faf6914cab572b04de1d4919c05665e095afcaa3
[exim.git] / doc / doc-txt / ChangeLog
1 This document describes *changes* to previous versions, that might
2 affect Exim's operation, with an unchanged configuration file. For new
3 options, and new features, see the NewStuff file next to this ChangeLog.
4
5
6 Exim version 4.93
7 -----------------
8
9 JH/01 OpenSSL: With debug enabled output keying information sufficient, server
10 side, to decode a TLS 1.3 packet capture.
11
12 JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
13 Previously the default library behaviour applied, sending two, each in
14 its own TCP segment.
15
16 JH/03 Debug output for ACL now gives the config file name and line number for
17 each verb.
18
19 JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
20
21 JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
22
23 JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
24 buffer overrun for (non-chunking) other transports.
25
26 JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
27 TLS1.3, means that a server rejecting a client certificate is not visible
28 to the client until the first read of encrypted data (typically the
29 response to EHLO). Add detection for that case and treat it as a failed
30 TLS connection attempt, so that the normal retry-in-clear can work (if
31 suitably configured).
32
33 JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
34 and/or domain. Found and fixed by Jason Betts.
35
36 JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
37 configuration). If a CNAME target was not a wellformed name pattern, a
38 crash could result.
39
40 JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
41 the OS reports them interleaved with other addresses.
42
43 JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
44 used both for input and for a verify callout, both encrypted, SMTP
45 responses being sent by the server could be lost. This resulted in
46 dropped connections and sometimes bounces generated by a peer sending
47 to this system.
48
49 JH/11 Harden plaintext authenticator against a badly misconfigured client-send
50 string. Previously it was possible to cause undefined behaviour in a
51 library routine (usually a crash). Found by "zerons".
52
53 JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no
54 output.
55
56 JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old
57 API was removed, so update to use the newer ones.
58
59 JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
60 any timeout set, is taking a long time. Previously we would hang on to a
61 rotated logfile "forever" if the input was arriving with long gaps
62 (a previous attempt to fix addressed lack, for a long time, of initial
63 input).
64
65 HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
66 shared (NFS) environment. The length of the tempfile name is now
67 4 + 16 ("hdr.$message_exim_id") which might break on file
68 systems which restrict the file name length to lower values.
69 (It was "hdr.$pid".)
70
71 HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
72 shared (NFS) environment.
73
74 HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
75 did for all versions <4.90). Notably -M, -m, --invert, -I may be
76 affected.
77
78 JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
79 on some platforms for bit 31.
80
81 JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
82 to changes apparently associated with TLS1.3 handling some of the APIs
83 previously used were either nonfunctional or inappropriate. Strings
84 like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
85 and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
86 the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
87 This affects log line X= elements, the $tls_{in,out}_cipher variables,
88 and the use of specific cipher names in the encrypted= ACL condition.
89
90 JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
91
92 JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
93 verification result was not updated unless hosts_require_ocsp applied.
94
95 JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option
96 queue_list_requires_admin set to false, non-admin users were denied the
97 facility.
98
99 JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
100 directory-of-certs mode. Previously they were advertised despite the
101 documentation.
102
103 JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
104 A single TCP connection by a client will now hold a TLS connection open
105 for multiple message deliveries, by default. Previoud the default was to
106 not do so.
107
108 JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
109 default. If built with the facility, DANE will be used. The facility
110 SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
111
112 JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
113 is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
114 must be defined and you must still, unless you define DISABLE_TLS, manage
115 the the include-dir and library-file requirements that go with that
116 choice. Non-TLS builds are still supported.
117
118 JH/24 Fix duplicated logging of peer name/address, on a transport connection-
119 reject under TFO.
120
121 JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
122 default. If the platform supports and has the facility enabled, it will
123 be requested on all coneections.
124
125 JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
126 controlled by the build-time option SUPPORT_PIPE_CONNECT.
127
128 PP/01 Unbreak heimdal_gssapi, broken in 4.92.
129
130 JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
131 success-DSN messages. Previously the From: header was always the default
132 one for these; the option was ignored.
133
134 JH/28 Fix the timeout on smtp response to apply to the whole response.
135 Previously it was reset for every read, so a teergrubing peer sending
136 single bytes within the time limit could extend the connection for a
137 long time. Credit to Qualsys Security Advisory Team for the discovery.
138
139 JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing
140 delivery address, which leaked information of the results of local
141 forwarding. Change to the original envelope recipient address, per
142 standards.
143
144 JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
145 requested. Previously not bounce was generated and a log entry of
146 error ignored was made.
147
148 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)
149
150 JH/32 Introduce a general tainting mechanism for values read from the input
151 channel, and values derived from them. Refuse to expand any tainted
152 values, to catch one form of exploit.
153
154 JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result
155 was unused and the unexpanded text used for the test. Found and
156 fixed by Ruben Jenster.
157
158 JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open,
159 an attempt to use a TLS library read routine dereffed a nul pointer,
160 causing a segfault.
161
162 JH/35 Bug 2409: filter out-of-spec chars from callout response before using
163 them in our smtp response.
164
165 JH/36 Have the general router option retry_use_local_part default to true when
166 any of the restrictive preconditions are set (to anything). Previously it
167 was only for check_local user. The change removes one item of manual
168 configuration which is required for proper retries when a remote router
169 handles a subset of addresses for a domain.
170
171 JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
172 link count into consideration.
173
174 HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line
175 caused the extension of big_buffer, the following lines were ignored.
176
177 JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
178 accordance with RFC 2308. Previously there was no expiry, so a longlived
179 receive process (eg. due to ACL delays) versus a short SOA value could
180 surprise.
181
182 HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)
183
184 JH/39 Promote DMARC support to mainline.
185
186 JH/40 Bug 2452: Add a References: header to DSNs.
187
188 JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
189 parameters. The relevant library call is documented as "Deprecated: This
190 function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
191 3.6.0, DH parameters are negotiated following RFC7919."
192
193 HS/06 Change the default of dnssec_request_domains to "*"
194
195 JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we
196 carried on and emitted a BDAT command, even when PIPELINING was not
197 active.
198
199 JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
200 buffer was used for the filename, resulting in a trap when tainted
201 arguments (eg. $domain) were used.
202
203 JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
204 recommended to avoid a possible server-load attack. The feature can be
205 re-enabled via the openssl_options main cofiguration option.
206
207 JH/45 local_scan API: documented the current smtp_printf() call. This changed
208 for version 4.90 - adding a "more data" boolean to the arguments.
209
210
211 Exim version 4.92
212 -----------------
213
214 JH/01 Remove code calling the customisable local_scan function, unless a new
215 definition "HAVE_LOCAL_SCAN=yes" is present in the Local/Makefile.
216
217 JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in
218 non-signal-safe functions being used.
219
220 JH/03 Bug 2269: When presented with a received message having a stupidly large
221 number of DKIM-Signature headers, disable DKIM verification to avoid
222 a resource-consumption attack. The limit is set at twenty.
223
224 JH/04 Add variables $arc_domains, $arc_oldest_pass for ARC verify. Fix the
225 report of oldest_pass in ${authres } in consequence, and separate out
226 some descriptions of reasons for verification fail.
227
228 JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage
229 files in the spool were present and unlocked. A queue-runner could spot
230 them, resulting in a duplicate delivery. Fix that by doing the unlock
231 after the unlink. Investigation by Tim Stewart. Take the opportunity to
232 add more error-checking on spoolfile handling while that code is being
233 messed with.
234
235 PP/01 Refuse to open a spool data file (*-D) if it's a symlink.
236 No known attacks, no CVE, this is defensive hardening.
237
238 JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and
239 a queue-runner could start a delivery while other operations were ongoing.
240 Cutthrough delivery was a common victim, resulting in duplicate delivery.
241 Found and investigated by Tim Stewart. Fix by using the open message data
242 file handle rather than opening another, and not locally closing it (which
243 releases a lock) for that case, while creating the temporary .eml format
244 file for the MIME ACL. Also applies to "regex" and "spam" ACL conditions.
245
246 JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting
247 $sender_verify_failure/$recipient_verify_failure to "random".
248
249 JH/08 When generating a selfsigned cert, use serial number 1 since zero is not
250 legitimate.
251
252 JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd.
253 Previously this would segfault.
254
255 JH/10 Fix ARC signing for case when DKIM signing failed. Previously this would
256 segfault.
257
258 JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd
259 like zero, since the resolver should be doing this for us, But we need one
260 as a CNAME but no MX presence gets the CNAME returned; we need to check
261 that doesn't point to an MX to declare it "no MX returned" rather than
262 "error, loop". A new main option is added so the older capability of
263 following some limited number of chain links is maintained.
264
265 JH/12 Add client-ip info to non-pass iprev ${authres } lines.
266
267 JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol
268 methods. These should support TLS 1.3; they arrived with TLS 1.3 and the
269 now-deprecated earlier definitions used only specified the range up to TLS
270 1.2 (in the older-version library docs).
271
272 JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots.
273
274 JH/15 Rework TLS client-side context management. Stop using a global, and
275 explicitly pass a context around. This enables future use of TLS for
276 connections to service-daemons (eg. malware scanning) while a client smtp
277 connection is using TLS; with cutthrough connections this is quite likely.
278
279 JH/16 Fix ARC verification to do AS checks in reverse order.
280
281 JH/17 Support a "tls" option on the ${readsocket } expansion item.
282
283 JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages
284 using the SMTPUTF8 option on their MAIL FROM commands, in one connection.
285 Previously the "utf8" would be re-prepended for every additional message.
286
287 JH/19 Reject MAIL FROM commands with SMTPUTF8 when the facility was not advertised.
288 Previously thery were accepted, resulting in issues when attempting to
289 forward messages to a non-supporting MTA.
290
291 PP/02 Let -n work with printing macros too, not just options.
292
293 JH/20 Bug 2296: Fix cutthrough for >1 address redirection. Previously only
294 one parent address was copied, and bogus data was used at delivery-logging
295 time. Either a crash (after delivery) or bogus log data could result.
296 Discovery and analysis by Tim Stewart.
297
298 PP/03 Make ${utf8clean:} expansion operator detect incomplete final character.
299 Previously if the string ended mid-character, we did not insert the
300 promised '?' replacement.
301
302 PP/04 Documentation: current string operators work on bytes, not codepoints.
303
304 JH/21 Change as many as possible of the global flags into one-bit bitfields; these
305 should pack well giving a smaller memory footprint so better caching and
306 therefore performance. Group the declarations where this can't be done so
307 that the byte-sized flag variables are not interspersed among pointer
308 variables, giving a better chance of good packing by the compiler.
309
310 JH/22 Bug 1896: Fix the envelope from for DMARC forensic reports to be possibly
311 non-null, to avoid issues with sites running BATV. Previously reports were
312 sent with an empty envelope sender so looked like bounces.
313
314 JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working.
315 The ignore_error flag wasn't being returned from the filter subprocess so
316 was not set for later routers. Investigation and fix by Matthias Kurz.
317
318 JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient,
319 and a msg:complete for the whole, when a message is manually removed using
320 -Mrm. Developement by Matthias Kurz, hacked on by JH.
321
322 JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using
323 a "Gnu special" function, asprintf() in the DB utility binary builds; I
324 hope that is portable enough.
325
326 JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also
327 requiring a known-CA anchor certificate; make it now rely entirely on the
328 TLSA as an anchor. Checking the name on the leaf cert against the name
329 on the A-record for the host is still done for TA (but not for EE mode).
330
331 JH/27 Fix logging of proxy address. Previously, a pointless "PRX=[]:0" would be
332 included in delivery lines for non-proxied connections, when compiled with
333 SUPPORT_SOCKS and running with proxy logging enabled.
334
335 JH/28 Bug 2314: Fire msg:fail:delivery event even when error is being ignored.
336 Developement by Matthias Kurz, tweaked by JH. While in that bit of code,
337 move the existing event to fire before the normal logging of message
338 failure so that custom logging is bracketed by normal logging.
339
340 JH/29 Bug 2322: A "fail" command in a non-system filter (file) now fires the
341 msg:fail:internal event. Developement by Matthias Kurz.
342
343 JH/30 Bug 2329: Increase buffer size used for dns lookup from 2k, which was
344 far too small for todays use of crypto signatures stored there. Go all
345 the way to the max DNS message size of 64kB, even though this might be
346 overmuch for IOT constrained device use.
347
348 JH/31 Fix a bad use of a copy function, which could be used to pointlessly
349 copy a string over itself. The library routine is documented as not
350 supporting overlapping copies, and on MacOS it actually raised a SIGABRT.
351
352 JH/32 For main options check_spool_space and check_inode_space, where the
353 platform supports 64b integers, support more than the previous 2^31 kB
354 (i.e. more than 2 TB). Accept E, P and T multipliers in addition to
355 the previous G, M, k.
356
357 JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the
358 $authenticated_fail_id variable on authentication failure. Previously
359 it was unset.
360
361 JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0
362 OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for
363 more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to
364 GNUTLS_SEC_PARAM_MEDIUM.
365
366 JH/35 OpenSSL: fail the handshake when SNI processing hits a problem, server
367 side. Previously we would continue as if no SNI had been received.
368
369 JH/36 Harden the handling of string-lists. When a list consisted of a sole
370 "<" character, which should be a list-separator specification, we walked
371 off past the nul-terimation.
372
373 JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external
374 causes) even when the retry time is not yet met. Previously they were
375 not, meaning that when (say) an account was over-quota and temp-rejecting,
376 and multiple senders' messages were queued, only one sender would get
377 notified on each configured delay_warning cycle.
378
379 JH/38 Bug 2351: Log failures to extract envelope addresses from message headers.
380
381 JH/39 OpenSSL: clear the error stack after an SSL_accept(). With anon-auth
382 cipher-suites, an error can be left on the stack even for a succeeding
383 accept; this results in impossible error messages when a later operation
384 actually does fail.
385
386 AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they
387 return error codes indicating retry. Under TLS1.3 this becomes required.
388
389 JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT. Previously
390 it only wrote the new authenticators, resulting in a lack of tracking of
391 peer changes of ESMTP extensions until the next cache flush.
392
393 JH/41 Fix the loop reading a message header line to check for integer overflow,
394 and more-often against header_maxsize. Previously a crafted message could
395 induce a crash of the recive process; now the message is cleanly rejected.
396
397 JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had
398 been totally disabled for all of 4.91. Discovery and fix by "Mad Alex".
399
400
401 Exim version 4.91
402 -----------------
403
404 GF/01 DEFER rather than ERROR on redis cluster MOVED response.
405 When redis_servers is set to a list of > 1 element, and the Redis servers
406 in that list are in cluster configuration, convert the REDIS_REPLY_ERROR
407 case of MOVED into a DEFER case instead, thus moving the query onto the
408 next server in the list. For a cluster of N elements, all N servers must
409 be defined in redis_servers.
410
411 GF/02 Catch and remove uninitialized value warning in exiqsumm
412 Check for existence of @ARGV before looking at $ARGV[0]
413
414 JH/01 Replace the store_release() internal interface with store_newblock(),
415 which internalises the check required to safely use the old one, plus
416 the allocate and data copy operations duplicated in both (!) of the
417 extant use locations.
418
419 JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL
420 modifier. This matches the restriction on the commandline.
421
422 JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
423 Previously only the last row was returned.
424
425 JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
426 we assumed that tags in the header were well-formed, and parsed the
427 element content after inspecting only the first char of the tag.
428 Assumptions at that stage could crash the receive process on malformed
429 input.
430
431 JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
432 While running the DKIM ACL we operate on the Permanent memory pool so that
433 variables created with "set" persist to the DATA ACL. Also (at any time)
434 DNS lookups that fail create cache records using the Permanent pool. But
435 expansions release any allocations made on the current pool - so a dnsdb
436 lookup expansion done in the DKIM ACL releases the memory used for the
437 DNS negative-cache, and bad things result. Solution is to switch to the
438 Main pool for expansions.
439 While we're in that code, add checks on the DNS cache during store_reset,
440 active in the testsuite.
441 Problem spotted, and debugging aided, by Wolfgang Breyha.
442
443 JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
444 When none of the hosts presented to a transport match an already-open
445 connection, close it and proceed with the list. Previously we would
446 queue the message. Spotted by Lena with Yahoo, probably involving
447 round-robin DNS.
448
449 JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
450 Previously a spurious "250 OK id=" response was appended to the proper
451 failure response.
452
453 JH/08 The "support for" informational output now, which built with Content
454 Scanning support, has a line for the malware scanner interfaces compiled
455 in. Interface can be individually included or not at build time.
456
457 JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included
458 by the template makefile "src/EDITME". The "STREAM" support for an older
459 ClamAV interface method is removed.
460
461 JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
462 rows affected is given instead).
463
464 JH/11 The runtime Berkeley DB library version is now additionally output by
465 "exim -d -bV". Previously only the compile-time version was shown.
466
467 JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
468 SMTP connection. Previously, when one had more receipients than the
469 first, an abortive onward connection was made. Move to full support for
470 multiple onward connections in sequence, handling cutthrough connection
471 for all multi-message initiating connections.
472
473 JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
474 routers. Previously, a multi-recipient message would fail to match the
475 onward-connection opened for the first recipient, and cause its closure.
476
477 JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
478 a timeout on read on a GnuTLS initiating connection, resulting in the
479 initiating connection being dropped. This mattered most when the callout
480 was marked defer_ok. Fix to keep the two timeout-detection methods
481 separate.
482
483 JH/15 Relax results from ACL control request to enable cutthrough, in
484 unsupported situations, from error to silently (except under debug)
485 ignoring. This covers use with PRDR, frozen messages, queue-only and
486 fake-reject.
487
488 HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
489
490 JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
491 metadata, resulting in a crash in free().
492
493 PP/01 Fix broken Heimdal GSSAPI authenticator integration.
494 Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
495 Broken also in d185889f4, with init system revamp.
496
497 JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner.
498 Previously we abruptly closed the connection after reading a malware-
499 found indication; now we go on to read the "scan ok" response line,
500 and send a quit.
501
502 JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail
503 ACL. Previously, a crash would result.
504
505 JH/19 Speed up macro lookups during configuration file read, by skipping non-
506 macro text after a replacement (previously it was only once per line) and
507 by skipping builtin macros when searching for an uppercase lead character.
508
509 JH/20 DANE support moved from Experimental to mainline. The Makefile control
510 for the build is renamed.
511
512 JH/21 Fix memory leak during multi-message connections using STARTTLS. A buffer
513 was allocated for every new TLS startup, meaning one per message. Fix
514 by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS).
515
516 JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
517 reported the original. Fix to report (as far as possible) the ACL
518 result replacing the original.
519
520 JH/23 Fix memory leak during multi-message connections using STARTTLS under
521 OpenSSL. Certificate information is loaded for every new TLS startup,
522 and the resources needed to be freed.
523
524 JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
525
526 JH/25 Fix utf8_downconvert propagation through a redirect router. Previously it
527 was not propagated.
528
529 JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall
530 DATA response info to the (existing) per-recipient response info for
531 the "C=" log element. It can have useful tracking info from the
532 destination system. Patch from Simon Arlott.
533
534 JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero-
535 length value. Previously this would segfault.
536
537 HS/02 Support Avast multiline protoocol, this allows passing flags to
538 newer versions of the scanner.
539
540 JH/28 Ensure that variables possibly set during message acceptance are marked
541 dead before release of memory in the daemon loop. This stops complaints
542 about them when the debug_store option is enabled. Discovered specifically
543 for sender_rate_period, but applies to a whole set of variables.
544 Do the same for the queue-runner and queue-list loops, for variables set
545 from spool message files. Do the same for the SMTP per-message loop, for
546 certain variables indirectly set in ACL operations.
547
548 JH/29 Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
549 as a multi-recipient message from a mailinglist manager). The coding had
550 an arbitrary cutoff number of characters while checking for more input;
551 enforced by writing a NUL into the buffer. This corrupted long / fast
552 input. The problem was exposed more widely when more pipelineing of SMTP
553 responses was introduced, and one Exim system was feeding another.
554 The symptom is log complaints of SMTP syntax error (NUL chars) on the
555 receiving system, and refused recipients seen by the sending system
556 (propating to people being dropped from mailing lists).
557 Discovered and pinpointed by David Carter.
558
559 JH/30 The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
560 replaced by the ${authresults } expansion.
561
562 JH/31 Bug 2257: Fix pipe transport to not use a socket-only syscall.
563
564 HS/03 Set a handler for SIGTERM and call exit(3) if running as PID 1. This
565 allows proper process termination in container environments.
566
567 JH/32 Bug 2258: Fix spool_wireformat in combination with LMTP transport.
568 Previously the "final dot" had a newline after it; ensure it is CR,LF.
569
570 JH/33 SPF: remove support for the "spf" ACL condition outcome values "err_temp"
571 and "err_perm", deprecated since 4.83 when the RFC-defined words
572 "temperror" and "permerror" were introduced.
573
574 JH/34 Re-introduce enforcement of no cutthrough delivery on transports having
575 transport-filters or DKIM-signing. The restriction was lost in the
576 consolidation of verify-callout and delivery SMTP handling.
577 Extend the restriction to also cover ARC-signing.
578
579 JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses)
580 in defer=pass mode supply a 450 to the initiator. Previously the message
581 would be spooled.
582
583 PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset,
584 tls_require_ciphers is used as before.
585
586 HS/03 Malware Avast: Better match the Avast multiline protocol. Add
587 "pass_unscanned". Only tmpfails from the scanner are written to
588 the paniclog, as they may require admin intervention (permission
589 denied, license issues). Other scanner errors (like decompression
590 bombs) do not cause a paniclog entry.
591
592 JH/36 Fix reinitialisation of DKIM logging variable between messages.
593 Previously it was possible to log spurious information in receive log
594 lines.
595
596 JH/37 Bug 2255: Revert the disable of the OpenSSL session caching. This
597 triggered odd behaviour from Outlook Express clients.
598
599 PP/03 Add util/renew-opendmarc-tlds.sh script for safe renewal of public
600 suffix list.
601
602 JH/38 DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form,
603 since the IETF WG has not yet settled on that versus the original
604 "bare" representation.
605
606 JH/39 Fix syslog logging for syslog_timestamp=no and log_selector +millisec.
607 Previously the millisecond value corrupted the output.
608 Fix also for syslog_pid=no and log_selector +pid, for which the pid
609 corrupted the output.
610
611
612 Exim version 4.90
613 -----------------
614
615 JH/01 Rework error string handling in TLS interface so that the caller in
616 more cases is responsible for logging. This permits library-sourced
617 string to be attached to addresses during delivery, and collapses
618 pairs of long lines into single ones.
619
620 PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
621 during configuration. Wildcards are allowed and expanded.
622
623 JH/02 Rework error string handling in DKIM to pass more info back to callers.
624 This permits better logging.
625
626 JH/03 Rework the transport continued-connection mechanism: when TLS is active,
627 do not close it down and have the child transport start it up again on
628 the passed-on TCP connection. Instead, proxy the child (and any
629 subsequent ones) for TLS via a unix-domain socket channel. Logging is
630 affected: the continued delivery log lines do not have any DNSSEC, TLS
631 Certificate or OCSP information. TLS cipher information is still logged.
632
633 JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of
634 identical IP addresses on different listening ports. Will also affect
635 "exiwhat" output.
636
637 PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
638 add noisy ifdef guards to special-case this sillyness.
639 Patch from Bernd Kuhls.
640
641 JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger
642 than 255 are no longer allowed.
643
644 JH/06 Default openssl_options to include +no_ticket, to reduce load on peers.
645 Disable the session-cache too, which might reduce our load. Since we
646 currrectly use a new context for every connection, both as server and
647 client, there is no benefit for these.
648 GnuTLS appears to not support tickets server-side by default (we don't
649 call gnutls_session_ticket_enable_server()) but client side is enabled
650 by default on recent versions (3.1.3 +) unless the PFS priority string
651 is used (3.2.4 +).
652
653 PP/03 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
654 <https://reproducible-builds.org/specs/source-date-epoch/>.
655
656 JH/07 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
657 the check for any unsuccessful recipients did not notice the limit, and
658 erroneously found still-pending ones.
659
660 JH/08 Pipeline CHUNKING command and data together, on kernels that support
661 MSG_MORE. Only in-clear (not on TLS connections).
662
663 JH/09 Avoid using a temporary file during transport using dkim. Unless a
664 transport-filter is involved we can buffer the headers in memory for
665 creating the signature, and read the spool data file once for the
666 signature and again for transmission.
667
668 JH/10 Enable use of sendfile in Linux builds as default. It was disabled in
669 4.77 as the kernel support then wasn't solid, having issues in 64bit
670 mode. Now, it's been long enough. Add support for FreeBSD also.
671
672 JH/11 Bug 2104: Fix continued use of a transport connection with TLS. In the
673 case where the routing stage had gathered several addresses to send to
674 a host before calling the transport for the first, we previously failed
675 to close down TLS in the old transport process before passing the TCP
676 connection to the new process. The new one sent a STARTTLS command
677 which naturally failed, giving a failed delivery and bloating the retry
678 database. Investigation and fix prototype from Wolfgang Breyha.
679
680 JH/12 Fix check on SMTP command input synchronisation. Previously there were
681 false-negatives in the check that the sender had not preempted a response
682 or prompt from Exim (running as a server), due to that code's lack of
683 awareness of the SMTP input buffering.
