-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.46 2004/12/20 14:57:05 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.112 2005/04/06 10:06:14 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
+
+Exim version 4.51
+-----------------
+
+TK/01 Added Yahoo DomainKeys support via libdomainkeys. See
+ doc/experimental-spec.txt for details. (http://domainkeys.sf.net)
+
+TK/02 Fix ACL "control" statement not being available in MIME ACL.
+
+TK/03 Fix ACL "regex" condition not being available in MIME ACL.
+
+PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used
+ to test Sieve filters that use "vacation".
+
+PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch
+ that changes the way the GnuTLS parameters are stored in the cache file.
+ The new format can be generated externally. For backward compatibility,
+ if the data in the cache doesn't make sense, Exim assumes it has read an
+ old-format file, and it generates new data and writes a new file. This
+ means that you can't go back to an older release without removing the
+ file.
+
+PH/03 A redirect router that has both "unseen" and "one_time" set does not
+ work if there are any delivery delays because "one_time" forces the
+ parent to be marked "delivered", so its unseen clone is never tried
+ again. For this reason, Exim now forbids the simultaneous setting of
+ these two options.
+
+PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are
+ redirected to themselves ("homonym" addresses). Read the long ChangeLog
+ entry if you want to know the details. The fix, however, neglected to
+ consider the case when local delivery batching is involved. The test for
+ "previously delivered" was not happening when checking to see if an
+ address could be batched with a previous (undelivered) one; under
+ certain circumstances this could lead to multiple deliveries to the same
+ address.
+
+PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T
+ in its include files, and this causes problems building Exim.
+
+PH/06 A number of "verify =" ACL conditions have no options (e.g. verify =
+ header_syntax) but Exim was just ignoring anything given after a slash.
+ In particular, this caused confusion with an attempt to use "verify =
+ reverse_host_lookup/defer_ok". An error is now given when options are
+ supplied for verify items that do not have them. (Maybe reverse_host_
+ lookup should have a defer_ok option, but that's a different point.)
+
+PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as
+ defined by RFC 821) to 2048, because there were problems with some AUTH
+ commands, and RFC 1869 says the size should be increased for extended
+ SMTP commands that take arguments.
+
+PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony
+ Finch).
+
+PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an
+ "unknown" error; now it says that the functionality isn't in the binary.
+
+PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in
+ an address' error message when a string expansion fails (syntax or
+ whatever). Otherwise not only does the password appear in the log, it may
+ also be put in a bounce message.
+
+PH/11 Installed exipick version 20050225.0 from John Jetmore.
+
+PH/12 If the last host in a fallback_hosts list was multihomed, only the first
+ of its addresses was ever tried. (Bugzilla bug #2.)
+
+PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed
+ the result incorrectly in the debug output. (It correctly added a newline
+ to what was transported.)
+
+TF/01 Added $received_time.
+
+PH/14 Modified the default configuration to add an acl_smtp_data ACL, with
+ commented out examples of how to interface to a virus scanner and to
+ SpamAssassin. Also added commented examples of av_scanner and
+ spamd_address settings.
+
+PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions
+ and controls are allowed in which ACLs. There were a couple of minor
+ errors. Some of the entries in the conditions table (which is a table of
+ where they are NOT allowed) were getting very unwieldy; rewrote them as a
+ negation of where the condition IS allowed.
+
+PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer.
+
+PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the
+ header file does not have a version number, so I've had to invent a new
+ value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new
+ API. The code is untested by me (my Linux distribution still has 0.3.2 of
+ radiusclient), but it was contributed by a Radius user.
+
+PH/18 Installed Lars Mainka's patch for the support of CRL collections in
+ files or directories, for OpenSSL.
