1 $Cambridge: exim/doc/doc-txt/ChangeLog.0,v 1.1 2004/10/07 15:04:35 ph10 Exp $
3 Change log file for Exim from version 3.951 to 4.20
4 ---------------------------------------------------
10 1. If data for an authentication interaction was just the string "=",
11 indicating an empty string, Exim was not setting up the numerical variable
12 correctly. In some situations, this could cause a crash - in others, it
13 might have passed unnoticed.
15 2. Changed signal(SIGTERM, command_sigterm_handler) in smtp_in.c to use
16 os_non_restarting_signal() for tidiness; in practice this doesn't actually
17 matter because the handler terminates the process.
21 (a) In some (but not all) places where Exim applies timers using alarm(),
22 it was resetting the SIGALRM handler afterwards, but sometimes to
23 SIG_IGN and sometimes to SIG_DFL. In other words, it was a mess. In
24 fact, this reset is not necessary, because after alarm(0) there is no
25 possibility of receiving a SIGLARM signal. So I've just removed them
28 (b) The daemon.c module had its own SIGALRM handler, which was unnecessary.
29 I changed it to use the handler that is used (almost) everywhere else.
31 (c) Almost all uses of SIGALRM use the same handler, but it was being set
32 by signal() all over the place. Now it is set at the start, and it
33 resets itself every time it is called, so it remains enabled
34 throughout. The few places that use a different handler reset to the
35 "standard" one afterwards.
37 (d) The setting of the SIGTERM handler while reading SMTP commands was done
38 somwhat untidily. I have re-arranged the code.
40 4. If the building process was interrupted during the MakeLinks script, a
41 subsequent run of 'make' gave misleading errors. I've made it a bit more
42 robust against this case. If there appears to be a half-made set of links,
43 an error message suggests that the user should remove the build directory
46 5. For compatibility with other MTAs, -f "" is now accepted as synonymous with
49 6. Upgraded to PCRE 4.1.
51 7. If a domain list contained @mx_any, or @mx_secondary, and the DNS contained
52 secondary MX records for a domain, but all the other MX (higher priority)
53 records pointed to non-existent hosts, Exim was behaving as if the domain
54 did not match the list item. This has been fixed.
56 8. Upgraded eximstats to 1.27.
58 9. It was reported that change 4.14/46(b) caused problems on some systems with
59 older libraries. There is now an option that can be set in Local/Makefile
60 (or in a operating system Makefile):
62 IPV6_USE_INET_PTON=yes
64 If this is done, Exim reverts to using inet_pton() to convert a textual
65 IPv6 address for actual use, instead of getaddrinfo(), as it did in
66 versions before 4.14. Of course, this means that the additional
67 functionality of getaddrinfo() - recognizing scoped addresses - is lost.
69 10. Update for PostgreSQL to match 4.14/14: after an insert, delete, or update
70 command, the result is the number of rows affected.
72 11. If smtp_banner expanded to an empty string, no greeting line was sent, thus
73 causing the client to time out. An empty 220 response is now sent.
75 12. An empty argument was logged as a null string by the "arguments" log
76 selector. Now empty strings and arguments that contain whitespace are
79 13. The "arguments" log selector now also logs the current working directory
82 14. Added a couple more debugging calls to tls-openssl.
84 15. Changed the name of the global variable ldap_version because some LDAP
85 library uses the same name, which causes a clash. It's now called
86 eldap_version. While I was at it, I changed the other two global variables,
87 ldap_default_servers and ldap_dn.
89 16. If an address that is verified in an ACL is redirected to a single address,
90 Exim verifies the child (this is not new). However, the value of $address_
91 data that was being returned was the value from the parent. It is now the
94 17. Re-arranged the code for rda_is_filter() to make it easier to add other
95 filter types in future.
97 18. Removed the filter test function from filter.c and put it into its own
98 source file, again to make things easier for multiple filter types.
100 19. To help those people who are maintaining a patch for dynamically loaded
101 local_scan() functions, I have added
103 #define LOCAL_SCAN_ABI_VERSION_MAJOR 1
104 #define LOCAL_SCAN_ABI_VERSION_MINOR 0
106 to the local_scan.h file.
108 20. The variables $tls_certificate_verified, $tls_cipher, and $tls_peerdn now
109 exist even when Exim is not compiled with TLS support.