684
685 PP/04 Add commandline_checks_require_admin option.
686 Exim drops privileges sanely, various checks such as -be aren't a
687 security problem, as long as you trust local users with access to their
688 own account. When invoked by services which pass untrusted data to
689 Exim, this might be an issue. Set this option in main configuration
690 AND make fixes to the calling application, such as using `--` to stop
691 processing options.
692
693 JH/13 Do pipelining under TLS. Previously, although safe, no advantage was
694 taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server)
695 responses to those, into a single TLS record each way (this usually means
696 a single packet). As a side issue, smtp_enforce_sync now works on TLS
697 connections.
698
699 PP/05 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This
700 affects you only if you're dancing at the edge of the param size limits.
701 If you are, and this message makes sense to you, then: raise the
702 configured limit or use OpenSSL 1.1. Nothing we can do for older
703 versions.
704
705 JH/14 For the "sock" variant of the malware scanner interface, accept an empty
706 cmdline element to get the documented default one. Previously it was
707 inaccessible.
708
709 JH/15 Fix a crash in the smtp transport caused when two hosts in succession
710 are unsuable for non-message-specific reasons - eg. connection timeout,
711 banner-time rejection.
712
713 JH/16 Fix logging of delivery remote port, when specified by router, under
714 callout/hold.
715
716 PP/06 Repair manualroute's ability to take options in any order, even if one
717 is the name of a transport.
718 Fixes bug 2140.
719
720 HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)
721
722 JH/17 Change the list-building routines interface to use the expanding-string
723 triplet model, for better allocation and copying behaviour.
724
725 JH/18 Prebuild the data-structure for "builtin" macros, for faster startup.
726 Previously it was constructed the first time a possibly-matching string
727 was met in the configuration file input during startup; now it is done
728 during compilation.
729
730 JH/19 Bug 2141: Use the full-complex API for Berkeley DB rather than the legacy-
731 compatible one, to avoid the (poorly documented) possibility of a config
732 file in the working directory redirecting the DB files, possibly correpting
733 some existing file. CVE-2017-10140 assigned for BDB.
734
735 JH/20 Bug 2147: Do not defer for a verify-with-callout-and-random which is not
736 cache-hot. Previously, although the result was properly cached, the
737 initial verify call returned a defer.
738
739 JH/21 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but
740 the main verify for receipient in uncached-mode.
741
742 JH/22 Retire historical build files to an "unsupported" subdir. These are
743 defined as "ones for which we have no current evidence of testing".
744
745 JH/23 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
746 if present. Previously it was ignored.
747
748 JH/24 Start using specified-initialisers in C structure init coding. This is
749 a C99 feature (it's 2017, so now considered safe).
750
751 JH/25 Use one-bit bitfields for flags in the "addr" data structure. Previously
752 if was a fixed-sized field and bitmask ops via macros; it is now more
753 extensible.
754
755 PP/07 GitHub PR 56: Apply MariaDB build fix.
756 Patch provided by Jaroslav Škarvada.
757
758 PP/08 Bug 2161: Fix regression in sieve quoted-printable handling introduced
759 during Coverity cleanups [4.87 JH/47]
760 Diagnosis and fix provided by Michael Fischer v. Mollard.
761
762 JH/26 Fix DKIM bug: when the pseudoheader generated for signing was exactly
763 the right size to place the terminating semicolon on its own folded
764 line, the header hash was calculated to an incorrect value thanks to
765 the (relaxed) space the fold became.
766
767 HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked
768 and confused the parent.
769
770 JH/27 Fix SOCKS bug: an unitialized pointer was deref'd by the transport process
771 which could crash as a result. This could lead to undeliverable messages.
772
773 JH/28 Logging: "next input sent too soon" now shows where input was truncated
774 for log purposes.
775
776 JH/29 Fix queue_run_in_order to ignore the PID portion of the message ID. This
777 matters on fast-turnover and PID-randomising systems, which were getting
778 out-of-order delivery.
779
780 JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for
781 a possibly-overlapping copy. The symptom was that "Remote host closed
782 connection in response to HELO" was logged instead of the actual 4xx
783 error for the HELO.
784
785 JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error.
786 Previously only that bufferd was discarded, resulting in SYMTP command
787 desynchronisation.
788
789 JH/32 DKIM: when a message has multiple signatures matching an identity given
790 in dkim_verify_signers, run the dkim acl once for each. Previously only
791 one run was done. Bug 2189.
792
793 JH/33 Downgrade an unfound-list name (usually a typo in the config file) from
794 "panic the current process" to "deliberately defer". The panic log is
795 still written with the problem list name; the mail and reject logs now
796 get a temp-reject line for the message that was being handled, saying
797 something like "domains check lookup or other defer". The SMTP 451
798 message is still "Temporary local problem".
799
800 JH/34 Bug 2199: Fix a use-after-free while reading smtp input for header lines.
801 A crafted sequence of BDAT commands could result in in-use memory beeing
802 freed. CVE-2017-16943.
803
804 HS/03 Bug 2201: Fix checking for leading-dot on a line during headers reading
805 from SMTP input. Previously it was always done; now only done for DATA
806 and not BDAT commands. CVE-2017-16944.
807
808 JH/35 Bug 2201: Flush received data in BDAT mode after detecting an error fatal
809 to the message (such as an overlong header line). Previously this was
810 not done and we did not exit BDAT mode. Followon from the previous item
811 though a different problem.
812
813
814 Exim version 4.89
815 -----------------
816
817 JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules
818 than -2003 did; needs libidn2 in addition to libidn.
819
820 JH/02 The path option on a pipe transport is now expanded before use.
821
822 PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
823 Patch provided by "Björn", documentation fix added too.
824
825 JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was
826 missing a wire-to-host endian conversion.
827
828 JH/04 Bug 2004: fix CHUNKING in non-PIPELINEING mode. Chunk data following
829 close after a BDAT command line could be taken as a following command,
830 giving a synch failure. Fix by only checking for synch immediately
831 before acknowledging the chunk.
832
833 PP/02 GitHub PR 52: many spelling fixes, which include fixing parsing of
834 no_require_dnssec option and creation of _HAVE_TRANSPORT_APPEND_MAILDIR
835 macro. Patches provided by Josh Soref.
836
837 JH/05 Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
838 Previously we did not; the RFC seems ambiguous and VRFY is not listed
839 by IANA as a service extension. However, John Klensin suggests that we
840 should.
841
842 JH/06 Bug 2017: Fix DKIM verification in -bh test mode. The data feed into
843 the dkim code may be unix-mode line endings rather than smtp wire-format
844 CRLF, so prepend a CR to any bare LF.
845
846 JH/07 Rationalise the coding for callout smtp conversations and transport ones.
847 As a side-benfit, callouts can now use PIPELINING hence fewer round-trips.
848
849 JH/08 Bug 2016: Fix DKIM verification vs. CHUNKING. Any BDAT commands after
850 the first were themselves being wrongly included in the feed into dkim
851 processing; with most chunk sizes in use this resulted in an incorrect
852 body hash calculated value.
853
854 JH/09 Bug 2014: permit inclusion of a DKIM-Signature header in a received
855 DKIM signature block, for verification. Although advised against by
856 standards it is specifically not ruled illegal.
857
858 JH/10 Bug 2025: Fix reception of (quoted) local-parts with embedded spaces.
859
860 JH/11 Bug 2029: Fix crash in DKIM verification when a message signature block is
861 missing a body hash (the bh= tag).
862
863 JH/12 Bug 2018: Re-order Proxy Protocol startup versus TLS-on-connect startup.
864 It seems that HAProxy sends the Proxy Protocol information in clear and
865 only then does a TLS startup, so do the same.
866
867 JH/13 Bug 2027: Avoid attempting to use TCP Fast Open for non-transport client
868 TCP connections (such as for Spamd) unless the daemon successfully set
869 Fast Open mode on its listening sockets. This fixes breakage seen on
870 too-old kernels or those not configured for Fast Open, at the cost of
871 requiring both directions being enabled for TFO, and TFO never being used
872 by non-daemon-related Exim processes.
873
874 JH/14 Bug 2000: Reject messages recieved with CHUNKING but with malformed line
875 endings, at least on the first header line. Try to canonify any that get
876 past that check, despite the cost.
877
878 JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are
879 now limited to an arbitrary five deep, while parsing addresses with the
880 strip_excess_angle_brackets option enabled.
881
882 PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and
883 instead leave the unprompted TLS handshake in socket buffer for the
884 TLS library to consume.
885
886 PP/04 Bug 2018: Also handle Proxy Protocol v2 safely.
887
888 PP/05 FreeBSD compat: handle that Ports no longer create /usr/bin/perl
889
890 JH/16 Drop variables when they go out of scope. Memory management drops a whole
891 region in one operation, for speed, and this leaves assigned pointers
892 dangling. Add checks run only under the testsuite which checks all
893 variables at a store-reset and panics on a dangling pointer; add code
894 explicitly nulling out all the variables discovered. Fixes one known
895 bug: a transport crash, where a dangling pointer for $sending_ip_address
896 originally assigned in a verify callout, is re-used.
897
898 PP/06 Drop '.' from @INC in various Perl scripts.
899
900 PP/07 Switch FreeBSD iconv to always use the base-system libc functions.
901
902 PP/08 Reduce a number of compilation warnings under clang; building with
903 CC=clang CFLAGS+=-Wno-dangling-else -Wno-logical-op-parentheses
904 should be warning-free.
905
906 JH/17 Fix inbound CHUNKING when DKIM disabled at runtime.
907
908 HS/01 Fix portability problems introduced by PP/08 for platforms where
909 realloc(NULL) is not equivalent to malloc() [SunOS et al].
910
911 HS/02 Bug 1974: Fix missing line terminator on the last received BDAT
912 chunk. This allows us to accept broken chunked messages. We need a more
913 general solution here.
914
915 PP/09 Wrote util/chunking_fixqueue_finalnewlines.pl to help recover
916 already-broken messages in the queue.
917
918 JH/18 Bug 2061: Fix ${extract } corrupting an enclosing ${reduce } $value.
919
920 JH/19 Fix reference counting bug in routing-generated-address tracking.
921
922
923 Exim version 4.88
924 -----------------
925
926 JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
927 supports it and a size is available (ie. the sending peer gave us one).
928
929 JH/02 The obsolete acl condition "demime" is removed (finally, after ten
930 years of being deprecated). The replacements are the ACLs
931 acl_smtp_mime and acl_not_smtp_mime.
932
933 JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
934 a downgraded non-dane trust-anchor for the TLS connection (CA-style)
935 or even an in-clear connection were permitted. Now, if the host lookup
936 was dnssec and dane was requested then the host is only used if the
937 TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
938 MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
939 if one fails this test.
940 This means that a poorly-configured remote DNS will make it incommunicado;
941 but it protects against a DNS-interception attack on it.
942
943 JH/04 Bug 1810: make continued-use of an open smtp transport connection
944 non-noisy when a race steals the message being considered.
945
946 JH/05 If main configuration option tls_certificate is unset, generate a
947 self-signed certificate for inbound TLS connections.
948
949 JH/06 Bug 165: hide more cases of password exposure - this time in expansions
950 in rewrites and routers.
951
952 JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
953 and logged a warning sing 4.83; now they are a configuration file error.
954
955 JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
956 (lacking @domain). Apply the same qualification processing as RCPT.
957
958 JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
959
960 JH/10 Support ${sha256:} applied to a string (as well as the previous
961 certificate).
962
963 JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
964 a cutthrough deliver is pending, as we always want to make a connection.
965 This also avoids re-routing the message when later placing the cutthrough
966 connection after a verify cache hit.
967 Do not update it with the verify result either.
968
969 JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
970 when routing results in more than one destination address.
971
972 JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
973 signing (which inhibits the cutthrough capability). Previously only
974 the presence of an option was tested; now an expansion evaluating as
975 empty is permissible (obviously it should depend only on data available
976 when the cutthrough connection is made).
977
978 JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
979 the relevant preceding SMTP command did not note the pipelining mode.
980
981 JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
982 Previously they were not counted.
983
984 JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
985 as one having no matching records. Previously we deferred the message
986 that needed the lookup.
987
988 JH/17 Fakereject: previously logged as a normal message arrival "<="; now
989 distinguished as "(=".
990
991 JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
992 for missing MX records. Previously it only worked for missing A records.
993
994 JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
995
996 JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
997 after the data-go-ahead and data-ack. Patch from Jason Betts.
998
999 JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results,
1000 even for a "none" policy. Patch from Tony Meyer.
1001
1002 JH/22 Fix continued use of a connection for further deliveries. If a port was
1003 specified by a router, it must also match for the delivery to be
1004 compatible.
1005
1006 JH/23 Bug 1874: fix continued use of a connection for further deliveries.
1007 When one of the recipients of a message was unsuitable for the connection
1008 (has no matching addresses), we lost track of needing to mark it
1009 deferred. As a result mail would be lost.
1010
1011 JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
1012
1013 JH/25 Decoding ACL controls is now done using a binary search; the source code
1014 takes up less space and should be simpler to maintain. Merge the ACL
1015 condition decode tables also, with similar effect.
1016
1017 JH/26 Fix problem with one_time used on a redirect router which returned the
1018 parent address unchanged. A retry would see the parent address marked as
1019 delivered, so not attempt the (identical) child. As a result mail would
1020 be lost.
1021
1022 JH/27 Fix a possible security hole, wherein a process operating with the Exim
1023 UID can gain a root shell. Credit to http://www.halfdog.net/ for
1024 discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
1025 itself :(
1026
1027 JH/28 Enable {spool,log} filesystem space and inode checks as default.
1028 Main config options check_{log,spool}_{inodes,space} are now
1029 100 inodes, 10MB unless set otherwise in the configuration.
1030
1031 JH/29 Fix the connection_reject log selector to apply to the connect ACL.
1032 Previously it only applied to the main-section connection policy
1033 options.
1034
1035 JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
1036
1037 PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
1038 by me. Added RFC7919 DH primes as an alternative.
1039
1040 PP/02 Unbreak build via pkg-config with new hash support when crypto headers
1041 are not in the system include path.
1042
1043 JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
1044 GnuTLS, when a session startup failed (eg because the client disconnected)
1045 Exim did stdio operations after fclose. This was exposed by a recent
1046 change which nulled out the file handle after the fclose.
1047
1048 JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
1049 signed directly by the cert-signing cert, rather than an intermediate
1050 OCSP-signing cert. This is the model used by LetsEncrypt.
1051
1052 JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
1053
1054 HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
1055 an incoming connection.
1056
1057 HS/02 Bug 1802: Do not half-close the connection after sending a request
1058 to rspamd.
1059
1060 HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
1061 fallback to "prime256v1".
1062
1063 JH/34 SECURITY: Use proper copy of DATA command in error message.
1064 Could leak key material. Remotely exploitable. CVE-2016-9963.
1065
1066
1067 Exim version 4.87
1068 -----------------
1069
1070 JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
1071 and 3.4.4 - once the server is enabled to respond to an OCSP request
1072 it does even when not requested, resulting in a stapling non-aware
1073 client dropping the TLS connection.
1074
1075 TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to
1076 support variable-length bit vectors. No functional change.
1077
1078 TF/02 Improve the consistency of logging incoming and outgoing interfaces.
1079 The I= interface field on outgoing lines is now after the H= remote
1080 host field, same as incoming lines. There is a separate
1081 outgoing_interface log selector which allows you to disable the
1082 outgoing I= field.
1083
1084 JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write.
1085 If not running log_selector +smtp_connection the mainlog would be held
1086 open indefinitely after a "too many connections" event, including to a
1087 deleted file after a log rotate. Leave the per net connection logging
1088 leaving it open for efficiency as that will be quickly detected by the
1089 check on the next write.
1090
1091 HS/01 Bug 1671: Fix post transport crash.
1092 Processing the wait-<transport> messages could crash the delivery
1093 process if the message IDs didn't exist for some reason. When
1094 using 'split_spool_directory=yes' the construction of the spool
1095 file name failed already, exposing the same netto behaviour.
1096
1097 JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex &
1098 mime_regex ACL conditions.
1099
1100 JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information
1101 to DSN fail messages (bounces): remote IP, remote greeting, remote response
1102 to HELO, local diagnostic string.
1103
1104 JH/05 Downgrade message for a TLS-certificate-based authentication fail from
1105 log line to debug. Even when configured with a tls authenticator many
1106 client connections are expected to not authenticate in this way, so
1107 an authenticate fail is not an error.
1108
1109 HS/02 Add the Exim version string to the process info. This way exiwhat
1110 gives some more detail about the running daemon.
1111
1112 JH/06 Bug 1395: time-limit caching of DNS lookups, to the TTL value. This may
1113 matter for fast-change records such as DNSBLs.
1114
1115 JH/07 Bug 1678: Always record an interface option value, if set, as part of a
1116 retry record, even if constant. There may be multiple transports with
1117 different interface settings and the retry behaviour needs to be kept
1118 distinct.
1119
1120 JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments.
1121
1122 JH/09 Bug 1700: ignore space & tab embedded in base64 during decode.
1123
1124 JH/10 Bug 840: fix log_defer_output option of pipe transport
1125
1126 JH/11 Bug 830: use same host for all RCPTS of a message, even under
1127 hosts_randomize. This matters a lot when combined with mua_wrapper.
1128
1129 JH/12 Bug 1706: percent and underbar characters are no longer escaped by the
1130 ${quote_pgsql:<string>} operator.
1131
1132 JH/13 Bug 1708: avoid misaligned access in cached lookup.
1133
1134 JH/14 Change header file name for freeradius-client. Relevant if compiling
1135 with Radius support; from the Gentoo tree and checked under Fedora.
1136
1137 JH/15 Bug 1712: Introduce $prdr_requested flag variable
1138
1139 JH/16 Bug 1714: Permit an empty string as expansion result for transport
1140 option transport_filter, meaning no filtering.
1141
1142 JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts.
1143
1144 JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now
1145 defaults to "*" (all hosts). The variable is now available when not built
1146 with TLS, default unset, mainly to enable keeping the testsuite sane.
1147 If a server certificate is not supplied (via tls_certificate) an error is
1148 logged, and clients will find TLS connections fail on startup. Presumably
1149 they will retry in-clear.
1150 Packagers of Exim are strongly encouraged to create a server certificate
1151 at installation time.
1152
1153 HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency
1154 with the $config_file variable.
1155
1156 JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both
1157 in transport context, after the attempt, and per-recipient. The latter type
1158 is per host attempted. The event data is the error message, and the errno
1159 information encodes the lookup type (A vs. MX) used for the (first) host,
1160 and the trailing two digits of the smtp 4xx response.
1161
1162 GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt
1163 to write to mainlog (or rejectlog, paniclog) in the window between file
1164 creation and permissions/ownership being changed. Particularly affects
1165 installations where exicyclog is run as root, rather than exim user;
1166 result is that the running daemon panics and dies.
1167
1168 JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names.
1169
1170 JH/21 Bug 1720: Add support for priority groups and weighted-random proxy
1171 selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options
1172 "pri" and "weight". Note that the previous implicit priority given by the
1173 list order is no longer honoured.
1174
1175 JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalization
1176 for DKIM processing.
1177
1178 JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build
1179 by defining SUPPORT_SOCKS.
1180
1181 JH/26 Move PROXY support from Experimental to mainline, enabled for a build
1182 by defining SUPPORT_PROXY. Note that the proxy_required_hosts option
1183 is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}.
1184 variables are renamed to proxy_{local,external}_{address,port}.
1185
1186 JH/27 Move Internationalisation support from Experimental to mainline, enabled
1187 for a build by defining SUPPORT_I18N
1188
1189 JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts
1190 of the query string, and make ${quote_redis:} do that quoting.
1191
1192 JH/29 Move Events support from Experimental to mainline, enabled by default
1193 and removable for a build by defining DISABLE_EVENT.
1194
1195 JH/30 Updated DANE implementation code to current from Viktor Dukhovni.
1196
1197 JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly
1198 cached by the daemon.
1199
1200 JH/32 Move Redis support from Experimental to mainline, enabled for a build
1201 by defining LOOKUP_REDIS. The libhiredis library is required.
1202
1203 JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit
1204 keys are given for lookup.
1205
1206 JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM
1207 support, by using OpenSSL or GnuTLS library ones. This means DKIM is
1208 only supported when built with TLS support. The PolarSSL SHA routines
1209 are still used when the TLS library is too old for convenient support.
1210
1211 JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option
1212 openssl_options), for security. OpenSSL forces this from version 1.1.0
1213 server-side so match that on older versions.
1214
1215 JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh
1216 allocation for $value could be released as the expansion processing
1217 concluded, but leaving the global pointer active for it.
1218
1219 JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response,
1220 and to use the domains and local_parts ACL conditions.
1221
1222 JH/38 Fix cutthrough bug with body lines having a single dot. The dot was
1223 incorrectly not doubled on cutthrough transmission, hence seen as a
1224 body-termination at the receiving system - resulting in truncated mails.
1225 Commonly the sender saw a TCP-level error, and retransmitted the message
1226 via the normal store-and-forward channel. This could result in duplicates
1227 received - but deduplicating mailstores were liable to retain only the
1228 initial truncated version.
1229
1230 JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64.
1231
1232 JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS.
1233
1234 JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While
1235 we're in there, support oversigning also; bug 1309.
1236
1237 JH/42 Bug 1796: Fix error logged on a malware scanner connection failure.
1238
1239 HS/04 Add support for keep_environment and add_environment options.
1240
1241 JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain;
1242 either intentional arithmetic overflow during PRNG, or testing config-
1243 induced overflows.
1244
1245 JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough
1246 delivery resulted in actual delivery. Cancel cutthrough before DATA
1247 stage.
1248
1249 JH/45 Fix cutthrough, when connection not opened by verify and target hard-
1250 rejects a recipient: pass the reject to the originator.
1251
1252 JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs.
1253 Many were false-positives and ignorable, but it's worth fixing the
1254 former class.
1255
1256 JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also
1257 for the new environment-manipulation done at startup. Move the routines
1258 from being local to tls.c to being global via the os.c file.
1259
1260 JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing
1261 an extract embedded as result-arg for a map, the first arg for extract
1262 is unavailable so we cannot tell if this is a numbered or keyed
1263 extraction. Accept either.
1264
1265
1266 Exim version 4.86
1267 -----------------
1268
1269 JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
1270 expanded.
1271
1272 JH/02 The smtp transport option "multi_domain" is now expanded.
1273
1274 JH/03 The smtp transport now requests PRDR by default, if the server offers
1275 it.
1276
1277 JH/04 Certificate name checking on server certificates, when exim is a client,
1278 is now done by default. The transport option tls_verify_cert_hostnames
1279 can be used to disable this per-host. The build option
1280 EXPERIMENTAL_CERTNAMES is withdrawn.
1281
1282 JH/05 The value of the tls_verify_certificates smtp transport and main options
1283 default to the word "system" to access the system default CA bundle.
1284 For GnuTLS, only version 3.0.20 or later.
1285
1286 JH/06 Verification of the server certificate for a TLS connection is now tried
1287 (but not required) by default. The verification status is now logged by
1288 default, for both outbound TLS and client-certificate supplying inbound
1289 TLS connections
1290
1291 JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
1292 sites use this now.
1293
1294 JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
1295 Status Notification (bounce) messages are now MIME format per RFC 3464.
1296 Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
1297 under the control of the dsn_advertise_hosts option, and routers may
1298 have a dsn_lasthop option.
1299
1300 JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
1301 default, modifiable by a malware= option. The list separator for
1302 the options can now be changed in the usual way. Bug 68.
1303
1304 JH/10 The smtp_receive_timeout main option is now expanded before use.
1305
1306 JH/11 The incoming_interface log option now also enables logging of the
1307 local interface on delivery outgoing connections.
1308
1309 JH/12 The cutthrough-routing facility now supports multi-recipient mails,
1310 if the interface and destination host and port all match.
1311
1312 JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
1313 /defer_ok option.
1314
1315 JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
1316 Patch from Andrew Lewis.
1317
1318 JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
1319 now supports optional time-restrictions, weighting, and priority
1320 modifiers per server. Patch originally by <rommer@active.by>.
1321
1322 JH/16 The spamd_address main option now supports a mixed list of local
1323 and remote servers. Remote servers can be IPv6 addresses, and
1324 specify a port-range.
1325
1326 JH/17 Bug 68: The spamd_address main option now supports an optional
1327 timeout value per server.
1328
1329 JH/18 Bug 1581: Router and transport options headers_add/remove can
1330 now have the list separator specified.
1331
1332 JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
1333 option values.
1334
1335 JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
1336 under OpenSSL.
1337
1338 JH/21 Support for the A6 type of dns record is withdrawn.
1339
1340 JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
1341 rather than the verbs used.
1342
1343 JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
1344 from 255 to 1024 chars.
1345
1346 JH/24 Verification callouts now attempt to use TLS by default.
1347
1348 HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
1349 are generic router options now. The defaults didn't change.
1350
1351 JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
1352 Original patch from Alexander Shikoff, worked over by JH.
1353
1354 HS/02 Bug 1575: exigrep falls back to autodetection of compressed
1355 files if ZCAT_COMMAND is not executable.
1356
1357 JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.
1358
1359 JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
1360
1361 JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
1362 Normally benign, it bites when the pair was led to by a CNAME;
1363 modern usage is to not canonicalize the domain to a CNAME target
1364 (and we were inconsistent anyway for A-only vs AAAA+A).
1365
1366 JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
1367
1368 JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
1369 when evaluating $sender_host_dnssec.
1370
1371 JH/31 Check the HELO verification lookup for DNSSEC, adding new
1372 $sender_helo_dnssec variable.
