Change log file for Exim from version 3.951 to 4.20 --------------------------------------------------- Exim version 4.20 ----------------- 1. If data for an authentication interaction was just the string "=", indicating an empty string, Exim was not setting up the numerical variable correctly. In some situations, this could cause a crash - in others, it might have passed unnoticed. 2. Changed signal(SIGTERM, command_sigterm_handler) in smtp_in.c to use os_non_restarting_signal() for tidiness; in practice this doesn't actually matter because the handler terminates the process. 3. Refactoring: (a) In some (but not all) places where Exim applies timers using alarm(), it was resetting the SIGALRM handler afterwards, but sometimes to SIG_IGN and sometimes to SIG_DFL. In other words, it was a mess. In fact, this reset is not necessary, because after alarm(0) there is no possibility of receiving a SIGLARM signal. So I've just removed them all. (b) The daemon.c module had its own SIGALRM handler, which was unnecessary. I changed it to use the handler that is used (almost) everywhere else. (c) Almost all uses of SIGALRM use the same handler, but it was being set by signal() all over the place. Now it is set at the start, and it resets itself every time it is called, so it remains enabled throughout. The few places that use a different handler reset to the "standard" one afterwards. (d) The setting of the SIGTERM handler while reading SMTP commands was done somewhat untidily. I have re-arranged the code. 4. If the building process was interrupted during the MakeLinks script, a subsequent run of 'make' gave misleading errors. I've made it a bit more robust against this case. If there appears to be a half-made set of links, an error message suggests that the user should remove the build directory and start again. 5. For compatibility with other MTAs, -f "" is now accepted as synonymous with -f "<>". 6. Upgraded to PCRE 4.1. 7. If a domain list contained @mx_any, or @mx_secondary, and the DNS contained secondary MX records for a domain, but all the other MX (higher priority) records pointed to non-existent hosts, Exim was behaving as if the domain did not match the list item. This has been fixed. 8. Upgraded eximstats to 1.27. 9. It was reported that change 4.14/46(b) caused problems on some systems with older libraries. There is now an option that can be set in Local/Makefile (or in a operating system Makefile): IPV6_USE_INET_PTON=yes If this is done, Exim reverts to using inet_pton() to convert a textual IPv6 address for actual use, instead of getaddrinfo(), as it did in versions before 4.14. Of course, this means that the additional functionality of getaddrinfo() - recognizing scoped addresses - is lost. 10. Update for PostgreSQL to match 4.14/14: after an insert, delete, or update command, the result is the number of rows affected. 11. If smtp_banner expanded to an empty string, no greeting line was sent, thus causing the client to time out. An empty 220 response is now sent. 12. An empty argument was logged as a null string by the "arguments" log selector. Now empty strings and arguments that contain whitespace are surrounded by quotes. 13. The "arguments" log selector now also logs the current working directory when Exim is called. 14. Added a couple more debugging calls to tls-openssl. 15. Changed the name of the global variable ldap_version because some LDAP library uses the same name, which causes a clash. It's now called eldap_version. While I was at it, I changed the other two global variables, ldap_default_servers and ldap_dn. 16. If an address that is verified in an ACL is redirected to a single address, Exim verifies the child (this is not new). However, the value of $address_ data that was being returned was the value from the parent. It is now the value from the child. 17. Re-arranged the code for rda_is_filter() to make it easier to add other filter types in future. 18. Removed the filter test function from filter.c and put it into its own source file, again to make things easier for multiple filter types. 19. To help those people who are maintaining a patch for dynamically loaded local_scan() functions, I have added #define LOCAL_SCAN_ABI_VERSION_MAJOR 1 #define LOCAL_SCAN_ABI_VERSION_MINOR 0 to the local_scan.h file. 20. The variables $tls_certificate_verified, $tls_cipher, and $tls_peerdn now exist even when Exim is not compiled with TLS support. 21. If an empty user name was sent by a client for a LOGIN authentication, it was not put into $1; instead, the password ended up in $1 (instead of in $2). 22. When creating a temporary file in the appendfile transport for a per-file delivery not in maildir or mailstore format (that is, in the old Smail format - I wonder if anyone uses this?), Exim was opening the file without O_EXCL, which is a bit unsafe. 23. The output from the ${stat: expansion operator was being formatted using %d which expects an integer; in many (most) systems size_t is off_t, which is actually a long or even a longlong, and in some cases this caused incorrect data to be output. The formatting is now done using %ld, with the values all explicitly cast to (long). 24. Callout caching was failing to cache a negative response to a "random" address check. 25. If a daemon was started with -qsomething and not -bd, and deliver_drop_ privilege was set, and a pid file was specified with -oP, and the pid file did not previously exist, it was created with owner exim instead of owner root. 26. verify=sender was not being allowed in a non-SMTP ACL. 27. Under some error conditions, the socket used for ident calls could be left open. 28. Added acl_smtp_helo, because some people seem to want it. 29. For hosts that match helo_verify_hosts, the error given when a MAIL command is received without HELO or EHLO has been changed from 550 to 503 (which means "bad sequence of commands"). 30. Installed PCRE 4.2. 31. The quota_size_regex option for the appendfile transport was broken in that a terminating zero was omitted from the string that was extracted for the size. If it happened that digits followed in the memory to which it was copied, an incorrect (too large) size was then used. 32. Change 4.14/32 (iv) introduced a bug in the case when the "phrase" part of a rewritten address did *not* contain any special characters. The generated address was mangled. 33. Several items of refactoring from Michael Haardt: . Introduction of "const" in a number of places . Use memcpy() instead of strncpy() in string_cat() . Add HAVE_ICONV to Linux file, for external users (Exim doesn't use it) [Later: From 4.21, Exim *does* use it.] . Preparation for adding additional types of filter file 34. Changed (incompatibly, but hopefully not so it affects anyone) the appendfile transport in the case when it is called directly as a result of a .forward or a filter file requesting a delivery to a file. Previously, any settings of "file" or "directory" were ignored in this case. Now they are used. The path received from the router is in $address_file (as before) and can therefore be included in the expansion. 35. If a "save" command in a filter specifies a non-absolute path, the value of $home/ is pre-pended. This no longer happens if $home is unset or is an empty string. It is expected that the transport will complete the path (see 34 above). If there is an error before the path is complete, the local part is logged as "save xxxx". 36. If multiple "to file" deliveries are routed to the same transport, no batching ever takes place, whatever the value of batch_max. 37. If an address was redirected to an unqualified local part preceded by a backslash, Exim was qualifying it with the qualify_domain, instead of with the incoming domain. 38. Minor rewording: header lines can be added by MAIL as well as RCPT: the debug line mentioned only RCPT. 39. DESTDIR is the more common variable that ROOT for use when installing software under a different root filing system. The Exim install script now recognizes DESTDIR first; if it is not set, ROOT is used. 40. If DESTDIR is set when installing Exim, it no longer prepends its value to the path of the system aliases file that appears in the default configuration (when a default configuration is installed). If an aliases file is actually created, its name *does* use the prefix. 41. If an item in log_file_path was an empty string, Exim wrote the log to the log directory in the spool directory. Now it takes notice of the setting of LOG_FILE_PATH in Local/Makefile, and uses the first non-empty, non-"syslog" item from that list. If there are none, it uses the ultimate default of the spool directory. 42. If there is a Reply-to: header line, but it is empty, $reply_address now contains the From: address instead of being empty. 43. Added -no-cpp-precomp to CFLAGS in OS/Makefile-Darwin. Without this, the compiler provides a string for __DATE__ that does not conform to the specification in the C standard. The option disables precompiled headers, which should not have any bad effects, as pre-compiled headers are supposedly just a performance enhancement at compile time. 44. Refactoring: as there is now a flag that specifies whether or not a home directory that is passed with an address is already expanded, we no longer need the \N...\N fudge for home directories extracted from the password data. 45. Fixed an infelicity introduced by 4.14/71: The defaulting of the prefix, suffix, and check string stuff in appendfile was happening when no directory was supplied. Now it happens if no directory is supplied AND maildir has not been specified. 46. If expansion of the serverpassword in a spa authenticator or expansion of server_condition in a plaintext authenticator is forced to fail, authentication now fails (previously it gave a temporary error, which is what happens for other expansion failures). This brings these authenticators into line with cram_md5, where expansion of server_secret has always behaved like this. 46. Added new syslog facilities (courtesy Oliver Gorwits): (i) SYSLOG_LOGS_PID and LONG_SYSLOG_LINES in src/EDITME. (ii) syslog_facility and syslog_processname main options. 47. Callout was using only the hosts from the router, ignoring the transport. This has been changed. If (a) the router does not set up hosts (e.g. it's an accept router) or (b) the smtp transport that is routed to has hosts_override set, then the transport's hosts are used for callout checking. 48. When named lists were nested, and an inner list was resolved by a lookup that saved data for, e.g. $domain_data, the data was associated with just the outer list, though both were cached, so if a subsequent test was done for the inner list, there was no domain data. Example: domainlist A = lsearch;/a/b domainlist B = lsearch;/c/d domainlist C = +A : +B A test on +C that matched, followed by a test on +A or +B would provoke this bug. Now the data is saved with both the inner and the outer lists. 49. When the log selector +address_rewrite is turned on, the log lines now show where the rewritten address came from (which header line, envelope field, or an SMTP command). 50. If an integer or fixed point configuration value is too big to fit in a 32-bit int, Exim now writes an error to the panic log and dies. 51. Unknown SMTP commands are now assumed to be ones that need synchronization; this means that a packet that contains more than one of them will cause the connection to be dropped as soon as the first one is encountered. 52. The "control" feature of ACLs was not permitted for the MAIL ACL (an oversight). It now is allowed. 53. Added the "discard" verb to ACLs. 54. Fixed a theoretical bug observed by reading the code: if local_scan() changed the number of recipients, output from the received_recipients log selector would be incorrect. 55. Added HAVE_ICONV to the os.h files for Linux, Solaris, HP-UX. This is for use in the forthcoming Sieve addition to Exim. 56. The behaviour of -t in the presence of Resent- headers has been changed, for compatibility with Sendmail and other MTAs. Previously, Exim gave an error, because it is not clear from RFC 2822 how this might be handled. It turns out that MUAs don't seem to follow what RFC 2822 says, and any MUA that uses -t with Resent- ensures that there is only one set of Resent- header lines (usually by renaming others to X-Resent-xxx). So now Exim will take recipients from all the Resent- header lines instead of the usual ones. Exim version 4.14 ----------------- 1. Found another case where SIGCHLD is being ignored (a child process for handling a filter file) and so the wait() doesn't find the subprocess. This came to light as a result of extra logging introduced as part of the 4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default (i.e. to be noticed) for this particular subprocess. (It already has this code for other cases where it uses subprocesses.) 2. If ${run appeared in part of a conditional item that was being skipped, the actual running of the command was not being skipped. 3. A bit of code tidying (refactoring): there were two functions that built strings containing a host name and ident value for logging. There is now only one. It is called in some additional places where previously just the host name and address were given, so the wording of some log lines has changed slightly. 4. Added support for Unix domain socket connection to PostgreSQL. 5. The number of unknown SMTP commands that Exim will accept before dropping a connection can now be changed by smtp_max_unknown_commands. The default value is 3. Previously, a fixed value of 5 was used. The final command is now included in the log line. 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as assumed by the exicyclog script. I've implemented a "look for it" feature that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for the commands chown, chgrp, mv, and rm if configured, and turned on this feature for Linux. This should cope with old Linuxes that use /usr/bin. 7. Implemented .ifdef etc. 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while running local_scan(), so that crashes therein get caught. A temporary error response is sent for an SMTP message, and the spool is cleaned up. Previously, a -D file was left lying around if there was a crash in local_scan(). 9. The ${quote: operator has been changed so that it turns newline and carriage return characters into \n and \r, respectively. 10. Added support for crypt16(). 11. Some restrictions on the use of "verify" in ACLs were too restrictive, and have been relaxed. In particular, "verify = sender" is now permitted in the ACL for the MAIL command, as well as those for RCPT and DATA. 12. If local_scan() sets up recipient or errors_to addresses that are unqualified (local parts without a domain) Exim now qualifies them using the qualify_recipient domain. 13. White space at the start of continuation lines in -be input was not being ignored. 14. Previously, if a MySQL query was issued that did not request any data (an insert, update, or delete command), Exim gave a lookup error and deferred. This case is now recognized, and the result of the lookup is now the number of rows affected. 15. A configuration error is given if tls_try_verify_hosts is set and tls_verify_certificates is not set. (Exim already did this for tls_verify_hosts.) 16. Exim was trying to create a non-existent hints database even when it was just opening it for reading. It called the creating function with the O_RDONLY and O_CREAT flags. This works with many DB libraries, but it not with DB 1.85, where a subsequent attempt to use the database gave the error "Inappropriate file type or format". Exim now creates hints databases only when it wants to open them for writing. 17. If an ACL condition test set a default "message" value without a "log_message" value, and there were no overriding messages in the ACL itself, no message was logged. The user message is now logged. 18. If callout made a connection, but it was dropped before the initial welcome response was received, Exim logged "response to initial connection was" with no further text. It now logs that the connection was dropped. The wording of the logging for callout defers has been slightly changed so as to reduce duplication. 19. When multiple messages were sent using TLS over one connection, the additional required EHLO that follows STARTTLS was being counted as a nonmail command, and thus causing a problem if there were a lot of messages. Similarly, a new AUTH that followed STARTTLS was being counted. It is now possible to run with smtp_accept_max_nonmail set to zero in these and other "normal" circumstances. 20. During verify=sender, global rewriting rules are applied to the sender address, and if it changes, $sender_address becomes the rewritten version. Unfortunately, it was not getting updated until after the routers had been run, so that if a router referred to $sender_address while verifying a sender, the unrewritten value was used. 21. The "random address" callout test was being done after the other tests. This is silly, because if the host accepts all local parts, there isn't any point in doing the other, more specific, tests. I changed things around so that the "random" test (if configured) is done first. 