111 21. If an empty user name was sent by a client for a LOGIN authentication, it
112 was not put into $1; instead, the password ended up in $1 (instead of in
115 22. When creating a temporary file in the appendfile transport for a per-file
116 delivery not in maildir or mailstore format (that is, in the old Smail
117 format - I wonder if anyone uses this?), Exim was opening the file without
118 O_EXCL, which is a bit unsafe.
120 23. The output from the ${stat: expansion operator was being formatted using %d
121 which expects an integer; in many (most) systems size_t is off_t, which
122 is actually a long or even a longlong, and in some cases this caused
123 incorrect data to be output. The formatting is now done using %ld, with the
124 values all explicitly cast to (long).
126 24. Callout caching was failing to cache a negative response to a "random"
129 25. If a daemon was started with -qsomething and not -bd, and deliver_drop_
130 privilege was set, and a pid file was specified with -oP, and the pid file
131 did not previously exist, it was created with owner exim instead of owner
134 26. verify=sender was not being allowed in a non-SMTP ACL.
136 27. Under some error conditions, the socket used for ident calls could be left
139 28. Added acl_smtp_helo, because some people seem to want it.
141 29. For hosts that match helo_verify_hosts, the error given when a MAIL command
142 is received without HELO or EHLO has been changed from 550 to 503 (which
143 means "bad sequence of commands").
145 30. Installed PCRE 4.2.
147 31. The quota_size_regex option for the appendfile transport was broken in that
148 a terminating zero was omitted from the string that was extracted for the
149 size. If it happened that digits followed in the memory to which it was
150 copied, an incorrect (too large) size was then used.
152 32. Change 4.14/32 (iv) introduced a bug in the case when the "phrase" part of
153 a rewritten address did *not* contain any special characters. The
154 generated address was mangled.
156 33. Several items of refactoring from Michael Haardt:
158 . Introduction of "const" in a number of places
159 . Use memcpy() instead of strncpy() in string_cat()
160 . Add HAVE_ICONV to Linux file, for external users (Exim doesn't use it)
161 [Later: From 4.21, Exim *does* use it.]
162 . Preparation for adding additional types of filter file
164 34. Changed (incompatibly, but hopefully not so it affects anyone) the
165 appendfile transport in the case when it is called directly as a result of
166 a .forward or a filter file requesting a delivery to a file. Previously,
167 any settings of "file" or "directory" were ignored in this case. Now they
168 are used. The path received from the router is in $address_file (as
169 before) and can therefore be included in the expansion.
171 35. If a "save" command in a filter specifies a non-absolute path, the value of
172 $home/ is pre-pended. This no longer happens if $home is unset or is an
173 empty string. It is expected that the transport will complete the path (see
174 34 above). If there is an error before the path is complete, the local part
175 is logged as "save xxxx".
177 36. If multiple "to file" deliveries are routed to the same transport, no
178 batching ever takes place, whatever the value of batch_max.
180 37. If an address was redirected to an unqualified local part preceded by a
181 backslash, Exim was qualifying it with the qualify_domain, instead of with
184 38. Minor rewording: header lines can be added by MAIL as well as RCPT: the
185 debug line mentioned only RCPT.
187 39. DESTDIR is the more common variable that ROOT for use when installing
188 software under a different root filing system. The Exim install script now
189 recognizes DESTDIR first; if it is not set, ROOT is used.
191 40. If DESTDIR is set when installing Exim, it no longer prepends its value to
192 the path of the system aliases file that appears in the default
193 configuration (when a default configuration is installed). If an aliases
194 file is actually created, its name *does* use the prefix.
196 41. If an item in log_file_path was an empty string, Exim wrote the log to the
197 log directory in the spool directory. Now it takes notice of the
198 setting of LOG_FILE_PATH in Local/Makefile, and uses the first non-empty,
199 non-"syslog" item from that list. If there are none, it uses the ultimate
200 default of the spool directory.
202 42. If there is a Reply-to: header line, but it is empty, $reply_address now
203 contains the From: address instead of being empty.
205 43. Added -no-cpp-precomp to CFLAGS in OS/Makefile-Darwin. Without this, the
206 compiler provides a string for __DATE__ that does not conform to the
207 specification in the C standard. The option disables precompiled headers,
208 which should not have any bad effects, as pre-compiled headers are
209 supposedly just a performance enhancement at compile time.
211 44. Refactoring: as there is now a flag that specifies whether or not a home
212 directory that is passed with an address is already expanded, we no longer
213 need the \N...\N fudge for home directories extracted from the password
216 45. Fixed an infelicity introduced by 4.14/71: The defaulting of the prefix,
217 suffix, and check string stuff in appendfile was happening when no
218 directory was supplied. Now it happens if no directory is supplied AND
219 maildir has not been specified.