1373
1374 JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
1375
1376 JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
1377
1378 JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
1379
1380 JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
1381 documented as working, but never had. Support all but $spam_report.
1382
1383 JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command
1384 added for tls authenticator.
1385
1386 HS/03 Add perl_taintmode main config option
1387
1388
1389 Exim version 4.85
1390 -----------------
1391
1392 TL/01 When running the test suite, the README says that variables such as
1393 no_msglog_check are global and can be placed anywhere in a specific
1394 test's script, however it was observed that placement needed to be near
1395 the beginning for it to behave that way. Changed the runtest perl
1396 script to read through the entire script once to detect and set these
1397 variables, reset to the beginning of the script, and then run through
1398 the script parsing/test process like normal.
1399
1400 TL/02 The BSD's have an arc4random API. One of the functions to induce
1401 adding randomness was arc4random_stir(), but it has been removed in
1402 OpenBSD 5.5. Detect this OpenBSD version and skip calling this
1403 function when detected.
1404
1405 JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now
1406 cause callback expansion.
1407
1408 TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that
1409 syntax errors in an expansion can be treated as a string instead of
1410 logging or causing an error, due to the internal use of bool_lax
1411 instead of bool when processing it.
1412
1413 JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for
1414 server certificates when making smtp deliveries.
1415
1416 JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups.
1417
1418 JH/04 Add ${sort {list}{condition}{extractor}} expansion item.
1419
1420 TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep.
1421
1422 TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups.
1423 Merged patch from Sebastian Wiedenroth.
1424
1425 JH/05 Fix results-pipe from transport process. Several recipients, combined
1426 with certificate use, exposed issues where response data items split
1427 over buffer boundaries were not parsed properly. This eventually
1428 resulted in duplicates being sent. This issue only became common enough
1429 to notice due to the introduction of connection certificate information,
1430 the item size being so much larger. Found and fixed by Wolfgang Breyha.
1431
1432 JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
1433 size buffer was used, resulting in syntax errors when an expansion
1434 exceeded it.
1435
1436 JH/07 Add support for directories of certificates when compiled with a GnuTLS
1437 version 3.3.6 or later.
1438
1439 JH/08 Rename the TPDA experimental facility to Event Actions. The #ifdef
1440 is EXPERIMENTAL_EVENT, the main-configuration and transport options
1441 both become "event_action", the variables become $event_name, $event_data
1442 and $event_defer_errno. There is a new variable $verify_mode, usable in
1443 routers, transports and related events. The tls:cert event is now also
1444 raised for inbound connections, if the main configuration event_action
1445 option is defined.
1446
1447 TL/06 In test suite, disable OCSP for old versions of openssl which contained
1448 early OCSP support, but no stapling (appears to be less than 1.0.0).
1449
1450 JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on
1451 server certificate names available under the smtp transport option
1452 "tls_verify_cert_hostname" now do not permit multi-component wildcard
1453 matches.
1454
1455 JH/10 Time-related extraction expansions from certificates now use the main
1456 option "timezone" setting for output formatting, and are consistent
1457 between OpenSSL and GnuTLS compilations. Bug 1541.
1458
1459 JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047-
1460 encoded parameter in the incoming message. Bug 1558.
1461
1462 JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now
1463 include certificate info, eximon was claiming there were spoolfile
1464 syntax errors.
1465
1466 JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return.
1467
1468 JH/14 Log delivery-related information more consistently, using the sequence
1469 "H=<name> [<ip>]" wherever possible.
1470
1471 TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which
1472 are problematic for Debian distribution, omit them from the release
1473 tarball.
1474
1475 JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature.
1476
1477 JH/16 Fix string representation of time values on 64bit time_t architectures.
1478 Bug 1561.
1479
1480 JH/17 Fix a null-indirection in certextract expansions when a nondefault
1481 output list separator was used.
1482
1483
1484 Exim version 4.84
1485 -----------------
1486 TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static
1487 checkers that were complaining about end of non-void function with no
1488 return.
1489
1490 JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers.
1491 This was a regression introduced in 4.83 by another bugfix.
1492
1493 JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled.
1494
1495 TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when
1496 EXPERIMENTAL_DSN is enabled. Fix from Wolfgang Breyha.
1497
1498
1499 Exim version 4.83
1500 -----------------
1501
1502 TF/01 Correctly close the server side of TLS when forking for delivery.
1503
1504 When a message was received over SMTP with TLS, Exim failed to clear up
1505 the incoming connection properly after forking off the child process to
1506 deliver the message. In some situations the subsequent outgoing
1507 delivery connection happened to have the same fd number as the incoming
1508 connection previously had. Exim would try to use TLS and fail, logging
1509 a "Bad file descriptor" error.
1510
1511 TF/02 Portability fix for building lookup modules on Solaris when the xpg4
1512 utilities have not been installed.
1513
1514 JH/01 Fix memory-handling in use of acl as a conditional; avoid free of
1515 temporary space as the ACL may create new global variables.
1516
1517 TL/01 LDAP support uses per connection or global context settings, depending
1518 upon the detected version of the libraries at build time.
1519
1520 TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection
1521 to extract and use the src ip:port in logging and expansions as if it
1522 were a direct connection from the outside internet. PPv2 support was
1523 updated based on HAProxy spec change in May 2014.
1524
1525 JH/02 Add ${listextract {number}{list}{success}{fail}}.
1526
1527 TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents.
1528 Properly escape header and check for NULL return.
1529
1530 PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok
1531 not dns_use_dnssec.
1532
1533 JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp.
1534
1535 TL/04 Add verify = header_names_ascii check to reject email with non-ASCII
1536 characters in header names, implemented as a verify condition.
1537 Contributed by Michael Fischer v. Mollard.
1538
1539 TL/05 Rename SPF condition results err_perm and err_temp to standardized
1540 results permerror and temperror. Previous values are deprecated but
1541 still accepted. In a future release, err_perm and err_temp will be
1542 completely removed, which will be a backward incompatibility if the
1543 ACL tests for either of these two old results. Patch contributed by
1544 user bes-internal on the mailing list.
1545
1546 JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau.
1547
1548 JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log
1549 selectors, in both main and reject logs.
1550
1551 JH/06 Log outbound-TLS and port details, subject to log selectors, for a
1552 failed delivery.
1553
1554 JH/07 Add malware type "sock" for talking to simple daemon.
1555
1556 JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport.
1557
1558 JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in
1559 routers/transports under cutthrough routing.
1560
1561 JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative
1562 numbers. Touch up "bool" conditional to keep the same definition.
1563
1564 TL/06 Remove duplicated language in spec file from 4.82 TL/16.
1565
1566 JH/11 Add dnsdb tlsa lookup. From Todd Lyons.
1567
1568 JH/12 Expand items in router/transport headers_add or headers_remove lists
1569 individually rather than the list as a whole. Bug 1452.
1570
1571 Required for reasonable handling of multiple headers_ options when
1572 they may be empty; requires that headers_remove items with embedded
1573 colons must have them doubled (or the list-separator changed).
1574
1575 TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly
1576 view the policy declared in the DMARC record. Currently, $dmarc_status
1577 is a combined value of both the record presence and the result of the
1578 analysis.
1579
1580 JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455.
1581
1582 JH/14 New options dnssec_request_domains, dnssec_require_domains on the
1583 dnslookup router and the smtp transport (applying to the forward
1584 lookup).
1585
1586 TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list
1587 of ldap servers used for a specific lookup. Patch provided by Heiko
1588 Schlichting.
1589
1590 JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups.
1591 New variable $lookup_dnssec_authenticated for observability.
1592
1593 TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use.
1594 Patch submitted by Lars Timman.
1595
1596 JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459.
1597
1598 TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim.
1599 Requires trusted mode and valid format message id, aborts otherwise.
1600 Patch contributed by Heiko Schlichting.
1601
1602 JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item
1603 certextract with support for various fields. Bug 1358.
1604
1605 JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling
1606 is requested by default, modifiable by smtp transport option
1607 hosts_request_ocsp.
1608
1609 JH/22 Expansion operators ${md5:string} and ${sha1:string} can now
1610 operate on certificate variables to give certificate fingerprints
1611 Also new ${sha256:cert_variable}.
1612
1613 JH/23 The PRDR feature is moved from being Experimental into the mainline.
1614
1615 TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from
1616 Christian Aistleitner.
1617
1618 JH/24 The OCSP stapling feature is moved from Experimental into the mainline.
1619
1620 TL/12 Bug 1444: Fix improper \r\n sequence handling when writing spool
1621 file. Patch from Wolfgang Breyha.
1622
1623 JH/25 Expand the coverage of the delivery $host and $host_address to
1624 client authenticators run in verify callout. Bug 1476.
1625
1626 JH/26 Port service names are now accepted for tls_on_connect_ports, to
1627 align with daemon_smtp_ports. Bug 72.
1628
1629 TF/03 Fix udpsend. The ip_connectedsocket() function's socket type
1630 support and error reporting did not work properly.
1631
1632 TL/13 Bug 1495: Exiqgrep check if -C config file specified on cli exists
1633 and is readable. Patch from Andrew Colin Kissa.
1634
1635 TL/14 Enhance documentation of ${run expansion and how it parses the
1636 commandline after expansion, particularly in the case when an
1637 unquoted variable expansion results in an empty value.
1638
1639 JH/27 The TLS SNI feature was broken in 4.82. Fix it.
1640
1641 PP/02 Fix internal collision of T_APL on systems which support RFC3123
1642 by renaming away from it. Addresses GH issue 15, reported by
1643 Jasper Wallace.
1644
1645 JH/28 Fix parsing of MIME headers for parameters with quoted semicolons.
1646
1647 TL/15 SECURITY: prevent double expansion in math comparison functions
1648 (can expand unsanitized data). Not remotely exploitable.
1649 CVE-2014-2972
1650
1651
1652 Exim version 4.82
1653 -----------------
1654
1655 PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities.
1656
1657 PP/02 Make -n do something, by making it not do something.
1658 When combined with -bP, the name of an option is not output.
1659
1660 PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured
1661 by GnuTLS.
1662
1663 PP/04 First step towards DNSSEC, provide $sender_host_dnssec for
1664 $sender_host_name and config options to manage this, and basic check
1665 routines.
1666
1667 PP/05 DSCP support for outbound connections and control modifier for inbound.
1668
1669 PP/06 Cyrus SASL: set local and remote IP;port properties for driver.
1670 (Only plugin which currently uses this is kerberos4, which nobody should
1671 be using, but we should make it available and other future plugins might
1672 conceivably use it, even though it would break NAT; stuff *should* be
1673 using channel bindings instead).
1674
1675 PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process
1676 name; added for Sendmail compatibility; requires admin caller.
1677 Handle -G as equivalent to "control = suppress_local_fixups" (we used to
1678 just ignore it); requires trusted caller.
1679 Also parse but ignore: -Ac -Am -X<logfile>
1680 Bugzilla 1117.
1681
1682 TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing.
1683
1684 TL/02 Add +smtp_confirmation as a default logging option.
1685
1686 TL/03 Bugzilla 198 - Implement remove_header ACL modifier.
1687 Patch by Magnus Holmgren from 2007-02-20.
1688
1689 TL/04 Bugzilla 1281 - Spec typo.
1690 Bugzilla 1283 - Spec typo.
1691 Bugzilla 1290 - Spec grammar fixes.
1692
1693 TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation.
1694
1695 TL/06 Add Experimental DMARC support using libopendmarc libraries.
1696
1697 TL/07 Fix an out of order global option causing a segfault. Reported to dev
1698 mailing list by by Dmitry Isaikin.
1699
1700 JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support.
1701
1702 JH/02 Support "G" suffix to numbers in ${if comparisons.
1703
1704 PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL.
1705
1706 NM/01 Bugzilla 1197 - Spec typo
1707 Bugzilla 1196 - Spec examples corrections
1708
1709 JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
1710
1711 PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called
1712 gnutls_enable_pkcs11, but renamed to more accurately indicate its
1713 function.
1714
1715 PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC.
1716 Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
1717
1718 JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition
1719 "acl {{name}{arg}...}", and optional args on acl condition
1720 "acl = name arg..."
1721
1722 JH/05 Permit multiple router/transport headers_add/remove lines.
1723
1724 JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination.
1725
1726 JH/07 Avoid using a waiting database for a single-message-only transport.
1727 Performance patch from Paul Fisher. Bugzilla 1262.
1728
1729 JH/08 Strip leading/trailing newlines from add_header ACL modifier data.
1730 Bugzilla 884.
1731
1732 JH/09 Add $headers_added variable, with content from use of ACL modifier
1733 add_header (but not yet added to the message). Bugzilla 199.
1734
1735 JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line.
1736 Pulled from Bugzilla 817 by Wolfgang Breyha.
1737
1738 PP/11 SECURITY: protect DKIM DNS decoding from remote exploit.
1739 CVE-2012-5671
1740 (nb: this is the same fix as in Exim 4.80.1)
1741
1742 JH/11 Add A= logging on delivery lines, and a client_set_id option on
1743 authenticators.
1744
1745 JH/12 Add optional authenticated_sender logging to A= and a log_selector
1746 for control.
1747
1748 PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29.
1749
1750 PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not
1751 advertise SMTP AUTH mechanism to us, instead of a generic
1752 protocol violation error. Also, make Exim more robust to bad
1753 data from the Dovecot auth socket.
1754
1755 TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients.
1756
1757 When a queue runner is handling a message, Exim first routes the
1758 recipient addresses, during which it prunes them based on the retry
1759 hints database. After that it attempts to deliver the message to
1760 any remaining recipients. It then updates the hints database using
1761 the retry rules.
1762
1763 So if a recipient address works intermittently, it can get repeatedly
1764 deferred at routing time. The retry hints record remains fresh so the
1765 address never reaches the final cutoff time.
1766
1767 This is a fairly common occurrence when a user is bumping up against
1768 their storage quota. Exim had some logic in its local delivery code
1769 to deal with this. However it did not apply to per-recipient defers
1770 in remote deliveries, e.g. over LMTP to a separate IMAP message store.
1771
1772 This change adds a proper retry rule check during routing so that the
1773 final cutoff time is checked against the message's age. We only do
1774 this check if there is an address retry record and there is not a
1775 domain retry record; this implies that previous attempts to handle
1776 the address had the retry_use_local_parts option turned on. We use
1777 this as an approximation for the destination being like a local
1778 delivery, as in LMTP.
1779
1780 I suspect this new check makes the old local delivery cutoff check
1781 redundant, but I have not verified this so I left the code in place.
1782
1783 TF/02 Correct gecos expansion when From: is a prefix of the username.
1784
1785 Test 0254 submits a message to Exim with the header
1786
1787 Resent-From: f
1788
1789 When I ran the test suite under the user fanf2, Exim expanded
1790 the header to contain my full name, whereas it should have added
1791 a Resent-Sender: header. It erroneously treats any prefix of the
1792 username as equal to the username.
1793
1794 This change corrects that bug.
1795
1796 GF/01 DCC debug and logging tidyup
1797 Error conditions log to paniclog rather than rejectlog.
1798 Debug lines prefixed by "DCC: " to remove any ambiguity.
1799
1800 TF/03 Avoid unnecessary rebuilds of lookup-related code.
1801
1802 PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server.
1803 Bug spotted by Jeremy Harris; was flawed since initial commit.
1804 Would have resulted in OCSP responses post-SNI triggering an Exim
1805 NULL dereference and crash.
1806
1807 JH/13 Add $router_name and $transport_name variables. Bugzilla 308.
1808
1809 PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd.
1810 Bug detection, analysis and fix by Samuel Thibault.
1811 Bugzilla 1331, Debian bug #698092.
1812
1813 SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]'
1814
1815 JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt).
1816 Server implementation by Todd Lyons, client by JH.
1817 Only enabled when compiled with EXPERIMENTAL_PRDR. A new
1818 config variable "prdr_enable" controls whether the server
1819 advertises the facility. If the client requests PRDR a new
1820 acl_data_smtp_prdr ACL is called once for each recipient, after
1821 the body content is received and before the acl_smtp_data ACL.
1822 The client is controlled by both of: a hosts_try_prdr option
1823 on the smtp transport, and the server advertisement.
1824 Default client logging of deliveries and rejections involving
1825 PRDR are flagged with the string "PRDR".
1826
1827 PP/16 Fix problems caused by timeouts during quit ACLs trying to double
1828 fclose(). Diagnosis by Todd Lyons.
1829
1830 PP/17 Update configure.default to handle IPv6 localhost better.
1831 Patch by Alain Williams (plus minor tweaks).
1832 Bugzilla 880.
1833
1834 PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
1835 This is now consistent with GnuTLS, and is now documented: the
1836 previous undocumented portable approach to treating the option as
1837 unset was to force an expansion failure. That still works, and
1838 an empty string is now equivalent.
1839
1840 PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it
1841 clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag,
1842 not performing validation itself.
1843
1844 PP/20 Added force_command boolean option to pipe transport.
1845 Patch from Nick Koston, of cPanel Inc.
1846
1847 JH/15 AUTH support on callouts (and hence cutthrough-deliveries).
1848 Bugzilla 321, 823.
1849
1850 TF/04 Added udpsend ACL modifier and hexquote expansion operator
1851
1852 PP/21 Fix eximon continuous updating with timestamped log-files.
1853 Broken in a format-string cleanup in 4.80, missed when I repaired the
1854 other false fix of the same issue.
1855 Report and fix from Heiko Schlichting.
1856 Bugzilla 1363.
1857
1858 PP/22 Guard LDAP TLS usage against Solaris LDAP variant.
1859 Report from Prashanth Katuri.
1860
1861 PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options.
1862 It's SecureTransport, so affects any MacOS clients which use the
1863 system-integrated TLS libraries, including email clients.
1864
1865 PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if
1866 using a MIME ACL for non-SMTP local injection.
1867 Report and assistance in diagnosis by Warren Baker.
1868
1869 TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver.
1870
1871 JH/16 Fix comparisons for 64b. Bugzilla 1385.
1872
1873 TL/09 Add expansion variable $authenticated_fail_id to keep track of
1874 last id that failed so it may be referenced in subsequent ACL's.
1875
1876 TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
1877 Alexander Miroch.
1878
1879 TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
1880 ldap library initialization, allowing self-signed CA's to be
1881 used. Also properly sets require_cert option later in code by
1882 using NULL (global ldap config) instead of ldap handle (per
1883 session). Bug diagnosis and testing by alxgomz.
1884
1885 TL/12 Enhanced documentation in the ratelimit.pl script provided in
1886 the src/util/ subdirectory.
1887
1888 TL/13 Bug 1031 - Imported transport SQL logging patch from Axel Rau
1889 renamed to Transport Post Delivery Action by Jeremy Harris, as
1890 EXPERIMENTAL_TPDA.
1891
1892 TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled
1893 when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable
1894 redis_servers = needs to be configured which will be used by the redis
1895 lookup. Patch from Warren Baker, of The Packet Hub.
1896
1897 TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall.
1898
1899 TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a
1900 hostname or reverse DNS when processing a host list. Used suggestions
1901 from multiple comments on this bug.
1902
1903 TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey.
1904
1905 TL/18 Had previously added a -CONTINUE option to runtest in the test suite.
1906 Missed a few lines, added it to make the runtest require no keyboard
1907 interaction.
1908
1909 TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite
1910 contains upper case chars. Make router use caseful_local_part.
1911
1912 TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS
1913 support when GnuTLS has been built with p11-kit.
1914
1915
1916 Exim version 4.80.1
1917 -------------------
1918
1919 PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
1920 CVE-2012-5671
1921 This, or similar/improved, will also be change PP/11 of 4.82.
1922
1923
1924 Exim version 4.80
1925 -----------------
1926
1927 PP/01 Handle short writes when writing local log-files.
1928 In practice, only affects FreeBSD (8 onwards).
1929 Bugzilla 1053, with thanks to Dmitry Isaikin.
1930
1931 NM/01 Bugzilla 949 - Documentation tweak
1932
1933 NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps
1934 improved.
1935
1936 NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
1937
1938 PP/02 Implemented gsasl authenticator.
1939
1940 PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option.
1941
1942 PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
1943 `pkg-config foo` for cflags/libs.
1944
1945 PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
1946 with rest of GSASL and with heimdal_gssapi.
1947
1948 PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
1949 `pkg-config foo` for cflags/libs for the TLS implementation.
1950
1951 PP/07 New expansion variable $tls_bits; Cyrus SASL server connection
1952 properties get this fed in as external SSF. A number of robustness
1953 and debugging improvements to the cyrus_sasl authenticator.
1954
1955 PP/08 cyrus_sasl server now expands the server_realm option.
1956
1957 PP/09 Bugzilla 1214 - Log authentication information in reject log.
1958 Patch by Jeremy Harris.
1959
1960 PP/10 Added dbmjz lookup type.
1961
1962 PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid.
1963
1964 PP/12 MAIL args handles TAB as well as SP, for better interop with
1965 non-compliant senders.
1966 Analysis and variant patch by Todd Lyons.
1967
1968 NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated
1969 Bug report from Lars Müller <lars@samba.org> (via SUSE),
1970 Patch from Dirk Mueller <dmueller@suse.com>
1971
1972 PP/13 tls_peerdn now print-escaped for spool files.
1973 Observed some $tls_peerdn in wild which contained \n, which resulted
1974 in spool file corruption.
1975
1976 PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
1977 values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
1978 or write after TLS renegotiation, which otherwise led to messages
1979 "Got SSL error 2".
1980
1981 TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted
1982 as a tracking header (ie: a signed header comes before the signature).
1983 Patch from Wolfgang Breyha.
1984
1985 JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
1986 comma-sep list; embedded commas doubled.
1987
1988 JH/02 Refactored ACL "verify =" logic to table-driven dispatch.
1989
1990 PP/15 LDAP: Check for errors of TLS initialisation, to give correct
1991 diagnostics.
1992 Report and patch from Dmitry Banschikov.
1993
1994 PP/16 Removed "dont_insert_empty_fragments" from "openssl_options".
1995 Removed SSL_clear() after SSL_new() which led to protocol negotiation
1996 failures. We appear to now support TLS1.1+ with Exim.
1997
1998 PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
1999 lets Exim select keys and certificates based upon TLS SNI from client.
2000 Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly
2001 before an outbound SMTP session. New log_selector, +tls_sni.
2002
2003 PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid
2004 NULL dereference. Report and patch from Alun Jones.
2005
2006 PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage
2007 on less well tested platforms). Obviates NetBSD pkgsrc patch-ac.
2008 Not seeing resolver debug output on NetBSD, but suspect this is a
2009 resolver implementation change.
2010
2011 PP/20 Revert part of NM/04, it broke log_path containing %D expansions.
2012 Left warnings. Added "eximon gdb" invocation mode.
2013
2014 PP/21 Defaulting "accept_8bitmime" to true, not false.
2015
2016 PP/22 Added -bw for inetd wait mode support.
2017
2018 PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
2019 locate the relevant includes and libraries. Made this the default.
2020
2021 PP/24 Fixed headers_only on smtp transports (was not sending trailing dot).
2022 Bugzilla 1246, report and most of solution from Tomasz Kusy.
2023
2024 JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
2025 This may cause build issues on older platforms.
2026
2027 PP/25 Revamped GnuTLS support, passing tls_require_ciphers to
2028 gnutls_priority_init, ignoring Exim options gnutls_require_kx,
2029 gnutls_require_mac & gnutls_require_protocols (no longer supported).
2030 Added SNI support via GnuTLS too.
2031 Made ${randint:..} supplier available, if using not-too-old GnuTLS.
2032
2033 PP/26 Added EXPERIMENTAL_OCSP for OpenSSL.
2034
2035 PP/27 Applied dnsdb SPF support patch from Janne Snabb.
2036 Applied second patch from Janne, implementing suggestion to default
2037 multiple-strings-in-record handling to match SPF spec.
2038
2039 JH/04 Added expansion variable $tod_epoch_l for a higher-precision time.
2040
2041 PP/28 Fix DCC dcc_header content corruption (stack memory referenced,
2042 read-only, out of scope).
2043 Patch from Wolfgang Breyha, report from Stuart Northfield.
2044
2045 PP/29 Fix three issues highlighted by clang analyser static analysis.
2046 Only crash-plausible issue would require the Cambridge-specific
2047 iplookup router and a misconfiguration.
2048 Report from Marcin Mirosław.
2049
2050 PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
2051
2052 PP/31 %D in printf continues to cause issues (-Wformat=security), so for
2053 now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
2054 As part of this, removing so much warning spew let me fix some minor
2055 real issues in debug logging.
2056
2057 PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing
2058 assignment on my part. Fixed.
2059
2060 PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit
2061 of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by
2062 Janne Snabb (who went above and beyond: thank you).
2063
2064 PP/34 Validate tls_require_ciphers on startup, since debugging an invalid
2065 string otherwise requires a connection and a bunch more work and it's
2066 relatively easy to get wrong. Should also expose TLS library linkage
2067 problems.
2068
2069 PP/35 Pull in <features.h> on Linux, for some portability edge-cases of
2070 64-bit ${eval} (JH/03).
2071
2072 PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of
2073 GNU libc to support some of the 64-bit stuff, should not lead to
2074 conflicts. Defined before os.h is pulled in, so if a given platform
2075 needs to override this, it can.
2076
2077 PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought
2078 protection layer was required, which is not implemented.