+
+PH/19 When an Exim process that is running as root has to create an Exim log
+ file, it does so in a subprocess that runs as exim:exim so as to get the
+ ownership right at creation (otherwise, other Exim processes might see
+ the file with the wrong ownership). There was no test for failure of this
+ fork() call, which would lead to the process getting stuck as it waited
+ for a non-existent subprocess. Forks do occasionally fail when resources
+ run out. I reviewed all the other calls to fork(); they all seem to check
+ for failure.
+
+PH/20 When checking for unexpected SMTP input at connect time (before writing
+ the banner), Exim was not dealing correctly with a non-positive return
+ from the read() function. If the client had disconnected by this time,
+ the result was a log entry for a synchronization error with an empty
+ string after "input=" when read() returned zero. If read() returned -1
+ (an event I could not check), uninitialized data bytes were printed.
+ There were reports of junk text (parts of files, etc) appearing after
+ "input=".
+
+PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages.
+
+PH/22 Added support for macro redefinition, and (re)definition in between
+ driver and ACL definitions.
+
+PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then
+ forgetting to use the resulting value; it was using the unexpanded value.
+
+PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it
+ hadn't been configured. The fix is from Juergen Kreileder, who
+ understands it better than I do:
+
+ "Here's what I see happening with three configured cyrus_sasl
+ authenticators configured (plain, login, cram-md5):
+
+ On startup auth_cyrus_sasl_init() gets called for each of these.
+ This means three calls to sasl_listmech() without a specified mech_list.
+ => SASL tests which mechs of all available mechs actually work
+ => three warnings about OTP not working
+ => the returned list contains: plain, login, cram-md5, digest-md5, ...
+
+ With the patch, sasl_listmech() also gets called three times. But now
+ SASL's mech_list option is set to the server_mech specified in the the
+ authenticator. Or in other words, the answer from sasl_listmech()
+ gets limited to just the mech you're testing for (which is different
+ for each call.)
+ => the return list contains just 'plain' or 'login', 'cram-md5' or
+ nothing depending on the value of ob->server_mech.
+
+ I've just tested the patch: Authentication still works fine,
+ unavailable mechs specified in the exim configuration are still
+ caught, and the auth.log warnings about OTP are gone."
+
+PH/25 When debugging is enabled, the contents of the command line are added
+ to the debugging output, even when log_selector=+arguments is not
+ specified.
+
+
+A note about Exim versions 4.44 and 4.50
+----------------------------------------
+
+Exim 4.50 was meant to be the next release after 4.43. It contains a lot of
+changes of various kinds. As a consequence, a big documentation update was
+needed. This delayed the release for rather longer than seemed good, especially
+in the light of a couple of (minor) security issues. Therefore, the changes
+that fixed bugs were backported into 4.43, to create a 4.44 maintenance
+release. So 4.44 and 4.50 are in effect two different branches that both start
+from 4.43.
+
+I have left the 4.50 change log unchanged; it contains all the changes since
+4.43. The change log for 4.44 is below; many of its items are identical to
+those for 4.50. This seems to be the most sensible way to preserve the
+historical information.
+
+
Exim version 4.50
-----------------
just the host names, not the priorities.
(3) It is now possible to give a list of domains (or IP addresses) to be
- looked up.
+ looked up. The behaviour when one of the lookups defers can be
+ controlled by a keyword.
(4) It is now possible to specify the separator character for use when
multiple records are returned.
contradicting the general specification for all authenticators. Instead it
was generating a temporary error. It now behaves as specified.
+50. The default ordering of permitted cipher suites for GnuTLS was pessimal
+ (the order specifies the preference for clients). The order is now AES256,
+ AES128, 3DES, ARCFOUR128.
+
+51. Small patch to Sieve code - explicitly set From: when generating an
+ autoreply.
+
+52. Exim crashed if a remote delivery caused a very long error message to be
+ recorded - for instance if somebody sent an entire SpamAssassin report back
+ as a large number of 550 error lines. This bug was coincidentally fixed by
+ increasing the size of one of Exim's internal buffers (big_buffer) that
+ happened as part of the Exiscan merge. However, to be on the safe side, I
+ have made the code more robust (and fixed the comments that describe what
+ is going on).