221 46. If expansion of the serverpassword in a spa authenticator or expansion of
222 server_condition in a plaintext authenticator is forced to fail,
223 authentication now fails (previously it gave a temporary error, which is
224 what happens for other expansion failures). This brings these
225 authenticators into line with cram_md5, where expansion of server_secret
226 has always behaved like this.
228 46. Added new syslog facilities (courtesy Oliver Gorwits):
230 (i) SYSLOG_LOGS_PID and LONG_SYSLOG_LINES in src/EDITME.
231 (ii) syslog_facility and syslog_processname main options.
233 47. Callout was using only the hosts from the router, ignoring the transport.
234 This has been changed. If (a) the router does not set up hosts (e.g. it's
235 an accept router) or (b) the smtp transport that is routed to has
236 hosts_override set, then the transport's hosts are used for callout
239 48. When named lists were nested, and an inner list was resolved by a lookup
240 that saved data for, e.g. $domain_data, the data was associated with just
241 the outer list, though both were cached, so if a subsequent test was done
242 for the inner list, there was no domain data. Example:
243 domainlist A = lsearch;/a/b
244 domainlist B = lsearch;/c/d
245 domainlist C = +A : +B
246 A test on +C that matched, followed by a test on +A or +B would provoke
247 this bug. Now the data is saved with both the inner and the outer lists.
249 49. When the log selector +address_rewrite is turned on, the log lines now
250 show where the rewritten address came from (which header line, envelope
251 field, or an SMTP command).
253 50. If an integer or fixed point configuration value is too big to fit in
254 a 32-bit int, Exim now writes an error to the panic log and dies.
256 51. Unknown SMTP commands are now assumed to be ones that need synchronization;
257 this means that a packet that contains more than one of them will cause the
258 connection to be dropped as soon as the first one is encountered.
260 52. The "control" feature of ACLs was not permitted for the MAIL ACL (an
261 oversight). It now is allowed.
263 53. Added the "discard" verb to ACLs.
265 54. Fixed a theoretical bug observed by reading the code: if local_scan()
266 changed the number of recipients, output from the received_recipients log
267 selector would be incorrect.
269 55. Added HAVE_ICONV to the os.h files for Linux, Solaris, HP-UX. This is for
270 use in the forthcoming Sieve addition to Exim.
272 56. The behaviour of -t in the presence of Resent- headers has been changed,
273 for compability with Sendmail and other MTAs. Previously, Exim gave an
274 error, because it is not clear from RFC 2822 how this might be handled. It
275 turns out that MUAs don't seem to follow what RFC 2822 says, and any MUA
276 that uses -t with Resent- ensures that there is only one set of Resent-
277 header lines (usually by renaming others to X-Resent-xxx). So now Exim will
278 take recipients from all the Resent- header lines instead of the usual
285 1. Found another case where SIGCHLD is being ignored (a child process for
286 handling a filter file) and so the wait() doesn't find the subprocess. This
287 came to light as a result of extra logging introduced as part of the
288 4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default
289 (i.e. to be noticed) for this particular subprocess. (It already has this
290 code for other cases where it uses subprocesses.)
292 2. If ${run appeared in part of a conditional item that was being skipped, the
293 actual running of the command was not being skipped.
295 3. A bit of code tidying (refactoring): there were two functions that built
296 strings containing a host name and ident value for logging. There is now
297 only one. It is called in some additional places where previously just the
298 host name and address were given, so the wording of some log lines has
301 4. Added support for Unix domain socket connection to PostgreSQL.
303 5. The number of unknown SMTP commands that Exim will accept before dropping
304 a connection can now be changed by smtp_max_unknown_commands. The default
305 value is 3. Previously, a fixed value of 5 was used. The final command is
306 now included in the log line.
308 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as
309 assumed by the exicyclog script. I've implemented a "look for it" feature
310 that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for
311 the commands chown, chgrp, mv, and rm if configured, and turned on this
312 feature for Linux. This should cope with old Linuxes that use /usr/bin.
314 7. Implemented .ifdef etc.
316 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while
317 running local_scan(), so that crashes therein get caught. A temporary error
318 response is sent for an SMTP message, and the spool is cleaned up.
319 Previously, a -D file was left lying around if there was a crash in
322 9. The ${quote: operator has been changed so that it turns newline and
323 carriage return characters into \n and \r, respectively.