2079 Bugzilla 1254, patch from Wolfgang Breyha.
2080
2081 PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built
2082 into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make
2083 tls_dhparam take prime identifiers. Also unbreak combination of
2084 OpenSSL+DH_params+TLSSNI.
2085
2086 PP/39 Disable SSLv2 by default in OpenSSL support.
2087
2088
2089 Exim version 4.77
2090 -----------------
2091
2092 PP/01 Solaris build fix for Oracle's LDAP libraries.
2093 Bugzilla 1109, patch from Stephen Usher.
2094
2095 TF/01 HP/UX build fix: avoid arithmetic on a void pointer.
2096
2097 TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o
2098 whitespace trailer
2099
2100 TF/02 Fix a couple more cases where we did not log the error message
2101 when unlink() failed. See also change 4.74-TF/03.
2102
2103 TF/03 Make the exiwhat support code safe for signals. Previously Exim might
2104 lock up or crash if it happened to be inside a call to libc when it
2105 got a SIGUSR1 from exiwhat.
2106
2107 The SIGUSR1 handler appends the current process status to the process
2108 log which is later printed by exiwhat. It used to use the general
2109 purpose logging code to do this, but several functions it calls are
2110 not safe for signals.
2111
2112 The new output code in the SIGUSR1 handler is specific to the process
2113 log, and simple enough that it's easy to inspect for signal safety.
2114 Removing some special cases also simplifies the general logging code.
2115 Removing the spurious timestamps from the process log simplifies
2116 exiwhat.
2117
2118 TF/04 Improved ratelimit ACL condition.
2119
2120 The /noupdate option has been deprecated in favour of /readonly which
2121 has clearer semantics. The /leaky, /strict, and /readonly update modes
2122 are mutually exclusive. The update mode is no longer included in the
2123 database key; it just determines when the database is updated. (This
2124 means that when you upgrade Exim will forget old rate measurements.)
2125
2126 Exim now checks that the per_* options are used with an update mode that
2127 makes sense for the current ACL. For example, when Exim is processing a
2128 message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify
2129 per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you
2130 must specify per_mail/readonly. If you omit the update mode it defaults to
2131 /leaky where that makes sense (as before) or /readonly where required.
2132
2133 The /noupdate option is now undocumented but still supported for
2134 backwards compatibility. It is equivalent to /readonly except that in
2135 ACLs where /readonly is required you may specify /leaky/noupdate or
2136 /strict/noupdate which are treated the same as /readonly.
2137
2138 A useful new feature is the /count= option. This is a generalization
2139 of the per_byte option, so that you can measure the throughput of other
2140 aggregate values. For example, the per_byte option is now equivalent
2141 to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }.
2142
2143 The per_rcpt option has been generalized using the /count= mechanism
2144 (though it's more complicated than the per_byte equivalence). When it is
2145 used in acl_smtp_rcpt, the per_rcpt option adds recipients to the
2146 measured rate one at a time; if it is used later (e.g. in acl_smtp_data)
2147 or in a non-SMTP ACL it adds all the recipients in one go. (The latter
2148 /count=$recipients_count behaviour used to work only in non-SMTP ACLs.)
2149 Note that using per_rcpt with a non-readonly update mode in more than
2150 one ACL will cause the recipients to be double-counted. (The per_mail
2151 and per_byte options don't have this problem.)
2152
2153 The handling of very low rates has changed slightly. If the computed rate
2154 is less than the event's count (usually one) then this event is the first
2155 after a long gap. In this case the rate is set to the same as this event's
2156 count, so that the first message of a spam run is counted properly.
2157
2158 The major new feature is a mechanism for counting the rate of unique
2159 events. The new per_addr option counts the number of different
2160 recipients that someone has sent messages to in the last time period. It
2161 behaves like per_rcpt if all the recipient addresses are different, but
2162 duplicate recipient addresses do not increase the measured rate. Like
2163 the /count= option this is a general mechanism, so the per_addr option
2164 is equivalent to per_rcpt/unique=$local_part@$domain. You can, for
2165 example, measure the rate that a client uses different sender addresses
2166 with the options per_mail/unique=$sender_address. There are further
2167 details in the main documentation.
2168
2169 TF/05 Removed obsolete $Cambridge$ CVS revision strings.
2170
2171 TF/06 Removed a few PCRE remnants.
2172
2173 TF/07 Automatically extract Exim's version number from tags in the git
2174 repository when doing development or release builds.
2175
2176 PP/02 Raise smtp_cmd_buffer_size to 16kB.
2177 Bugzilla 879. Patch from Paul Fisher.
2178
2179 PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
2180 Heavily based on revision 40f9a89a from Simon Arlott's tree.
2181 Bugzilla 97.
2182
2183 PP/04 Use .dylib instead of .so for dynamic library loading on MacOS.
2184
2185 PP/05 Variable $av_failed, true if the AV scanner deferred.
2186 Bugzilla 1078. Patch from John Horne.
2187
2188 PP/06 Stop make process more reliably on build failure.
2189 Bugzilla 1087. Patch from Heiko Schlittermann.
2190
2191 PP/07 Make maildir_use_size_file an _expandable_ boolean.
2192 Bugzilla 1089. Patch from Heiko Schlittermann.
2193
2194 PP/08 Handle ${run} returning more data than OS pipe buffer size.
2195 Bugzilla 1131. Patch from Holger Weiß.
2196
2197 PP/09 Handle IPv6 addresses with SPF.
2198 Bugzilla 860. Patch from Wolfgang Breyha.
2199
2200 PP/10 GnuTLS: support TLS 1.2 & 1.1.
2201 Bugzilla 1156.
2202 Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler].
2203 Bugzilla 1095.
2204
2205 PP/11 match_* no longer expand right-hand-side by default.
2206 New compile-time build option, EXPAND_LISTMATCH_RHS.
2207 New expansion conditions, "inlist", "inlisti".
2208
2209 PP/12 fix uninitialised greeting string from PP/03 (smtps client support).
2210
2211 PP/13 shell and compiler warnings fixes for RC1-RC4 changes.
2212
2213 PP/14 fix log_write() format string regression from TF/03.
2214 Bugzilla 1152. Patch from Dmitry Isaikin.
2215
2216
2217 Exim version 4.76
2218 -----------------
2219
2220 PP/01 The new ldap_require_cert option would segfault if used. Fixed.
2221
2222 PP/02 Harmonised TLS library version reporting; only show if debugging.
2223 Layout now matches that introduced for other libraries in 4.74 PP/03.
2224
2225 PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
2226
2227 PP/04 New "dns_use_edns0" global option.
2228
2229 PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
2230 Bugzilla 1098.
2231
2232 PP/06 Extra paranoia around buffer usage at the STARTTLS transition.
2233 nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
2234
2235 TK/01 Updated PolarSSL code to 0.14.2.
2236 Bugzilla 1097. Patch from Andreas Metzler.
2237
2238 PP/07 Catch divide-by-zero in ${eval:...}.
2239 Fixes bugzilla 1102.
2240
2241 PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed.
2242 Bugzilla 1104.
2243
2244 TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a
2245 format-string attack -- SECURITY: remote arbitrary code execution.
2246
2247 TK/03 SECURITY - DKIM signature header parsing was double-expanded, second
2248 time unintentionally subject to list matching rules, letting the header
2249 cause arbitrary Exim lookups (of items which can occur in lists, *not*
2250 arbitrary string expansion). This allowed for information disclosure.
2251
2252 PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
2253 INT_MIN/-1 -- value coerced to INT_MAX.
2254
2255
2256 Exim version 4.75
2257 -----------------
2258
2259 NM/01 Workaround for PCRE version dependency in version reporting
2260 Bugzilla 1073
2261
2262 TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0.
2263 This fixes portability to compilers other than gcc, notably
2264 Solaris CC and HP-UX CC. Fixes Bugzilla 1050.
2265
2266 TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup
2267 makefiles for portability to HP-UX and POSIX correctness.
2268
2269 PP/01 Permit LOOKUP_foo enabling on the make command-line.
2270 Also via indented variable definition in the Makefile.
2271 (Debugging by Oliver Heesakkers).
2272
2273 PP/02 Restore caching of spamd results with expanded spamd_address.
2274 Patch from author of expandable spamd_address patch, Wolfgang Breyha.
2275
2276 PP/03 Build issue: lookups-Makefile now exports LC_ALL=C
2277 Improves build reliability. Fix from: Frank Elsner
2278
2279 NM/02 Fix wide character breakage in the rfc2047 coding
2280 Fixes bug 1064. Patch from Andrey N. Oktyabrski
2281
2282 NM/03 Allow underscore in dnslist lookups
2283 Fixes bug 1026. Patch from Graeme Fowler
2284
2285 PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps).
2286 Code patches from Adam Ciarcinski of NetBSD.
2287
2288 NM/04 Fixed exiqgrep to cope with mailq missing size issue
2289 Fixes bug 943.
2290
2291 PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which
2292 is logged, to avoid truncation. Patch from John Horne.
2293
2294 PP/06 Bugzilla 1042: implement freeze_signal on pipe transports.
2295 Patch from Jakob Hirsch.
2296
2297 PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal
2298 SQL string expansion failure details.
2299 Patch from Andrey Oktyabrski.
2300
2301 PP/08 Bugzilla 486: implement %M datestamping in log filenames.
2302 Patch from Simon Arlott.
2303
2304 PP/09 New lookups functionality failed to compile on old gcc which rejects
2305 extern declarations in function scope.
2306 Patch from Oliver Fleischmann
2307
2308 PP/10 Use sig_atomic_t for flags set from signal handlers.
2309 Check getgroups() return and improve debugging.
2310 Fixed developed for diagnosis in bug 927 (which turned out to be
2311 a kernel bug).
2312
2313 PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag.
2314 Patch from Mark Zealey.
2315
2316 PP/12 Bugzilla 1056: Improved spamd server selection.
2317 Patch from Mark Zealey.
2318
2319 PP/13 Bugzilla 1086: Deal with maildir quota file races.
2320 Based on patch from Heiko Schlittermann.
2321
2322 PP/14 Bugzilla 1019: DKIM multiple signature generation fix.
2323 Patch from Uwe Doering, sign-off by Michael Haardt.
2324
2325 NM/05 Fix to spam.c to accommodate older gcc versions which dislike
2326 variable declaration deep within a block. Bug and patch from
2327 Dennis Davis.
2328
2329 PP/15 lookups-Makefile IRIX compatibility coercion.
2330
2331 PP/16 Make DISABLE_DKIM build knob functional.
2332
2333 NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler
2334 Patch by Simon Arlott
2335
2336 TF/03 Fix valgrind.h portability to C89 compilers that do not support
2337 variable argument macros. Our copy now differs from upstream.
2338
2339
2340 Exim version 4.74
2341 -----------------
2342
2343 TF/01 Failure to get a lock on a hints database can have serious
2344 consequences so log it to the panic log.
2345
2346 TF/02 Log LMTP confirmation messages in the same way as SMTP,
2347 controlled using the smtp_confirmation log selector.
2348
2349 TF/03 Include the error message when we fail to unlink a spool file.
2350
2351 DW/01 Bugzilla 139: Support dynamically loaded lookups as modules.
2352 With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux
2353 for maintaining out-of-tree patches for some time.
2354
2355 PP/01 Bugzilla 139: Documentation and portability issues.
2356 Avoid GNU Makefile-isms, let Exim continue to build on BSD.
2357 Handle per-OS dynamic-module compilation flags.
2358
2359 PP/02 Let /dev/null have normal permissions.
2360 The 4.73 fixes were a little too stringent and complained about the
2361 permissions on /dev/null. Exempt it from some checks.
2362 Reported by Andreas M. Kirchwitz.
2363
2364 PP/03 Report version information for many libraries, including
2365 Exim version information for dynamically loaded libraries. Created
2366 version.h, now support a version extension string for distributors
2367 who patch heavily. Dynamic module ABI change.
2368
2369 PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a
2370 privilege escalation vulnerability whereby the Exim run-time user
2371 can cause root to append content of the attacker's choosing to
2372 arbitrary files.
2373
2374 PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code.
2375 (Wolfgang Breyha)
2376
2377 PP/06 Bugzilla 1071: fix delivery logging with untrusted macros.
2378 If dropping privileges for untrusted macros, we disabled normal logging
2379 on the basis that it would fail; for the Exim run-time user, this is not
2380 the case, and it resulted in successful deliveries going unlogged.
2381 Fixed. Reported by Andreas Metzler.
2382
2383
2384 Exim version 4.73
2385 -----------------
2386
2387 PP/01 Date: & Message-Id: revert to normally being appended to a message,
2388 only prepend for the Resent-* case. Fixes regression introduced in
2389 Exim 4.70 by NM/22 for Bugzilla 607.
2390
2391 PP/02 Include check_rfc2047_length in configure.default because we're seeing
2392 increasing numbers of administrators be bitten by this.
2393
2394 JJ/01 Added DISABLE_DKIM and comment to src/EDITME
2395
2396 PP/03 Bugzilla 994: added openssl_options main configuration option.
2397
2398 PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads.
2399
2400 PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports.
2401
2402 PP/06 Adjust NTLM authentication to handle SASL Initial Response.
2403
2404 PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but
2405 without a peer certificate, leading to a segfault because of an
2406 assumption that peers always have certificates. Be a little more
2407 paranoid. Problem reported by Martin Tscholak.
2408
2409 PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
2410 filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
2411 NB: ClamAV planning to remove STREAM in "middle of 2010".
2412 CL also introduces -bmalware, various -d+acl logging additions and
2413 more caution in buffer sizes.
2414
2415 PP/09 Implemented reverse_ip expansion operator.
2416
2417 PP/10 Bugzilla 937: provide a "debug" ACL control.
2418
2419 PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne.
2420
2421 PP/12 Bugzilla 973: Implement --version.
2422
2423 PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0.
2424
2425 PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
2426
2427 PP/15 Bugzilla 816: support multiple condition rules on Routers.
2428
2429 PP/16 Add bool_lax{} expansion operator and use that for combining multiple
2430 condition rules, instead of bool{}. Make both bool{} and bool_lax{}
2431 ignore trailing whitespace.
2432
2433 JJ/02 prevent non-panic DKIM error from being sent to paniclog
2434
2435 JJ/03 added tcp_wrappers_daemon_name to allow host entries other than
2436 "exim" to be used
2437
2438 PP/17 Fix malware regression for cmdline scanner introduced in PP/08.
2439 Notification from Dr Andrew Aitchison.
2440
2441 PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's
2442 ExtendedDetectionInfo response format.
2443 Notification from John Horne.
2444
2445 PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards
2446 compatible.
2447
2448 PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http:
2449 XSL and documented dependency on system catalogs, with examples of how
2450 it normally works.
2451
2452 DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store
2453 access.
2454
2455 DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour
2456 of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a
2457 configuration file which is writeable by the Exim user or group.
2458
2459 DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability
2460 of configuration files to cover files specified with the -C option if
2461 they are going to be used with root privileges, not just the default
2462 configuration file.
2463
2464 DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY
2465 option (effectively making it always true).
2466
2467 DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration
2468 files to be used while preserving root privileges.
2469
2470 DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
2471 that rogue child processes cannot use them.
2472
2473 PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim
2474 run-time user, instead of root.
2475
2476 PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the
2477 Exim run-time user without dropping privileges.
2478
2479 DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the
2480 result string, instead of calling string_vformat() twice with the same
2481 arguments.
2482
2483 DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not
2484 for other users. Others should always drop root privileges if they use
2485 -C on the command line, even for a whitelisted configure file.
2486
2487 DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes.
2488
2489 NM/01 Fixed bug #1002 - Message loss when using multiple deliveries
2490
2491
2492 Exim version 4.72
2493 -----------------
2494
2495 JJ/01 installed exipick 20100104.1, adding $max_received_linelength,
2496 $data_path, and $header_path variables; fixed documentation bugs and
2497 typos
2498
2499 JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow
2500 exipick to access non-standard spools, including the "frozen" queue
2501 (Finput)
2502
2503 NM/01 Bugzilla 965: Support mysql stored procedures.
2504 Patch from Alain Williams
2505
2506 NM/02 Bugzilla 961: Spacing fix (syntax error) on Makefile directives for NetBSD
2507
2508 NM/03 Bugzilla 955: Documentation fix for max_rcpts.
2509 Patch from Andreas Metzler
2510
2511 NM/04 Bugzilla 954: Fix for unknown responses from Dovecot authenticator.
2512 Patch from Kirill Miazine
2513
2514 NM/05 Bugzilla 671: Added umask to procmail example.
2515
2516 JJ/03 installed exipick 20100323.0, fixing doc bug
2517
2518 NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail
2519 directory. Notification and patch from Dan Rosenberg.
2520
2521 TK/01 PDKIM: Upgrade PolarSSL files to upstream version 0.12.1.
2522
2523 TK/02 Improve log output when DKIM signing operation fails.
2524
2525 MH/01 Treat the transport option dkim_domain as a colon separated
2526 list, not as a single string, and sign the message with each element,
2527 omitting multiple occurences of the same signer.
2528
2529 NM/07 Null terminate DKIM strings, Null initialise DKIM variable
2530 Bugzilla 985, 986. Patch by Simon Arlott
2531
2532 NM/08 Bugzilla 967. dnsdb DNS TXT record bug fix (DKIM-related)
2533 Patch by Simon Arlott
2534
2535 PP/01 Bugzilla 989: CVE-2010-2024 - work round race condition on
2536 MBX locking. Notification from Dan Rosenberg.
2537
2538
2539 Exim version 4.71
2540 -----------------
2541
2542 TK/01 Bugzilla 912: Fix DKIM segfault on empty headers/body.
2543
2544 NM/01 Bugzilla 913: Documentation fix for gnutls_* options.
2545
2546 NM/02 Bugzilla 722: Documentation for randint. Better randomness defaults.
2547
2548 NM/03 Bugzilla 847: Enable DNSDB lookup by default.
2549
2550 NM/04 Bugzilla 915: Flag broken perl installation during build.
2551
2552
2553 Exim version 4.70
2554 -----------------
2555
2556 TK/01 Added patch by Johannes Berg that expands the main option
2557 "spamd_address" if it starts with a dollar sign.
2558
2559 TK/02 Write list of recipients to X-Envelope-Sender header when building
2560 the mbox-format spool file for content scanning (suggested by Jakob
2561 Hirsch).
2562
2563 TK/03 Added patch by Wolfgang Breyha that adds experimental DCC
2564 (http://www.dcc-servers.net/) support via dccifd. Activated by
2565 setting EXPERIMENTAL_DCC=yes in Local/Makefile.
2566
2567 TK/04 Bugzilla 673: Add f-protd malware scanner support. Patch submitted
2568 by Mark Daniel Reidel <mr@df.eu>.
2569
2570 NM/01 Bugzilla 657: Embedded PCRE removed from the exim source tree.
2571 When building exim an external PCRE library is now needed -
2572 PCRE is a system library on the majority of modern systems.
2573 See entry on PCRE_LIBS in EDITME file.
2574
2575 NM/02 Bugzilla 646: Removed unwanted C/R in Dovecot authenticator
2576 conversation. Added nologin parameter to request.
2577 Patch contributed by Kirill Miazine.
2578
2579 TF/01 Do not log submission mode rewrites if they do not change the address.
2580
2581 TF/02 Bugzilla 662: Fix stack corruption before exec() in daemon.c.
2582
2583 NM/03 Bugzilla 602: exicyclog now handles panic log, and creates empty
2584 log files in place. Contributed by Roberto Lima.
2585
2586 NM/04 Bugzilla 667: Close socket used by dovecot authenticator.
2587
2588 TF/03 Bugzilla 615: When checking the local_parts router precondition
2589 after a local_part_suffix or local_part_prefix option, Exim now
2590 does not use the address's named list lookup cache, since this
2591 contains cached lookups for the whole local part.
2592
2593 NM/05 Bugzilla 521: Integrated SPF Best Guess support contributed by
2594 Robert Millan. Documentation is in experimental-spec.txt.
2595
2596 TF/04 Bugzilla 668: Fix parallel build (make -j).
2597
2598 NM/05.2 Bugzilla 437: Prevent Maildir aux files being created with mode 000.
2599
2600 NM/05.3 Bugzilla 598: Improvement to Dovecot authenticator handling.
2601 Patch provided by Jan Srzednicki.
2602
2603 TF/05 Leading white space used to be stripped from $spam_report which
2604 wrecked the formatting. Now it is preserved.
2605
2606 TF/06 Save $spam_score, $spam_bar, and $spam_report in spool files, so
2607 that they are available at delivery time.
2608
2609 TF/07 Fix the way ${extract is skipped in the untaken branch of a conditional.
2610
2611 TF/08 TLS error reporting now respects the incoming_interface and
2612 incoming_port log selectors.
2613
2614 TF/09 Produce a more useful error message if an SMTP transport's hosts
2615 setting expands to an empty string.
2616
2617 NM/06 Bugzilla 744: EXPN did not work under TLS.
2618 Patch provided by Phil Pennock.
2619
2620 NM/07 Bugzilla 769: Extraneous comma in usage fprintf
2621 Patch provided by Richard Godbee.
2622
2623 NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be
2624 acl_smtp_notquit, added index entry.
2625
2626 NM/09 Bugzilla 787: Potential buffer overflow in string_format.
2627 Patch provided by Eugene Bujak.
2628
2629 NM/10 Bugzilla 770: Problem on some platforms modifying the len parameter to
2630 accept(). Patch provided by Maxim Dounin.
2631
2632 NM/11 Bugzilla 749: Preserve old behaviour of blanks comparing equal to zero.
2633 Patch provided by Phil Pennock.
2634
2635 NM/12 Bugzilla 497: Correct behaviour of exiwhat when no config exists.
2636
2637 NM/13 Bugzilla 590: Correct handling of Resent-Date headers.
2638 Patch provided by Brad "anomie" Jorsch.
2639
2640 NM/14 Bugzilla 622: Added timeout setting to transport filter.
2641 Patch provided by Dean Brooks.
2642
2643 TK/05 Add native DKIM support (does not depend on external libraries).
2644
2645 NM/15 Bugzilla 854: Removed code that symlinks to pcre as its no longer useful.
2646 Patch provided by Graeme Fowler.
2647
2648 NM/16 Bugzilla 851: Documentation example syntax fix.
2649
2650 NM/17 Changed NOTICE file to remove references to embedded PCRE.
2651
2652 NM/18 Bugzilla 894: Fix issue with very long lines including comments in
2653 lsearch.
2654
2655 NM/19 Bugzilla 745: TLS version reporting.
2656 Patch provided by Phil Pennock.
2657
2658 NM/20 Bugzilla 167: bool: condition support.
2659 Patch provided by Phil Pennock.
2660
2661 NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken
2662 clients. Patch provided by Phil Pennock.
2663
2664 NM/22 Bugzilla 607: prepend (not append) Resent-Message-ID and Resent-Date.
2665 Patch provided by Brad "anomie" Jorsch.
2666
2667 NM/23 Bugzilla 687: Fix misparses in eximstats.
2668 Patch provided by Heiko Schlittermann.
2669
2670 NM/24 Bugzilla 688: Fix exiwhat to handle log_selector = +pid.
2671 Patch provided by Heiko Schlittermann.
2672
2673 NM/25 Bugzilla 727: Use transport mode as default mode for maildirsize file.
2674 plus update to original patch.
2675
2676 NM/26 Bugzilla 799: Documentation correction for ratelimit.
2677
2678 NM/27 Bugzilla 802: Improvements to local interface IP addr detection.
2679 Patch provided by David Brownlee.
2680
2681 NM/28 Bugzilla 807: Improvements to LMTP delivery logging.
2682
2683 NM/29 Bugzilla 862, 866, 875: Documentation bugfixes.
2684
2685 NM/30 Bugzilla 888: TLS documentation bugfixes.
2686
2687 NM/31 Bugzilla 896: Dovecot buffer overrun fix.
2688
2689 NM/32 Bugzilla 889: Change all instances of "expr" in shell scripts to "expr --"
2690 Unlike the original bugzilla I have changed all shell scripts in src tree.
2691
2692 NM/33 Bugzilla 898: Transport filter timeout fix.
2693 Patch by Todd Rinaldo.
2694
2695 NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches.
2696 Patch by Serge Demonchaux.
2697
2698 NM/35 Bugzilla 39: Base64 decode bug fixes.
2699 Patch by Jakob Hirsch.
2700
2701 NM/36 Bugzilla 909: Correct connect() call in dcc code.
2702
2703 NM/37 Bugzilla 910: Correct issue with relaxed/simple handling.
2704
2705 NM/38 Bugzilla 908: Removed NetBSD3 support as no longer needed.
2706
2707 NM/39 Bugzilla 911: Fixed MakeLinks build script.
2708
2709
2710 Exim version 4.69
2711 -----------------
2712
2713 TK/01 Add preliminary DKIM support. Currently requires a forked version of
2714 ALT-N's libdkim that I have put here:
2715 http://duncanthrax.net/exim-experimental/
2716
2717 Note to Michael Haardt: I had to rename some vars in sieve.c. They
2718 were called 'true' and it seems that C99 defines that as a reserved
2719 keyword to be used with 'bool' variable types. That means you could
2720 not include C99-style headers which use bools without triggering
2721 build errors in sieve.c.
2722
2723 NM/01 Bugzilla 592: --help option is handled incorrectly if exim is invoked
2724 as mailq or other aliases. Changed the --help handling significantly
2725 to do whats expected. exim_usage() emits usage/help information.