+
+53. Now that there can be additional text after "Completed" in log lines (if
+ the queue_time_overall log selector is set), a one-byte patch to exigrep
+ was needed to allow it to recognize "Completed" as not the last thing in
+ the line.
+
+54. The LDAP lookup was not handling a return of LDAP_RES_SEARCH_REFERENCE. A
+ patch that reportedly fixes this has been added. I am not expert enough to
+ create a test for it. This is what the patch creator wrote:
+
+ "I found a little strange behaviour of ldap code when working with
+ Windows 2003 AD Domain, where users was placed in more than one
+ Organization Units. When I tried to give exim partial DN, the exit code
+ of ldap_search was unknown to exim because of LDAP_RES_SEARCH_REFERENCE.
+ But simultaneously result of request was absolutely normal ldap result,
+ so I produce this patch..."
+
+ Later: it seems that not all versions of LDAP support LDAP_RES_SEARCH_
+ REFERENCE, so I have modified the code to exclude the patch when that macro
+ is not defined.
+
+55. Some experimental protocols are using DNS PTR records for new purposes. The
+ keys for these records are domain names, not reversed IP addresses. The
+ dnsdb PTR lookup now tests whether its key is an IP address. If not, it
+ leaves it alone. Component reversal etc. now happens only for IP addresses.
+ CAN-2005-0021
+
+56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP.
+
+57. Double the size of the debug message buffer (to 2048) so that more of very
+ long debug lines gets shown.
+
+58. The exicyclog utility now does better if the number of log files to keep
+ exceeds 99. In this case, it numbers them 001, 002 ... instead of 01, 02...
+
+59. Two changes related to the smtp_active_hostname option:
+
+ (1) $smtp_active_hostname is now available as a variable.
+ (2) The default for smtp_banner uses $smtp_active_hostname instead
+ of $primary_hostname.
+
+60. The host_aton() function is supposed to be passed a string that is known
+ to be a valid IP address. However, in the case of IPv6 addresses, it was
+ not checking this. This is a hostage to fortune. Exim now panics and dies
+ if the condition is not met. A case was found where this could be provoked
+ from a dnsdb PTR lookup with an IPv6 address that had more than 8
+ components; fortuitously, this particular loophole had already been fixed
+ by change 4.50/55 above.
+
+ If there are any other similar loopholes, the new check in host_aton()
+ itself should stop them being exploited. The report I received stated that
+ data on the command line could provoke the exploit when Exim was running as
+ exim, but did not say which command line option was involved. All I could
+ find was the use of -be with a bad dnsdb PTR lookup, and in that case it is
+ running as the user.
+ CAN-2005-0021
+
+61. There was a buffer overflow vulnerability in the SPA authentication code
+ (which came originally from the Samba project). I have added a test to the
+ spa_base64_to_bits() function which I hope fixes it.
+ CAN-2005-0022
+
+62. Configuration update for GNU/Hurd and variations. Updated Makefile-GNU and
+ os.h-GNU, and added configuration files for GNUkFreeBSD and GNUkNetBSD.
+
+63. The daemon start-up calls getloadavg() while still root for those OS that
+ need the first call to be done as root, but it missed one case: when
+ deliver_queue_load_max is set with deliver_drop_privilege. This is
+ necessary for the benefit of the queue runner, because there is no re-exec
+ when deliver_drop_privilege is set.
+
+64. A call to exiwhat cut short delays set up by "delay" modifiers in ACLs.
+ This has been fixed.
+
+65. Caching of lookup data for "hosts =" ACL conditions, when a named host list
+ was in use, was not putting the data itself into the right store pool;
+ consequently, it could be overwritten for a subsequent message in the same
+ SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked
+ the caching.)
+
+66. Added hosts_max_try_hardlimit to the smtp transport, default 50.