325 10. Added support for crypt16().
327 11. Some restrictions on the use of "verify" in ACLs were too restrictive, and
328 have been relaxed. In particular, "verify = sender" is now permitted in the
329 ACL for the MAIL command, as well as those for RCPT and DATA.
331 12. If local_scan() sets up recipient or errors_to addresses that are
332 unqualified (local parts without a domain) Exim now qualifies them using
333 the qualify_recipient domain.
335 13. White space at the start of continuation lines in -be input was not being
338 14. Previously, if a MySQL query was issued that did not request any data (an
339 insert, update, or delete command), Exim gave a lookup error and deferred.
340 This case is now recognized, and the result of the lookup is now the number
343 15. A configuration error is given if tls_try_verify_hosts is set and
344 tls_verify_certificates is not set. (Exim already did this for
347 16. Exim was trying to create a non-existent hints database even when it was
348 just opening it for reading. It called the creating function with the
349 O_RDONLY and O_CREAT flags. This works with many DB libraries, but it
350 not with DB 1.85, where a subsequent attempt to use the database gave the
351 error "Inappropriate file type or format". Exim now creates hints databases
352 only when it wants to open them for writing.
354 17. If an ACL condition test set a default "message" value without a
355 "log_message" value, and there were no overriding messages in the ACL
356 itself, no message was logged. The user message is now logged.
358 18. If callout made a connection, but it was dropped before the initial
359 welcome response was received, Exim logged "response to initial connection
360 was" with no further text. It now logs that the connection was dropped.
361 The wording of the logging for callout defers has been slightly changed so
362 as to reduce duplication.
364 19. When multiple messages were sent using TLS over one connection, the
365 additional required EHLO that follows STARTTLS was being counted as a
366 nonmail command, and thus causing a problem if there were a lot of
367 messages. Similarly, a new AUTH that followed STARTTLS was being counted.
368 It is now possible to run with smtp_accept_max_nonmail set to zero in these
369 and other "normal" circumstances.
371 20. During verify=sender, global rewriting rules are applied to the sender
372 address, and if it changes, $sender_address becomes the rewritten version.
373 Unfortunately, it was not getting updated until after the routers had been
374 run, so that if a router referred to $sender_address while verifying a
375 sender, the unrewritten value was used.
377 21. The "random address" callout test was being done after the other tests.
378 This is silly, because if the host accepts all local parts, there isn't any
379 point in doing the other, more specific, tests. I changed things around so
380 that the "random" test (if configured) is done first.
382 22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the
383 a postmaster address are rejected. Also include these words when a
384 rejection happens because of caching (when there isn't an actual SMTP
385 command/result to reflect).
387 23. A new router condition called "address_test" (default true) can be used to
388 skip routers when testing addresses using -bt (compare no_verify). This can
389 be a convenience when your first router sends stuff to an external scanner.
391 24. Testing for deliver_queue_load_max was happening inside the delivery
392 sub-process, when it could have happened outside, in the queue runner (thus
393 saving one process). This was a hangover from Exim 3, where there were
394 other load tests to be done. The code has been tidied.
396 25. Code tidy: the driver_info generic structure contained a field that
397 might, on 64-bit systems, not have been compatible with the fields in the
398 structures of which it is supposed to be a subset. It turns out that this
399 field and another are not actually used generically, so removing them from
400 the structure solves the problem.
402 26. Added server_advertise_condition to authenticators.
404 27. The exim_checkaccess utility wasn't sending a HELO command; this matters
405 now that it's possible to have an ACL that checks HELO/EHLO.
407 27. Added the ldap_version option to force a specific LDAP version.
409 28. Renamed the variable verify_address in exim.c as verify_address_mode,
410 because it had the same name as the verify_address() function, which was
413 29. Added authenticated_sender to the smtp transport.
415 30. When the skip_syntax_errors option is applied to a filter file, it covers
416 all filtering errors, some of which may not be strictly "syntax" (for
417 example, failure to open a log file). The wording of the message has been
418 changed to use "error" instead of "syntax error", to reduce confusion. Also
419 the subject of the message sent by syntax_errors_to is now "error(s) in
420 forwarding or filtering" instead of "syntax error(s) in address expansion".
422 31. Added -restore-times to the exim_lock utility.
424 32. Changes to the handling of the "phrase" parts of email addresses:
426 (i) Re-organized the code to use a supplied instead of an implied buffer,
427 and a length instead of expecting a terminated string.