2726
2727 SC/01 Added the -bylocaldomain option to eximstats.
2728
2729 NM/02 Bugzilla 619: Defended against bad data coming back from gethostbyaddr.
2730
2731 NM/03 Bugzilla 613: Documentation fix for acl_not_smtp.
2732
2733 NM/04 Bugzilla 628: PCRE update to 7.4 (work done by John Hall).
2734
2735
2736 Exim version 4.68
2737 -----------------
2738
2739 PH/01 Another patch from the Sieve maintainer.
2740
2741 PH/02 When an IPv6 address is converted to a string for single-key lookup
2742 in an address list (e.g. for an item such as "net24-dbm;/net/works"),
2743 dots are used instead of colons so that keys in lsearch files need not
2744 contain colons. This was done some time before quoting was made available
2745 in lsearch files. However, iplsearch files do require colons in IPv6 keys
2746 (notated using the quote facility) so as to distinguish them from IPv4
2747 keys. This meant that lookups for IP addresses in host lists did not work
2748 for iplsearch lookups.
2749
2750 This has been fixed by arranging for IPv6 addresses to be expressed with
2751 colons if the lookup type is iplsearch. This is not incompatible, because
2752 previously such lookups could never work.
2753
2754 The situation is now rather anomalous, since one *can* have colons in
2755 ordinary lsearch keys. However, making the change in all cases is
2756 incompatible and would probably break a number of configurations.
2757
2758 TK/01 Change PRVS address formatting scheme to reflect latests BATV draft
2759 version.
2760
2761 MH/01 The "spam" ACL condition code contained a sscanf() call with a %s
2762 conversion specification without a maximum field width, thereby enabling
2763 a rogue spamd server to cause a buffer overflow. While nobody in their
2764 right mind would setup Exim to query an untrusted spamd server, an
2765 attacker that gains access to a server running spamd could potentially
2766 exploit this vulnerability to run arbitrary code as the Exim user.
2767
2768 TK/02 Bugzilla 502: Apply patch to make the SPF-Received: header use
2769 $primary_hostname instead of what libspf2 thinks the hosts name is.
2770
2771 MH/02 The dsearch lookup now uses lstat(2) instead of stat(2) to look for
2772 a directory entry by the name of the lookup key. Previously, if a
2773 symlink pointed to a non-existing file or a file in a directory that
2774 Exim lacked permissions to read, a lookup for a key matching that
2775 symlink would fail. Now it is enough that a matching directory entry
2776 exists, symlink or not. (Bugzilla 503.)
2777
2778 PH/03 The body_linecount and body_zerocount variables are now exported in the
2779 local_scan API.
2780
2781 PH/04 Added the $dnslist_matched variable.
2782
2783 PH/05 Unset $tls_cipher and $tls_peerdn before making a connection as a client.
2784 This means they are set thereafter only if the connection becomes
2785 encrypted.
2786
2787 PH/06 Added the client_condition to authenticators so that some can be skipped
2788 by clients under certain conditions.
2789
2790 PH/07 The error message for a badly-placed control=no_multiline_responses left
2791 "_responses" off the end of the name.
2792
2793 PH/08 Added -Mvc to output a copy of a message in RFC 2822 format.
2794
2795 PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly
2796 (without spaces) instead of just copying the configuration text.
2797
2798 PH/10 Added the /noupdate option to the ratelimit ACL condition.
2799
2800 PH/11 Added $max_received_linelength.
2801
2802 PH/12 Added +ignore_defer and +include_defer to host lists.
2803
2804 PH/13 Installed PCRE version 7.2. This needed some changes because of the new
2805 way in which PCRE > 7.0 is built.
2806
2807 PH/14 Implemented queue_only_load_latch.
2808
2809 PH/15 Removed an incorrect (int) cast when reading the value of SIZE in a
2810 MAIL command. The effect was to mangle the value on 64-bit systems.
2811
2812 PH/16 Another patch from the Sieve maintainer.
2813
2814 PH/17 Added the NOTQUIT ACL, based on a patch from Ted Cooper.
2815
2816 PH/18 If a system quota error occurred while trying to create the file for
2817 a maildir delivery, the message "Mailbox is full" was not appended to the
2818 bounce if the delivery eventually timed out. Change 4.67/27 below applied
2819 only to a quota excession during the actual writing of the file.
2820
2821 PH/19 It seems that peer DN values may contain newlines (and other non-printing
2822 characters?) which causes problems in log lines. The DN values are now
2823 passed through string_printing() before being added to log lines.
2824
2825 PH/20 Added the "servers=" facility to MySQL and PostgreSQL lookups. (Oracle
2826 and InterBase are left for another time.)
2827
2828 PH/21 Added message_body_newlines option.
2829
2830 PH/22 Guard against possible overflow in moan_check_errorcopy().
2831
2832 PH/23 POSIX allows open() to be a macro; guard against that.
2833
2834 PH/24 If the recipient of an error message contained an @ in the local part
2835 (suitably quoted, of course), incorrect values were put in $domain and
2836 $local_part during the evaluation of errors_copy.
2837
2838
2839 Exim version 4.67
2840 -----------------
2841
2842 MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address
2843 is unset (happens when testing with -bh and -oMi isn't used). Thanks to
2844 Jan Srzednicki.
2845
2846 PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not
2847 issue a MAIL command.
2848
2849 PH/02 In an ACL statement such as
2850
2851 deny dnslists = X!=127.0.0.2 : X=127.0.0.2
2852
2853 if a client was not listed at all, or was listed with a value other than
2854 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list,
2855 the condition was not true (as it should be), so access was not denied.
2856 The bug was that the ! inversion was incorrectly passed on to the second
2857 item. This has been fixed.
2858
2859 PH/03 Added additional dnslists conditions == and =& which are different from
2860 = and & when the dns lookup returns more than one IP address.
2861
2862 PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the
2863 cipher suites used by GnuTLS. These options are ignored by OpenSSL.
2864
2865 PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_
2866 FSYNC, which compiles an option called disable_fsync that allows for
2867 bypassing fsync(). The documentation is heavily laced with warnings.
2868
2869 SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket.
2870
2871 PH/06 Some tidies to the infrastructure of the Test Suite that is concerned
2872 with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT
2873 to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile,
2874 including adding "make clean"; (3) Added -fPIC when compiling the test
2875 dynamically loaded module, to get rid of a warning.
2876
2877 MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce
2878 message fails, move_frozen_messages = true and ignore_bounce_errors_after
2879 = 0s. The bug is otherwise harmless.
2880
2881 PH/07 There was a bug in the dovecot authenticator such that the value of
2882 $auth1 could be overwritten, and so not correctly preserved, after a
2883 successful authentication. This usually meant that the value preserved by
2884 the server_setid option was incorrect.
2885
2886 PH/08 Added $smtp_count_at_connection_start, deliberately with a long name.
2887
2888 PH/09 Installed PCRE release 7.0.
2889
2890 PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being
2891 run for batched SMTP input. It is now run at the start of every message
2892 in the batch. While fixing this I discovered that the process information
2893 (output by running exiwhat) was not always getting set for -bs and -bS
2894 input. This is fixed, and it now also says "batched" for BSMTP.
2895
2896 PH/11 Added control=no_pipelining.
2897
2898 PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's
2899 patch, slightly modified), and move the expansion of helo_data till after
2900 the connection is made in the smtp transport (so it can use these
2901 values).
2902
2903 PH/13 Added ${rfc2047d: to decoded RFC 2047 strings.
2904
2905 PH/14 Added log_selector = +pid.
2906
2907 PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set.
2908
2909 PH/16 Add ${if forany and ${if forall.
2910
2911 PH/17 Added dsn_from option to vary the From: line in DSNs.
2912
2913 PH/18 Flush SMTP output before performing a callout, unless control =
2914 no_callout_flush is set.
2915
2916 PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender
2917 was true (the default) a successful delivery failed to delete the retry
2918 item, thus causing premature timeout of the address. The bug is now
2919 fixed.
2920
2921 PH/20 Added hosts_avoid_pipelining to the smtp transport.
2922
2923 PH/21 Long custom messages for fakedefer and fakereject are now split up
2924 into multiline responses in the same way that messages for "deny" and
2925 other ACL rejections are.
2926
2927 PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep,
2928 with slight modification.
2929
2930 PH/23 Applied sieve patches from the maintainer "tracking the latest notify
2931 draft, changing the syntax and factoring some duplicate code".
2932
2933 PH/24 When the log selector "outgoing_port" was set, the port was shown as -1
2934 for deliveries of the second and subsequent messages over the same SMTP
2935 connection.
2936
2937 PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and
2938 ${reduce, with only minor "tidies".
2939
2940 SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match.
2941
2942 PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its
2943 expansion side effects.
2944
2945 PH/27 When a message times out after an over-quota error from an Exim-imposed
2946 quota, the bounce message says "mailbox is full". This message was not
2947 being given when it was a system quota that was exceeded. It now should
2948 be the same.
2949
2950 MH/03 Made $recipients available in local_scan(). local_scan() already has
2951 better access to the recipient list through recipients_list[], but
2952 $recipients can be useful in postmaster-provided expansion strings.
2953
2954 PH/28 The $smtp_command and $smtp_command_argument variables were not correct
2955 in the case of a MAIL command with additional options following the
2956 address, for example: MAIL FROM:<foo@bar> SIZE=1234. The option settings
2957 were accidentally chopped off.
2958
2959 PH/29 SMTP synchronization checks are implemented when a command is read -
2960 there is a check that no more input is waiting when there shouldn't be
2961 any. However, for some commands, a delay in an ACL can mean that it is
2962 some time before the response is written. In this time, more input might
2963 arrive, invalidly. So now there are extra checks after an ACL has run for
2964 HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when
2965 pipelining has not been advertised.
2966
2967 PH/30 MH's patch to allow iscntrl() characters to be list separators.
2968
2969 PH/31 Unlike :fail:, a custom message specified with :defer: was not being
2970 returned in the SMTP response when smtp_return_error_details was false.
2971 This has been fixed.
2972
2973 PH/32 Change the Dovecot authenticator to use read() and write() on the socket
2974 instead of the C I/O that was originally supplied, because problems were
2975 reported on Solaris.
2976
2977 PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in
2978 Exim which did not show up earlier: it was assuming that a call to
2979 SSL_CTX_set_info_callback() might give an error value. In fact, there is
2980 no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback()
2981 was a macro that became an assignment, so it seemed to work. This has
2982 changed to a proper function call with a void return, hence the compile
2983 error. Exim's code has been fixed.
2984
2985 PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit
2986 cpus.
2987
2988 PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify".
2989
2990 PH/36 Applied John Jetmore's patch to add -v functionality to exigrep.
2991
2992 PH/37 If a message is not accepted after it has had an id assigned (e.g.
2993 because it turns out to be too big or there is a timeout) there is no
2994 "Completed" line in the log. When some messages of this type were
2995 selected by exigrep, they were listed as "not completed". Others were
2996 picked up by some special patterns. I have improved the selection
2997 criteria to be more general.
2998
2999 PH/38 The host_find_failed option in the manualroute router can now be set
3000 to "ignore", to completely ignore a host whose IP address cannot be
3001 found. If all hosts are ignored, the behaviour is controlled by the new
3002 host_all_ignored option.
3003
3004 PH/39 In a list of hosts for manualroute, if one item (either because of multi-
3005 homing or because of multiple MX records with /mx) generated more than
3006 one IP address, and the following item turned out to be the local host,
3007 all the secondary addresses of the first item were incorrectly removed
3008 from the list, along with the local host and any following hosts (which
3009 is what is supposed to happen).
3010
3011 PH/40 When Exim receives a message, it writes the login name, uid, and gid of
3012 whoever called Exim into the -H file. In the case of the daemon it was
3013 behaving confusingly. When first started, it used values for whoever
3014 started the daemon, but after a SIGHUP it used the Exim user (because it
3015 calls itself on a restart). I have changed the code so that it now always
3016 uses the Exim user.
3017
3018 PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a
3019 message are rejected with the same error (e.g. no authentication or bad
3020 sender address), and a DATA command is nevertheless sent (as can happen
3021 with PIPELINING or a stupid MUA), the error message that was given to the
3022 RCPT commands is included in the rejection of the DATA command. This is
3023 intended to be helpful for MUAs that show only the final error to their
3024 users.
3025
3026 PH/42 Another patch from the Sieve maintainer.
3027
3028 SC/02 Eximstats - Differentiate between permanent and temporary rejects.
3029 Eximstats - Fixed some broken HTML links and added missing column headers
3030 (Jez Hancock).
3031 Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email
3032 columns for Rejects, Temp Rejects, Ham, and Spam rows.
3033
3034 SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables.
3035
3036 PH/43 Yet another patch from the Sieve maintainer.
3037
3038 PH/44 I found a way to check for a TCP/IP connection going away before sending
3039 the response to the final '.' that terminates a message, but only in the
3040 case where the client has not sent further data following the '.'
3041 (unfortunately, this is allowed). However, in many cases there won't be
3042 any further data because there won't be any more messages to send. A call
3043 to select() can be used: if it shows that the input is "ready", there is
3044 either input waiting, or the socket has been closed. An attempt to read
3045 the next input character can distinguish the two cases. Previously, Exim
3046 would have sent an OK response which the client would never have see.
3047 This could lead to message repetition. This fix should cure that, at
3048 least in a lot of common cases.
3049
3050 PH/45 Do not advertise STARTTLS in response to HELP unless it would be
3051 advertised in response to EHLO.
3052
3053
3054 Exim version 4.66
3055 -----------------
3056
3057 PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one
3058 fixed by 4.65/MH/01 (is this a record?) are fixed:
3059
3060 (i) An empty string was always treated as zero by the numeric comparison
3061 operators. This behaviour has been restored.
3062
3063 (ii) It is documented that the numeric comparison operators always treat
3064 their arguments as decimal numbers. This was broken in that numbers
3065 starting with 0 were being interpreted as octal.
3066
3067 While fixing these problems I realized that there was another issue that
3068 hadn't been noticed. Values of message_size_limit (both the global option
3069 and the transport option) were treated as octal if they started with 0.
3070 The documentation was vague. These values are now always treated as
3071 decimal, and I will make that clear in the documentation.
3072
3073
3074 Exim version 4.65
3075 -----------------
3076
3077 TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with
3078 Linux large file support (_FILE_OFFSET_BITS=64) on older glibc
3079 versions. (#438)
3080
3081 MH/01 Don't check that the operands of numeric comparison operators are
3082 integers when their expansion is in "skipping" mode (fixes bug
3083 introduced by 4.64-PH/07).
3084
3085 PH/01 If a system filter or a router generates more than SHRT_MAX (32767)
3086 child addresses, Exim now panics and dies. Previously, because the count
3087 is held in a short int, deliveries were likely to be lost. As such a
3088 large number of recipients for a single message is ridiculous
3089 (performance will be very, very poor), I have chosen to impose a limit
3090 rather than extend the field.
3091
3092
3093 Exim version 4.64
3094 -----------------
3095
3096 TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a
3097 leftover -K file (the existence of which was triggered by #402).
3098 While we were at it, introduced process PID as part of the -K
3099 filename. This should rule out race conditions when creating
3100 these files.
3101
3102 TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing
3103 processing considerably. Previous code took too long for large mails,
3104 triggering a timeout which in turn triggers #401.
3105
3106 TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used
3107 in the DK code in transports.c. sendfile() is not really portable,
3108 hence the _LINUX specificness.
3109
3110 TF/01 In the add_headers option to the mail command in an Exim filter,
3111 there was a bug that Exim would claim a syntax error in any
3112 header after the first one which had an odd number of characters
3113 in the field name.
3114
3115 PH/01 If a server that rejects MAIL FROM:<> was the target of a sender
3116 callout verification, Exim cached a "reject" for the entire domain. This
3117 is correct for most verifications, but it is not correct for a recipient
3118 verification with use_sender or use_postmaster set, because in that case
3119 the callout does not use MAIL FROM:<>. Exim now distinguishes the special
3120 case of MAIL FROM:<> rejection from other early rejections (e.g.
3121 rejection of HELO). When verifying a recipient using a non-null MAIL
3122 address, the cache is ignored if it shows MAIL FROM:<> rejection.
3123 Whatever the result of the callout, the value of the domain cache is
3124 left unchanged (for any other kind of callout, getting as far as trying
3125 RCPT means that the domain itself is ok).
3126
3127 PH/02 Tidied a number of unused variable and signed/unsigned warnings that
3128 gcc 4.1.1 threw up.
3129
3130 PH/03 On Solaris, an unexpectedly close socket (dropped connection) can
3131 manifest itself as EPIPE rather than ECONNECT. When tidying away a
3132 session, the daemon ignores ECONNECT errors and logs others; it now
3133 ignores EPIPE as well.
3134
3135 PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c
3136 (quoted-printable decoding).
3137
3138 PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and
3139 later the small subsequent patch to fix an introduced bug.
3140
3141 PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer.
3142
3143 PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}.
3144
3145 PH/08 An error is now given if message_size_limit is specified negative.
3146
3147 PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables
3148 to be given (somewhat) arbitrary names.
3149
3150 JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced
3151 in 4.64-PH/09.
3152
3153 JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions,
3154 miscellaneous code fixes
3155
3156 PH/10 Added the log_reject_target ACL modifier to specify where to log
3157 rejections.
3158
3159 PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_
3160 hostname. This is wrong, because it relates to the incoming message (and
3161 probably the interface on which it is arriving) and not to the outgoing
3162 callout (which could be using a different interface). This has been
3163 changed to use the value of the helo_data option from the smtp transport
3164 instead - this is what is used when a message is actually being sent. If
3165 there is no remote transport (possible with a router that sets up host
3166 addresses), $smtp_active_hostname is used.
3167
3168 PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various
3169 tweaks were necessary in order to get it to work (see also 21 below):
3170 (a) The code assumed that strncpy() returns a negative number on buffer
3171 overflow, which isn't the case. Replaced with Exim's string_format()
3172 function.
3173 (b) There were several signed/unsigned issues. I just did the minimum
3174 hacking in of casts. There is scope for a larger refactoring.
3175 (c) The code used strcasecmp() which is not a standard C function.
3176 Replaced with Exim's strcmpic() function.
3177 (d) The code set only $1; it now sets $auth1 as well.
3178 (e) A simple test gave the error "authentication client didn't specify
3179 service in request". It would seem that Dovecot has changed its
3180 interface. Fortunately there's a specification; I followed it and
3181 changed what the client sends and it appears to be working now.
3182
3183 PH/13 Added $message_headers_raw to provide the headers without RFC 2047
3184 decoding.
3185
3186 PH/14 Corrected misleading output from -bv when -v was also used. Suppose the
3187 address A is aliased to B and C, where B exists and C does not. Without
3188 -v the output is "A verified" because verification stops after a
3189 successful redirection if more than one address is generated. However,
3190 with -v the child addresses are also verified. Exim was outputting "A
3191 failed to verify" and then showing the successful verification for C,
3192 with its parentage. It now outputs "B failed to verify", showing B's
3193 parentage before showing the successful verification of C.
3194
3195 PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to
3196 look up a TXT record in a specific list after matching in a combined
3197 list.
3198
3199 PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and
3200 RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when
3201 they consult the DNS. I had assumed they would set it the way they
3202 wanted; and indeed my experiments on Linux seem to show that in some
3203 cases they do (I could influence IPv6 lookups but not IPv4 lookups).
3204 To be on the safe side, however, I have now made the interface to
3205 host_find_byname() similar to host_find_bydns(), with an argument
3206 containing the DNS resolver options. The host_find_byname() function now
3207 sets these options at its start, just as host_find_bydns() does. The smtp
3208 transport options dns_qualify_single and dns_search_parents are passed to
3209 host_find_byname() when gethostbyname=TRUE in this transport. Other uses
3210 of host_find_byname() use the default settings of RES_DEFNAMES
3211 (qualify_single) but not RES_DNSRCH (search_parents).
3212
3213 PH/17 Applied (a modified version of) Nico Erfurth's patch to make
3214 spool_read_header() do less string testing, by means of a preliminary
3215 switch on the second character of optional "-foo" lines. (This is
3216 overdue, caused by the large number of possibilities that now exist.
3217 Originally there were few.) While I was there, I also converted the
3218 str(n)cmp tests so they don't re-test the leading "-" and the first
3219 character, in the hope this might squeeze out yet more improvement.
3220
3221 PH/18 Two problems with "group" syntax in header lines when verifying: (1) The
3222 flag allowing group syntax was set by the header_syntax check but not
3223 turned off, possible causing trouble later; (2) The flag was not being
3224 set at all for the header_verify test, causing "group"-style headers to
3225 be rejected. I have now set it in this case, and also caused header_
3226 verify to ignore an empty address taken from a group. While doing this, I
3227 came across some other cases where the code for allowing group syntax
3228 while scanning a header line wasn't quite right (mostly, not resetting
3229 the flag correctly in the right place). These bugs could have caused
3230 trouble for malformed header lines. I hope it is now all correct.
3231
3232 PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called
3233 with the "reply" argument non-NULL. The code, however (which originally
3234 came from elsewhere) had *some* tests for NULL when it wrote to *reply,
3235 but it didn't always do it. This confused somebody who was copying the
3236 code for some other use. I have removed all the tests.
3237
3238 PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a
3239 feature that was used to support insecure browsers during the U.S. crypto
3240 embargo. It requires special client support, and Exim is probably the
3241 only MTA that supported it -- and would never use it because real RSA is
3242 always available. This code has been removed, because it had the bad
3243 effect of slowing Exim down by computing (never used) parameters for the
3244 RSA_EXPORT functionality.
3245
3246 PH/21 On the advice of Timo Sirainen, added a check to the dovecot
3247 authenticator to fail if there's a tab character in the incoming data
3248 (there should never be unless someone is messing about, as it's supposed
3249 to be base64-encoded). Also added, on Timo's advice, the "secured" option
3250 if the connection is using TLS or if the remote IP is the same as the
3251 local IP, and the "valid-client-cert option" if a client certificate has
3252 been verified.
3253
3254 PH/22 As suggested by Dennis Davis, added a server_condition option to *all*
3255 authenticators. This can be used for authorization after authentication
3256 succeeds. (In the case of plaintext, it servers for both authentication
3257 and authorization.)
3258
3259 PH/23 Testing for tls_required and lost_connection in a retry rule didn't work
3260 if any retry times were supplied.
3261
3262 PH/24 Exim crashed if verify=helo was activated during an incoming -bs
3263 connection, where there is no client IP address to check. In this
3264 situation, the verify now always succeeds.
3265
3266 PH/25 Applied John Jetmore's -Mset patch.
3267
3268 PH/26 Added -bem to be like -Mset, but loading a message from a file.
3269
3270 PH/27 In a string expansion for a processed (not raw) header when multiple
3271 headers of the same name were present, leading whitespace was being
3272 removed from all of them, but trailing whitespace was being removed only
3273 from the last one. Now trailing whitespace is removed from each header
3274 before concatenation. Completely empty headers in a concatenation (as
3275 before) are ignored.
3276
3277 PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John
3278 Jetmore). It would have mis-read ACL variables from pre-4.61 spool files.
3279
3280 PH/29 [Removed. This was a change that I later backed out, and forgot to
3281 correct the ChangeLog entry (that I had efficiently created) before
3282 committing the later change.]
3283
3284 PH/30 Exim was sometimes attempting to deliver messages that had suffered
3285 address errors (4xx response to RCPT) over the same connection as other
3286 messages routed to the same hosts. Such deliveries are always "forced",
3287 so retry times are not inspected. This resulted in far too many retries
3288 for the affected addresses. The effect occurred only when there were more
3289 hosts than the hosts_max_try setting in the smtp transport when it had
3290 the 4xx errors. Those hosts that it had tried were not added to the list
3291 of hosts for which the message was waiting, so if all were tried, there
3292 was no problem. Two fixes have been applied:
3293
3294 (i) If there are any address or message errors in an SMTP delivery, none
3295 of the hosts (tried or untried) are now added to the list of hosts
3296 for which the message is waiting, so the message should not be a
3297 candidate for sending over the same connection that was used for a
3298 successful delivery of some other message. This seems entirely
3299 reasonable: after all the message is NOT "waiting for some host".
3300 This is so "obvious" that I'm not sure why it wasn't done
3301 previously. Hope I haven't missed anything, but it can't do any
3302 harm, as the worst effect is to miss an optimization.
3303
3304 (ii) If, despite (i), such a delivery is accidentally attempted, the
3305 routing retry time is respected, so at least it doesn't keep
3306 hammering the server.
3307
3308 PH/31 Installed Andrew Findlay's patch to close the writing end of the socket
3309 in ${readsocket because some servers need this prod.
3310
3311 PH/32 Added some extra debug output when updating a wait-xxx database.
3312
3313 PH/33 The hint "could be header name not terminated by colon", which has been
3314 given for certain expansion errors for a long time, was not being given
3315 for the ${if def:h_colon_omitted{... case.
3316
3317 PH/34 The spec says: "With one important exception, whenever a domain list is
3318 being scanned, $domain contains the subject domain." There was at least
3319 one case where this was not true.
3320
3321 PH/35 The error "getsockname() failed: connection reset by peer" was being
3322 written to the panic log as well as the main log, but it isn't really
3323 panic-worthy as it just means the connection died rather early on. I have
3324 removed the panic log writing for the ECONNRESET error when getsockname()
3325 fails.