22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the a postmaster address are rejected. Also include these words when a rejection happens because of caching (when there isn't an actual SMTP command/result to reflect). 23. A new router condition called "address_test" (default true) can be used to skip routers when testing addresses using -bt (compare no_verify). This can be a convenience when your first router sends stuff to an external scanner. 24. Testing for deliver_queue_load_max was happening inside the delivery sub-process, when it could have happened outside, in the queue runner (thus saving one process). This was a hangover from Exim 3, where there were other load tests to be done. The code has been tidied. 25. Code tidy: the driver_info generic structure contained a field that might, on 64-bit systems, not have been compatible with the fields in the structures of which it is supposed to be a subset. It turns out that this field and another are not actually used generically, so removing them from the structure solves the problem. 26. Added server_advertise_condition to authenticators. 27. The exim_checkaccess utility wasn't sending a HELO command; this matters now that it's possible to have an ACL that checks HELO/EHLO. 27. Added the ldap_version option to force a specific LDAP version. 28. Renamed the variable verify_address in exim.c as verify_address_mode, because it had the same name as the verify_address() function, which was confusing. 29. Added authenticated_sender to the smtp transport. 30. When the skip_syntax_errors option is applied to a filter file, it covers all filtering errors, some of which may not be strictly "syntax" (for example, failure to open a log file). The wording of the message has been changed to use "error" instead of "syntax error", to reduce confusion. Also the subject of the message sent by syntax_errors_to is now "error(s) in forwarding or filtering" instead of "syntax error(s) in address expansion". 31. Added -restore-times to the exim_lock utility. 32. Changes to the handling of the "phrase" parts of email addresses: (i) Re-organized the code to use a supplied instead of an implied buffer, and a length instead of expecting a terminated string. (ii) Changed from using the macro mac_isprint() to an explicit test for ASCII non-printing characters, because the macro pays attention to print_topbitchars, which is not correct here. (iii) If a rewritten address contained a "phrase" (whether or not the "w" flag was present on the rewrite rule), but the actual address was unqualified (had no domain) and was expected to be qualified by the "Q" flag, Exim screwed up and created an illegal address. (iv) When a header address is rewritten by a rule that includes the "w" flag, the parts of the address outside <> are now encoded according to RFC 2047 if necessary (assuming ISO-8859-1 encoding). 33. Added the ${rfc2047 and ${from_utf8 expansion operators. 34. The file names used for maildir deliveries have been changed, to accomodate operating systems that may re-use a PID within one second. The file name now include the microsecond time fraction, and the delivery process does not exit until the clock is at least one microsecond after the time used in the file name. The code copes with the clock going backwards (it waits till time catches up). 35. The rules for creating message ids have been changed to allow for the fact that a PID may be re-used within one second. As part of this change, the range of localhost_number has been reduced to 0-16 for most systems, and 0-10 for those with case-insensitive file systems (Cygwin, Darwin). 36. Code tidy: there was a local count of non-TCP/IP messages that duplicated the global receive_messagecount (used for accept_queue_per_connection). 37. verify = header_syntax was allowing unqualified addresses in all cases. Now it allows them only for locally generated messages and from hosts that match sender_unqualified_hosts or recipient_unqualified_hosts, respectively. 38. If PAM was called with an empty first string, it called the data function to get the user name, thereby getting the second string by mistake. If this was also null (empty passwords are permitted), there was an infinite loop. An empty user name is not now passed to PAM; authentication is forcibly failed instead. Also, if the end of the list of strings is reached, an empty string is passed back just once; a subsequent call for data provokes an error response. 39. If a reverse DNS lookup yields an empty string, treat it as if the lookup failed. (Apparently such records have been seen. Sigh.) 40. Added the -bnq command line option to suppress automatic qualification of addresses in locally submitted messages. 41. Header texts supplied by options to the autoreply transport may now contain newlines that are followed by whitespace. (This was allowed from a filter, but not from the transport.) 42. Patch for < > problems in eximstats 1.23. 43. Re-arranged the code to make it easier in future to add additional filter types. 44. Added support for changing the connection timeout in LDAP; this is something that's available in Netscape SDK 4.1. Exim uses the given value if LDAP_X_OPT_CONNECT_TIMEOUT is defined. 45. When Exim was setting a daemon listener on multiple interfaces, including listening on "all IPv6" and "all IPv4" interfaces, it was binding all the sockets, and then calling listen() for each of them. On some IP stacks, a listen for "all IPv4" fails after listening for "all IPv6" because a single socket catches both kinds of call. Exim coped with this, but it turns out that on a USAGI-patched Linux, this logic doesn't work unless the "listen", as well as the "bind" has been done for the IPv6 socket first. The order of the functions has now been changed. Instead of "bind, bind ... listen, listen..." it now does "bind, listen, bind, listen, ...". Also, the failure happens in the bind() rather than in the listen(), so there are now two checks, which hopefully will handle all kinds of IP stack. 46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in principle, have the same link-local addresses on different interfaces. Thus, they need to be distinguished, and a convention of using a percent sign followed by something (often the interface name) is being used, for example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made to accommodate this: (a) A percent sign followed by an arbitrary string is allowed at the end of an IPv6 address. (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual IPv6 address for actual use. This function recognizes the percent convention in some operating systems. 47. Additional debugging inserted for the case of forced failure when expanding an item in a list. 48. A new debugging selector +expand has been added. This is not included in the default set of selectors. It requests detailed debugging information for string expansions. 49. Failure to open the main log results in a panic-die, but the original line that was being logged could be lost. It is now output to stderr if there is a stderr file. 50. When Exim starts, it checks for the existence of its spool directory, and creates it if necessary. Unfortunately, it was doing this after the code for logging arguments. Thus, if the spool did not exist, trouble ensued. 51. The log line for an ACL warning after a sender verify callout failure was not showing the details, unlike the log line for a deny. They are now shown in a similar way. 52. For reasons lost in the mists of time, when a pipe transport was run, the environment variable MESSAGE_ID was set to the message ID preceded by 'E' (the form used in Message-ID: header lines). The 'E' has been removed. 53. Updated the QNX configuration files for QNX 6.2.0. 54. The "*@" type partial matching for single-key lookups was broken in releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't going on to look for "*". 55. Included eximstats 1.25 in the source tree. 56. Changed log wording from "Authentication failed" to " authenticator failed", where is the name of the authenticator. 57. gcc 3.2.2 warned about a selection of places where string casts were needed. 58. Exim monitor: the use of one_time redirection could cause addresses to be displayed with incorrect "parent" addresses after the one_time re-arrangement had taken place. They should be shown with no parents, because the parentage has been removed. 59. Arranged to keep independent timestamps for postmaster and random checks in callouts, and not to do unnecessary tests for postmaster when testing individual addresses. 60. Incorporated PCRE release 4.0. 61. Added ${hex2b64: operator. 62. Added $tod_zulu. 63. Added ${strlen: operator. 64. Added ${stat: operator. 65. When Exim is receiving multiple messages on a single connection, and spinning off delivery processess, it sets the SIGCHLD signal handling to SIG_IGN, because it doesn't want to wait for these processes. However, because on some OS this didn't work, it also has a paranoid call to waitpid() in the loop to reap any children that have finished. Some versions of Linux now complain (to the system log) about this "illogical" call to waitpid(). I have therefore put it inside a conditional compilation, and arranged for it to be omitted for Linux. 66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use during ACL processing. 67. Added "defer" command to system filter. 68. X options such as -bg or -geometry that were added to an eximon command were being lost as a result of a bug introduced by 4.12/6. 69. The "more" and "unseen" generic router options can now be expanded strings. 70. The "once_repeat" option in the autoreply transport is now an expanded string. 71. If maildir_format is set on an appendfile transport that is referenced from an file_transport setting in a redirect router, it forces maildir delivery, even if the path given in the filter does not end with '/'. 72. Fixed three bugs in ${readsocket: (i) If the operation failed, and a failure string was given, "}}" was erroneously added to it. (ii) If the operation succeeded, but a failure string was present, "}" was added to the expanded data. (iii) The alarm for the timeout was set with signal() instead of with os_non_restarting_signal(), which meant that it only worked on those OS whose default is not to restart an interrupted system call. 73. A complete host name (no wildcards) in a host list causes a forward lookup for the IP address. If this failed, Exim was behaving as if the host didn't match the list, instead of giving an error (as it does when a reverse lookup fails). 74. If router_home_directory was passed on as a home directory for a local transport, it was being re-expanded in the transport. This has been changed so that the expanded value is passed from the router to the transport, and no re-expansion takes place. 75. When a redirect router generated a pipe, file, or autoreply, the values of $domain_data and $localpart_data were not being propagated to the transport. 76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in local_scan.h so that they are available to local_scan() functions. 77. Changes to the SMTP PIPELINING support: (1) Exim used always to accept pipelined commands, even when it hadn't advertised PIPELINING (i.e. when EHLO had not been received). Now it objects unless PIPELINING has been advertised. (2) Advertising PIPELINING to specific hosts can be disabled via the new option pipelining_advertise_hosts. 78. The acl_smtp_connect ACL was not being run for -bs input when no IP address was supplied via -oMa. 79. A "mail" command in a filter could cause a crash if the list of recipients for the "to:" line was excessively long - this showed up in a reply to a message with a ridiculously long Reply_to: header line. 80. Added allow_utf8_domains. 81. Added $rh_ and $rheader for "raw" header expansion. 82. Added smtp_accept_max_nonmail_hosts. 83. Extended ${stat (see 64 above) to add smode=symbolic mode. 84. Added default logging for host and IP lookup failures, with a log selector called host_lookup_failed to turn it off. 85. Added header_maxsize and header_line_maxsize. 86. If a RCPT ACL made use of "verify = sender" without callout, followed by another use with callout, and the callout failed, the caching was broken such that for a subsequent RCPT command, the first callout failed incorrectly. The caching of sender verification has been fixed so that it now remembers that the routing succeeded even when the callout fails. 87. Added errno and strerror(errno) to the log line for a failure to lock the -D file when receiving a message. 88. If router with check_local_user set up a local delivery, and no user was specified on the transport, and errors_to on the router specified an address whose verification also invoked check_local_user, the wrong uid/gid was used for the transport. It used the uid/gid of the errors_to address instead of the uid/gid of the original local part. 89. If log_file_path=:syslog was set, to use the default log path and also syslog, and check_log_space was also set, Exim was confused, and refused to accept messages, giving the error "cannot find slash in ". 90. If a router stripped a prefix or a suffix from a local part, and then routed that address to an smtp or lmtp transport, the address that was sent in the RCPT command did not have the affixes stripped. 91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT command did not preserve the case of the envelope address, as it is supposed to. Exim version 4.13 ----------------- There was no 4.13. I accidentally put out a fixed version of 4.12 (a typo was discovered very soon after release) that verified itself as 4.13. This too was hastily fixed, but it seems best not to use the number, to avoid confusion. Exim version 4.12 ----------------- 1. Update to change 4.11/82: for the max number of processes, set RLIM_INFINITY if it is defined. 2. An expansion ${run{xxx}} where xxx was a successful command that produced no output caused Exim to crash. 3. Some artificial delays of 1 second existed when running in the test harness, to ensure repeatability of debugging output. Now that we have the millisleep() function, these can be shorter. 4. Change 4.11/30 below overlooked the case when an address gets a 4xx response from a server. Because this isn't a host problem, the host does not get delayed, and it gets tried every time the address is OK'd for routing, with the same response. However, if hosts_max_try is set, because not all the hosts were tried, the address does not time out. I've changed things so that if there is a 4xx response to a RCPT command, the host in question does not count towards hosts_max_try if the message is older than the host's maximum retry time. This means that other hosts are always tried in this circumstance; if the address gets 4xx errors from all of them, it will eventually time out. 5. If a retry rule for a host had no actual retry times specified, it could cause a crash when checking the ultimate address timeout. (Very old bug, spotted in passing, so probably never bothered anybody.) 6. Change 135 below broke the following scripts when a list of configuration files was given: exicyclog, exim_checkaccess, eximon, exinext, and exiwhat. In practice, if exim_path was not specified in the configuration file (a common case), things would probably work OK. However, the use of CONFIGURE_FILE_USE_NODE definitely did not work. These scripts have now been updated to fix this problem. They now search for the configuration file in the same way Exim itself does: for each name in the list, the "noded" file is tried first, then the unsuffixed file. 7. If a WARN verb in an ACL did not specify an explicit "message" modifier, and was triggered by a failing sender or recipient verification, the response that would have been sent as an SMTP message for a DENY verb was incorrectly being added to the message's headers. 8. I screwed up change 4.11/155. For lookup types whose names were prefixes of other lookup types (e.g. nis and nisplus, dbm and dbmnz), the new search function didn't do the correct comparison, meaning that the wrong lookup type could be found. 