429 (ii) Changed from using the macro mac_isprint() to an explicit test for
430 ASCII non-printing characters, because the macro pays attention to
431 print_topbitchars, which is not correct here.
433 (iii) If a rewritten address contained a "phrase" (whether or not the "w"
434 flag was present on the rewrite rule), but the actual address was
435 unqualified (had no domain) and was expected to be qualified by the
436 "Q" flag, Exim screwed up and created an illegal address.
438 (iv) When a header address is rewritten by a rule that includes the "w"
439 flag, the parts of the address outside <> are now encoded according
440 to RFC 2047 if necessary (assuming ISO-8859-1 encoding).
442 33. Added the ${rfc2047 and ${from_utf8 expansion operators.
444 34. The file names used for maildir deliveries have been changed, to accomodate
445 operating systems that may re-use a PID within one second. The file name
446 now include the microsecond time fraction, and the delivery process does
447 not exit until the clock is at least one microsecond after the time used in
448 the file name. The code copes with the clock going backwards (it waits
449 till time catches up).
451 35. The rules for creating message ids have been changed to allow for the fact
452 that a PID may be re-used within one second. As part of this change, the
453 range of localhost_number has been reduced to 0-16 for most systems, and
454 0-10 for those with case-insensitive file systems (Cygwin, Darwin).
456 36. Code tidy: there was a local count of non-TCP/IP messages that duplicated
457 the global receive_messagecount (used for accept_queue_per_connection).
459 37. verify = header_syntax was allowing unqualified addresses in all cases. Now
460 it allows them only for locally generated messages and from hosts that
461 match sender_unqualified_hosts or recipient_unqualified_hosts,
464 38. If PAM was called with an empty first string, it called the data function
465 to get the user name, thereby getting the second string by mistake. If this
466 was also null (empty passwords are permitted), there was an infinite loop.
467 An empty user name is not now passed to PAM; authentication is forcibly
468 failed instead. Also, if the end of the list of strings is reached, an
469 empty string is passed back just once; a subequent call for data provokes
472 39. If a reverse DNS lookup yields an empty string, treat it as if the lookup
473 failed. (Apparently such records have been seen. Sigh.)
475 40. Added the -bnq command line option to suppress automatic qualification of
476 addresses in locally submitted messages.
478 41. Header texts supplied by options to the autoreply transport may now contain
479 newlines that are followed by whitespace. (This was allowed from a filter,
480 but not from the transport.)
482 42. Patch for < > problems in eximstats 1.23.
484 43. Re-arranged the code to make it easier in future to add additional filter
487 44. Added support for changing the connection timeout in LDAP; this is
488 something that's available in Netscape SDK 4.1. Exim uses the given value
489 if LDAP_X_OPT_CONNECT_TIMEOUT is defined.
491 45. When Exim was setting a daemon listener on multiple interfaces, including
492 listening on "all IPv6" and "all IPv4" interfaces, it was binding all the
493 sockets, and then calling listen() for each of them. On some IP stacks, a
494 listen for "all IPv4" fails after listening for "all IPv6" because a single
495 socket catches both kinds of call. Exim coped with this, but it turns out
496 that on a USAGI-patched Linux, this logic doesn't work unless the "listen",
497 as well as the "bind" has been done for the IPv6 socket first. The order of
498 the functions has now been changed. Instead of "bind, bind ... listen,
499 listen..." it now does "bind, listen, bind, listen, ...". Also, the failure
500 happens in the bind() rather than in the listen(), so there are now two
501 checks, which hopefully will handle all kinds of IP stack.
503 46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in
504 principle, have the same link-local addresses on different interfaces.
505 Thus, they need to be distinguished, and a convention of using a percent
506 sign followed by something (often the interface name) is being used, for
507 example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made
510 (a) A percent sign followed by an arbitrary string is allowed at the end of
513 (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual
514 IPv6 address for actual use. This function recognizes the percent
515 convention in some operating systems.
517 47. Additional debugging inserted for the case of forced failure when expanding
520 48. A new debugging selector +expand has been added. This is not included in
521 the default set of selectors. It requests detailed debugging information
522 for string expansions.
524 49. Failure to open the main log results in a panic-die, but the original line
525 that was being logged could be lost. It is now output to stderr if there is
528 50. When Exim starts, it checks for the existence of its spool directory, and
529 creates it if necessary. Unfortunately, it was doing this after the code
530 for logging arguments. Thus, if the spool did not exist, trouble ensued.