3326
3327 PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue
3328 runs only) independently of the message's sender address. This meant
3329 that, if the 4xx error was in fact related to the sender, a different
3330 message to the same recipient with a different sender could confuse
3331 things. In particular, this can happen when sending to a greylisting
3332 server, but other circumstances could also provoke similar problems.
3333 I have changed the default so that the retry time for these errors is now
3334 based a combination of the sender and recipient addresses. This change
3335 can be overridden by setting address_retry_include_sender=false in the
3336 smtp transport.
3337
3338 PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the
3339 remote server are returned as part of bounce messages. This was not
3340 happening for LMTP over a pipe (the lmtp transport), but now it is the
3341 same for both kinds of LMTP.
3342
3343 PH/38 Despite being documented as not happening, Exim was rewriting addresses
3344 in header lines that were in fact CNAMEs. This is no longer the case.
3345
3346 PH/39 If -R or -S was given with -q<time>, the effect of -R or -S was ignored,
3347 and queue runs started by the daemon processed all messages. This has
3348 been fixed so that -R and -S can now usefully be given with -q<time>.
3349
3350 PH/40 Import PCRE release 6.7 (fixes some bugs).
3351
3352 PH/41 Add bitwise logical operations to eval (courtesy Brad Jorsch).
3353
3354 PH/42 Give an error if -q is specified more than once.
3355
3356 PH/43 Renamed the variables $interface_address and $interface_port as
3357 $received_ip_address and $received_port, to make it clear that these
3358 values apply to message reception, and not to the outgoing interface when
3359 a message is delivered. (The old names remain recognized, of course.)
3360
3361 PH/44 There was no timeout on the connect() call when using a Unix domain
3362 socket in the ${readsocket expansion. There now is.
3363
3364 PH/45 Applied a modified version of Brad Jorsch's patch to allow "message" to
3365 be meaningful with "accept".
3366
3367 SC/01 Eximstats V1.43
3368 Bug fix for V1.42 with -h0 specified. Spotted by Chris Lear.
3369
3370 SC/02 Eximstats V1.44
3371 Use a glob alias rather than an array ref in the generated
3372 parser. This improves both readability and performance.
3373
3374 SC/03 Eximstats V1.45 (Marco Gaiarin / Steve Campbell)
3375 Collect SpamAssassin and rejection statistics.
3376 Don't display local sender or destination tables unless
3377 there is data to show.
3378 Added average volumes into the top table text output.
3379
3380 SC/04 Eximstats V1.46
3381 Collect data on the number of addresses (recipients)
3382 as well as the number of messages.
3383
3384 SC/05 Eximstats V1.47
3385 Added 'Message too big' to the list of mail rejection
3386 reasons (thanks to Marco Gaiarin).
3387
3388 SC/06 Eximstats V1.48
3389 Mainlog lines which have GMT offsets and are too short to
3390 have a flag are now skipped.
3391
3392 SC/07 Eximstats V1.49 (Alain Williams)
3393 Added the -emptyok flag.
3394
3395 SC/08 Eximstats V1.50
3396 Fixes for obtaining the IP address from reject messages.
3397
3398 JJ/03 exipick.20061117.2, made header handling as similar to exim as possible
3399 (added [br]h_ prefixes, implemented RFC2047 decoding. Fixed
3400 whitespace changes from 4.64-PH/27
3401
3402 JJ/04 exipick.20061117.2, fixed format and added $message_headers_raw to
3403 match 4.64-PH/13
3404
3405 JJ/05 exipick.20061117.2, bug fixes (error out sooner when invalid criteria
3406 are found, allow negative numbers in numeric criteria)
3407
3408 JJ/06 exipick.20061117.2, added new $message_body_missing variable
3409
3410 JJ/07 exipick.20061117.2, added $received_ip_address and $received_port
3411 to match changes made in 4.64-PH/43
3412
3413 PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm.
3414
3415 PH/47 Put in an explicit test for a DNS lookup of an address record where the
3416 "domain" is actually an IP address, and force a failure. This locks out
3417 those revolvers/nameservers that support "A-for-A" lookups, in
3418 contravention of the specifications.
3419
3420 PH/48 When a host name was looked up from an IP address, and the subsequent
3421 forward lookup of the name timed out, the host name was left in
3422 $sender_host_name, contrary to the specification.
3423
3424 PH/49 Although default lookup types such as lsearch* or cdb*@ have always been
3425 restricted to single-key lookups, Exim was not diagnosing an error if
3426 * or *@ was used with a query-style lookup.
3427
3428 PH/50 Increased the value of DH_BITS in tls-gnu.c from 768 to 1024.
3429
3430 MH/01 local_scan ABI version incremented to 1.1. It should have been updated
3431 long ago, but noone interested enough thought of it. Let's just say that
3432 the "1.1" means that there are some new functions that weren't there at
3433 some point in the past.
3434
3435 PH/51 Error processing for expansion failure of helo_data from an smtp
3436 transport during callout processing was broken.
3437
3438 PH/52 Applied John Jetmore's patch to allow tls-on-connect and STARTTLS to be
3439 tested/used via the -bh/-bhc/-bs options.
3440
3441 PH/53 Added missing "#include <time.h>" to pcre/pcretest.c (this was a PCRE
3442 bug, fixed in subsequent PCRE releases).
3443
3444 PH/54 Applied Robert Bannocks' patch to avoid a problem with references that
3445 arises when using the Solaris LDAP libraries (but not with OpenLDAP).
3446
3447 PH/55 Check for a ridiculously long file name in exim_dbmbuild.
3448
3449
3450 Exim version 4.63
3451 -----------------
3452
3453 SC/01 Use a glob alias rather than an array ref in eximstats generated
3454 parser. This improves both readability and performance.
3455
3456 SC/02 Collect SpamAssassin and rejection statistics in eximstats.
3457 Don't display local sender or destination tables in eximstats unless
3458 there is data to show.
3459 Added average volumes into the eximstats top table text output.
3460
3461 SC/03 Collect data on the number of addresses (recipients) as well
3462 as the number of messages in eximstats.
3463
3464 TF/01 Correct an error in the documentation for the redirect router. Exim
3465 does (usually) call initgroups() when daemonizing.
3466
3467 TF/02 Call initgroups() when dropping privilege in exim.c, so that Exim runs
3468 with consistent privilege compared to when running as a daemon.
3469
3470 TF/03 Note in the spec that $authenticated_id is not set for local
3471 submissions from trusted users.
3472
3473 TF/04 The ratelimit per_rcpt option now works correctly in acl_not_smtp.
3474 Thanks to Dean Brooks <dean@iglou.com> for the patch.
3475
3476 TF/05 Make it easier to get SMTP authentication and TLS/SSL support working
3477 by adding some example configuration directives to the default
3478 configuration file. A little bit of work is required to uncomment the
3479 directives and define how usernames and passwords are checked, but
3480 there is now a framework to start from.
3481
3482 PH/01 Added #define LDAP_DEPRECATED 1 to ldap.c because some of the "old"
3483 functions that Exim currently uses aren't defined in ldap.h for OpenLDAP
3484 without this. I don't know how relevant this is to other LDAP libraries.
3485
3486 PH/02 Add the verb name to the "unknown ACL verb" error.
3487
3488 PH/03 Magnus Holmgren's patch for filter_prepend_home.
3489
3490 PH/03 Fixed Bugzilla #101: macro definition between ACLs doesn't work.
3491
3492 PH/04 Applied Magnus Holmgren's patch to fix Bugzilla #98: transport's home
3493 directory not expanded when it should be if an expanded home directory
3494 was set for the address (which is overridden by the transport).
3495
3496 PH/05 Applied Alex Kiernan's patch to fix Bugzilla #99: a problem with
3497 libradius.
3498
3499 PH/06 Added acl_not_smtp_start, based on Johannes Berg's patch, and set the
3500 bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL,
3501 because it is too late at that time, and has no effect.
3502
3503 PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a
3504 security issue with \' (bugzilla #107). I could not use the
3505 PQescapeStringConn() function, because it needs a PGconn value as one of
3506 its arguments.
3507
3508 PH/08 When testing addresses using -bt, indicate those final addresses that
3509 are duplicates that would not cause an additional delivery. At least one
3510 person was confused, thinking that -bt output corresponded to deliveries.
3511 (Suppressing duplicates isn't a good idea as you lose the information
3512 about possibly different redirections that led to the duplicates.)
3513
3514 PH/09 Applied patch from Erik to use select() instead of poll() in spam.c on
3515 systems where poll() doesn't work, in particular OS X.
3516
3517 PH/10 Added more information to debugging output for retry time not reached.
3518
3519 PH/11 Applied patch from Arkadiusz Miskiewicz to apply a timeout to read
3520 operations in malware.c.
3521
3522 PH/12 Applied patch from Magnus Holmgren to include the "h" tag in Domain Keys
3523 signatures.
3524
3525 PH/13 If write_rejectlog was set false when logging was sent to syslog with
3526 syslog_duplication set false, log lines that would normally be written
3527 both the the main log and to the reject log were not written to syslog at
3528 all.
3529
3530 PH/14 In the default configuration, change the use of "message" in ACL warn
3531 statements to "add_header".
3532
3533 PH/15 Diagnose a filter syntax error for "seen", "unseen", or "noerror" if not
3534 not followed by a command (e.g. "seen endif").
3535
3536 PH/16 Recognize SMTP codes at the start of "message" in ACLs and after :fail:
3537 and :defer: in a redirect router. Add forbid_smtp_code to suppress the
3538 latter.
3539
3540 PH/17 Added extra conditions to the default value of delay_warning_condition
3541 so that it is now:
3542
3543 ${if or { \
3544 { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} } \
3545 { match{$h_precedence:}{(?i)bulk|list|junk} } \
3546 { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} } \
3547 }{no}{yes}}
3548
3549 The Auto-Submitted: and various List- headers are standardised, whereas I
3550 don't think Precedence: ever was.
3551
3552 PH/18 Refactored debugging code in route_finduser() to show more information,
3553 in particular, the error code if getpwnam() issues one.
3554
3555 PH/19 Added PQsetClientEncoding(conn, "SQL_ASCII") to the pgsql code module.
3556 This is apparently needed in addition to the PH/07 change above to avoid
3557 any possible encoding problems.
3558
3559 PH/20 Perl can change the locale. Exim was resetting it after a ${perl call,
3560 but not after initializing Perl.
3561
3562 PH/21 Added a call to PQsetNoticeProcessor() to catch pgsql "notices" and
3563 output them only if debugging. By default they are written stderr,
3564 apparently, which is not desirable.
3565
3566 PH/22 Added Alain Williams' LDAP patch to support setting REFERRALS=off on
3567 queries.
3568
3569 JJ/01 exipick: added --reverse (and -R synonym), --random, --size, --sort and
3570 --not options
3571
3572 JJ/02 exipick: rewrote --help documentation to hopefully make more clear.
3573
3574 PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is
3575 authenticated or an ident call has been made. Suppress the default
3576 values for $authenticated_id and $authenticated_sender (but permit -oMai
3577 and -oMas) when testing with -bh.
3578
3579 PH/24 Re-jigged the order of the tests in the default configuration so that the
3580 tests for valid domains and recipients precede the DNS black list and CSA
3581 tests, on the grounds that those ones are more expensive.
3582
3583 PH/25 Exim was not testing for a space following SMTP commands such as EHLO
3584 that require one. Thus, EHLORHUBARB was interpreted as a valid command.
3585 This bug exists in every version of Exim that I still have, right back to
3586 0.12.
3587
3588 PH/26 (n)wildlsearch lookups are documented as being done case-insensitively.
3589 However, an attempt to turn on case-sensitivity in a regex key by
3590 including (?-i) didn't work because the subject string was already
3591 lowercased, and the effects were non-intuitive. It turns out that a
3592 one-line patch can be used to allow (?-i) to work as expected.
3593
3594
3595 Exim version 4.62
3596 -----------------
3597
3598 TF/01 Fix the add_header change below (4.61 PH/55) which had a bug that (amongst
3599 other effects) broke the use of negated acl sub-conditions.
3600
3601 PH/01 ${readsocket now supports Internet domain sockets (modified John Jetmore
3602 patch).
3603
3604 PH/02 When tcp-wrappers is called from Exim, it returns only "deny" or "allow".
3605 "Deny" causes Exim to reject the incoming connection with a 554 error.
3606 Unfortunately, if there is a major crisis, such as a disk failure,
3607 tcp-wrappers gives "deny", whereas what one would like would be some
3608 kind of temporary error. A kludge has been added to help with this.
3609 Before calling hosts_ctl(), errno is set zero. If the result is "deny", a
3610 554 error is used if errno is still zero or contains ENOENT (which occurs
3611 if either of the /etc/hosts.{allow,deny} files is missing). Otherwise, a
3612 451 error is used.
3613
3614 PH/03 Add -lutil to the default FreeBSD LIBS setting.
3615
3616 PH/04 Change PH/19 for 4.61 was too wide. It should not be applied to host
3617 errors. Otherwise a message that provokes a temporary error (when other
3618 messages do not) can cause a whole host to time out.
3619
3620 PH/05 Batch deliveries by appendfile and pipe transports did not work when the
3621 addresses were routed directly to files or pipes from a redirect router.
3622 File deliveries just didn't batch; pipe deliveries might have suffered
3623 odd errors.
3624
3625 PH/06 A failure to get a lock for a hints database would erroneously always say
3626 "Failed to get write lock", even when it was really a read lock.
3627
3628 PH/07 The appendfile transport was creating MBX lock files with a fixed mode
3629 of 0600. This has been changed to use the value of the lockfile_mode
3630 option (which defaults to 0600).
3631
3632 PH/08 Applied small patch from the Sieve maintainer.
3633
3634 PH/09 If maildir_quota_directory_regex was set to exclude (say) the .Trash
3635 folder from quota calculations, a direct delivery into this folder messed
3636 up the contents of the maildirsize file. This was because the regex was
3637 used only to exclude .Trash (or whatever) when the size of the mailbox
3638 was calculated. There was no check that a delivery was happening into an
3639 excluded directory. This bug has been fixed by ignoring all quota
3640 processing for deliveries into excluded directories.
3641
3642 PH/10 Added the maildirfolder_create_regex option to appendfile.
3643
3644
3645 Exim version 4.61
3646 -----------------
3647
3648 PH/01 The code for finding all the local interface addresses on a FreeBSD
3649 system running IPv6 was broken. This may well have applied to all BSD
3650 systems, as well as to others that have similar system calls. The broken
3651 code found IPv4 interfaces correctly, but gave incorrect values for the
3652 IPv6 interfaces. In particular, ::1 was not found. The effect in Exim was
3653 that it would not match correctly against @[] and not recognize the IPv6
3654 addresses as local.
3655
3656 PH/02 The ipliteral router was not recognizing addresses of the form user@
3657 [ipv6:....] because it didn't know about the "ipv6:" prefix.
3658
3659 PH/03 Added disable_ipv6.
3660
3661 PH/04 Changed $reply_address to use the raw form of the headers instead of the
3662 decoded form, because it is most often used to construct To: headers
3663 lines in autoreplies, and the decoded form may well be syntactically
3664 invalid. However, $reply_address has leading white space removed, and all
3665 newlines turned into spaces so that the autoreply transport does not
3666 grumble.
3667
3668 PH/05 If group was specified without a user on a router, and no group or user
3669 was specified on a transport, the group from the router was ignored.
3670
3671 PH/06 Increased the number of ACL variables to 20 of each type, and arranged
3672 for visible compile-time settings that can be used to change these
3673 numbers, for those that want even more. Backwards compatibility with old
3674 spool files has been maintained. However, going back to a previous Exim
3675 release will lost any variables that are in spool files.
3676
3677 PH/07 Two small changes when running in the test harness: increase delay when
3678 passing a TCP/IP connection to a new process, in case the original
3679 process has to generate a bounce, and remove special handling of
3680 127.0.0.2 (sic), which is no longer necessary.
3681
3682 PH/08 Changed debug output of dbfn_open() flags from numbers to names, so as to
3683 be the same on different OS.
3684
3685 PH/09 Moved a debug statement in filter processing to avoid a race problem when
3686 testing.
3687
3688 JJ/01 exipick: fixed bug where -b (brief) output option showed "Vars:"
3689 whether --show-vars was specified or not
3690
3691 JJ/02 exipick: Added support for new ACL variable spool format introduced
3692 in 4.61-PH/06
3693
3694 PH/10 Fixed another bug related to PH/04 above: if an incoming message had a
3695 syntactically invalid From: or Reply-to: line, and a filter used this to
3696 generate an autoreply, and therefore failed to obtain an address for the
3697 autoreply, Exim could try to deliver to a non-existent relative file
3698 name, causing unrelated and misleading errors. What now happens is that
3699 it logs this as a hard delivery error, but does not attempt to create a
3700 bounce message.
3701
3702 PH/11 The exinext utility has a -C option for testing purposes, but although
3703 the given file was scanned by exinext itself; it wasn't being passed on
3704 when Exim was called.
3705
3706 PH/12 In the smtp transport, treat an explicit ECONNRESET error the same as
3707 an end-of-file indication when reading a command response.
3708
3709 PH/13 Domain literals for IPv6 were not recognized unless IPv6 support was
3710 compiled. In many other places in Exim, IPv6 addresses are always
3711 recognized, so I have changed this. It also means that IPv4 domain
3712 literals of the form [IPV4:n.n.n.n] are now always recognized.
3713
3714 PH/14 When a uid/gid is specified for the queryprogram router, it cannot be
3715 used if the router is not running as root, for example, when verifying at
3716 ACL time, or when using -bh. The debugging output from this situation was
3717 non-existent - all you got was a failure to exec. I have made two
3718 changes:
3719
3720 (a) Failures to set uid/gid, the current directory, or a process leader
3721 in a subprocess such as that created by queryprogram now generate
3722 suitable debugging output when -d is set.
3723
3724 (b) The queryprogram router detects when it is not running as root,
3725 outputs suitable debugging information if -d is set, and then runs
3726 the subprocess without attempting to change uid/gid.
3727
3728 PH/15 Minor change to Makefile for building test_host (undocumented testing
3729 feature).
3730
3731 PH/16 As discussed on the list in Nov/Dec: Exim no longer looks at the
3732 additional section of a DNS packet that returns MX or SRV records.
3733 Instead, it always explicitly searches for A/AAAA records. This avoids
3734 major problems that occur when a DNS server includes only records of one
3735 type (A or AAAA) in an MX/SRV packet. A byproduct of this change has
3736 fixed another bug: if SRV records were looked up and the corresponding
3737 address records were *not* found in the additional section, the port
3738 values from the SRV records were lost.
3739
3740 PH/17 If a delivery to a pipe, file, or autoreply was deferred, Exim was not
3741 using the correct key (the original address) when searching the retry
3742 rules in order to find which one to use for generating the retry hint.
3743
3744 PH/18 If quota_warn_message contains a From: header, Exim now refrains from
3745 adding the default one. Similarly, if it contains a Reply-To: header, the
3746 errors_reply_to option, if set, is not used.
3747
3748 PH/19 When calculating a retry time, Exim used to measure the "time since
3749 failure" by looking at the "first failed" field in the retry record. Now
3750 it does not use this if it is later than than the arrival time of the
3751 message. Instead it uses the arrival time. This makes for better
3752 behaviour in cases where some deliveries succeed, thus re-setting the
3753 "first failed" field. An example is a quota failure for a huge message
3754 when small messages continue to be delivered. Without this change, the
3755 "time since failure" will always be short, possible causing more frequent
3756 delivery attempts for the huge message than are intended.
3757 [Note: This change was subsequently modified - see PH/04 for 4.62.]
3758
3759 PH/20 Added $auth1, $auth2, $auth3 to contain authentication data (as well as
3760 $1, $2, $3) because the numerical variables can be reset during some
3761 expansion items (e.g. "match"), thereby losing the authentication data.
3762
3763 PH/21 Make -bV show the size of off_t variables so that the test suite can
3764 decide whether to run tests for quotas > 2G.
3765
3766 PH/22 Test the values given for quota, quota_filecount, quota_warn_threshold,
3767 mailbox_size, and mailbox_filecount in the appendfile transport. If a
3768 filecount value is greater than 2G or if a quota value is greater than 2G
3769 on a system where the size of off_t is not greater than 4, a panic error
3770 is given.
3771
3772 PH/23 When a malformed item such as 1.2.3/24 appears in a host list, it can
3773 never match. The debug and -bh output now contains an explicit error
3774 message indicating a malformed IPv4 address or mask.
3775
3776 PH/24 An host item such as 1.2.3.4/abc was being treated as the IP address
3777 1.2.3.4 without a mask. Now it is not recognized as an IP address, and
3778 PH/23 above applies.
3779
3780 PH/25 Do not write to syslog when running in the test harness. The only
3781 occasion when this arises is a failure to open the main or panic logs
3782 (for which there is an explicit test).
3783
3784 PH/26 Added the /no_tell option to "control=freeze".
3785
3786 PH/27 If a host name lookup failed very early in a connection, for example, if
3787 the IP address matched host_lookup and the reverse lookup yielded a name
3788 that did not have a forward lookup, an error message of the form "no IP
3789 address found for host xxx.xxx.xxx (during SMTP connection from NULL)"
3790 could be logged. Now it outputs the IP address instead of "NULL".
3791
3792 PH/28 An enabling patch from MH: add new function child_open_exim2() which
3793 allows the sender and the authenticated sender to be set when
3794 submitting a message from within Exim. Since child_open_exim() is
3795 documented for local_scan(), the new function should be too.
3796
3797 PH/29 In GnuTLS, a forced expansion failure for tls_privatekey was not being
3798 ignored. In both GnuTLS and OpenSSL, an expansion of tls_privatekey that
3799 results in an empty string is now treated as unset.
3800
3801 PH/30 Fix eximon buffer overflow bug (Bugzilla #73).
3802
3803 PH/31 Added sender_verify_fail logging option.
3804
3805 PH/32 In November 2003, the code in Exim that added an empty Bcc: header when
3806 needed by RFC 822 but not by RFC 2822 was commented out. I have now
3807 tidied the source and removed it altogether.
3808
3809 PH/33 When a queue run was abandoned because the load average was too high, a
3810 log line was always written; now it is written only if the queue_run log
3811 selector is set. In addition, the log line for abandonment now contains
3812 information about the queue run such as the pid. This is always present
3813 in "start" and "stop" lines but was omitted from the "abandon" line.
3814
3815 PH/34 Omit spaces between a header name and the colon in the error message that
3816 is given when verify = headers_syntax fails (if there are lots of them,
3817 the message gets confusing).
3818
3819 PH/35 Change the default for dns_check_names_pattern to allow slashes within
3820 names, as there are now some PTR records that contain slashes. This check
3821 is only to protect against broken name servers that fall over on strange
3822 characters, so the fact that it applies to all lookups doesn't matter.
3823
3824 PH/36 Now that the new test suite is complete, we can remove some of the
3825 special code in Exim that was needed for the old test suite. For example,
3826 sorting DNS records because real resolvers return them in an arbitrary
3827 order. The new test suite's fake resolver always returns records in the
3828 same order.
3829
3830 PH/37 When running in the test harness, use -odi for submitted messages (e.g.
3831 bounces) except when queue_only is set, to avoid logging races between
3832 the different processes.
3833
3834 PH/38 Panic-die if .include specifies a non-absolute path.
3835
3836 PH/39 A tweak to the "H" retry rule from its user.
3837
3838 JJ/03 exipick: Removed parentheses from 'next' and 'last' calls that specified
3839 a label. They prevented compilation on older perls.
3840
3841 JJ/04 exipick: Refactored code to prevent implicit split to @_ which caused
3842 a warning to be raised on newish perls.
3843
3844 JJ/05 exipick: Fixed bug where -bpc always showed a count of all messages
3845 on queue. Changes to match documented behaviour of showing count of
3846 messages matching specified criteria.
3847
3848 PH/40 Changed the default ident timeout from 30s to 5s.
3849
3850 PH/41 Added support for the use of login_cap features, on those BSD systems
3851 that have them, for controlling the resources used by pipe deliveries.
3852
3853 PH/42 The content-scanning code uses fopen() to create files in which to put
3854 message data. Previously it was not paying any attention to the mode of
3855 the files. Exim runs with umask(0) because the rest of the code creates
3856 files with open(), and sets the required mode explicitly. Thus, these
3857 files were ending up world-writeable. This was not a big issue, because,
3858 being within the spool directory, they were not world-accessible. I have
3859 created a function called modefopen, which takes an additional mode
3860 argument. It sets umask(777), creates the file, chmods it to the required
3861 mode, then resets the umask. All the relevant calls to fopen() in the
3862 content scanning code have been changed to use this function.
3863
3864 PH/43 If retry_interval_max is set greater than 24 hours, it is quietly reset
3865 to 24 hours. This avoids potential overflow problems when processing G
3866 and H retry rules. I suspect nobody ever tinkers with this value.
3867
3868 PH/44 Added STRIP_COMMAND=/usr/bin/strip to the FreeBSD Makefile.
3869
3870 PH/45 When the plaintext authenticator is running as a client, the server's
3871 challenges are checked to ensure they are valid base64 strings. By
3872 default, the authentication attempt is cancelled if an invalid string is
3873 received. Setting client_ignore_invalid_base64 true ignores these errors.
3874 The decoded challenge strings are now placed in $auth1, $auth2, etc. as
3875 they are received. Thus, the responses can be made to depend on the
3876 challenges. If an invalid string is ignored, an empty string is placed in
3877 the variable.