+
+67. The string_is_ip_address() function returns 0, 4, or 6, for "no an IP
+ address", "IPv4 address", and "IPv6 address", respectively. Some calls of
+ the function were treating the return as a boolean value, which happened to
+ work because 0=false and not-0=true, but is not correct code.
+
+68. The host_aton() function was not handling scoped IPv6 addresses (those
+ with, for example, "%eth0" on the end) correctly.
+
+69. Fixed some compiler warnings in acl.c for the bitmaps specified with
+ negated items (that is, ~something) in unsigned ints. Some compilers
+ apparently mutter when there is no cast.
+
+70. If an address verification called from an ACL failed, and did not produce a
+ user-specific message (i.e. there was only a "system" message), nothing was
+ put in $acl_verify_message. In this situation, it now puts the system
+ message there.
+
+71. Change 4.23/11 added synchronization checking at the start of an SMTP
+ session; change 4.31/43 added the unwanted input to the log line - except
+ that it did not do this in the start of session case. It now does.
+
+72. After a timeout in a callout SMTP session, Exim still sent a QUIT command.
+ This is wrong and can cause the other end to generate a synchronization
+ error if it is another Exim or anything else that does the synchronization
+ check. A QUIT command is no longer sent after a timeout.
+
+73. $host_lookup_deferred has been added, to make it easier to detect DEFERs
+ during host lookups.
+
+74. The defer_ok option of callout verification was not working if it was used
+ when verifying addresses in header lines, that is, for this case:
+
+ verify = header_sender/callout=defer_ok
+
+75. A backgrounded daemon closed stdin/stdout/stderr on entry; this meant that
+ those file descriptors could be used for SMTP connections. If anything
+ wrote to stderr (the example that came up was "warn" in embedded Perl), it
+ could be sent to the SMTP client, causing chaos. The daemon now opens
+ stdin, stdout, and stderr to /dev/null when it puts itself into the
+ background.
+
+76. Arrange for output from Perl's "warn" command to be written to Exim's main
+ log by default. The user can override this with suitable Perl magic.
+
+77. The use of log_message on a "discard" ACL verb, which is supposed to add to
+ the log message when discard triggers, was not working for the DATA ACL or
+ for the non-SMTP ACL.
+
+78. Error message wording change in sieve.c.
+
+79. If smtp_accept_max_per_host was set, the number of connections could be
+ restricted to fewer than expected, because the daemon was trying to set up
+ a new connection before checking whether the processes handling previous
+ connections had finished. The check for completed processes is now done
+ earlier. On busy systems, this bug wouldn't be noticed because something
+ else would have woken the daemon, and it would have reaped the completed
+ process earlier.
+
+80. If a message was submitted locally by a user whose login name contained one
+ or more spaces (ugh!), the spool file that Exim wrote was not re-readable.
+ It caused a spool format error. I have fixed the spool reading code. A
+ related problem was that the "from" clause in the Received: line became
+ illegal because of the space(s). It is now covered by ${quote_local_part.
+
+81. Included the latest eximstats from Steve (adds average sizes to HTML Top
+ tables).
+
+82. Updated OS/Makefile-AIX as per message from Mike Meredith.
+
+83. Patch from Sieve maintainer to fix unterminated string problem in
+ "vacation" handling.
+
+84. Some minor changes to the Linux configuration files to help with other
+ OS variants using glibc.
+
+85. One more patch for Sieve to update vacation handling to latest spec.
+
+
+----------------------------------------------------
+See the note above about the 4.44 and 4.50 releases.
+----------------------------------------------------
+
+
+Exim version 4.44
+-----------------
+
+ 1. Change 4.43/35 introduced a bug that caused file counts to be
+ incorrectly computed when quota_filecount was set in an appendfile
+ transport
+
+ 2. Closing a stable door: arrange to panic-die if setitimer() ever fails. The
+ bug fixed in 4.43/37 would have been diagnosed quickly if this had been in
+ place.