532 51. The log line for an ACL warning after a sender verify callout failure was
533 not showing the details, unlike the log line for a deny. They are now shown
536 52. For reasons lost in the mists of time, when a pipe transport was run, the
537 environment variable MESSAGE_ID was set to the message ID preceded by 'E'
538 (the form used in Message-ID: header lines). The 'E' has been removed.
540 53. Updated the QNX configuration files for QNX 6.2.0.
542 54. The "*@" type partial matching for single-key lookups was broken in
543 releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't
544 going on to look for "*".
546 55. Included eximstats 1.25 in the source tree.
548 56. Changed log wording from "Authentication failed" to "<name> authenticator
549 failed", where <name> is the name of the authenticator.
551 57. gcc 3.2.2 warned about a selection of places where string casts were
554 58. Exim monitor: the use of one_time redirection could cause addresses to be
555 displayed with incorrect "parent" addresses after the one_time
556 re-arrangement had taken place. They should be shown with no parents,
557 because the parentage has been removed.
559 59. Arranged to keep independent timestamps for postmaster and random checks in
560 callouts, and not to do unnecessary tests for postmaster when testing
561 individual addresses.
563 60. Incorporated PCRE release 4.0.
565 61. Added ${hex2b64: operator.
569 63. Added ${strlen: operator.
571 64. Added ${stat: operator.
573 65. When Exim is receiving multiple messages on a single connection, and
574 spinning off delivery processess, it sets the SIGCHLD signal handling to
575 SIG_IGN, because it doesn't want to wait for these processes. However,
576 because on some OS this didn't work, it also has a paranoid call to
577 waitpid() in the loop to reap any children that have finished. Some
578 versions of Linux now complain (to the system log) about this "illogical"
579 call to waitpid(). I have therefore put it inside a conditional
580 compilation, and arranged for it to be omitted for Linux.
582 66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use
583 during ACL processing.
585 67. Added "defer" command to system filter.
587 68. X options such as -bg or -geometry that were added to an eximon command
588 were being lost as a result of a bug introduced by 4.12/6.
590 69. The "more" and "unseen" generic router options can now be expanded strings.
592 70. The "once_repeat" option in the autoreply tranport is now an expanded
595 71. If maildir_format is set on an appendfile transport that is referenced from
596 an file_transport setting in a redirect router, it forces maildir delivery,
597 even if the path given in the filter does not end with '/'.
599 72. Fixed three bugs in ${readsocket:
600 (i) If the operation failed, and a failure string was given, "}}" was
601 erroroneously added to it.
602 (ii) If the operation succeeded, but a failure string was present, "}" was
603 added to the expanded data.
604 (iii) The alarm for the timeout was set with signal() instead of with
605 os_non_restarting_signal(), which meant that it only worked on those
606 OS whose default is not to restart an interrupted system call.
608 73. A complete host name (no wildcards) in a host list causes a forward lookup
609 for the IP address. If this failed, Exim was behaving as if the host didn't
610 match the list, instead of giving an error (as it does when a reverse
613 74. If router_home_directory was passed on as a home directory for a local
614 transport, it was being re-expanded in the transport. This has been changed
615 so that the expanded value is passed from the router to the transport, and
616 no re-expansion takes place.
618 75. When a redirect router generated a pipe, file, or autoreply, the values of
619 $domain_data and $localpart_data were not being propagated to the
622 76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in
623 local_scan.h so that they are available to local_scan() functions.
625 77. Changes to the SMTP PIPELINING support:
627 (1) Exim used always to accept pipelined commands, even when it hadn't
628 advertised PIPELINING (i.e. when EHLO had not been received). Now it
629 objects unless PIPELINING has been advertised.
631 (2) Advertising PIPELINING to specific hosts can be disabled via the new
632 option pipelining_advertise_hosts.
634 78. The acl_smtp_connect ACL was not being run for -bs input when no IP address
635 was supplied via -oMa.
637 79. A "mail" command in a filter could cause a crash if the list of recipients
638 for the "to:" line was excessively long - this showed up in a reply to
639 a message with a ridiculously long Reply_to: header line.
641 80. Added allow_utf8_domains.
643 81. Added $rh_ and $rheader for "raw" header expansion.
645 82. Added smtp_accept_max_nonmail_hosts.
647 83. Extended ${stat (see 64 above) to add smode=symbolic mode.
649 84. Added default logging for host and IP lookup failures, with a log selector
650 called host_lookup_failed to turn it off.