9. Solaris seems to be one of the LDAPs that doesn't have the lud_scheme member of the LDAPURLDesc structure. Since the check that is made on it is only to double check that a path is given for ldapi, I've just removed the test in the Solaris case. 10. The modified TextPop.c source in the Exim monitor had declarations of errno and sys_nerr which never were actually referenced. The second of these caused trouble on Darwin, so I've removed both of them. Why were they there? Who knows? This is ancient X code... 11. The DEFER ACL verb crashed if no "message" modifier was set. 12. The check on incoming messages that gives the error "too many non-mail commands" was too strict. In the case of Exim sending to Exim, when the client has queued messages for the server and is using TLS, it will close and re-initialize TLS between messages (because the client has to hand the SMTP connection to a new process). STARTTLS was being counted as a non-mail command, and therefore could cause the limit to be hit. The revised code now allows for one RSET, one HELO or EHLO, and one STARTTLS between each message without counting them as non-mail commands. (One RSET was previously allowed - I *had* spotted that case.) 13. Some log lines for rejections by ACL were putting ident values in parentheses instead of using U= after H=. (There are some other lines that do use parens, typically when the host name appears without H= within a message. This whole area could perhaps do with tidying up.) 14. When processing a redirection file happens in a subprocess (typically so that a .forward file is processed as the user), Exim was assuming that a call to wait() would always reap the subprocess, and it was failing to check the result. In theory, a signal of some sort occurring at the wrong time could break this assumption - the process was then left unreaped, and could possibly be picked up later during deliveries, thus confusing that code ("processes got out of step"). This is conjecture - I haven't got a definite test of this. However, I have fixed the code to repeat the wait after a signal. 15. When Exim was waiting for a remote delivery subprocess, and the waitpid() call found a process that was not in the list of remote delivery processes, Exim gave up waiting for remote processes. It is probably better just to ignore the unexpected process (though, of course, write to the main and panic logs) and to wait for another process, and so that is what now happens. If the error situation is caused by failed waiting logic for routing or local delivery processes, this approach will minimize bad behaviour, I hope. Exim version 4.11 ----------------- 1. Ignore trailing spaces after numbers in expansion comparisons such as ${if > { 5 } { 4 } ... (leading spaces were already ignored). 2. Two variables, $warnmsg_delay, and $warnmsg_recipients, had got left with their old Exim 3 names, when I meant to change to "warn_message", along with the warn_message_file option. They have now been changed. The old names remain as synonyms, but will be undocumented in due course. 3. The message "This message was created automatically by mail delivery software (Exim)." still confuses people. If they are sufficiently Internet- ignorant, they think the message has come from exim.org. At first, I changed thw wording to "This message was created automatically by mail delivery software (Exim) running on a mail server handling mail for ." in the hope that that might be better. However, in testing that still proved confusing on servers handling multiple domains. The message has now reverted to the original, simple wording: "This message was created automatically by mail delivery software." 4. It has been discovered that, under Linux, when a process and its children are being traced by "strace -f", the children are stolen from the parent while they are being traced. A call to waitpid(-1,&x,NOHANG), which Exim uses to test for the completion of "any of my children" in a non-blocking manner, returns as if there are no children in existence. Exim used treat this as a serious unexpected error state. What it does now is to use kill(pid,0) to check explicitly for the continued existence of any of its children. If it finds any, it assumes it is being traced, and proceeds as if the return from waitpid() had been "none of your children have finished yet". If it can't find any children, it gives the error as before. 5. When Exim creates hints databases and their lock files as root, it needs to change their ownership to exim. In Exim 3, the function to open a hints database wasn't called as root very often, and the check "are we running as root?" would usually fail. However, because Exim 4 eschews the use of seteuid(), it runs all its routing as root, and this always calls the hints database opening function. It wasn't noticing when it was actually creating the database, and so it was running chmod() on all the files in the db directory every time. This does no harm, of course, but wastes resources. Exim now detects when the database was already in existence by opening without O_CREAT at first. If this succeeds, it doesn't do the root test. 6. The line in MakeLinks that creates a link for direct.c had been accidentally left in (cf 4.03/6). 7. The value of $0 in the replacement in a rewriting rule was being corrupted, leading to incorrect results or error diagnostics. 8. Added support for ldapi:// URLs to the LDAP lookups (OpenLDAP only). Also, re-organized the code to use ldap_initialize() with OpenLDAP in all cases (it seems to be preferred). 9. With OpenLDAP 2.0.25, ldaps:// doesn't seem to work unless the LDAP protocol level is set to 3. This is now standard in the Exim code, as v3 has been around for 5 years now. Testing ldaps:// is now included in the Exim test suite. Although earlier versions claimed to support it, I rather suspect that it never worked. 10. Inserted some checking of the syntax of the IP address given as the first argument to the exim_checkaccess utility. This gives a better error message, especially in the case when somebody gets the arguments in the wrong order. 11. Improved the panic log entry if an unsupported format type is passed to string_vformat() (now gives the whole format string, not just the little bit that's wrong). 12. Ever since its early days, Exim has checked the syntax of non-SMTP addresses according to RFC [2]822 rules, rather than the stricter RFC [2]821 rules that it uses for SMTP. This allows for a wider set of characters in domains. This has now caused a problem, because I forgot about it when making some changes to the format of spool files (see 3.953/44, 4.03/10, and 4.04/1). I can't believe that anybody actually makes use of this feature (which isn't documented), so I have removed it. All domains must now conform to RFC [2]821 rules. A non-SMTP message with a domain that would previously have been accepted will now be bounced. 13. If widening a domain in a dnslookup router made it syntactically invalid, the error message quoted the original domains instead of the widened domain. 14. During a queue run initiated by -R or -S (or by -i when the use of message logs is disabled), if Exim encountered a message with certain characteristics (including text for $local_scan_data, and the setting of the "manually thawed" flag), this data was not correctly reset for subsequent messages. So if they didn't have those settings themselves, strange things could occur. 15. With the "percent hack" enabled for percenthack.domain, if a message had two addresses such as X%some.domain@percenthack.domain and X@some.domain, Exim was not recognizing the duplication, and was making two deliveries instead of one. 16. The output from verification (for -bv and VRFY) used to list a child address when verification was applied to children (this happens, for example, for aliases that generate just a single child). Now it lists only the original address. 17. Changes 34 and 35 of 4.10 did not wholly solve problems with widened domains. The following bug still existed: . A recipient address was abbreviated (e.g. one component). . A dnslookup router caused it to be widened. . The new domain was a local domain. . The address was redirected to itself. At this point, Exim thought it was a duplicate, and discarded it. This whole thing turned out to be a large can of worms, so I have reworked the address widening code. This should get rid of all these problems. Widening now appears similar to redirection, with the unwidened address becoming a proper parent address. As part of this, there has been some general re-organization of the way addresses are handled. 18. When a filter generated only "unseen" deliveries, the normal delivery that happened subsequently lost any value of address_data that was previously set. The handling of values like that that are propagated from parents to children has been reworked. 19. Added smtp_return_error_details and the check_postmaster option for address verification callouts. 20. Long SMTP responses (from ACL messages or wherever) are now automatically split up into multi-line responses if possible. The split happens at an occurrence of ": " if present after 40 characters. Otherwise it happens at the last space before 75 characters. Existing newlines in the message are taken into account. 21. When verify = header_sender is set, a different error message is now given if a syntax is detected, as opposed to failure to verify. 22. Extended the general mechanism for ${quote_lookuptype:...} expansions by allowing for an option to be given after the lookup name, for example ${quote_ldap_dn:...}. Unrecognized options cause errors. 23. Re-worked the quote_ldap expansion items to provide two different kinds of quoting, since the requirements of filter strings and DNs are different. Sigh. Arranged for the DN given in the USER= setting to be de-URL-quoted because not all libraries do it themselves. 24. The handling of responses from LDAP searches wasn't right. It was detecting situations of the form "ldap_result failed internally or couldn't provide you with a message" but not "the server has reported a problem with your search". This has now been tidied up (thanks, Brian). Problems of the latter kind are now handled as follows: (1) For LDAP_SIZELIMIT_EXCEEDED, the truncated list of results is returned. This is what happened before. (2) For a small set of errors that, in effect, mean "that object does not, or cannot, exist in the database", the lookup fails. This is also as before. (3) For other problems, the lookup defers, giving the LDAP error. 25. Added $ldap_dn to hold the DN of the last entry retrieved in the most recent LDAP lookup. 26. Exim was not checking for the LDAP_INVALID_CREDENTIALS error when ldap_bind() failed during an ldapauth call. With (at least) OpenLDAP2, the connection to the server doesn't happen until ldap_bind(), so failures to connect were being treated as authentication failures, and given hard errors. Now, all errors other than LDAP_INVALID_CREDENTIALS are treated the same way for all calls to ldap_bind(), whether ldaputh or otherwise. They lead to temporary errors - if there are more servers, they will be tried. 27. If there was a reference to a non-existent named list, for example, a setting such as "senders = +something", but no lists of that type were actually defined, Exim misbehaved. For an address list, it treated the name as a domain list. For a domain list, it just didn't match. Now it gives a panic error about a non-existent named list (as it always did if there were named lists of the appropriate type). The error now tells you what type of list it thought it was looking for. 28. When -bt or -bv is used by a non-admin user, and there is some kind of DEFER (e.g. database unreachable), details of the failure are no longer given, because they may include private data such as the password for an LDAP lookup. 29. The logic for using a remote host name as a key for looking up retry rules in preference to the domain of the email address was broken. It wouldn't find such retry rules. 30. There were some problems with the action of hosts_max_try in the smtp transport where there were indeed more hosts available than the limit. (a) Exim used to time out an address out if all the hosts that were tried were past their retry limits, ignoring the state of any hosts that were not tried because the hosts_max_try limit was reached. Now it won't time out an address unless all its hosts are actually considered and are past their retry limits. (b) Hosts that are past their retry limits are no longer counted for hosts_max_try. This means that when some hosts are in this state, a greater number of hosts are tried than before, but this is the only way to ensure that all hosts are considered before timing out an address. (c) When the hosts_max_try limit is reached, Exim now looks down the host list to see if there is a subsequent host with a different MX. If there is, that host is used next, and the current host is not counted. More details in NewStuff. 31. The source for spa authentication (taken from the Samba project) used the type "int16". This has caused compilation problems in some systems that happen to have a different definition of it. (Naughty, naughty, non- standard.) I've renamed all the defined types by adding "x" on the end. 32. When a delivery that used authentication was run with -v (which an unprivileged user can use) it included the authentication data when it showed the SMTP transaction. Such data is now replaced by asterisks in any reflection of the SMTP commands. This also applies if the command is logged as a result of an error response. 33. Some little problems in queue runs: (a) The reading end of the synchronising pipe was being left open in the delivery subprocess. This caused no harm, but used up a file descriptor till that series of deliveries was done. (b) If the load level got high enough to abandon a queue run, the synchronizing pipe was accidentally not closed. Normally, this wouldn't matter, because the queue runner process would finish any way, but... (c) If split_spool_directory was set without queue_run_in_order, the code for abandoning a queue run because of too high load didn't stop cleanly. Instead, it went on to look at the remaining subdirectories. Each one would then notice the high load, and abort. Not only was this a waste of time, but because of (b) above, it used up one file descriptor per subdirectory. With up to 62 subdirectories, this could hit the limit of file descriptors if it was as low as 64 (which it sometimes is). 34. Added SYSTEM_ALIASES_FILE to the build-time configuration, and the ability to set ROOT= when installing. Removed installation instructions for the info version of the overview document, because that document no longer exists for Exim 4. 35. Added a total line to exiqsumm. 36. convert4r4 can now handle "optional" for single-key lookups in aliasfile directors. 37. Change 4.03/25 (making convert4r4 double colons in require_files lists) was incomplete. It worked for routers, but not for directors. 38. After verify=recipient in an ACL, the value of $address_data is the last value that was set while routing the address. 39. Included eximstats 1.22. 40. If a delivery of another message over an existing SMTP connection yields DEFER, we do NOT set up retry data for the host. This covers the case when there are delays in routing the addresses in the second message that are so long that the server times out. This is alleviated by not routing addresses that previously had routing defers when handling an existing connection, but even so, this case may occur (e.g. if a previously happily routed address starts giving routing defers). If the host is genuinely down, another non-continued message delivery will notice it soon enough. 41. Added quota_directory to appendfile. 42. Changed the order of processing configuration input lines. Previously, it was comment, .include, continuation, macro expansion, comment again (in case a macro turned a logical line into a comment). This meant that macros could not be used in .include lines. The order is now macro, comment, .include, continuation. That is, macro expansion is done on physical lines, not on logical lines. 43. Improved the error message if an option-setting line in the configuration does not start with a letter. (It used to say 'option "" unknown'.) 44. Allow -D to set a macro to the empty string. Previously it would have moved on to the next commandline item. This seems pointless. Either -DXX or -DXX= sets an empty string. 45. Changed OS/Makefile-FreeBSD thus: EXIWHAT_MULTIKILL_CMD='killall -m' EXIWHAT_MULTIKILL_ARG='^exim($$|-[0-9.]+-[0-9]+$$)' This is because, with the Exim standard installation using a symbolic link, the name of the running program is not "exim" but (e.g.) "exim-4.10-1". 46. An Exim server now accepts AUTH or STARTTLS commands only if their availability has been advertised in response to EHLO. 47. A few source changes to avoid warnings from very picky compilers that don't complain about unset variables when the only setting is by passing the address to another function. 48. Added -d+pid to force the adding of the pid to all debug lines. Default it on when the daemon is run with any debugging turned on. (Pids are still automatically added when multiple deliveries are run in parallel.) 49. Included Matt Hubbard's exiqgrep utility. 50. Give error for two routers, transports, or authenticators with the same name. (It already caught duplicate ACLs.) 51. If a host has more than MAX_INTERFACES interfaces (common for hosts with a slew of virtual interfaces), and Exim had to find the list of local interfaces, it ran off the end of the list that the ioctl returned. I had assumed the length would be set to correspond to the amount of data returned - but in at least one OS it is set to the actual number of interfaces, even if they don't all fit in the buffer. 