3878
3879 PH/46 Messages that are created by the autoreply transport now contains a
3880 References: header, in accordance with RFCs 2822 and 3834.
3881
3882 PH/47 Added authenticated_sender_force to the smtp transport.
3883
3884 PH/48 The ${prvs expansion was broken on systems where time_t was long long.
3885
3886 PH/49 Installed latest patch from the Sieve maintainer.
3887
3888 PH/50 When an Exim quota was set without a file count quota, and mailbox_size
3889 was also set, the appendfile transport was unnecessarily scanning a
3890 directory of message files (e.g. for maildir delivery) to find the count
3891 of files (along with the size), even though it did not need this
3892 information. It now does the scan only if it needs to find either the
3893 size of the count of files.
3894
3895 PH/51 Added ${time_eval: to convert Exim time strings into seconds.
3896
3897 PH/52 Two bugs concerned with error handling when the smtp transport is
3898 used in LMTP mode:
3899
3900 (i) Exim was not creating retry information for temporary errors given
3901 for individual recipients after the DATA command when the smtp transport
3902 was used in LMTP mode. This meant that they could be retried too
3903 frequently, and not timed out correctly.
3904
3905 (ii) Exim was setting the flag that allows error details to be returned
3906 for LMTP errors on RCPT commands, but not for LMTP errors for individual
3907 recipients that were returned after the DATA command.
3908
3909 PH/53 This is related to PH/52, but is more general: for any failing address,
3910 when detailed error information was permitted to be returned to the
3911 sender, but the error was temporary, then after the final timeout, only
3912 "retry timeout exceeded" was returned. Now it returns the full error as
3913 well as "retry timeout exceeded".
3914
3915 PH/54 Added control=allow_auth_unadvertised, as it seems there are clients that
3916 do this, and (what is worse) MTAs that accept it.
3917
3918 PH/55 Added the add_header modified to ACLs. The use of "message" with "warn"
3919 will now be deprecated.
3920
3921 PH/56 New os.c-cygwin from the Cygwin maintainer.
3922
3923 JJ/06 exipick: added --unsorted option to allow unsorted output in all output
3924 formats (previously only available in exim formats via -bpr, -bpru,
3925 and -bpra. Now also available in native and exiqgrep formats)
3926
3927 JJ/07 exipick: added --freeze and --thaw options to allow faster interaction
3928 with very large, slow to parse queues
3929
3930 JJ/08 exipick: added ! as generic prefix to negate any criteria format
3931
3932 JJ/09 exipick: miscellaneous performance enhancements (~24% improvements)
3933
3934 PH/57 Tidies in SMTP dialogue display in debug output: (i) It was not showing
3935 responses to authentication challenges, though it was showing the
3936 challenges; (ii) I've removed the CR characters from the debug output for
3937 SMTP output lines.
3938
3939 PH/58 Allow for the insertion of a newline as well as a space when a string
3940 is turned into more than one encoded-word during RFC 2047 encoding. The
3941 Sieve code now uses this.
3942
3943 PH/59 Added the following errors that can be detected in retry rules: mail_4xx,
3944 data_4xx, lost_connection, tls_required.
3945
3946 PH/60 When a VRFY deferred or FAILED, the log message rather than the user
3947 message was being sent as an SMTP response.
3948
3949 PH/61 Add -l and -k options to exicyclog.
3950
3951 PH/62 When verifying, if an address was redirected to one new address, so that
3952 verification continued, and the new address failed or deferred after
3953 having set something in $address_data, the value of $address_data was not
3954 passed back to the ACL. This was different to the case when no
3955 redirection occurred. The value is now passed back in both cases.
3956
3957 PH/63 Changed the macro HAVE_LOGIN_CAP (see PH/41 for this release above) to
3958 HAVE_SETCLASSRESOURCES because there are different APIs in use that all
3959 use login_cap.h, so on its own it isn't the distinguishing feature. The
3960 new name refers directly to the setclassresources() function.
3961
3962 PH/65 Added configuration files for NetBSD3.
3963
3964 PH/66 Updated OS/Makefile-HP-UX for gcc 4.1.0 with HP-UX 11.
3965
3966 PH/67 Fixed minor infelicity in the sorting of addresses to ensure that IPv6
3967 is preferred over IPv4.
3968
3969 PH/68 The bounce_return_message and bounce_return_body options were not being
3970 honoured for bounces generated during the reception of non-SMTP messages.
3971 In particular, this applied to messages rejected by the ACL. This bug has
3972 been fixed. However, if bounce_return_message is true and bounce_return_
3973 body is false, the headers that are returned for a non-SMTP message
3974 include only those that have been read before the error was detected.
3975 (In the case of an ACL rejection, they have all been read.)
3976
3977 PH/69 The HTML version of the specification is now built in a directory called
3978 spec_html instead of spec.html, because the latter looks like a path with
3979 a MIME-type, and this confuses some software.
3980
3981 PH/70 Catch two compiler warnings in sieve.c.
3982
3983 PH/71 Fixed an obscure and subtle bug (thanks Alexander & Matthias). The
3984 function verify_get_ident() calls ip_connect() to connect a socket, but
3985 if the "connect()" function timed out, ip_connect() used to close the
3986 socket. However, verify_get_ident() also closes the socket later, and in
3987 between Exim writes to the log, which may get opened at this point. When
3988 the socket was closed in ip_connect(), the log could get the same file
3989 descriptor number as the socket. This naturally causes chaos. The fix is
3990 not to close the socket in ip_connect(); the socket should be closed by
3991 the function that creates it. There was only one place in the code where
3992 this was missing, in the iplookup router, which I don't think anybody now
3993 uses, but I've fixed it anyway.
3994
3995 PH/72 Make dns_again_means_nonexist apply to lookups using gethostbyname() as
3996 well as to direct DNS lookups. Otherwise the handling of names in host
3997 lists is inconsistent and therefore confusing.
3998
3999
4000 Exim version 4.60
4001 -----------------
4002
4003 PH/01 Two changes to the default runtime configuration:
4004
4005 (1) Move the checks for relay_from_hosts and authenticated clients from
4006 after to before the (commented out) DNS black list checks.
4007
4008 (2) Add control=submission to the relay_from_hosts and authenticated
4009 clients checks, on the grounds that messages accepted by these
4010 statements are most likely to be submissions.
4011
4012 PH/02 Several tidies to the handling of ${prvs and ${prvscheck:
4013
4014 (1) Generate an error if the third argument for the ${prvs expansion is
4015 not a single digit.
4016
4017 (2) Treat a missing third argument of ${prvscheck as if it were an empty
4018 string.
4019
4020 (3) Reset the variables that are obtained from the first argument of
4021 ${prvscheck and used in the second argument before leaving the code,
4022 because their memory is reclaimed, so using them afterwards may do
4023 silly things.
4024
4025 (4) Tidy up the code for expanding the arguments of ${prvscheck one by
4026 one (it's much easier than Tom thought :-).
4027
4028 (5) Because of (4), we can now allow for the use of $prvscheck_result
4029 inside the third argument.
4030
4031 PH/03 For some reason, the default setting of PATH when running a command from
4032 a pipe transport was just "/usr/bin". I have changed it to
4033 "/bin:/usr/bin".
4034
4035 PH/04 SUPPORT_TRANSLATE_IP_ADDRESS and MOVE_FROZEN_MESSAGES did not cause
4036 anything to be listed in the output from -bV.
4037
4038 PH/05 When a filter generated an autoreply, the entire To: header line was
4039 quoted in the delivery log line, like this:
4040
4041 => >A.N.Other <ano@some.domain> <original@ddress> ...
4042
4043 This has been changed so that it extracts the operative address. There
4044 may be more than one such address. If so, they are comma-separated, like
4045 this:
4046
4047 => >ano@some.domain,ona@other.domain <original@ddress> ...
4048
4049 PH/06 When a client host used a correct literal IP address in a HELO or EHLO
4050 command, (for example, EHLO [1.2.3.4]) and the client's IP address was
4051 not being looked up in the rDNS to get a host name, Exim was showing the
4052 IP address twice in Received: lines, even though the IP addresses were
4053 identical. For example:
4054
4055 Received: from [1.2.3.4] (helo=[1.2.3.4])
4056
4057 However, if the real host name was known, it was omitting the HELO data
4058 if it matched the actual IP address. This has been tidied up so that it
4059 doesn't show the same IP address twice.
4060
4061 PH/07 When both +timestamp and +memory debugging was on, the value given by
4062 $tod_xxx expansions could be wrong, because the tod_stamp() function was
4063 called by the debug printing, thereby overwriting the timestamp buffer.
4064 Debugging no longer uses the tod_stamp() function when +timestamp is set.
4065
4066 PH/08 When the original message was included in an autoreply transport, it
4067 always said "this is a copy of the message, including all the headers",
4068 even if body_only or headers_only was set. It now gives an appropriate
4069 message.
4070
4071 PH/09 Applied a patch from the Sieve maintainer which:
4072
4073 o fixes some comments
4074 o adds the (disabled) notify extension core
4075 o adds some debug output for the result of if/elsif tests
4076 o points to the current vacation draft in the documentation
4077 and documents the missing references header update
4078
4079 and most important:
4080
4081 o fixes a bug in processing the envelope test (when testing
4082 multiple envelope elements, the last element determined the
4083 result)
4084
4085 PH/10 Exim was violating RFC 3834 ("Recommendations for Automatic Responses to
4086 Electronic Mail") by including:
4087
4088 Auto-submitted: auto-generated
4089
4090 in the messages that it generates (bounce messages and others, such as
4091 warnings). In the case of bounce messages for non-SMTP messages, there was
4092 also a typo: it was using "Auto_submitted" (underscore instead of
4093 hyphen). Since every message generated by Exim is necessarily in response
4094 to another message, thes have all been changed to:
4095
4096 Auto-Submitted: auto-replied
4097
4098 in accordance with these statements in the RFC:
4099
4100 The auto-replied keyword:
4101
4102 - SHOULD be used on messages sent in direct response to another
4103 message by an automatic process,
4104
4105 - MUST NOT be used on manually-generated messages,
4106
4107 - MAY be used on Delivery Status Notifications (DSNs) and Message
4108 Disposition Notifications (MDNs),
4109
4110 - MUST NOT be used on messages generated by automatic or periodic
4111 processes, except for messages which are automatic responses to
4112 other messages.
4113
4114 PH/11 Added "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}"
4115 to the default Received: header definition.
4116
4117 PH/12 Added log selector acl_warn_skipped (default on).
4118
4119 PH/13 After a successful wildlsearch lookup, discard the values of numeric
4120 variables because (a) they are in the wrong storage pool and (b) even if
4121 they were copied, it wouldn't work properly because of the caching.
4122
4123 PH/14 Add check_rfc2047_length to disable enforcement of RFC 2047 length
4124 checking when decoding. Apparently there are clients that generate
4125 overlong encoded strings. Why am I not surprised?
4126
4127 PH/15 If the first argument of "${if match_address" was not empty, but did not
4128 contain an "@" character, Exim crashed. Now it writes a panic log message
4129 and treats the condition as false.
4130
4131 PH/16 In autoreply, treat an empty string for "once" the same as unset.
4132
4133 PH/17 A further patch from the Sieve maintainer: "Introduce the new Sieve
4134 extension "envelope-auth". The code is finished and in agreement with
4135 other implementations, but there is no documentation so far and in fact,
4136 nobody wrote the draft yet. This extension is currently #undef'ed, thus
4137 not changing the active code.
4138
4139 Print executed "if" and "elsif" statements when debugging is used. This
4140 helps a great deal to understand what a filter does.
4141
4142 Document more things not specified clearly in RFC3028. I had all this
4143 sorted out, when out of a sudden new issues came to my mind. Oops."
4144
4145 PH/18 Exim was not recognizing the "net-" search type prefix in match_ip lists
4146 (Bugzilla #53).
4147
4148 PH/19 Exim expands the IPv6 address given to -bh to its full non-abbreviated
4149 canonical form (as documented). However, after a host name lookup from
4150 the IP address, check_host() was doing a simple string comparison with
4151 addresses acquired from the DNS when checking that the found name did
4152 have the original IP as one of its addresses. Since any found IPv6
4153 addresses are likely to be in abbreviated form, the comparison could
4154 fail. Luckily, there already exists a function for doing the comparison
4155 by converting both addresses to binary, so now that is used instead of
4156 the text comparison.
4157
4158 PH/20 There was another similar case to PH/19, when a complete host name was
4159 given in a host list; looking up its IP address could give an abbreviated
4160 form, whereas the current host's name might or might not be abbreviated.
4161 The same fix has been applied.
4162
4163
4164 Exim version 4.54
4165 -----------------
4166
4167 PH/01 The ${base62: operator adjusted itself to base 36 when BASE_62 was
4168 set to 36 (for Darwin and Cygwin), but the ${base62d: operator did not.
4169 It now does.
4170
4171 PH/02 Two minor problems detected in Cygwin: the os.{c,h} files had lost */ on
4172 the CVS lines, and there was a missing #if HAVE_IPV6 in host.c.
4173
4174 PH/03 Typo: missing ".o" in src/pcre/Makefile.
4175
4176 PH/04 Tighten up "personal" tests: Instead of testing for any "List-"
4177 header line, restrict the check to what is listed in RFCs 2369 and 2929.
4178 Also, for "Auto-Submitted", treat anything other than "no" as
4179 non-personal, in accordance with RFC 3834. (Previously it treated
4180 anything starting "auto-" as non-personal.)
4181
4182 TF/01 The control=submission/name=... option had a problem with syntax
4183 errors if the name included a slash character. The /name= option
4184 now slurps the rest of the string, so it can include any characters
4185 but it must come last in the list of options (after /sender_retain
4186 or /domain=).
4187
4188 PH/05 Some modifications to the interface to the fake nameserver for the new
4189 testing suite.
4190
4191
4192
4193 Exim version 4.53
4194 -----------------
4195
4196 TK/01 Added the "success_on_redirect" address verification option. See
4197 NewStuff for rationale and an example.
4198
4199 PH/01 Added support for SQLite, basic code supplied by David Woodhouse.
4200
4201 PH/02 Patch to exigrep to allow it to work on syslog lines.
4202
4203 PH/03 When creating an mbox file for a virus/spam scan, use fseek() instead of
4204 fread() to skip over the body file's header line, because in Cygwin the
4205 header line is locked and is inaccessible.
4206
4207 PH/04 Added $message_exim_id, ultimately to replace $message_id (they will both
4208 co-exist for some time) to make it clear that it is the Exim ID that is
4209 referenced, not the Message-ID: header line.
4210
4211 PH/05 Replaced all Tom's calls to snprintf() with calls to the internal
4212 string_format() function, because snprintf() does not exist on all
4213 operating systems.
4214
4215 PH/06 The use of forbid_filter_existstest now also locks out the use of the
4216 ${stat: expansion item.
4217
4218 PH/07 Changed "SMTP protocol violation: synchronization error" into "SMTP
4219 protocol synchronization error", to keep the pedants happy.
4220
4221 PH/08 Arrange for USE_INET_NTOA_FIX to be set in config.h for AIX systems as
4222 well as for IRIX systems, when gcc is being used. See the host.c source
4223 file for comments.
4224
4225 PH/09 Installed latest Cygwin configuration files from the Cygwin maintainer.
4226
4227 PH/10 Named domain lists were not working if used in a queue_smtp_domains
4228 setting.
4229
4230 PH/11 Added support for the IGNOREQUOTA extension to LMTP, both to the lmtp
4231 transport and to the smtp transport in LMTP mode.
4232
4233 TK/02 Remove one case of BASE64 error detection FTTB (undocumented anyway).
4234
4235 PH/12 There was a missing call to search_tidyup() before the fork() in rda.c to
4236 run a filter in a subprocess. This could lead to confusion in subsequent
4237 lookups in the parent process. There should also be a search_tidyup() at
4238 the end of the subprocess.
4239
4240 PH/13 Previously, if "verify = helo" was set in an ACL, the condition was true
4241 only if the host matched helo_try_verify_hosts, which caused the
4242 verification to occur when the EHLO/HELO command was issued. The ACL just
4243 tested the remembered result. Now, if a previous verification attempt has
4244 not happened, "verify = helo" does it there and then.
4245
4246 JJ/01 exipick: added $message_exim_id variable (see 4.53-PH/04)
4247
4248 TK/03 Fix log output including CR from clamd.
4249
4250 PH/14 A reference to $reply_address when Reply-to: was empty and From: did not
4251 exist provoked a memory error which could cause a segfault.
4252
4253 PH/15 Installed PCRE 6.2
4254
4255 PH/17 Defined BIND_8_COMPAT in the Darwin os.h file.
4256
4257 PH/18 Reversed 4.52/PH/17 because the HP-UX user found it wasn't the cause
4258 of the problem. Specifically, suggested +O2 rather than +O1 for the
4259 HP-UX compiler.
4260
4261 PH/19 Added sqlite_lock_timeout option (David Woodhouse's patch).
4262
4263 PH/20 If a delivery was routed to a non-standard port by means of an SRV
4264 record, the port was not correctly logged when the outgoing_port log
4265 selector was set (it logged the transort's default port).
4266
4267 PH/21 Added support for host-specific ports to manualroute, queryprogram,
4268 fallback_hosts, and "hosts" in the smtp transport.
4269
4270 PH/22 If the log selector "outgoing_port" is set, the port is now also given on
4271 host errors such as "Connection refused".
4272
4273 PH/23 Applied a patch to fix problems with exim-4.52 while doing radius
4274 authentication with radiusclient 0.4.9:
4275
4276 - Error returned from rc_read_config was caught wrongly
4277 - Username/password not passed on to radius server due to wrong length.
4278
4279 The presumption is that some radiusclient API changes for 4.51/PH/17
4280 were not taken care of correctly. The code is still untested by me (my
4281 Linux distribution still has 0.3.2 of radiusclient), but it was
4282 contributed by a Radius user.
4283
4284 PH/24 When doing a callout, the value of $domain wasn't set correctly when
4285 expanding the "port" option of the smtp transport.
4286
4287 TK/04 MIME ACL: Fix buffer underrun that occurs when EOF condition is met
4288 while reading a MIME header. Thanks to Tom Hughes for a patch.
4289
4290 PH/24 Include config.h inside local_scan.h so that configuration settings are
4291 available.
4292
4293 PH/25 Make $smtp_command_argument available after all SMTP commands. This means
4294 that in an ACL for RCPT (for example), you can examine exactly what was
4295 received.
4296
4297 PH/26 Exim was recognizing IPv6 addresses of the form [IPv6:....] in EHLO
4298 commands, but it was not correctly comparing the address with the actual
4299 client host address. Thus, it would show the EHLO address in Received:
4300 header lines when this was not necessary.
4301
4302 PH/27 Added the % operator to ${eval:}.
4303
4304 PH/28 Exim tries to create and chdir to its spool directory when it starts;
4305 it should be ignoring failures (because with -C, for example, it has lost
4306 privilege). It wasn't ignoring creation failures other than "already
4307 exists".
4308
4309 PH/29 Added "crypteq" to the list of supported features that Exim outputs when
4310 -bV or -d is used.
4311
4312 PH/30 Fixed (presumably very longstanding) bug in exim_dbmbuild: if it failed
4313 because an input line was too long, either on its own, or by virtue of
4314 too many continuations, the temporary file was not being removed, and the
4315 return code was incorrect.
4316
4317 PH/31 Missing "BOOL" in function definition in filtertest.c.
4318
4319 PH/32 Applied Sieve patches from the maintainer.
4320
4321 TK/05 Domainkeys: Accomodate for a minor API change in libdomainkeys 0.67.
4322
4323 PH/33 Added "verify = not_blind".
4324
4325 PH/34 There are settings for CHOWN_COMMAND and MV_COMMAND that can be used in
4326 Local/Makefile (with some defaults set). These are used in built scripts
4327 such as exicyclog, but they have never been used in the exim_install
4328 script (though there are many overriding facilities there). I have
4329 arranged that the exim_install script now takes note of these two
4330 settings.
4331
4332 PH/35 Installed configuration files for Dragonfly.
4333
4334 PH/36 When a locally submitted message by a trusted user did not contain a
4335 From: header, and the sender address was obtained from -f or from an SMTP
4336 MAIL command, and the trusted user did not use -F to supply a sender
4337 name, $originator_name was incorrectly used when constructing a From:
4338 header. Furthermore, $originator_name was used for submission mode
4339 messages from external hosts without From: headers in a similar way,
4340 which is clearly wrong.
4341
4342 PH/37 Added control=suppress_local_fixups.
4343
4344 PH/38 When log_selector = +received_sender was set, and the addition of the
4345 sender made the log line's construction buffer exactly full, or one byte
4346 less than full, an overflow happened when the terminating "\n" was
4347 subsequently added.
4348
4349 PH/39 Added a new log selector, "unknown_in_list", which provokes a log entry
4350 when the result of a list match is failure because a DNS lookup failed.
4351
4352 PH/40 RM_COMMAND is now used in the building process.
4353
4354 PH/41 Added a "distclean" target to the top-level Makefile; it deletes all
4355 the "build-* directories that it finds.
4356
4357 PH/42 (But a TF fix): In a domain list, Exim incorrectly matched @[] if the IP
4358 address in a domain literal was a prefix of an interface address.
4359
4360 PH/43 (Again a TF fix): In the dnslookup router, do not apply widen_domains
4361 when verifying a sender address, unless rewrite_headers is false.
4362
4363 PH/44 Wrote a long comment about why errors_to addresses are verified as
4364 recipients, not senders.
4365
4366 TF/01 Add missing LIBS=-lm to OS/Makefile-OpenBSD which was overlooked when
4367 the ratelimit ACL was added.
4368
4369 PH/45 Added $smtp_command for the full command (cf $smtp_command_argument).
4370
4371 PH/46 Added extra information about PostgreSQL errors to the error string.
4372
4373 PH/47 Added an interface to a fake DNS resolver for use by the new test suite,
4374 avoiding the need to install special zones in a real server. This is
4375 backwards compatible; if it can't find the fake resolver, it drops back.
4376 Thus, both old and new test suites can be run.
4377
4378 TF/02 Added util/ratelimit.pl
4379
4380 TF/03 Minor fix to the ratelimit code to improve its behaviour in case the
4381 clock is set back in time.
4382
4383 TF/04 Fix the ratelimit support in exim_fixdb. Patch provided by Brian
4384 Candler <B.Candler@pobox.com>.
4385
4386 TF/05 The fix for PH/43 was not completely correct; widen_domains is always
4387 OK for addresses that are the result of redirections.
4388
4389 PH/48 A number of further additions for the benefit of the new test suite,
4390 including a fake gethostbyname() that interfaces to the fake DNS resolver
4391 (see PH/47 above).
4392
4393 TF/06 The fix for widen_domains has also been applied to qualify_single and
4394 search_parents which are the other dnslookup options that can cause
4395 header rewrites.
4396
4397 PH/49 Michael Haardt's randomized retrying, but as a separate retry parameter
4398 type ("H").
4399
4400 PH/50 Make never_users, trusted_users, admin_groups, trusted_groups expandable.
4401
4402 TF/07 Exim produced the error message "an SRV record indicated no SMTP
4403 service" if it encountered an MX record with an empty target hostname.
4404 The message is now "an MX or SRV record indicated no SMTP service".
4405
4406 TF/08 Change PH/13 introduced the possibility that verify=helo may defer,
4407 if the DNS of the sending site is misconfigured. This is quite a
4408 common situation. This change restores the behaviour of treating a
4409 helo verification defer as a failure.
4410
4411 PH/51 If self=fail was set on a router, the bounce message did not include the
4412 actual error message.
4413
4414
4415 Exim version 4.52
4416 -----------------
4417
4418 TF/01 Added support for Client SMTP Authorization. See NewStuff for details.
4419
4420 PH/01 When a transport filter timed out in a pipe delivery, and the pipe
4421 command itself ended in error, the underlying message about the transport
4422 filter timeout was being overwritten with the pipe command error. Now the
4423 underlying error message should be appended to the second error message.
4424
4425 TK/01 Fix poll() being unavailable on Mac OSX 10.2.
4426
4427 PH/02 Reduce the amount of output that "make" produces by default. Full output
4428 can still be requested.
4429
4430 PH/03 The warning log line about a condition test deferring for a "warn" verb
4431 was being output only once per connection, rather than after each
4432 occurrence (because it was using the same function as for successful
4433 "warn" verbs). This seems wrong, so I have changed it.
4434
4435 TF/02 Two buglets in acl.c which caused Exim to read a few bytes of memory that
4436 it should not have, which might have caused a crash in the right
4437 circumstances, but probably never did.
4438
4439 PH/04 Installed a modified version of Tony Finch's patch to make submission
4440 mode fix the return path as well as the Sender: header line, and to
4441 add a /name= option so that you can make the user's friendly name appear
4442 in the header line.
4443
4444 TF/03 Added the control = fakedefer ACL modifier.
4445
4446 TF/04 Added the ratelimit ACL condition. See NewStuff for details. Thanks to
4447 Mark Lowes for thorough testing.
4448
4449 TK/02 Rewrote SPF support to work with libspf2 versions >1.2.0.
4450
4451 TK/03 Merged latest SRS patch from Miles Wilton.
4452
4453 PH/05 There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts
4454 with the definition in sysexits.h (which is #included earlier).
4455 Fortunately, Exim does not actually use EX_OK. The code used to try to
4456 preserve the sysexits.h value, by assuming that macro definitions were
4457 scanned for macro replacements. I have been disabused of this notion,
4458 so now the code just undefines EX_OK before #including unistd.h.