652 85. Added header_maxsize and header_line_maxsize.
654 86. If a RCPT ACL made use of "verify = sender" without callout, followed by
655 another use with callout, and the callout failed, the caching was broken
656 such that for a subsequent RCPT command, the first callout failed
657 incorrectly. The caching of sender verification has been fixed so that it
658 now remembers that the routing succeeded even when the callout fails.
660 87. Added errno and strerror(errno) to the log line for a failure to lock the
661 -D file when receiving a message.
663 88. If router with check_local_user set up a local delivery, and no user was
664 specified on the transport, and errors_to on the router specified an
665 address whose verification also invoked check_local_user, the wrong uid/gid
666 was used for the transport. It used the uid/gid of the errors_to address
667 instead of the uid/gid of the original local part.
669 89. If log_file_path=:syslog was set, to use the default log path and also
670 syslog, and check_log_space was also set, Exim was confused, and refused to
671 accept messages, giving the error "cannot find slash in ".
673 90. If a router stripped a prefix or a suffix from a local part, and then
674 routed that address to an smtp or lmtp transport, the address that was
675 sent in the RCPT command did not have the affixes stripped.
677 91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT
678 command did not preserve the case of the envelope address, as it is
685 There was no 4.13. I accidentally put out a fixed version of 4.12 (a typo was
686 discovered very soon after release) that verified itself as 4.13. This too was
687 hastily fixed, but it seems best not to use the number, to avoid confusion.
693 1. Update to change 4.11/82: for the max number of processes, set
694 RLIM_INFINITY if it is defined.
696 2. An expansion ${run{xxx}} where xxx was a successful command that produced
697 no output caused Exim to crash.
699 3. Some artificial delays of 1 second existed when running in the test
700 harness, to ensure repeatability of debugging output. Now that we have
701 the millisleep() function, these can be shorter.
703 4. Change 4.11/30 below overlooked the case when an address gets a 4xx
704 response from a server. Because this isn't a host problem, the host does
705 not get delayed, and it gets tried every time the address is OK'd for
706 routing, with the same reponse. However, if hosts_max_try is set, because
707 not all the hosts were tried, the address does not time out. I've changed
708 things so that if there is a 4xx response to a RCPT command, the host in
709 question does not count towards hosts_max_try if the message is older than
710 the host's maximum retry time. This means that other hosts are always tried
711 in this circumstance; if the address gets 4xx errors from all of them, it
712 will eventually time out.
714 5. If a retry rule for a host had no actual retry times specified, it could
715 cause a crash when checking the ultimate address timeout. (Very old bug,
716 spotted in passing, so probably never bothered anybody.)
718 6. Change 135 below broke the following scripts when a list of configuration
719 files was given: exicyclog, exim_checkaccess, eximon, exinext, and exiwhat.
720 In practice, if exim_path was not specified in the configuration file (a
721 common case), things would probably work OK. However, the use of
722 CONFIGURE_FILE_USE_NODE definitely did not work. These scripts have now
723 been updated to fix this problem. They now search for the configuration
724 file in the same way Exim itself does: for each name in the list, the
725 "noded" file is tried first, then the unsuffixed file.
727 7. If a WARN verb in an ACL did not specify an explicit "message" modifier,
728 and was triggered by a failing sender or recipient verification, the
729 response that would have been sent as an SMTP message for a DENY verb was
730 incorrectly being added to the message's headers.
732 8. I screwed up change 4.11/155. For lookup types whose names were prefixes of
733 other lookup types (e.g. nis and nisplus, dbm and dbmnz), the new search
734 function didn't do the correct comparison, meaning that the wrong lookup
737 9. Solaris seems to be one of the LDAPs that doesn't have the lud_scheme
738 member of the LDAPURLDesc structure. Since the check that is made on it
739 is only to double check that a path is given for ldapi, I've just removed
740 the test in the Solaris case.
742 10. The modified TextPop.c source in the Exim monitor had declarations of errno
743 and sys_nerr which never were actually referenced. The second of these
744 caused trouble on Darwin, so I've removed both of them. Why were they
745 there? Who knows? This is ancient X code...
747 11. The DEFER ACL verb crashed if no "message" modifier was set.
749 12. The check on incoming messages that gives the error "too many non-mail
750 commands" was too strict. In the case of Exim sending to Exim, when the
751 client has queued messages for the server and is using TLS, it will close
752 and re-initialize TLS between messages (because the client has to hand the
753 SMTP connection to a new process). STARTTLS was being counted as a non-mail
754 command, and therefore could cause the limit to be hit. The revised code
755 now allows for one RSET, one HELO or EHLO, and one STARTTLS between each
756 message without counting them as non-mail commands. (One RSET was
757 previously allowed - I *had* spotted that case.)