52. Nit-picking changes to store.c. It was assuming the length of the storeblock structure would be a multiple of the alignment, which is almost certainly "always" true. However, just in case it might not be it is now rounded up. For some long-forgotten reason, Exim was getting blocks of store of the size (8192 - alignment), which seems strange. I've changed it to plain 8192. 53. Added functions to compute SHA-1 digests, added the ${sha1: expansion operator, added support for {sha1} to crypteq. 54. When local_scan() times out, include the message size in the log line. 55. If a pipe transport had no command specified, and the address also had no command associated with it, the transport process crashed. Now it defers with a suitable message. 56. An Exim server output mangled junk if it received a HELP command on an TLS-encrypted session. 57. The output from -bV (and at the start of debugging) now lists the optional items included in the binary (which routers, etc). The debugging output now includes the name of the configuration file at its start. 58. Added support for GnuTLS as an alternative to OpenSSL. 59. Give a configuration error if tls_verify_hosts is set, but tls_verify_ certificates is not set. It doesn't make sense to require some hosts to verify if there's nothing to verify against. 60. A pipe transport may now have temp_errors = * to specify that all errors are to be treated as temporary. 61. The lmtp transport can now handle delivery to Unix domain sockets. 62. Added support for flock() to appendfile, for those operating situations that need it. Not all OS support flock(). 63. It seems that host lists obtained from MX records often turn out to have duplicate IP addresses, especially for large sites with many MXs and many hosts. Exim now removes duplicate IP addresses. (Previously, it removed only duplicate names.) 64. If ${readfile was inside a substring that was not part of the final expansion value (because its condition wasn't met), Exim still tried to read the file. This made an "exists" test for the file useless. 65. Added ${readsocket to the expansion facilities. 66. It is now possible to set errors_to to the empty string in routers. 67. Added disable_logging as a generic transport and a generic router option. 68. Applied Stefan Traby's patch to support threaded Perl. As I don't have a threaded Perl, I can't test that this fixed the problem, but it doesn't appear to break the non-threaded case. 69. For SPA (NTLM) client authentication, the options are now expanded. 70. Added support for SPA server authentication, courtesy of Tom Kistner. 71. Latest versions of TCPwrappers use the macro HAVE_IPV6 inside the tcpd.h header, it appears, and this clashes with Exim's use of that macro. Renaming it for Exim is an incompatible change, so instead I've just arranged that HAVE_IPV6 is undefined while including the tcpd.h header. 72. Mac OS 10.2 (Darwin) has IP option support that looks like the later versions of glibc, but without the __GLIBC__ macro setting. I've added a new macro called DARWIN_IP_OPTIONS, and tidied up the code in smtp_in.c to simplify the handling of the three different ways of doing this. 73. If no "subject" keyword is given for a "vacation" command in a filter, the subject now defaults to "On vacation". 74. Exim now counts the number of "non-mail" commands in an SMTP session, and drops the connection if there are too many. The new option smtp_accept_max_nonmail option defines "too many". This catches some DoS attempts and things like repeated failing AUTHs. 75. Installed configuration files for OpenUNIX. 76. When a TLS session was started over a TCP/IP connection for LMTP, Exim was sending EHLO instead of LHLO after the encrypted channel was established. 77. When an address that was being verified routed to an smtp transport whose protocol was set to LMTP, the SMTP callout used EHLO instead of LHLO. 78. Installed eximstats 1.23 in the distribution. 79. Installed a new set of Cygwin-specific files from Pierre Humblet. 80. Added caching for callout verification. 81. Added datestamped logs and $tod_logfile. 82. When Exim starts up with root privilege, set a high limit (1000) for the number of files that can be open and the number of processes that can be created (on systems where this is possible), in case Exim is called from a restricted environment. 83. Minor bugfix in appendfile: when renaming failed for a file whose name was extended with a tag, the untagged name was shown in the error message. 84. If Exim's retry configuration was changed so as to bounce a certain delivery failure immediately, for example to bounce quota errors: * quota and there were messages on the queue that had previously been deferred because of this error, Exim crashed when trying to deliver them in a queue run. Now it will make one more delivery attempt and bounce on failure. 85. Fixed an obscure problem that arose when (a) an address was redirected to itself, AND (b) the message was not delivered at the first attempt, AND (c) the pattern of redirection was changed at the next delivery attempt. When an address is redirected to the same address, Exim labels the new address as "2nd generation", and so on, in order to distinguish these homonym addresses from each other. Previously, it recorded the delivery of a homonym address as a delivery of the appropriate generation. This does not work if the generation numbers change at the next delivery attempt. The symptoms can be either duplicated deliveries, or missing deliveries, depending on the configuration. A real-life example is a configuration that takes "unseen" copies of messages at certain times only, because an "unseen" router in effect does a redirection to a modified address (the unseen delivery) and to the original address (for normal delivery). Thus the normal delivery can be either the 1st or 2nd generation, depending on whether or not the unseen router is triggered at the time of delivery. The fix is not to record a delivery to a homonym address as such, but instead to record a delivery to the original address by the final transport. If the same address is subsequently routed to the same transport (whichever generation it now is), the delivery is discarded because it has already happened. Homonym addresses that are themselves redirected are now never recorded as "done", but non-homonym addresses are unaffected, so they are marked when all their children are complete (as before), thus saving an unnecessary subsequent expansion. The fix causes more routing processing to be done when homonyms are in use and a message is not delivered at the first attempt, but this is not expected to be very common, and the extra processing isn't all that much. 86. Make sure Exim doesn't overrun the buffer if an oversize packet is received from a nameserver. 87. Added argument-expanding versions of hash, length, nhash, and substr expansions. 88. The API for Berkeley DB changed at release 4.1. Exim now supports this release. 89. When a host was looked up using gethostbyname() (or the more recent getipnodebyname() on IPv6 systems), Exim was not inspecting the error code on failure. Thus, any failure was treated as "host not found". Exim now checks for temporary errors, so the behaviour of "byname" and "bydns" lookups in this respect should be the same. However, on some OS it has been observed that getipnodebyname() gives HOST_NOT_FOUND for names for which a DNS lookup gives TRY_AGAIN. See also change 125 below. 90. Minor rewording of ACL error for attempted header check after RCPT. 91. When USE_GDBM was set, exim_dbmbuild wasn't working properly (still assumed NDBM compatible interface); similarly in dbmdb lookups when ownership was being tested. 92. If a Reply-To: header contained newlines and was used to generate recipients for an autoreply, the log line for the autoreply "delivery" had unwanted newlines. Such newlines are now turned into spaces. 93. When a redirect router that has the "file" option set discovers that the file does not exist (the ENOENT error), it tries to stat() the parent directory, as a check against unmounted NFS directories. If the parent can't be statted, delivery is deferred. However, it seems wrong to do this check if ignore_enotdir is set, because that option tells Exim to ignore the error "something on the path is not a directory" (the ENOTDIR error). In fact, it seems that some operating systems give ENOENT where others give ENOTDIR, so this is a confusing area. 94. When the rejectlog was cycled, an existing Exim process was not noticing, and was therefore not opening a new file. 95. If expansion of an address_data setting was forced to fail, and debugging was enabled, a debugging statement tried to print an undefined value instead of the string that was being expanded. This could cause a crash. 96. When Berkeley DB version 3 or higher is in use, a callback function is now set up to log DB error messages that are passed back. 97. The conditions in the Makefile for rebuilding the exim_dbmbuild utility were wrong, leading to failures to rebuild when it should have done. 98. Added -no_chown and -no_symlink options to the exim_install script. Also arranged for the environment variable INSTALL_ARG to be passed over from "make install". 99. Exim sets the IPV6_V6ONLY option on IPv6 listening sockets on operating systems that support it. The call to setsockopt() to do this had SOL_SOCKET instead of IPPROTO_IPV6 as its second argument (and so wouldn't work). 100. When a frozen message was timed out by timeout_frozen_after, the system filter was incorrectly being run for the message before it was thrown away. 101. If a filter used $thisaddress in an argument to a pipe command, its value was not inserted where expected, because the expansion of a pipe command does not happen till transport time, and $thisaddress was not being saved. It is now saved (along with $1, $2, etc, which were already being saved), and reinstated at transport time. 102. Added host grouping for randomizing to manualroute and smtp. A host list that is randomized by manualroute is never re-randomized by smtp. Two host lists that are randomized by manualroute are now treated as "the same" when checking for possible multiple deliveries in one SMTP transaction (this was always true for MX'd host lists). 103. Added "randomize" and "no_randomize" options to manualroute. 104. Added ${hmac expansion item. 105. When compiling with gcc, make use of its facility for checking printf-like function calls (debug_printf and smtp_printf). This would have found the problem in 95 above. It actually found a number of missing casts to (int) in debug lines, and one spurious additional argument. 106. Created an ACKNOWLEDGEMENTS file, which I will endeavour to update in future. 107. Minor modification to Makefile: when a command that starts off "cd xxx;" is followed by another command (on the next line), put the first one in parentheses so that if a "clever" make program amalgamates them, the change of directory is turned off when it should be. 108. If log_timezone is set true, the timestamps in log files now include the timezone offset. A new variable $tod_zone contains the offset. The exigrep utility has been updated to handle timestamps with offsets. The eximstats version included with this release (1.23) has been patched to handle timestamps with offsets. There is also a new -utc option that specifies the timestamps are in UTC. The Exim monitor has been modified so that it omits the zone offset from its display. 109. If the expansion of an errors_to option is forced to fail, the option is ignored. 110. Added $load_average. 111. Added router_home_directory generic router option. 112. Exim crashed on an attempt to check senders or sender domains in an ACL other than after RCPT or DATA. It's now a temporary error. 113. \r was omitted before \n in the SMTP failure response for EHLO/HELO argument checking. 114. On receiving EHLO or HELO, Exim was resetting its state before checking the validity of the command. However, RFC 2821 says that the state should not be changed if an invalid EHLO/HELO is received, so Exim has been changed to conform. This applies mainly when there is more than one EHLO/HELO command in a session. 115. When an Exim root process wrote to a log file, and the log file did not already exist, Exim used to create it as root, and then change its ownership to exim:exim. This could lead to a race condition if several processes were trying to log things at the same time; this happens especially when the exiwhat utility is used. I've changed things so that, if an Exim root process needs to create a log file, it does so in a subprocess that is running as exim:exim. 116. When running filter tests (-bf and -bF) Exim now changes the current directory to "/" so that any assumptions about a particular current directory are false. 117. The appendfile transport was doing the quota_threshold check before actually writing the message. However, the act of writing the message could make it longer by the addition of prefix, suffix, or additional headers. This meant that quota warning could be missed if the basic length of a message kept the mailbox below the threshold, but the transport additions took it over. The warning threshold check is now done after writing the message, when an accurate size is known. 118. If all verifications for verify = header_sender deferred, the log was "temporarily rejected after DATA", without saying why. Now it adds "all attempts to verify a sender in a header line deferred". 119. Added message_id_header_domain option. 120. Ignore message_id_header_text forced expansion failure. 121. Typos: "uknown" in acl.c; missing NULL initialized in drtables.c. 122. When return_size_limit was set greater than zero but smaller than an Exim transport buffer size (so that only one buffer would be written), a message that was longer than the limit could be omitted from the bounce entirely under some circumstances. In other cases, the final buffer full before truncation could be omitted. 123. The inode variables in log.c were of type int with -1 for unset; they have been changed to ino_t with 0 for unset. 124. There are two Makefiles for NetBSD (for different object formats). They were originally supplied in a format where one .included the other. The problem with this has finally surfaced: when processing the Makefile to build config.h, the inclusion isn't seen. The easy way out has been taken: there are now two fully independent files. At the same time, HAVE_IPV6 has been added to both of them. 125. Changed the default way of finding an IP address in both the manualroute and queryprogram routers. Exim now does a DNS lookup; if that yields HOST_NOT_FOUND, it tries calling getipnodebyname() (or gethostbyname()). See also change 89 above. 126. Fixed a race bug in the loop that waits for a delivery subprocess to complete. After reading all the data from, and then closing, the pipe, it assumed that a call to waitpid() for the known pid would always return status for that process. An unfortunately timed signal (e.g. SIGUSR1 from exiwhat) could cause waitpid() to return -1/EINTR instead. The effect of this was to remain in the loop and call FD_SET() with an argument of -1. On Solaris it caused a crash; on other systems it might have looped. 127. If an ACL that was read from a file was used in more than one message in a single SMTP transaction, Exim could crash or misbehave in arbitrary ways. The problem was that the ACL was remembered in memory that was thrown away at the end of the first message. In fixing this, I've done a bit of refactoring of the way memory allocation works, to provide a non-malloc allocator for small blocks of data that must be kept for the life of the process. There's a new function store_get_perm() and I've reintroduced a second storage pool (previously dropped on the 3->4 conversion). A number of instances of malloc calls for small amounts of memory have been changed to use this instead. It might be a tad more efficient. Then again, it might not... 128. A similar problem to 127: memory corruption could occur for multiple messages in one SMTP connection if the data from DNS black list lookups was being used in log or user messages, e.g. references to $dnslists_text. 129. Blanks lines and comments are now ignored in ACLs that are read from files. 130. Two instances of missing \n in debug output. 131. The new debugging tag +timestamp causes a timestamp to be added to each debug output line. 132. Some debug information is written in multiple calls to debug_printf(), with a newline only on the last one. When debugging multiple simultaneous processes, the pid was added to each debug text, and for this reason, a newline was always forced. Now Exim buffers up debug output until the newline is reached, which makes things look much tidier. Also, if there are internal newlines and prefix data such as a pid or timestamp are being added, the prefix is inserted at the internal newlines. 