour is as for ${readsocket with a Unix
1061 domain socket.
1062
f7fd3850
PH
10632. If a redirect router sets up file or pipe deliveries for more than one
1064 incoming address, and the relevant transport has batch_max set greater than
1065 one, a batch delivery now occurs.
1066
d6629cdc
PH
10673. The appendfile transport has a new option called maildirfolder_create_regex.
1068 Its value is a regular expression. For a maildir delivery, this is matched
1069 against the maildir directory; if it matches, Exim ensures that a
1070 maildirfolder file is created alongside the new, cur, and tmp directories.
1071
1cce3af8 1072
7e66e54d
PH
1073Version 4.61
1074------------
1075
4f578862
PH
1076The documentation is up-to-date for the 4.61 release. Major new features since
1077the 4.60 release are:
1078
1079. An option called disable_ipv6, to disable the use of IPv6 completely.
1080
1081. An increase in the number of ACL variables to 20 of each type.
1082
1083. A change to use $auth1, $auth2, and $auth3 in authenticators instead of $1,
1084 $2, $3, (though those are still set) because the numeric variables get used
1085 for other things in complicated expansions.
1086
843a41e8 1087. The default for rfc1413_query_timeout has been changed from 30s to 5s.
4f578862
PH
1088
1089. It is possible to use setclassresources() on some BSD OS to control the
1090 resources used in pipe deliveries.
1091
1092. A new ACL modifier called add_header, which can be used with any verb.
1093
1094. More errors are detectable in retry rules.
1095
1096There are a number of other additions too.
71fafd95 1097
7e66e54d 1098
425ae40f 1099Version 4.60
b5aea5e1
PH
1100------------
1101
425ae40f
PH
1102The documentation is up-to-date for the 4.60 release. Major new features since
1103the 4.50 release are:
1a46a8c5 1104
425ae40f 1105. Support for SQLite.
1a46a8c5 1106
425ae40f 1107. Support for IGNOREQUOTA in LMTP.
1a46a8c5 1108
425ae40f 1109. Extensions to the "submission mode" features.
1a46a8c5 1110
425ae40f 1111. Support for Client SMTP Authorization (CSA).
1a46a8c5 1112
425ae40f 1113. Support for ratelimiting hosts and users.
b5aea5e1 1114
425ae40f 1115. New expansion items to help with the BATV "prvs" scheme.
b5aea5e1 1116
425ae40f 1117. A "match_ip" condition, that matches an IP address against a list.
35edf2ff 1118
425ae40f 1119There are many more minor changes.
495ae4b0
PH
1120
1121****