-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.405 2006/10/10 11:15:12 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.417 2006/10/30 16:41:04 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
addresses), $smtp_active_hostname is used.
PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various
- tweaks were necessary in order to get it to work:
+ tweaks were necessary in order to get it to work (see also 21 below):
(a) The code assumed that strncpy() returns a negative number on buffer
overflow, which isn't the case. Replaced with Exim's string_format()
function.
str(n)cmp tests so they don't re-test the leading "-" and the first
character, in the hope this might squeeze out yet more improvement.
+PH/18 Two problems with "group" syntax in header lines when verifying: (1) The
+ flag allowing group syntax was set by the header_syntax check but not
+ turned off, possible causing trouble later; (2) The flag was not being
+ set at all for the header_verify test, causing "group"-style headers to
+ be rejected. I have now set it in this case, and also caused header_
+ verify to ignore an empty address taken from a group. While doing this, I
+ came across some other cases where the code for allowing group syntax
+ while scanning a header line wasn't quite right (mostly, not resetting
+ the flag correctly in the right place). These bugs could have caused
+ trouble for malformed header lines. I hope it is now all correct.
+
+PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called
+ with the "reply" argument non-NULL. The code, however (which originally
+ came from elsewhere) had *some* tests for NULL when it wrote to *reply,
+ but it didn't always do it. This confused somebody who was copying the
+ code for some other use. I have removed all the tests.
+
+PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a
+ feature that was used to support insecure browsers during the U.S. crypto
+ embargo. It requires special client support, and Exim is probably the
+ only MTA that supported it -- and would never use it because real RSA is
+ always available. This code has been removed, because it had the bad
+ effect of slowing Exim down by computing (never used) parameters for the
+ RSA_EXPORT functionality.
+
+PH/21 On the advice of Timo Sirainen, added a check to the dovecot
+ authenticator to fail if there's a tab character in the incoming data
+ (there should never be unless someone is messing about, as it's supposed
+ to be base64-encoded). Also added, on Timo's advice, the "secured" option
+ if the connection is using TLS or if the remote IP is the same as the
+ local IP, and the "valid-client-cert option" if a client certificate has
+ been verified.
+
+PH/22 As suggested by Dennis Davis, added a server_condition option to *all*
+ authenticators. This can be used for authorization after authentication
+ succeeds. (In the case of plaintext, it servers for both authentication
+ and authorization.)
+
+PH/23 Testing for tls_required and lost_connection in a retry rule didn't work
+ if any retry times were supplied.
+
+PH/24 Exim crashed if verify=helo was activated during an incoming -bs
+ connection, where there is no client IP address to check. In this
+ situation, the verify now always succeeds.
+
+PH/25 Applied John Jetmore's -Mset patch.
+
+PH/26 Added -bem to be like -Mset, but loading a message from a file.
+
+PH/27 In a string expansion for a processed (not raw) header when multiple
+ headers of the same name were present, leading whitespace was being
+ removed from all of them, but trailing whitespace was being removed only
+ from the last one. Now trailing whitespace is removed from each header
+ before concatenation. Completely empty headers in a concatenation (as
+ before) are ignored.
+
+PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John
+ Jetmore). It would have mis-read ACL variables from pre-4.61 spool files.
+
+PH/29 After an address error (typically a 4xx response from a server), Exim
+ always tries the failing address if it appears in a new message, but
+ respects the retry time otherwise. This was implemented by checking for
+ being in a queue run, which isn't quite right. Now it checks the
+ "first_delivery" flag instead.
+
+PH/30 Exim was sometimes attempting to deliver messages that had suffered
+ address errors (4xx response to RCPT) over the same connection as other
+ messages routed to the same hosts. Such deliveries are always "forced",
+ so retry times are not inspected. This resulted in far too many retries
+ for the affected addresses. The effect occurred only when there were more
+ hosts than the hosts_max_try setting in the smtp transport when it had
+ the 4xx errors. Those hosts that it had tried were not added to the list
+ of hosts for which the message was waiting, so if all were tried, there
+ was no problem. Two fixes have been applied:
+
+ (i) If there are any address or message errors in an SMTP delivery, none
+ of the hosts (tried or untried) are now added to the list of hosts
+ for which the message is waiting, so the message should not be a
+ candidate for sending over the same connection that was used for a
+ successful delivery of some other message. This seems entirely
+ reasonable: after all the message is NOT "waiting for some host".
+ This is so "obvious" that I'm not sure why it wasn't done
+ previously. Hope I haven't missed anything, but it can't do any
+ harm, as the worst effect is to miss an optimization.
+
+ (ii) If, despite (i), such a delivery is accidentally attempted, the
+ routing retry time is respected, so at least it doesn't keep
+ hammering the server.
+
Exim version 4.63
-----------------
projects / exim.git / blobdiff