133. When running in the test harness, arrange to overwrite all memory that is released or freed, so that bugs are more easily found. This picked up the following bug: 134. Expansion error messages were left in released store, so could have been overwritten - but in fact most are used immediately, before this happened. 135. A list of configuration files can be given; the first one that exists is used. 136. Moved the code that ensures that newly-created hints databases and their lockfiles are owned by exim:exim so that it runs before the test for successful opening, because a case was reported where the file itself was created, but the DBM library returned an opening error. 137. If an address is redirected to just one child address, verification continues with the child address. However, if verification of the child failed because of (for example) a :fail: redirection, the error message did not get passed back as it would have been had the original address failed. The error information is now passed back for both fail and defer responses. 138. Added $rcpt_defer_count and $rcpt_fail_count. 139. Added "rejected_header" log selector. 140. Added the cannot_route_message generic router option. 141. Change 87 above introduced a bug in the expansion of substrings when the offset was greater than the length of the string, for example ${substr_1:}. Exim crashed instead of returning an empty string. 142. Added extra features to ACLs: the "drop" and "defer" verbs, and the "delay" and "control" modifiers (the latter with "freeze" and "queue_only"). 143. If Exim failed to create a log file, it used to try to create the superior directories only if the logs were being written in the spool directory. Now it tries in all cases, but always from a process running as the exim user. 144. Added $authentication_failed. 145. Added $host_data for use in ACLs. 146. Added new ACLs for non-SMTP messages, SMTP connection, MAIL, and STARTTLS. 147. Added a number of new features to the local_scan() API: Access to debug_printf() and the local_scan debug selector Direct access to the message_id variable LOCAL_SCAN_REJECT_NOLOGHDR and LOCAL_SCAN_TEMPREJECT_NOLOGHDR Access to store_get_perm() and store_pool (see 127 above) Access to expand_string_message Option settings in the main configuration file LOCAL_SCAN_ACCEPT_FREEZE and LOCAL_SCAN_ACCEPT_QUEUE LOG_PANIC to write to the panic log Access to host_checking Supporting functions lss_match_xxx() for matching lists 148. Minor security problem involving pid_file_path (admin user could get root) has been fixed. 149. When an ACL contained a sender_domains condition with a reference to a named domain list, the result of the check was not being cached (an oversight). 150. Allowed for quoted keys in lsearch lookups; this makes it possible to have whitespace and colons in keys. 151. Added wildlsearch lookup. 152. Yet another new set of configuration files for Cygwin from Pierre Humblet. 153. Ensure that log_file_path contains at most one instance of %s and one instance of %D and no other % characters. 154. Added $tls_certificate_verified. 155. Now that the list of lookup types has got so long (and more are in prospect) arrange to search it by binary chop instead of linear search. 156. Added passwd lookup. 157. Added simple arithmetic in expansion strings. 158. Added the ability to vary what is appended for partial lookups. 159. Made base 64 encode/decode functions available to local_scan. Exim version 4.10 ----------------- 1. Added HAVE_SA_LEN=YES to the OS/Makefile-Darwin file, because it needs it (unsurprising, as it's based on FreeBSD). 2. Removed the HTML versions of the PCRE and pcretest documentation from the distribution tarbundle, and instead included them in the HTML tarbundle, linked to the overall index file. 3. The code for computing load averages was broken in 64-bit Solaris. 4. Make the default ACL refuse local parts that start with a dot. 5. LDAP binds with an empty password are considered anonymous regardless of the username and will succeed in most configurations. Exim has been changed so that the LDAP authentication (the ${if ldapauth... condition) always fails when an empty password is used. 6. Remove quoting from rbl_domains when used in an ACL by the convert4r4 script. 7. A lookup entry in a list that had spaces after the lookup type, e.g. "lsearch; /etc/relaydomains" was including the space as part of the file name. 8. Give an error if EXIM_USER or EXIM_GROUP contains control characters (it happened when somebody had CRLF terminations in Local/Makefile, which messed up the "unknown user" error message). 9. Ensure recipient address appears in log line for internal pipe problems during redirection. 10. Tidies to code for calls to fork(): (a) 3 typos of "<=" that should have been "<" (but would have no actual effect). (b) 2 cases of fork() failures not being logged: during -M for multiple messages, and for auto-delivery of incoming messages. 11. A reference to any header line that contains addresses (e.g. $h_to:) caused a crash if the header was empty. Change 46 for 4.05 introduced this bug. 12. If a system filter file was defined as a non-absolute path, but system_ filter_user was undefined, Exim's behaviour was undefined. It could, for example, discard all deliveries, thinking the system filter had overridden them all. Delivery is now deferred, with a message written to the panic log. 13. If a redirection file (or system filter file when system_filter_user was set) was defined as a non-absolute path containing no slash characters, Exim crashed. 14. Added $rcpt_count, containing the number of RCPT commands received during an SMTP transaction. This differs from $recipients_count when some of the RCPTs are rejected. 15. Added $pid, containing the pid of the current process. 16. Fixed uninitialized variable warning in eximstats for relayed messages when there was no sending host name (logged as H=[n.n.n.n]). There's no change of output. 17. The exiqusumm script failed horribly if it encountered a message that had been on the queue for 100 days or more. 18. Added the message_logs option for suppressing the writing of message logs. 19. Allow local_scan() to change the errors_to setting on recipient addresses. (This was made trivially possible because of change 10 in 4.03.) 20. Convert4r4 changed: if forbid_pipe is set on a forwardfile director, also set forbid_filter_run on the generated redirect router. 21. In the Makefile, $(INCLUDE) was preceding the -I. item that refers to Exim's own include files. This caused a conflict with an external library that also happened to have a config.h file. Exim saw the wrong file, and chaos ensued. I've moved the -I. item in the relevant lines so that it comes before $(INCLUDE). 22. Added $acl_verify_message to contain any existing user message when expanding the "message" modifier in an ACL. 23. Changed the default argument for egrep when called in exiwhat to find Exim processes. It is now ' exim( |$$|-)' instead of ' exim( |$$)' so that it works on OS where the true file name appears. 24. In the plaintext authenticator, server_prompts was not being expanded, as documented. It now is. 25. The exinext script was outputting in an incorrect format for routing delays. It said "deliver" when it should have said "route", and the layout of the text was screwed up. In fact, "deliver" is not the right word anyway. I've changed it to "transport". Also removed redundant code for "directing" delays, because these can't occur in Exim 4. 26. Fixed some problems concerned with retrying address errors in remote deliveries: (a) I'd overlooked temporary address errors, and assumed that all the retry items would be for host errors, and therefore on the first address when multiple RCPTs were involved. Consequently, no retry record was written for second and subsequent addresses if they received a 4xx error. Thus, these addresses wouldn't be delayed after such a delivery failure. (b) A temporary address error causes a routing delay; when the address is eventually tried again, and routing succeeds, the retry record is flagged for deletion. If the address gets another temporary error, the retry record got updated, and then deleted. Thus, temporary address errors were not being delayed and would be tried on every queue run. 27. A minor code tidy for the CRAM-MD5 authenticator. 28. Some OS have a command to select processes by the name of the command they are running, and send a signal to them. Linux and FreeBSD have "killall"; Solaris has "pkill" (it also has "killall", but that does something disastrously different). Using such a command makes "exiwhat" more efficient, and reduces the chances of it trying to signal a non-existent process. There are now two build-time parameters, EXIWHAT_MULTIKILL_CMD and EXIWHAT_MULTIKILL_ARG, which can be set to enable this feature to be used. They are defined in the OS-specific files for Linux, FreeBSD, and Solaris. See OS/Makefile-Default for more details. 29. As part of tidying up for 28, changed the name of the build-time parameter EXIWHAT_KILL_ARG to EXIWHAT_KILL_SIGNAL so that its name makes more sense when used in both kinds of exiwhat processing. 30. By default, the daemon doesn't write a pid file if -bd is not used (i.e. if only -q is used). The -oP didn't override this - it was ignored. It now overrides the default and causes a pid file to be written. 31. The values of $local_part, $domain, etc. were not being set during the expansion of shadow_condition in a local transport. 32. The convert4r4 script failed when macros that had continuation lines were present in the Exim 3 configuration file. It inserted junk lines into the output and gave uninitialized variable errors. 33. The convert4r4 script discards (with a comment) a setting of "rewrite" on a smartuser director that has no setting of new_address when it turns it into an "accept" router. 34. When an alias generated an address with a single-component domain, and routing that domain caused it to be widened, Exim remembered only that it had delivered to the widened domain. If any other addresses were deferred, so that another delivery attempt happened later, Exim re-delivered to the widened address, because it checked only the original address. When this kind of widening happens, Exim now checks for previous delivery. 35. A delivery was silently discarded under the following specific circumstances: . The original address is x@a.b.c, where a.b.c is the local host; . a.b.c is recognized as a local domain, and the address is redirected to x@a; . a is not recognized as a local domain, causing the address to be processed by a dnslookup router; . the router widens the address to a.b.c, routes it, and discovers it is the local host. Exim realized that because the domain had been widened, it might have become a local domain, so it arranged to re-route from scratch, using the new domain. However, because the original address was the same address, it thought it had already dealt with it. 36. A space at the start of an LDAP query in an expansion (after the opening curly) was provoking a syntax error. 37. A syntax error in the data of an ldapauth expansion caused the condition to be false without an LDAP query even being tried. Now it causes the expansion to fail. 38. Ensure that an incomplete config.h is removed when the buildconfig program gives an error. Otherwise, if the error is a non-existent Exim user, and the admin fixes this by creating the user (and not modifying any files), Exim will try to use the broken config.h next time. 39. A call with an argument of the form "-D=xxxx" (i.e. omitting the macro name) caused Exim to loop. It now reports an error. 40. If an ACL tested an address for being in a named domain list (e.g. +relay_domains) and then called for recipient verification, and the recipient was rewritten, the cache for remembering matching domain lists was not being cleared after the rewrite, leading to potential routing (and therefore verification) errors. Furthermore, the rewritten address would (incorrectly) have been used for any subsequent address checking within the ACL. 41. If an address such as a%b@c was processed using the "percent hack" and then transmitted over SMTP, Exim was sending "RCPT TO:" instead of "RCPT TO:". 42. A revised Makefile-CYGWIN file from Pierre Humblet. 43. If local_scan() rejected a -bS message, it wasn't handling the error in the way -bS errors should be handled. Exim version 4.05 ----------------- 1. In the log display in Eximon, put the insert point (caret) at the start of the last line instead of at the end, because this stops unwanted horizontal scrolling when certain X libraries are used. 2. A malformed spool file with an incorrect number of recipients (which should never occur, of course) could cause eximon (and probably exim) to crash. 3. Updated Cygwin Makefile and os.h (minor tweaks). 4. Setting allow_domain_literals=true was not allowing domain literal addresses in the -f command line option. 5. Added debugging output for removing and adding header lines at transport time. 6. On systems where SA_NOCLDWAIT is defined, changed from using signal( SIGCHLD, SIG_DFL) to using sigaction(), with flags explicitly set zero, to ensure that SA_NOCLDWAIT is definitely off. This fixes a bug in AIX where subprocesses were disappearing without being turned into zombies for Exim to reap. There was a previous report of the error "remote delivery process count got out of step" on a Linux box that was never resolved. It is possible that this change fixes that too. 7. Other applications that support IPv6 have been coded to choose IPv6 addresses in preference to IPv4 addresses where possible. This is encouraged, in order to speed up the use of IPv6. Exim has now been changed to do likewise when it looks up IP addresses from host names. This applies both to hosts that have more than one IP address, and to MX records with equal preference values when the hosts they point to have both IPv4 and IPv6 addresses. Within one preference value, Exim will try all the IPv6 addresses before any IPv4 addresses, even when some of the IPv4 addresses belong to hosts that also have IPv6 addresses. 8. When Exim sent HELO after EHLO was rejected, or when it sent a second EHLO after starting a TLS session, it used the primary host name as the argument, instead of the expansion of the helo_data option. 9. Exim was failing to batch addresses for local delivery when errors_to was set on the router to the same string for each address, in the case when the string involved some kind of expansion (that ended up with the same value each time). If the string was fixed (i.e. no expansion) the batching was not blocked. In other words, I was testing the addresses of the strings but forgetting to compare the content. The same problem was not present for remote deliveries, but the code was written out instead of using a subroutine that now exists for this purpose, so I tidied that code. 10. When Exim passes a connected TCP/IP socket to a new Exim process in order to deliver another message on the same connection, it closes down TLS, because it can't pass on the state information that is required by the OpenSSL package. The new process then tries to start up TLS again. Unfortunately, not all servers handle this - and, it has to be said, it is a bit of a dubious interpretation of the RFC. (Exim as a server copes OK, needless to say.) The problem is that the server may just die or give an invalid response, causing a retry delay to occur. The option hosts_nopass_tls was invented to help with this, but an automatic way of testing has been invented. What now happens is that Exim sends a new EHLO after shutting down TLS, before passing the socket on. This in itself reduces the dubiousness of the procedure. If there isn't an OK response, Exim doesn't try to pass the socket on. 11. There was inconsistency in the way failures to set up TLS sessions in the smtp transport were handled when the host was not in hosts_require_tls. It deferred for 4xx responses to STARTTLS, but tried in clear if the actual TLS negotiation failed. It now does the same thing in both cases, and what this is can be controlled by the new option tls_tempfail_tryclear. This defaults true, causing a retry in clear to occur. If it is set false, these kinds of temporary failure cause a defer (for that host; if there are other hosts, they are tried). 12. Tidying. When starting up a new delivery process to deliver another message over an existing SMTP connection, pass over the IP address as well as the host name. This saves having to get the IP address from the socket. 13. Added "#define base_62 36" to OS/os.h-Darwin because the MacOS X operating system has case-insensitive file names. 14. Tidies to rewriting code: (1) It was getting an unnecessarily large block of memory for a rewritten header. (2) Removed some unnecessary debugging code that just duplicated log output. 