+
+ 3. Give more explanation in the error message when the command for a transport
+ filter fails to execute.
+
+ 4. There are several places where Exim runs a non-Exim command in a
+ subprocess. The SIGUSR1 signal should be disabled for these processes. This
+ was being done only for the command run by the queryprogram router. It is
+ now done for all such subprocesses. The other cases are: ${run, transport
+ filters, and the commands run by the lmtp and pipe transports.
+
+ 5. Some older OS have a limit of 256 on the maximum number of file
+ descriptors. Exim was using setrlimit() to set 1000 as a large value
+ unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these
+ systems. I've change it so that if it can't get 1000, it tries for 256.
+
+ 6. "control=submission" was allowed, but had no effect, in a DATA ACL. This
+ was an oversight, and furthermore, ever since the addition of extra
+ controls (e.g. 4.43/32), the checks on when to allow different forms of
+ "control" were broken. There should now be diagnostics for all cases when a
+ control that does not make sense is encountered.
+
+ 7. $recipients is now available in the predata ACL (oversight).
+
+ 8. Tidy the search cache before the fork to do a delivery from a message
+ received from the command line. Otherwise the child will trigger a lookup
+ failure and thereby defer the delivery if it tries to use (for example) a
+ cached ldap connection that the parent has called unbind on.
+
+ 9. If verify=recipient was followed by verify=sender in a RCPT ACL, the value
+ of $address_data from the recipient verification was clobbered by the
+ sender verification.
+
+10. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0
+ was its contents. (It was OK if the option was not defined at all.)
+
+11. A "Completed" log line is now written for messages that are removed from
+ the spool by the -Mrm option.
+
+12. $host_address is now set to the target address during the checking of
+ ignore_target_hosts.
+
+13. When checking ignore_target_hosts for an ipliteral router, no host name was
+ being passed; this would have caused $sender_host_name to have been used if
+ matching the list had actually called for a host name (not very likely,
+ since this list is usually IP addresses). A host name is now passed as
+ "[x.x.x.x]".
+
+14. Changed the calls that set up the SIGCHLD handler in the daemon to use the
+ code that specifies a non-restarting handler (typically sigaction() in
+ modern systems) in an attempt to fix a rare and obscure crash bug.
+
+15. Narrowed the window for a race in the daemon that could cause it to ignore
+ SIGCHLD signals. This is not a major problem, because they are used only to
+ wake it up if nothing else does.
+
+16. A malformed maildirsize file could cause Exim to calculate negative values
+ for the mailbox size or file count. Odd effects could occur as a result.
+ The maildirsize information is now recalculated if the size or filecount
+ end up negative.
+
+17. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this
+ support for a long time. Removed HAVE_SYS_VFS_H.
+
+18. Updated exipick to current release from John Jetmore.
+
+19. Allow an empty sender to be matched against a lookup in an address list.
+ Previously the only cases considered were a regular expression, or an
+ empty pattern.
+
+20. Exim went into a mad DNS lookup loop when doing a callout where the
+ host was specified on the transport, if the DNS lookup yielded more than
+ one IP address.
+
+21. The RFC2047 encoding function was originally intended for short strings
+ such as real names; it was not keeping to the 75-character limit for
+ encoded words that the RFC imposes. It now respects the limit, and
+ generates multiple encoded words if necessary. To be on the safe side, I
+ have increased the buffer size for the ${rfc2047: expansion operator from
+ 1024 to 2048 bytes.
+
+22. Failure to deliver a bounce message always caused it to be frozen, even if
+ there was an errors_to setting on the router. The errors_to setting is now
+ respected.
+
+23. If an IPv6 address is given for -bh or -bhc, it is now converted to the
+ canonical form (fully expanded) before being placed in
+ $sender_host_address.
+
+24. Updated eximstats to version 1.33
+
+25. Include certificate and key file names in error message when GnuTLS fails
+ to set them up, because the GnuTLS error message doesn't include the name
+ of the failing file when there is a problem reading it.