4459
4460 PH/06 There is a timeout for writing blocks of data, set by, e.g. data_timeout
4461 in the smtp transport. When a block could not be written in a single
4462 write() function, the timeout was being re-applied to each part-write.
4463 This seems wrong - if the receiver was accepting one byte at a time it
4464 would take for ever. The timeout is now adjusted when this happens. It
4465 doesn't have to be particularly precise.
4466
4467 TK/04 Added simple SPF lookup method in EXPERIMENTAL_SPF. See NewStuff for
4468 details. Thanks to Chris Webb <chris@arachsys.com> for the patch!
4469
4470 PH/07 Added "fullpostmaster" verify option, which does a check to <postmaster>
4471 without a domain if the check to <postmaster@domain> fails.
4472
4473 SC/01 Eximstats: added -xls and the ability to specify output files
4474 (patch written by Frank Heydlauf).
4475
4476 SC/02 Eximstats: use FileHandles for outputting results.
4477
4478 SC/03 Eximstats: allow any combination of xls, txt, and html output.
4479
4480 SC/04 Eximstats: fixed display of large numbers with -nvr option
4481
4482 SC/05 Eximstats: fixed merging of reports with empty tables.
4483
4484 SC/06 Eximstats: added the -include_original_destination flag
4485
4486 SC/07 Eximstats: removed tabs and trailing whitespace.
4487
4488 TK/05 Malware: Improve on aveserver error handling. Patch from Alex Miller.
4489
4490 TK/06 MBOX spool code: Add real "From " MBOX separator line
4491 so the .eml file is really in mbox format (even though
4492 most programs do not really care). Patch from Alex Miller.
4493
4494 TK/07 MBOX spool code: Add X-Envelope-From: and X-Envelope-To: headers.
4495 The latter is generated from $received_to and is only set if the
4496 message has one envelope recipient. SA can use these headers,
4497 obviously out-of-the-box. Patch from Alex Miller.
4498
4499 PH/08 The ${def test on a variable was returning false if the variable's
4500 value was "0", contrary to what the specification has always said!
4501 The result should be true unless the variable is empty.
4502
4503 PH/09 The syntax error of a character other than { following "${if
4504 def:variable_name" (after optional whitespace) was not being diagnosed.
4505 An expansion such as ${if def:sender_ident:{xxx}{yyy}} in which an
4506 accidental colon was present, for example, could give incorrect results.
4507
4508 PH/10 Tidied the code in a number of places where the st_size field of a stat()
4509 result is used (not including appendfile, where other changes are about
4510 to be made).
4511
4512 PH/11 Upgraded appendfile so that quotas larger than 2G are now supported.
4513 This involved changing a lot of size variables from int to off_t. It
4514 should work with maildirs and everything.
4515
4516 TK/08 Apply fix provided by Michael Haardt to prevent deadlock in case of
4517 spamd dying while we are connected to it.
4518
4519 TF/05 Fixed a ${extract error message typo reported by Jeremy Harris
4520 <jgh@wizmail.org>
4521
4522 PH/12 Applied Alex Kiernan's patch for the API change for the error callback
4523 function for BDB 4.3.
4524
4525 PH/13 Changed auto_thaw such that it does not apply to bounce messages.
4526
4527 PH/14 Imported PCRE 6.0; this was more than just a trivial operation because
4528 the sources for PCRE have been re-arranged and more files are now
4529 involved.
4530
4531 PH/15 The code I had for printing potentially long long variables in PH/11
4532 above was not the best (it lost precision). The length of off_t variables
4533 is now inspected at build time, and an appropriate printing format (%ld
4534 or %lld) is chosen and #defined by OFF_T_FMT. We also define LONGLONG_T
4535 to be "long long int" or "long int". This is needed for the internal
4536 formatting function string_vformat().
4537
4538 PH/16 Applied Matthew Newton's patch to exicyclog: "If log_file_path is set in
4539 the configuration file to be ":syslog", then the script "guesses" where
4540 the logs files are, rather than using the compiled in default. In our
4541 case the guess is not the same as the compiled default, so the script
4542 suddenly stopped working when I started to use syslog. The patch checks
4543 to see if log_file_path is "". If so, it attempts to read it from exim
4544 with no configuration file to get the compiled in version, before it
4545 falls back to the previous guessing code."
4546
4547 TK/09 Added "prvs" and "prvscheck" expansion items. These help a lot with
4548 implementing BATV in an Exim configuration. See NewStuff for the gory
4549 details.
4550
4551 PH/17 Applied Michael Haardt's patch for HP-UX, affecting only the os.h and
4552 Makefile that are specific to HP-UX.
4553
4554 PH/18 If the "use_postmaster" option was set for a recipient callout together
4555 with the "random" option, the postmaster address was used as the MAIL
4556 FROM address for the random test, but not for the subsequent recipient
4557 test. It is now used for both.
4558
4559 PH/19 Applied Michael Haardt's patch to update Sieve to RFC3028bis. "The
4560 patch removes a few documentation additions to RFC 3028, because the
4561 latest draft now contains them. It adds the new en;ascii-case comparator
4562 and a new error check for 8bit text in MIME parts. Comparator and
4563 require names are now matched exactly. I enabled the subaddress
4564 extension, but it is not well tested yet (read: it works for me)."
4565
4566 PH/20 Added macros for time_t as for off_t (see PH/15 above) and used them to
4567 rework some of the code of TK/09 above to avoid the hardwired use of
4568 "%lld" and "long long". Replaced the call to snprintf() with a call to
4569 string_vformat().
4570
4571 PH/21 Added some other messages to those in 4.51/PH/42, namely "All relevant MX
4572 records point to non-existent hosts", "retry timeout exceeded", and
4573 "retry time not reached for any host after a long failure period".
4574
4575 PH/22 Fixed some oversights/typos causing bugs when Exim is compiled with
4576 experimental DomainKeys support:
4577
4578 (1) The filter variables $n0-$n9 and $sn0-$sn9 were broken.
4579 (2) On an error such as an illegally used "control", the wrong name for
4580 the control was given.
4581
4582 These problems did NOT occur unless DomainKeys support was compiled.
4583
4584 PH/23 Added daemon_startup_retries and daemon_startup_sleep.
4585
4586 PH/24 Added ${if match_ip condition.
4587
4588 PH/25 Put debug statements on either side of calls to EXIM_DBOPEN() for hints
4589 databases so that it will be absolutely obvious if a crash occurs in the
4590 DB library. This is a regular occurrence (often caused by mis-matched
4591 db.h files).
4592
4593 PH/26 Insert a lot of missing (void) casts for functions such as chown(),
4594 chmod(), fcntl(), sscanf(), and other functions from stdio.h. These were
4595 picked up on a user's system that detects such things. There doesn't seem
4596 to be a gcc warning option for this - only an attribute that has to be
4597 put on the function's prototype. It seems that in Fedora Core 4 they have
4598 set this on a number of new functions. No doubt there will be more in due
4599 course.
4600
4601 PH/27 If a dnslookup or manualroute router is set with verify=only, it need not
4602 specify a transport. However, if an address that was verified by such a
4603 router was the subject of a callout, Exim crashed because it tried to
4604 read the rcpt_include_affixes from the non-existent transport. Now it
4605 just assumes that the setting of that option is false. This bug was
4606 introduced by 4.51/PH/31.
4607
4608 PH/28 Changed -d+all to exclude +memory, because that information is very
4609 rarely of interest, but it makes the output a lot bigger. People tend to
4610 do -d+all out of habit.
4611
4612 PH/29 Removed support for the Linux-libc5 build, as it is obsolete and the
4613 code in os-type was giving problems when libc.so lives in lib64, like on
4614 x86_64 Fedora Core.
4615
4616 PH/30 Exim's DNS code uses the original T_xxx names for DNS record times. These
4617 aren't the modern standard, and it seems that some systems' include files
4618 don't always have them. Exim was already checking for some of the newer
4619 ones like T_AAAA, and defining it itself. I've added checks for all the
4620 record types that Exim uses.
4621
4622 PH/31 When using GnuTLS, if the parameters cache file did not exist, Exim was
4623 not automatically generating a new one, as it is supposed to. This
4624 prevented TLS from working. If the file did exist, but contained invalid
4625 data, a new version was generated, as expected. It was only the case of a
4626 non-existent file that was broken.
4627
4628 TK/10 Domainkeys: Fix a bug in verification that caused a crash in conjunction
4629 with a change in libdomainkeys > 0.64.
4630
4631 TK/11 Domainkeys: Change the logic how the "testing" policy flag is retrieved
4632 from DNS. If the selector record carries the flag, it now has
4633 precedence over the domain-wide flag.
4634
4635 TK/12 Cleared some compiler warnings related to SPF, SRS and DK code.
4636
4637 PH/32 In mua_wrapper mode, if an smtp transport configuration error (such as
4638 the use of a port name that isn't defined in /etc/services) occurred, the
4639 message was deferred as in a normal delivery, and thus remained on the
4640 spool, instead of being failed because of the mua_wrapper setting. This
4641 is now fixed, and I tidied up some of the mua_wrapper messages at the
4642 same time.
4643
4644 SC/08 Eximstats: whilst parsing the mainlog(s), store information about
4645 the messages in a hash of arrays rather than using individual hashes.
4646 This is a bit cleaner and results in dramatic memory savings, albeit
4647 at a slight CPU cost.
4648
4649 SC/09 Eximstats: added the -show_rt<list> and the -show_dt<list> flags
4650 as requested by Marc Sherman.
4651
4652 SC/10 Eximstats: added histograms for user specified patterns as requested
4653 by Marc Sherman.
4654
4655 SC/11 Eximstats: v1.43 - bugfix for pattern histograms with -h0 specified.
4656
4657 PH/33 Patch from the Cygwin maintainer to add "b" to all occurences of
4658 fopen() in the content-scanning modules that did not already have it.
4659
4660
4661 Exim version 4.51
4662 -----------------
4663
4664 TK/01 Added Yahoo DomainKeys support via libdomainkeys. See
4665 doc/experimental-spec.txt for details. (http://domainkeys.sf.net)
4666
4667 TK/02 Fix ACL "control" statement not being available in MIME ACL.
4668
4669 TK/03 Fix ACL "regex" condition not being available in MIME ACL.
4670
4671 PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used
4672 to test Sieve filters that use "vacation".
4673
4674 PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch
4675 that changes the way the GnuTLS parameters are stored in the cache file.
4676 The new format can be generated externally. For backward compatibility,
4677 if the data in the cache doesn't make sense, Exim assumes it has read an
4678 old-format file, and it generates new data and writes a new file. This
4679 means that you can't go back to an older release without removing the
4680 file.
4681
4682 PH/03 A redirect router that has both "unseen" and "one_time" set does not
4683 work if there are any delivery delays because "one_time" forces the
4684 parent to be marked "delivered", so its unseen clone is never tried
4685 again. For this reason, Exim now forbids the simultaneous setting of
4686 these two options.
4687
4688 PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are
4689 redirected to themselves ("homonym" addresses). Read the long ChangeLog
4690 entry if you want to know the details. The fix, however, neglected to
4691 consider the case when local delivery batching is involved. The test for
4692 "previously delivered" was not happening when checking to see if an
4693 address could be batched with a previous (undelivered) one; under
4694 certain circumstances this could lead to multiple deliveries to the same
4695 address.
4696
4697 PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T
4698 in its include files, and this causes problems building Exim.
4699
4700 PH/06 A number of "verify =" ACL conditions have no options (e.g. verify =
4701 header_syntax) but Exim was just ignoring anything given after a slash.
4702 In particular, this caused confusion with an attempt to use "verify =
4703 reverse_host_lookup/defer_ok". An error is now given when options are
4704 supplied for verify items that do not have them. (Maybe reverse_host_
4705 lookup should have a defer_ok option, but that's a different point.)
4706
4707 PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as
4708 defined by RFC 821) to 2048, because there were problems with some AUTH
4709 commands, and RFC 1869 says the size should be increased for extended
4710 SMTP commands that take arguments.
4711
4712 PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony
4713 Finch).
4714
4715 PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an
4716 "unknown" error; now it says that the functionality isn't in the binary.
4717
4718 PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in
4719 an address' error message when a string expansion fails (syntax or
4720 whatever). Otherwise the password may appear in the log. Following change
4721 PH/42 below, there is no longer a chance of it appearing in a bounce
4722 message.
4723
4724 PH/11 Installed exipick version 20050225.0 from John Jetmore.
4725
4726 PH/12 If the last host in a fallback_hosts list was multihomed, only the first
4727 of its addresses was ever tried. (Bugzilla bug #2.)
4728
4729 PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed
4730 the result incorrectly in the debug output. (It correctly added a newline
4731 to what was transported.)
4732
4733 TF/01 Added $received_time.
4734
4735 PH/14 Modified the default configuration to add an acl_smtp_data ACL, with
4736 commented out examples of how to interface to a virus scanner and to
4737 SpamAssassin. Also added commented examples of av_scanner and
4738 spamd_address settings.
4739
4740 PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions
4741 and controls are allowed in which ACLs. There were a couple of minor
4742 errors. Some of the entries in the conditions table (which is a table of
4743 where they are NOT allowed) were getting very unwieldy; rewrote them as a
4744 negation of where the condition IS allowed.
4745
4746 PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer.
4747
4748 PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the
4749 header file does not have a version number, so I've had to invent a new
4750 value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new
4751 API. The code is untested by me (my Linux distribution still has 0.3.2 of
4752 radiusclient), but it was contributed by a Radius user.
4753
4754 PH/18 Installed Lars Mainka's patch for the support of CRL collections in
4755 files or directories, for OpenSSL.
4756
4757 PH/19 When an Exim process that is running as root has to create an Exim log
4758 file, it does so in a subprocess that runs as exim:exim so as to get the
4759 ownership right at creation (otherwise, other Exim processes might see
4760 the file with the wrong ownership). There was no test for failure of this
4761 fork() call, which would lead to the process getting stuck as it waited
4762 for a non-existent subprocess. Forks do occasionally fail when resources
4763 run out. I reviewed all the other calls to fork(); they all seem to check
4764 for failure.
4765
4766 PH/20 When checking for unexpected SMTP input at connect time (before writing
4767 the banner), Exim was not dealing correctly with a non-positive return
4768 from the read() function. If the client had disconnected by this time,
4769 the result was a log entry for a synchronization error with an empty
4770 string after "input=" when read() returned zero. If read() returned -1
4771 (an event I could not check), uninitialized data bytes were printed.
4772 There were reports of junk text (parts of files, etc) appearing after
4773 "input=".
4774
4775 PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages.
4776
4777 PH/22 Added support for macro redefinition, and (re)definition in between
4778 driver and ACL definitions.
4779
4780 PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then
4781 forgetting to use the resulting value; it was using the unexpanded value.
4782
4783 PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it
4784 hadn't been configured. The fix is from Juergen Kreileder, who
4785 understands it better than I do:
4786
4787 "Here's what I see happening with three configured cyrus_sasl
4788 authenticators configured (plain, login, cram-md5):
4789
4790 On startup auth_cyrus_sasl_init() gets called for each of these.
4791 This means three calls to sasl_listmech() without a specified mech_list.
4792 => SASL tests which mechs of all available mechs actually work
4793 => three warnings about OTP not working
4794 => the returned list contains: plain, login, cram-md5, digest-md5, ...
4795
4796 With the patch, sasl_listmech() also gets called three times. But now
4797 SASL's mech_list option is set to the server_mech specified in the the
4798 authenticator. Or in other words, the answer from sasl_listmech()
4799 gets limited to just the mech you're testing for (which is different
4800 for each call.)
4801 => the return list contains just 'plain' or 'login', 'cram-md5' or
4802 nothing depending on the value of ob->server_mech.
4803
4804 I've just tested the patch: Authentication still works fine,
4805 unavailable mechs specified in the exim configuration are still
4806 caught, and the auth.log warnings about OTP are gone."
4807
4808 PH/25 When debugging is enabled, the contents of the command line are added
4809 to the debugging output, even when log_selector=+arguments is not
4810 specified.
4811
4812 PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the
4813 answer is "GNU", and only if the return is "GNU/something" is the answer
4814 "Linux".
4815
4816 PH/27 $acl_verify_message is now set immediately after the failure of a
4817 verification in an ACL, and so is available in subsequent modifiers. In
4818 particular, the message can be preserved by coding like this:
4819
4820 warn !verify = sender
4821 set acl_m0 = $acl_verify_message
4822
4823 Previously, $acl_verify_message was set only while expanding "message"
4824 and "log_message" when a very denied access.
4825
4826 PH/28 Modified OS/os.c-Linux with
4827
4828 -#ifndef OS_LOAD_AVERAGE
4829 +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__)
4830
4831 to make Exim compile on kfreebsd-gnu. (I'm totally confused about the
4832 nomenclature these days.)
4833
4834 PH/29 Installed patch from the Sieve maintainer that adds the options
4835 sieve_useraddress and sieve_subaddress to the redirect router.
4836
4837 PH/30 In these circumstances:
4838 . Two addresses routed to the same list of hosts;
4839 . First host does not offer TLS;
4840 . First host accepts first address;
4841 . First host gives temporary error to second address;
4842 . Second host offers TLS and a TLS session is established;
4843 . Second host accepts second address.
4844 Exim incorrectly logged both deliveries with the TLS parameters (cipher
4845 and peerdn, if requested) that were in fact used only for the second
4846 address.
4847
4848 PH/31 When doing a callout as part of verifying an address, Exim was not paying
4849 attention to any local part prefix or suffix that was matched by the
4850 router that accepted the address. It now behaves in the same way as it
4851 does for delivery: the affixes are removed from the local part unless
4852 rcpt_include_affixes is set on the transport.
4853
4854 PH/32 Add the sender address, as F=<...>, to the log line when logging a
4855 timeout during the DATA phase of an incoming message.
4856
4857 PH/33 Sieve envelope tests were broken for match types other than :is. I have
4858 applied a patch sanctioned by the Sieve maintainer.
4859
4860 PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where
4861 the uid or gid is negative. A case of a negative gid caused this to be
4862 noticed. The fix allows for either to be negative.
4863
4864 PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code
4865 clutter, but the tables that are indexed by ACL_WHERE_xxx values had been
4866 overlooked.
4867
4868 PH/36 The change PH/12 above was broken. Fixed it.
4869
4870 PH/37 Exim used to check for duplicate addresses in the middle of routing, on
4871 the grounds that routing the same address twice would always produce the
4872 same answer. This might have been true once, but it is certainly no
4873 longer true now. Routing a child address may depend on the previous
4874 routing that produced that child. Some complicated redirection strategies
4875 went wrong when messages had multiple recipients, and made Exim's
4876 behaviour dependent on the order in which the addresses were given.
4877
4878 I have moved the duplicate checking until after the routing is complete.
4879 Exim scans the addresses that are assigned to local and remote
4880 transports, and removes any duplicates. This means that more work will be
4881 done, as duplicates will always all be routed, but duplicates are
4882 presumably rare, so I don't expect this is of any significance.
4883
4884 For deliveries to pipes, files, and autoreplies, the duplicate checking
4885 still happens during the routing process, since they are not going to be
4886 routed further.
4887
4888 PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner.
4889 It corrects a timeout issue with spamd. This is Ian's comment: "The
4890 background is that sometimes spamd either never reads data from a
4891 connection it has accepted, or it never writes response data. The exiscan
4892 spam.[ch] uses a 3600 second timeout on spamd socket reads, further, it
4893 blindly assumes that writes won't block so it may never time out."
4894
4895 PH/39 Allow G after quota size as well as K and M.
4896
4897 PH/40 The value set for $authenticated_id in an authenticator may not contain
4898 binary zeroes or newlines because the value is written to log lines and
4899 to spool files. There was no check on this. Now the value is run through
4900 the string_printing() function so that such characters are converted to
4901 printable escape sequences.
4902
4903 PH/41 $message_linecount is a new variable that contains the total number of
4904 lines in the message. Compare $body_linecount, which is the count for the
4905 body only.
4906
4907 PH/42 Exim no longer gives details of delivery errors for specific addresses in
4908 bounce and delay warning messages, except in certain special cases, which
4909 are as follows:
4910
4911 (a) An SMTP error message from a remote host;
4912 (b) A message specified in a :fail: redirection;
4913 (c) A message specified in a "fail" command in a system filter;
4914 (d) A message specified in a FAIL return from the queryprogram router;
4915 (e) A message specified by the cannot_route_message router option.
4916
4917 In these cases only, Exim does include the error details in bounce and
4918 warning messages. There are also a few cases where bland messages such
4919 as "unrouteable address" or "local delivery error" are given.
4920
4921 PH/43 $value is now also set for the "else" part of a ${run expansion.
4922
4923 PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still
4924 being worked on, but at least Exim now implements the latest version to
4925 play with."
4926
4927 PH/45 In a pipe transport, although a timeout while waiting for the pipe
4928 process to complete was treated as a delivery failure, a timeout while
4929 writing the message to the pipe was logged, but erroneously treated as a
4930 successful delivery. Such timeouts include transport filter timeouts. For
4931 consistency with the overall process timeout, these timeouts are now
4932 treated as errors, giving rise to delivery failures by default. However,
4933 there is now a new Boolean option for the pipe transport called
4934 timeout_defer, which, if set TRUE, converts the failures into defers for
4935 both kinds of timeout. A transport filter timeout is now identified in
4936 the log output.
4937
4938 PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On
4939 systems where "make" and "gmake" are different, calling "gmake" at top
4940 level broke things. I've arranged for the value of $(MAKE) to be passed
4941 from the Makefile to this script so that it can call the same version of
4942 "make".
4943
4944
4945 A note about Exim versions 4.44 and 4.50
4946 ----------------------------------------
4947
4948 Exim 4.50 was meant to be the next release after 4.43. It contains a lot of
4949 changes of various kinds. As a consequence, a big documentation update was
4950 needed. This delayed the release for rather longer than seemed good, especially
4951 in the light of a couple of (minor) security issues. Therefore, the changes
4952 that fixed bugs were backported into 4.43, to create a 4.44 maintenance
4953 release. So 4.44 and 4.50 are in effect two different branches that both start
4954 from 4.43.
4955
4956 I have left the 4.50 change log unchanged; it contains all the changes since
4957 4.43. The change log for 4.44 is below; many of its items are identical to
4958 those for 4.50. This seems to be the most sensible way to preserve the
4959 historical information.
4960
4961
4962 Exim version 4.50
4963 -----------------
4964
4965 1. Minor wording change to the doc/README.SIEVE file.
4966
4967 2. Change 4.43/35 introduced a bug: if quota_filecount was set, the
4968 computation of the current number of files was incorrect.
4969
4970 3. Closing a stable door: arrange to panic-die if setitimer() ever fails. The
4971 bug fixed in 4.43/37 would have been diagnosed quickly if this had been in
4972 place.
4973
4974 4. Give more explanation in the error message when the command for a transport
4975 filter fails to execute.
4976
4977 5. There are several places where Exim runs a non-Exim command in a
4978 subprocess. The SIGUSR1 signal should be disabled for these processes. This
4979 was being done only for the command run by the queryprogram router. It is
4980 now done for all such subprocesses. The other cases are: ${run, transport
4981 filters, and the commands run by the lmtp and pipe transports.
4982
4983 6. Added CONFIGURE_GROUP build-time option.
4984
4985 7. Some older OS have a limit of 256 on the maximum number of file
4986 descriptors. Exim was using setrlimit() to set 1000 as a large value
4987 unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these
4988 systems. I've change it so that if it can't get 1000, it tries for 256.
4989
4990 8. "control=submission" was allowed, but had no effect, in a DATA ACL. This
4991 was an oversight, and furthermore, ever since the addition of extra
4992 controls (e.g. 4.43/32), the checks on when to allow different forms of
4993 "control" were broken. There should now be diagnostics for all cases when a
4994 control that does not make sense is encountered.
4995
4996 9. Added the /retain_sender option to "control=submission".
4997
4998 10. $recipients is now available in the predata ACL (oversight).
4999
5000 11. Tidy the search cache before the fork to do a delivery from a message
5001 received from the command line. Otherwise the child will trigger a lookup
5002 failure and thereby defer the delivery if it tries to use (for example) a
5003 cached ldap connection that the parent has called unbind on.
5004
5005 12. If verify=recipient was followed by verify=sender in a RCPT ACL, the value
5006 of $address_data from the recipient verification was clobbered by the
5007 sender verification.
5008
5009 13. The value of address_data from a sender verification is now available in
5010 $sender_address_data in subsequent conditions in the ACL statement.
5011
5012 14. Added forbid_sieve_filter and forbid_exim_filter to the redirect router.
5013
5014 15. Added a new option "connect=<time>" to callout options, to set a different
5015 connection timeout.
5016
5017 16. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0
5018 was its contents. (It was OK if the option was not defined at all.)
5019
5020 17. A "Completed" log line is now written for messages that are removed from
5021 the spool by the -Mrm option.
5022
5023 18. New variables $sender_verify_failure and $recipient_verify_failure contain
5024 information about exactly what failed.
5025
5026 19. Added -dd to debug only the daemon process.
5027
5028 20. Incorporated Michael Haardt's patch to ldap.c for improving the way it
5029 handles timeouts, both on the server side and network timeouts. Renamed the
5030 CONNECT parameter as NETTIMEOUT (but kept the old name for compatibility).
5031
5032 21. The rare case of EHLO->STARTTLS->HELO was setting the protocol to "smtp".
5033 It is now set to "smtps".
5034