15. In an expansion like "${if {${mask:xxxx}}{yyyy}}" Exim still tried to perform the masking operation even when the condition was false and the yield was "yyyy". This could fail when "xxxx" wasn't a valid string for the masking operation. Some other operators (e.g. base62) could fail in a similar way. All string operations are now skipped when processing the unused substring of a condition. 16. If a verification of a sender address in a header (caused by verify = header_sender in an ACL) caused the address in the header to be rewritten (typically because a DNS lookup had widened the domain), the newline at the end of the header got lost, thereby causing two headers to be run together. Sometimes, but not always, this caused a "spool format error". 17. A user wanted to use "save" in a filter file with a non-absolute path, and to set file_transport to a non-appendfile transport that made use of $address_file for its own purposes. This didn't work because Exim was distinguishing between file and autoreplies by the leading '/' of the former. It now checks for the leading '>' of the latter instead. 18. The "accept" router was forcing log_as_local instead of just defaulting it. 19. Exim crashed while verifying a recipient in an ACL if the address was verified by a dnslookup router that widened the domain. 20. When checking the parameters returned from an ident call, Exim was assuming that the format would be textually identical to the values it sent, including the white space. This is not always the case, causing Exim to discard returned ident data that it should have been accepting. 21. Typo (space missing) in "failed to expand condition" error message. 22. The option of specifying an individual transport in a route_data or route_list option of the manualroute router wasn't working. Such settings were being completely ignored. 23. The memory management was poor when building up a string from a lookup that retrieved a large number of data items that had to be concatenated, for example, an alias lookup in a database that returned thousands of addresses. In extreme cases, this could grind the host to a halt. (Compare change 8 for 4.00, which was a similar effect.) Two changes have been made to improve matters: (a) For longer strings, it extends them in bigger chunks, thus requiring fewer extensions. (b) It is now able to release some unwanted memory when a string is copied out of it into a larger block. 24. There was a small error in the memory sizes quoted when -d+memory was used and emptied memory blocks were released. 25. When helo[_try]_verify was set, Exim crashed if the reverse DNS lookup gave a temporary error when trying to look up the host name. It now tries to check with a forward DNS lookup (as it does when the reverse lookup can't find a name). For helo_verify, a temporary error is now given if verification failed, but the host name lookup gave a temporary error. (As before, a permanent error is given if there is no host name available.) 26. When checking quotes for maildir++ format, if the directory name was given with a trailing slash in the "directory" option of the appendfile transport, Exim got the quota calculation wrong because it scanned the final directory instead of the parent directory. 27. The "quota_xxx" error facility for retry rules was broken in Exim 4 if the mailbox had not been read for more than approximately 10 hours. 28. If a router with "unseen" had a setting of address_data, the value was not passed on to subsequent routers for the continuing processing of the address. It now is. 29. If a daemon was started with (e.g.) -qff15m, it omitted the second 'f' when starting queue runners. Likewise, if the flags included 'i', this was omitted. 30. Some operating systems log warnings if exec() happens without the standard input, output, and error file descriptors existing. The worry is that the called program will open some file which will be allocated one of these fds. Another bit of code might assume it can write an error message to stderr, or whatever. Exim was calling itself to regain privilege for delivery without these fds set, thus provoking the warning. Of course, it didn't make use of them itself, but the exposure was there for libraries it might be using. The code has been changed to ensure that, if any of the file descriptors 0, 1, or 2 does not exist at the time of a call to exec(), they are opened to /dev/null. 31. A delivery process could loop under the unusual combination of the following circumstances: (1) A delivery process had envelope_to_add set for its transport. (2) The delivery was for a child address of an envelope address that also had another child. (3) This other child had been discarded because it was a duplicate of a second envelope address. (4) The second envelope address had generated a child that was discarded because it was a duplicate of the first envelope address. 32. The -bp option was failing to notice delivered addresses that were in the -J file but had not yet made it into the -H file. (This got broken between Exim 3 and Exim 4.) 33. If "query" or "queries" in aliasfile director, or "route_query" or "route_queries" in a domainlist router were enclosed in quotes, the convert4r4 script was not removing the quotes before inserting the query into an expansion string, leading to invalid queries within the string. 34. If more than two addresses were being delivered in a batch (either local or remote deliveries), and they all had the same, non-empty value for $self_hostname, but had different domains, Exim crashed. (This is rare, because the use of "self=pass", which is the only way $self_hostname gets set, is rare.) 35. If $message_headers was used in a context where there were no headers (e.g. while verifying an address before receiving a message), it caused an "unknown variable" error. Now it just returns an empty string. 36. Exim was not diagnosing missing time units letters in times on retry rules. It was treating such malformed times as "-1", which caused the rules to misbehave. 37. Added some debugging output to the CRAM-MD5 server code. 38. In the appendfile transport, check for a file name supplied by redirection by checking for "not pipe and not autoreply" instead of looking for a leading '/' in the "address". 39. The os.h file for Darwin defined CRYPT_H, which apparently is wrong. 40. The "condition" condition in ACLs has been tightened up. Formerly, anything other than an empty string, "0", "no" or "false" was treated as "true". Now it insists on "yes", "true", or a non-zero number. 41. Change 22 of 4.02 has been improved; somebody mailed me the correct code to get an error message when ldap_result() doesn't set a result. 42. Update convert4r4 to recognize "ldap:" in require_files, and double the colon. 43. Added "protocol violation" to the "SMTP synchronization" error message, to make it clearer what it is complaining about. 44. Change 26 of 4.03 was incomplete. The same problem could arise if a lookup failed while checking the pre-conditions of a router that was subsequently run. This can happen for negated conditions such as "domains = !". 45. Somebody managed to set up a configuration that crashed buildconfig such that it left a half-built config.h but did not stop the build process. I can't reproduce it, but I have added a check after building config.h to test for the presence of its last line ("/* End of config.h */"). 46. Added a .PHONY target to the Makefile to be tidy for GNU make. (It should be ignored by other versions). 45. When Exim uses Berkeley DB version 3 or 4 to create a DBM file, it creates it in hashed format. Previously, it opened these files for reading in the same format. Now it opens them as "unknown", which means that other formats can be accommodated when using DB files for auxiliary data. 46. When concatenating header lines that may contain lists of addresses (From:, To:, etc.) as a result of references to $h_from: etc., a comma is now inserted at the concatenation point. Without it, the use of "if foranyaddress" fails on such headers, which is dangerous. 47. The code for ratelimiting MAIL commands was triggering on the count of messages received, instead of the number of MAIL commands (which is not the same thing if no message is accepted in a transaction). The smtp_accept_ max_per_connection limit has also been changed to use the count of MAIL commands instead of the count of messages accepted. 48. There was a typo in the exiwhat script which broke it if the esoteric CONFIGURE_FILE_USE_NODE option was in use. Exim version 4.04 ----------------- 1. Fix 10 for 4.03 had a bug in it, which could cause problems when converting from an earlier 4.xx release with delayed "one_time" messages on the spool. 4.03 incorrectly complains about spool format errors (and refuses to process these messages). 2. Changed the status of the text widgets in the monitor from Append to Edit, because this matters on some versions of X. 3. Change 22 for 4.03 turns out to be misguided. Luckily it is controlled by a compile-time macro. I have removed the settings from OS/os.h-Linux that made it try to use these functions. Exim version 4.03 ----------------- 1. Change 12 for 4.02 overlooked one case where 256 should have been replaced by MAX_LOCALHOST_NUMBER. 2. Timeouts (etc) in dnslist lookups were not behaving as documented; they were deferring (causing 4xx errors) instead of behaving as if the host was not in the list. This has been fixed. In addition, some new special items may appear in dns lists, to control what happens in this case. The items are +include_unknown, +exclude_unknown, and +defer_unknown. 3. Added #include to OS/os.h-QNX because it was reported that this was needed, in order to get O_NDELAY. 4. Added #define BASE_62 36 to OS/os.h-Cygwin. 5. Change 8 for 4.02 overlooked the fact that "directory" need not be set if the directory name is coming from a filter or forwarding file. The check has now been moved from initialization time to run time. Thus, it happens later, but it still helps to diagnose the problem. 6. The file direct.c had been accidentally left in the distribution. 7. When a new process was forked to deliver another message down an existing SMTP connection, a pipe file descriptor was accidentally left open. This meant that if there was a long chain of such processes, the number of open file descriptors increased by one for each process, and if there were sufficient, the limit of open descriptors could be reached, causing various problems. 8. When an address was being checked with -bt and the routing involved an errors_to setting whose address verification also involved an errors_to setting, Exim got into a verifying loop. It shouldn't verify an errors_to setting when already verifying, but got this wrong if it started from -bt. 9. Tidied up some compiler warnings when compiling with TCP wrappers. 10. When a child address was promoted to a toplevel address by "one_time" after a deferred delivery, it was not remembering any "errors_to" address that was set by the routers that processed the original address. Consequently, the subsequent delivery had (incorrectly) the original sender address in the envelope. Exim now remembers the "errors_to" address with the new toplevel address and reinstates it for the next delivery. 11. When Exim received a message other than from the daemon, there were two situations in which it did not re-exec itself for delivery: when it was running as root, or when it was running in an unprivileged mode. This was an attempt to save some resources (very early Exims ran as root more often) but has turned out to be pretty rare. A bug has been discovered in this case: if the incoming message was on a TLS session (from inetd, for example), but the outgoing delivery was on an unencrypted SMTP connection, Exim got confused. The effect was minimal: it sent two EHLO commands, but otherwise worked. Multiple EHLOs are not an error, according to the RFCs, but there was at least one broken MTA that objected. This error would have occurred only when synchronous delivery (-odi or -odf) was specified. While sorting this out, I have abandoned the logic that did a delivery without forking in the interests of simplicity. This was an even rarer case: it only happened when Exim was running as root or in an unprivileged mode AND synchronous delivery was specified. 12. Change references to /bin/rm in the Makefile to plain rm. 13. If EXIM_PERL was set in Local/Makefile, but PERL_COMMAND was set to a command that was not a file, or if it was set to a non-existent file, the build process carried on trying to build Perl support, but without the relevant variables for the Perl libraries, etc., which is disastrous. In fact, the build process shouldn't have been using PERL_COMMAND; that is a value for screwing into utility scripts. The build process assumes a suitable PATH for things like rm, mv, etc., which have xxx_COMMAND variables for scripts. So I've changed it to use just "perl". It now bombs out if "perl --version" doesn't produce some output. 14. Changed the #includes in perl.c for the Perl headers to use <> instead of "" because this is apparently better usage. 15. Added local_scan_timeout to apply a timeout to local_scan(). 16. Recognize IPv6 addresses as IP addresses, even when Exim is not compiled with IPv6 support. 17. When verifying a HELO/EHLO name, Exim was not checking the alias host names it obtained from calling gethostbyaddr(). In many cases, this didn't cause any unwanted rejections because as a last resort Exim does a forward lookup on the HELO name to see if any of its IP addresses matches. But it fixing the bug saves the unnecessary additional lookup. 18. Added "domains = ! +local_domains" to the commented-out ipliteral router in the default configuration. 19. Default sender_host_aliases to an empty alias list, instead of NULL. This is just for tidiness; the way it was coded, it didn't cause any problems. 20. Added -tls-on-connect, which starts a TLS session without waiting for STARTTLS. This supports older clients that used a different port. 21. Added support for the Cyrus pwcheck daemon. 22. Arranged to use getipnodebyaddr() instead of gethostbyaddr() in systems with IPv6 support that have this function, because gethostbyaddr() doesn't work for IPv6 addresses on all systems (it does on some). 23. Header lines added by "warn" statements in the ACL for RCPT are saved up to be added after the message's header has been received. Previously, Exim was saving up all added headers, from both RCPT and DATA, until the very end. Now it adds those from RCPT before the DATA ACL is obeyed, so that they can be accessed from within the DATA ACL. 24. Changed TLS initialization to use SSL_CTX_use_certificate_chain_file() instead of SSL_CTX_use_certificate_file(). This means that the file can contain the whole chain of certificates that authenticate the server. 25. Updated convert4r4 to check for colons that look as if they are part of expansion items in require_files lists (e.g. ${lc:xxxx}). In Exim 3, the whole list was expanded before splitting up, but in Exim 4, the splitting happens first, so such colons must be doubled. The conversion script now doubles such colons, and outputs a warning message. The test for one of these colons is a match against "\$\{\w+:". 26. If, while verifying a recipient address, a router was skipped because a lookup did not succeed, and the following router suffered a temporary failure (e.g. a timeout), the log line for the temporary rejection showed the error from the first router instead of from the second. 27. Exim crashed if a dnslists test was obeyed in an ACL for an SMTP message from the local host. Now it just fails to match the list. Exim version 4.02 ----------------- 1. Bug in string expansion: if a "fail" substring of a conditional contained another conditional that used the "fail" facility, Exim didn't swallow the right number of closing parentheses in the case when the original condition succeeded (i.e. when the condition containing the "fail" should be skipped). 2. helo_verify_hosts wasn't working when comparing host names. 3. When delivering down an existing SMTP connection, the error "Unexpectedly no free subprocess slot" was sometimes given for other addresses in the message. 4. Binary zeroes in the message body are now turned into spaces in the contents of $message_body and $message_body_end. 5. If the value of a field in a MySQL result was SQL NULL, and more than one field was selected, Exim crashed. 6. It seems that many OS treat 0.0.0.0 as meaning the local host, typically making it behave like 127.0.0.1. Since there have been incidents where this was found in the DNS, two changes have been made: (a) Added 0.0.0.0 to the ignore_target_hosts setting in the default configuration. (b) Unconditionally recognize 0.0.0.0 as the local host while routing. 7. Added helo_allow_chars so people can let in underscores if they really have to. Sigh. 8. Give configuration error if "maildir_format" or "mailstore_format" is specified for appendfile without specifying "directory". 