+
+26. Expand error message when OpenSSL has problems setting up cert/key files.
+ As per change 25.
+
+27. Reset the locale to "C" after calling embedded Perl, in case it was changed
+ (this can affect the format of dates).
+
+28. exim_tidydb, when checking for the continued existence of a message for
+ which it has found a message-specific retry record, was not finding
+ messages that were in split spool directories. Consequently, it was
+ deleting retry records that should have stayed in existence.
+
+29. eximstats updated to version 1.35
+ 1.34 - allow eximstats to parse syslog lines as well as mainlog lines
+ 1.35 - bugfix such that pie charts by volume are generated correctly
+
+30. The SPA authentication driver was not abandoning authentication and moving
+ on to the next authenticator when an expansion was forced to fail,
+ contradicting the general specification for all authenticators. Instead it
+ was generating a temporary error. It now behaves as specified.
+
+31. The default ordering of permitted cipher suites for GnuTLS was pessimal
+ (the order specifies the preference for clients). The order is now AES256,
+ AES128, 3DES, ARCFOUR128.
+
+31. Small patch to Sieve code - explicitly set From: when generating an
+ autoreply.
+
+32. Exim crashed if a remote delivery caused a very long error message to be
+ recorded - for instance if somebody sent an entire SpamAssassin report back
+ as a large number of 550 error lines. This bug was coincidentally fixed by
+ increasing the size of one of Exim's internal buffers (big_buffer) that
+ happened as part of the Exiscan merge. However, to be on the safe side, I
+ have made the code more robust (and fixed the comments that describe what
+ is going on).
+
+33. Some experimental protocols are using DNS PTR records for new purposes. The
+ keys for these records are domain names, not reversed IP addresses. The
+ dnsdb PTR lookup now tests whether its key is an IP address. If not, it
+ leaves it alone. Component reversal etc. now happens only for IP addresses.
+ CAN-2005-0021
+
+34. The host_aton() function is supposed to be passed a string that is known
+ to be a valid IP address. However, in the case of IPv6 addresses, it was
+ not checking this. This is a hostage to fortune. Exim now panics and dies
+ if the condition is not met. A case was found where this could be provoked
+ from a dnsdb PTR lookup with an IPv6 address that had more than 8
+ components; fortuitously, this particular loophole had already been fixed
+ by change 4.50/55 or 4.44/33 above.
+
+ If there are any other similar loopholes, the new check in host_aton()
+ itself should stop them being exploited. The report I received stated that
+ data on the command line could provoke the exploit when Exim was running as
+ exim, but did not say which command line option was involved. All I could
+ find was the use of -be with a bad dnsdb PTR lookup, and in that case it is
+ running as the user.
+ CAN-2005-0021
+
+35. There was a buffer overflow vulnerability in the SPA authentication code
+ (which came originally from the Samba project). I have added a test to the
+ spa_base64_to_bits() function which I hope fixes it.
+ CAN-2005-0022
+
+36. The daemon start-up calls getloadavg() while still root for those OS that
+ need the first call to be done as root, but it missed one case: when
+ deliver_queue_load_max is set with deliver_drop_privilege. This is
+ necessary for the benefit of the queue runner, because there is no re-exec
+ when deliver_drop_privilege is set.
+
+37. Caching of lookup data for "hosts =" ACL conditions, when a named host list
+ was in use, was not putting the data itself into the right store pool;
+ consequently, it could be overwritten for a subsequent message in the same
+ SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked
+ the caching.)
+
+38. Sometimes the final signoff response after QUIT could fail to get
+ transmitted in the non-TLS case. Testing !tls_active instead of tls_active
+ < 0 before doing a fflush(). This bug looks as though it goes back to the
+ introduction of TLS in release 3.20, but "sometimes" must have been rare
+ because the tests only now provoked it.
+
Exim version 4.43
-----------------