9. When return_path was expanded in an smtp transport, the values of $local_part and $domain were not set up. 10. The optimization for sending multiple copies of a single message over one SMTP connection when there are lots of recipients (but too many for one copy of the message) was messing up in the case when max_rcpt was set to 1 (for VERP). It would send lots of copies with one RCPT each, correctly, but because the transport was passed more than one address, $local_part and $domain weren't set. Since setting max_rcpt to 1 is almost always associated with VERP (or at least, you do it because you want to use $domain or $local_part), I've made that a special case where the optimization is disabled. 11. Cygwin has case-insensitive file names. Therefore, we can't use base 62 numbers for Exim's identifiers. We have to use base 36 instead. Luckily 6 base 36 digits are still plenty enough to hold the time for some years to come. There's now a macro that is set either to 62 or 36, but the names and documentation still talk about "base 62". 12. Added build-time variable MAX_LOCALHOST_NUMBER (default 256) to allow the localhost number to be traded off against the maximum number of messages one process can receive in one second. This is relevant only when localhost_number is set. It may be useful for Cygwin, where the maximum sequence number is much less when up to 256 hosts are allowed. 13. Extended MySQL server data to allow for the specification of an alternate Unix domain socket. 14. Give error if too many slashes in mysql_servers or pgsql_servers item. 15. Changed the wording "debug string overflowed buffer" to "debug string too long - truncated" to make it clearer that it's not a big disaster. 16. Now that I finally understand the difference between the resolver's returns HOST_NOT_FOUND and NO_DATA, I've optimized Exim's DNS lookup so that if an MX lookup gets HOST_NOT_FOUND, it doesn't bother to try to look up an address record. Only if it gets NO_DATA does it do that. 17. The contents of Envelope-To: were not correct in cases when more than one envelope address was redirected to a single delivery address via an intermediate address, because the duplication was detected at the intermediate stage, but the checking for Envelope-To: only looked at duplicates of the final address. 18. If a message with the -N flag was on the spool, and was selected during a queue run by -R or -S, the -N flag was incorrectly passed on to all subsequent messages, leading to their being thrown away. 19. Remove unnecessary check for the local host when looking up host names in host lists. 20. If tls_certificate is supplied, but tls_privatekey is not, assume that both are in the tls_certificate file. 21. If a router set transport_current_directory or transport_home_directory to something that involved an LDAP lookup, and there was more than one local delivery to be done for a single message, all but the first got deferred because the LDAP connection for those variables got opened in the superior process, but closed in the first subprocess. The second subprocess then assumed it was still open. We now ensure that each subprocess starts with a clean slate (everything closed down) so that it can open and close its own connections as needed. 22. After a failure of ldap_result(), Exim was calling ldap_result2error() in order to get an error message. However, it appears that it shouldn't do this if the value of result variable is NULL. As I can't find any way of getting an error message out of LDAP in this circumstance, Exim now just gives says "ldap_result failed and result is NULL". 23. If a message arrives over a TLS connection via inetd, close down the SSL library in the subprocess for message delivery (but don't molest the parent's SSL connection). Exim version 4.01 ----------------- 1. When setting TCP_NODELAY, the call to setsockopt() was using SOL_SOCKET instead of IPPROTO_TCP, which caused excessive logging on some systems. 2. Changed the Makefile for Cygwin to set EXIM_USER and EXIM_GROUP to 0. 3. The SMTP rewriting facility was broken. 4. There was some malformatting in the spec.txt file (the other formats were OK). 5. Made convert4r4 change "bydns_a" into "bydns" in route_list options, and to do the same for "bydns_mx", but in this case to comment that it won't work the same (and to suggest a workaround). 6. Removed redundant code in deliver.c for indicating when a reused SMTP connection had been closed in a subprocess - this was being done twice. 7. Change 2 of 3.164 removed Exim's explicit checking that a reverse DNS lookup yielded a name whose forwarded lookup gave the original IP address, because I thought that gethostbyaddr() did this automatically (it seems to on some systems). There is hard evidence that I was wrong, so this test has been put back, and in a better form, because it now checks alias names. This means that the verify=reverse_host_lookup condition in an ACL reduces to requiring that the host name has been looked up, since the checks it previously did are not always applied. 8. When sender verification fails, the error associated with it is given by default before the 550 error for the first RCPT command. Not everybody wants to see this. There is now an option (no_details) that suppresses it. 9. The patterns in rewriting rules with the 'S' flag were not being expanded. For consistency with other patterns (and the documentation), this has been changed. 10. "domainlist", "hostlist", and "addresslist" weren't recognized if the immediately following character was a tab rather than a space. 11. The rules for writing daemon pid files have changed. A new option -oP has been added to provide a way of specifying a pid file path on the command line. Exim now writes a pid file when -bd is used, unless -oX is specified without -oP. 12. The version number of OpenSSL was included in the response to the STARTTLS command - a legacy from the original contributed code that doesn't seem sensible. It no longer appears, and I took it out of the debug output as well because that was the only place left, and the code to compute it was "mysterious magic" that didn't seem worth keeping. 13. When another message was processed in order to send it down an existing SMTP connection, Exim was doing the routing for all the addresses. Even if called from a delivery from a queue runner, this doesn't count as "in a queue run", so retry times were not being inspected. If the message had a large number of recipients, and several of them timed out while routing, the delay could be so large that the server at the other end of the SMTP connection would time out. To avoid this happening, Exim now skips routing for any addresses that have a domain retry time set for routing, whether or not that retry time has arrived, when dealing with a pre-existing SMTP connection. This will be "right" pretty well all of the time, and even when it is "wrong", the only consequence will be some delay. (This doesn't apply to "address" retry times, because those are usually the result of 4xx errors, not timeouts.) 14. Added words to the initial output from -bh pointing out that no ident callback is done. 15. The convert4r4 script wasn't getting it quite right with an aliasfile director that had a "transport" setting. It was missing the "yes/no" in the "condition" setting. Exim version 4.00 ----------------- 1. Changed the name of debug_print for authenticators (3.953/38) to server_debug_print because it applies only when the authenticator is running as a server. 2. Forgot to change DB_ to EXIMDB_ in the Cygwin Makefile. 3. There were still a couple of uses of vfork() when passing a socket to a new delivery process. The use of vfork() is not recommended these days, so I changed them to fork(). 4. Added the spa authentication mechanism, using the code contributed by Marc Prud'hommeaux (and mostly taken from the Samba project). This supports Microsoft's "Secure Password Authentication", but only as a client. 5. queryprogram had current_directory unset, but used "/" when it was unset. It is tidier just to make the default "/" and have done with it. 6. When a delivery is run with -v, the -v flag is no longer passed on to new processes that are started in order to send other messages on existing SMTP connections. This prevents non-admin users from seeing these other deliveries. Admin users can specify a higher level of debugging, and when this is done, the debugging selection is passed on. 7. Increased the increment for dynamic strings from 50 to 100. 8. When Exim was building a dynamic string for $header_xxx from a number of headers of the same name, or for $message_headers, it was using the dynamic string function which is designed for use with relatively short strings. If a pathological message had an enormous header, it chewed up memory at a ridiculous rate. The code has been rewritten so that it does not do this. With a 64K header string (there's a limit set at 64K) it now just gets one 64K buffer. Previously it used a large number of megabytes to build such a string, and some system filter processing ran machines into the ground on messages with huge headers. 9. The work for 8 involved a small amount of other "refactoring" in the expansion functions. 10. If "headers add" or "headers remove" were used in a system filter, the headers didn't actually get changed when testing with -bF. This could affect later commands in the filter that referred to the headers. 11. Two system filter bugs: (a) The system filter was always being run as root, even if system_filter_user was set. (b) When the system filter was not run as root, changes to the header lines by "headers add" or "headers remove" were being lost. Because of (a), (b) would never have bitten. 12. Some "refactoring" in the daemon: (a) Removed redundant statement smtp_in=NULL. (b) The test for fork failure for a delivery process was not quite in the right place. (c) Added main and panic logging for receive and delivery fork failures. (d) Check for fdopen() failure, and don't try to continue, but ensure the sockets get closed. (e) Log fclose() failures. 13. Added the "/data" facility to ACL dnslists so as to make it easy to use, for example, the domain lookup of rfc-ignorant.org. 14. Refactored the code in the daemon to use a vector of structures instead of two separate vectors for storing the pid of a spawned accepting process and the corresponding IP address of the client. (This is to make it easier to add other things.) 15. If EXIM_USER or EXIM_GROUP were set to the empty string in Local/Makefile, the uid or gid were set to zero, which is unsafe. These settings now cause an error message at build time. 16. check_ancestor was doing its check case-sensitively, which meant that it did not work with some configurations when redirecting changed the case of the local part. Now check_ancestor respects the setting of caseful_local_part on the router which routed the ancestor address. 17. The check for router looping (whether the current router had previously routed the same address) was always being done case-insensitively. It should do the local part check case-sensitively when caseful_local_part is set for that router. 18. Added helo_try_verify_hosts, which is like helo_verify_hosts except that it doesn't reject failing HELO/EHLO. Instead the verification state can be testing in an ACL by verify=helo. 19. When echoing log writes from a parallel remote delivery process to the debug output, the pid of the parallel process was being omitted. 20. In an ACL run for a RCPT command, the values of $domain and $local_part were becoming unset after a sender or recipient verification. 21. Exim crashed if called with -C followed by a ridiculously long string. 22. Some other potential points of trouble caused by pathological input data have been defended. 23. If hosts_randomize was set on an smtp transport, the randomizing code had a bug which could put the delivery process into a tight loop. Exim version 3.953 ------------------ 1. Exim was not terminating the names of named lists in memory. It got away with this on systems where newly malloc()d store is zeroed (always a bad practice). When running in its test harness, Exim now ensures that all new memory from malloc is filled with a non-zero value. This will help pick up bugs like this in future. (I haven't made it do it always, for performance reasons.) 2. When skip_syntax_errors was set on a redirect router, and a forward file (NOT a filter file) contained only invalid addresses, the message was discarded. The router now declines, as it does for invalid filter files. Thus, the address is passed on unless no_more is set. 3. When an address containing upper case letters in the local part was deferred, eximon showed the lowercased version with the caseful version as a "parent", as well as the original caseful version in its queue list. 4. When hide_child_in_errmsg was set on a redirect router, bounce messages still showed the failed addresses in the X-Failed-Recipients: header line. 5. Change 6 for 3.952 should also have included SIGTERM. 6. exim -bP +something was searching only the domain lists. It now searches all lists for a matching name. 7. If Local/Makefile contains more than one of USE_DB, USE_GDBM, or USE_TDB, give a build-time error. When it does contain one of them, arrange for any OS default for any other one to be overridden. (The code expects at most one of these to be defined.) 8. When a value for transport_home_directory is taken from the password information, wrap it in \N...\N so that it isn't expanded in the transport. This affects Cygwin, where home directories may contain $ characters. 9. Fixed an occasional crash when autoreply was sending a message created by a user's filter file. It was referencing uninitialized memory. (The prophylactic mentioned in 1 above made it a hard error.) 10. The "run" and "readfile" expansion items could sometimes return extra junk characters (yet another uninitialized memory bug). 11. The lockout options forbid_filter_existstest etc. were not propagating to the expansion of files sent as part of "mail" messages from users' filter files. 12. Another unterminated string bug: when an ACL was read from a file dynamically it wasn't properly terminated. 13. Cached pgsql connections weren't being re-used, leading to a potential build-up of open connections. 14. $message_headers is supposed to be limited to 64K in length, but it wasn't so limited if an individual header line was longer than 64K. 15. An individual header line, or concatenation of multiple identically- named header lines, inserted by $h_xxxx is supposed to be limited to 64K in length, but it wasn't so limited if the only header line was longer than 64K. 16. A syntactically incorrect setting of -d... is now treated as a command line syntax error (message to stderr, return code 1), without any entry on the log. 17. Modifications to the exim_install script: (a) Scan the combined Makefile in the build directory instead of messing around scanning its individual constituent files. (b) Use sed instead of a pipe of grep, tail and cuts. This allows better control, but has to be very simple sed in order to work on Solaris. (c) Allow for the setting of EXE to add a subscript to executables for the benefit of Cygwin. (d) Use -c instead of -b with "cut" because the "cut" in BSD/OS doesn't grok -b. 18. Changes for Cygwin: (a) Update scripts/os-type to recognize CYGWIN. (b) Arrange (via the Uopen() macro) for all calls to open() to have the O_BINARY flag, to avoid CRLF problems. (c) If OS_INIT is defined, call it at the very start of Exim's execution. (d) When resolver debugging is enabled, set _res.options |= RES_DEBUG before calling res_init() as well as after, because that generates some debugging info during initialization. 19. Make the initial call to os_getloadavg() in exim.c conditional on LOAD_AVG_NEEDS_ROOT because it is done just to initialize os_getloadavg() on systems that require the first call to be done as root. It should be called only when messages are being received; it was being called unnecessarily in some cases. 20. If Exim failed to open its retry hints database at routing time, it crashed during a subsequent local delivery. 21. If Exim is neither setuid root nor called by root, there is no need to attempt to drop root privilege when it is not needed. 22. I'd forgotten to remove the check for the presence of %s in pid_file_path when it was set at run time. 23. If a transport filter crashed, or yielded a non-zero return code during an SMTP delivery, Exim was not aborting the delivery. This led to multiple partial deliveries of the message until the transport filter was fixed. 24. Do not try alternate hosts if a transport filter crashes or yields a non-zero return during an SMTP delivery. 25. When exim -be is reading input lines from stdin, backslash can now be used for continuations. This makes it easier to test expansions from a configuration file by cut and paste, and long expansions in general. 26. The file src/auths/xtextdecode.c was incorrectly named xtestdecode.c, but because the MakeLinks script built a symbolic link that worked, this mistake didn't actually show up. 27. When Exim is delivering another message down an existing connection, remote_max_parallel should be forced to 1; this wasn't happening, though it would have caused a problem only if a message had more than 100 recipients routed to the host. 28. When there was a problem while delivering down an existing connection, such that the transport process closed the connection, this fact wasn't getting communicated to the calling delivery process, which might have tried to do more deliveries on the same connection. This would only have caused a problem if there were more than 100 recipients to the same host. 29. The ${extract} action, with a negative field number that selected the first field in a string, could return junk characters at the start of the extracted field. 30. When Exim is acting as a client, if an attempt to start a TLS session fails during the TLS negotiation phase (i.e. STARTTLS is accepted, but there's a problem such as an unrecognized certificate during TLS session startup), Exim used always to defer delivery. Now, unless the host is in hosts_require_tls, Exim makes a new connection to the host and attempts to send the message unencrypted. This avoids stuck messages for servers that advertise STARTTLS but don't actually support it properly. 31. Added ${address:xxx} to go with ${domain:xxx} and ${local_part:xxx} which extract from RFC 2822 addresses. 32. The rules for recognizing when Exim is being called from inetd have changed. Previously Exim required SMTP input, stdin to be a TCP/IP socket, and the caller to be root or the Exim user. This left a gaping hole if the caller was not root or the Exim user, because then it wouldn't do the policy checking for a remote host, because it didn't realize it was being called from inetd. (This was seen on Debian configurations). Exim now behaves as follows: if the input is SMTP and stdin is a TCP/IP socket, a call from inetd is assumed. This is allowed to proceed either if the caller is root or the Exim user, or if the port used is privileged (less than 1024). Otherwise (a different user passing an unprivileged port) Exim gives a "Permission denied" error. 33. Removed $compile_number from the default SMTP banner line (after discussion on the mailing list). Also removed it from the default $Received: header. 34. # is documented as a comment character in the run time configuration only when it appears at the start of a line. In the case of boolean values, extra characters after "= true" or "= false" were being ignored, leading to a false impression that comments could appear there. This is now diagnosed as an error. 35. If a boolean option without a following "=" was followed by # (in the mistaken belief that this would be a comment), the error was "missing =", which was confusing. Exim now complains about extra characters. 36. When Exim complains about extra characters following an option setting, it now adds a comment about comments if the first extra character is #. 37. Output debug_print strings when testing a host using -bh. 38. Added server_debug_print to authenticators (compare routers and transports). This outputs when an authenticator is called as a server. It can be helpful while testing with -bh. 39. Added debugging output to the crypteq condition. 40. If a named domain or local part list used in a "domains" or "local_parts" option on a router matched by means of a lookup, the $domain_data and $local_part_data variables were set for the first router that did this, but were not set for any subsequent routers that used the same named list. The same was true for multiple tests of named domain or local parts lists in an ACL. 41. If the variable "build" is set when the top-level Makefile is run, the variable now propagates from the top-level Makefile to subsidiary ones. In addition, Local/Makefile-$(build) is added to the list of concatenated files that go at the start of the Makefile in the build directory. 42. If NO_SYMLINK is defined in Local/Makefile, the exim_install script just copies the Exim binary in with its unique name, without moving the "exim" symbolic link to it. 43. Added BSDI 4.2 as a BSDI variant in scripts/os-type. 44. The spool file format for remembering a "one_time" redirection has changed; I had forgotten to make Exim 4 capable of reading Exim 3 spool files. 45. Address lists are now permitted to include items of the form *@+name where "name" is a named domain list. (Note that an item of the form +name is taken as a named _address_ list.) 46. When Exim gives up privilege and reverts to the calling user because it was called with the -C, -D, -be, or -bi options, it now reinstates the supplementary group list as well as the uid and gid. 47. The crypteq condition has been extended. When the encrypted string begins with "{md5}" Exim used to assume that the digest was encoded as a base64 string. Now it assumes this only if its length is 24 bytes. If the length is 32 bytes, Exim assumes a digest expressed in hex characters. If the length is neither 24 nor 32, the comparison always fails. 48. Updated the convert4r4 script: (a) Some typos in the comments. (b) Remove kill_ip_options, log_ip_options, and refuse_ip_options, which no longer exist. (c) Move all macro definitions to the top of the output, to ensure that they precede any references to them. (d) If tls_verify_ciphers was set without tls_verify_hosts, the generated new configuration insisted on encryption ("these ciphers must be used for all connections") instead of just checking the cipher when encryption happened ("if encrypted, these ciphers must be used"). (e) Address lists are now checked to see if they contain any bare lookup items and if they do, these are converted to two items, the first preceded by "*@" and the second with "partial-" removed. This makes Exim 4 behave in the way that Exim 3 used to. An explanatory comment is output. (f) Put more explanation in above the "hosts = :" test. 49. Write a main and panic log entry when "partial-" is ignored in a lookup that is part of an address list. (Applies when the item is a lookup for which the whole address is the key.) 50. Two changes to the way $original_local_part and $parent_local_part work: (a) When an address that had a prefix or suffix was redirected to another address, the value of $original_local_part and $parent_local_part had the prefix or suffix stripped when referred to during the processing of the child address. This doesn't seem right, so it has been changed. (b) When an address that had a prefix or suffix was being processed, $local_part had the affix stripped, and if it was a top-level address, $original_local_part also has the affix stripped. This has been changed. Now $original_local_part contains the same value at all levels. ($parent_local_part remains empty at top level.) 51. A number of macros in the Exim source began with "DB_". When compiling with Berkeley DB version 4, DB_LOCK_TIMEOUT clashed with a macro set by that package. The Exim macros now all start with "EXIMDB_", and Exim therefore now supports DB version 4. 52. Newlines in a "freeze" text from a system filter were being sent as \n in messages created by the "freeze_tell" option. They are now converted back to newlines (in the log line they continue to appear as \n). 53. Added a new ACL condition "verify = reverse_host_lookup". This does a reverse lookup of the client host's IP address, then does a forward lookup for all the names it receives, and checks that at least one of the IP addresses obtained from the forward lookup matches the incoming IP address. The lookups are done with gethostbyaddr() and gethostbyname(), respectively. 54. A small fix to eximstats reduces its store usage substantially when it is processing very large log files: when a message's "completed" line is reached, discard the memory of the message's size. 55. If an address was redirected to itself more than once (e.g. by two different "redirect" routers, or because of the use of "unseen", it was incorrectly discarded as a duplicate address. 56. For a rewrite pattern of the form *@something, if an actual address contained @ in the local part (e.g. "a@b"@x.y), the value of $1 was set incorrectly during expansion of the replacement address (it stopped at the first @ instead of at the last one). 57. Added hosts_nopass_tls to the smtp transport. For any host that matches this list, a connection on which a TLS session has been started will not be passed to a new delivery process for sending another message on the same connection. 58. The -dropcr command line option now turns CRLF into LF, while leaving isolated CR characters alone. (Previously it removed _all_ CR characters.) There is now also a drop_cr main option which has the effect of -dropcr for all incoming non-SMTP messages. 59. If a configuration file macro expanded into a boolean option which was not followed by = and a value, Exim gave a spurious error for an "unknown" value for the option (typically a string from the previous line). Exim version 3.952 ------------------ 1. convert4r4 had an incorrect file name in its comment output. 2. convert4r4 was looking up $local_part instead of $domain in its generated manualroute output. 3. There was no check that getpeername() was giving a socket address when called on stdin passed from a previous delivery. 4. Fixed an old bug whereby Exim could segfault if debugging was turned on and a DNS lookup found MX records for hosts whose A records had to be looked up separately, and some of them pointed to the local host (pretty rare). 5. The debugging output for log writes now shows the names of any log selectors instead of the hex value of the selector word. 6. If a delivery subprocess is terminated by SIGKILL or SIGQUIT, do not freeze the message. This can happen during system shutdown. Other kinds of process failure indicate problems. 7. If a sender verification did not complete (e.g. DNS lookup timed out), the log line for the temporary RCPT rejection did not always say why (it lost the message if there had been a previous call to any lookup). 8. The special message about MX records that point to IP addresses instead of host names was not getting returned in the SMTP response when a verification failed. This has been fixed, and the message that is logged in this circumstance has been made less verbose. 9. When an SMTP callout is done, Exim tries to use the interface and port number from the transport that the address was routed to during the prior verification. If it wasn't routed to a remote transport, or if there's a problem expanding the relevant options, Exim does not use a specific interface, and it connects to port 25. 10. If the string "syslog" happened to occur in the log file path, eximon was failing to extract the name of the main log file correctly. 11. Unlike other operating systems, Linux does not sync a directory after a rename. However, we need this to happen to be sure an incoming message has been safely recorded after it has been received. I have therefore added a macro called NEED_SYNC_DIRECTORY (which is set in OS/os.h_Linux) to request Exim to do an explicit sync on the directory after the rename. If O_DIRECTORY is defined, it is used when opening the directory. 12. When a system filter creates any new deliveries, they are given a fake "parent" address which appears on the logs, and is necessary for pipes, files, and autoreplies, which cannot be toplevel addresses. This fake was set up with the text "system filter". It's been changed to "system-filter" because the space in the previous text could cause trouble. 13. The new option local_sender_retain suppresses the removal of Sender: header lines in locally-submited (non-TCP/IP) messages from untrusted users. It is required that no_local_from_check be set with local_sender_retain. 14. In a file interpolated into an address list, if a local part contained a # character and there was also a following comment (introduced by a # preceded by white space), the comment was not recognized. 15. Local part lists are now handled as address lists as far as recognition of comments in interpolated files and the processing of +caseful at the top level are concerned. In the local_parts option of a router, +caseful will restore case-sensitive matching, even when the router does not have caseful_local_part set (the default). 16. The key used for a dsearch lookup may not contain '/'. If it does, the lookup defers. 17. When starting a delivery process after receiving a message locally, discard the controlling terminal unless debugging is turned on. 18. The exim group was automatically trusted; this was not correct because it meant that admin users who were in the exim group were automatically trusted. If you want the exim group to be trusted, it must now be explicitly configured. 19. The default configuration mentioned "dns_lists" instead of "dnslists" in a comment. 20. Minor corrections and changes to the Exim4.upgrade document and to the OptionLists.txt document. 21. If a local part beginning with a pipe symbol was routed to a pipe transport, the transport got confused as to which command it should run. This could be a security exposure if unchecked local parts are routed to pipe transports. 22. When logging SMTP connections to the daemon from other hosts, include the connection count in the log line. Tidied up the identification of SMTP sources in logging lines. 23. Added "sender_domains" as a new ACL condition so that the Exim 3 setting of sender_verify_callback_domains can easily be replicated. Corrected convert4r4, which was incorrectly converting this to a "domains" setting. 24. The code for reading ident values was not discarding leading spaces, which some hosts seem to send. 25. The building process was still insisting that PID_FILE_PATH contained %s, but this is not required for Exim 4. 26. The logging of ETRN commands had got lost. It has been restored, and the log selector "etrn" (on by default) added to control it. 27. IPv6 reverse DNS lookups were originally specified as happening in the ip6.int domain, but this is being changed to ip6.arpa (and they've changed the meaning of "arpa" to "Address and Routing Parameters Area"). The only time Exim does reverse lookups directly (as opposed to calling gethostbyaddress()) is in the code for the dnsdb lookup type. This has been changed to use ip6.arpa. 28. Made the test programs (test_dbfn for testing DBM files, and some others) compile! Updated the help output from test_dbfn. 29. Changed all occurrences of "r" and "w" in fopen() fdopen() calls to "rb" and "wb". This makes no difference in Unix systems, but is apparently necessary for running Exim under Cygwin. 30. Three changes that make virtually no difference when Exim is run on a real Unix system, but which were asked for to make life easier when porting it to run under Cygwin: (a) Changed the logic for locking a message when an Exim process is handling it. Previously, the entire -D file was locked to indicate this. Now Exim locks only the first line, which contains the name of the file. Apparently, in the Cygwin environment, a subprocess cannot read locked parts of a file, even when it is passed an open file descriptor to that file from the process that did the locking. By locking only the first line, which the subprocess does not want to read (it just needs to read the data that follows), we can get round this restriction with minimal effort. (b) Added support for native gdbm function calls. GDBM is apparently the only DBM library that is currently available Cygwin, and only with its native API. (c) The default modes for files, directories, and lock files in the appendfile transport can now be set in Local/Makefile at build time. 31. When transmitting a message using SMTP with PIPELINING, if the server gave a malformed SMTP response, the message logged by Exim didn't associate it with the pipelined SMTP command to which it referred. For example it logged "after DATA" if all the recipients had been sent. Also, if the response was an empty line (illegal), it didn't show up very clearly. The error messages are now more accurate, and point out empty lines. 32. Minor corrections and changes to src/configure.default. 33. When a host list in a route_list item that was enclosed in double quotes contained single quotes within it, the quoting was incorrectly terminated. Both the pattern and the host list in route_list items are now handled by the standard quote-processing function. 34. Corrected the EDITME file for eximon so that the default stripchart patterns work with the default runtime configuration for local deliveries. (Previously it matched a delivery via a director - not possible in Exim 4.) Exim version 3.951 ------------------ Exim 3.951 is the first alpha testing release for Exim 4. A list the many individual changes to the code made between Exim 3.33 and Exim 3.951 was not kept. The functional changes are listed in the Exim4.upgrade file. ****