759 13. Some log lines for rejections by ACL were putting ident values in
760 parentheses instead of using U= after H=. (There are some other lines that
761 do use parens, typically when the host name appears without H= within a
762 message. This whole area could perhaps do with tidying up.)
764 14. When processing a redirection file happens in a subprocess (typically so
765 that a .forward file is processed as the user), Exim was assuming that a
766 call to wait() would always reap the subprocess, and it was failing to
767 check the result. In theory, a signal of some sort occurring at the wrong
768 time could break this assumption - the process was then left unreaped, and
769 could possibly be picked up later during deliveries, thus confusing that
770 code ("processes got out of step"). This is conjecture - I haven't got a
771 definite test of this. However, I have fixed the code to repeat the wait
774 15. When Exim was waiting for a remote delivery subprocess, and the waitpid()
775 call found a process that was not in the list of remote delivery processes,
776 Exim gave up waiting for remote processes. It is probably better just to
777 ignore the unexpected process (though, of course, write to the main and
778 panic logs) and to wait for another process, and so that is what now
779 happens. If the error situation is caused by failed waiting logic for
780 routing or local delivery processes, this approach will minimize bad
787 1. Ignore trailing spaces after numbers in expansion comparisons such as
788 ${if > { 5 } { 4 } ... (leading spaces were already ignored).
790 2. Two variables, $warnmsg_delay, and $warnmsg_recipients, had got left with
791 their old Exim 3 names, when I meant to change to "warn_message", along
792 with the warn_message_file option. They have now been changed. The old
793 names remain as synonyms, but will be undocumented in due course.
795 3. The message "This message was created automatically by mail delivery
796 software (Exim)." still confuses people. If they are sufficiently Internet-
797 ignorant, they think the message has come from exim.org. At first, I
798 changed thw wording to "This message was created automatically by mail
799 delivery software (Exim) running on a mail server handling mail for <the
800 qualify domain>." in the hope that that might be better. However, in
801 testing that still proved confusing on servers handling multiple domains.
802 The message has now reverted to the original, simple wording: "This message
803 was created automatically by mail delivery software."
805 4. It has been discovered that, under Linux, when a process and its children
806 are being traced by "strace -f", the children are stolen from the parent
807 while they are being traced. A call to waitpid(-1,&x,NOHANG), which Exim
808 uses to test for the completion of "any of my children" in a non-blocking
809 manner, returns as if there are no children in existence. Exim used treat
810 this as a serious unexpected error state. What it does now is to use
811 kill(pid,0) to check explicitly for the continued existence of any of its
812 children. If it finds any, it assumes it is being traced, and proceeds as
813 if the return from waitpid() had been "none of your children have finished
814 yet". If it can't find any children, it gives the error as before.
816 5. When Exim creates hints databases and their lock files as root, it needs to
817 change their ownership to exim. In Exim 3, the function to open a hints
818 database wasn't called as root very often, and the check "are we running as
819 root?" would usually fail. However, because Exim 4 eschews the use of
820 seteuid(), it runs all its routing as root, and this always calls the hints
821 database opening function. It wasn't noticing when it was actually creating
822 the database, and so it was running chmod() on all the files in the db
823 directory every time. This does no harm, of course, but wastes resources.
824 Exim now detects when the database was already in existence by opening
825 without O_CREAT at first. If this succeeds, it doesn't do the root test.
827 6. The line in MakeLinks that creates a link for direct.c had been
828 accidentally left in (cf 4.03/6).
830 7. The value of $0 in the replacement in a rewriting rule was being corrupted,
831 leading to incorrect results or error diagnostics.
833 8. Added support for ldapi:// URLs to the LDAP lookups (OpenLDAP only). Also,
834 re-organized the code to use ldap_initialize() with OpenLDAP in all cases
835 (it seems to be preferred).
837 9. With OpenLDAP 2.0.25, ldaps:// doesn't seem to work unless the LDAP
838 protocol level is set to 3. This is now standard in the Exim code, as v3
839 has been around for 5 years now. Testing ldaps:// is now included in the
840 Exim test suite. Although earlier versions claimed to support it, I rather
841 suspect that it never worked.
843 10. Inserted some checking of the syntax of the IP address given as the first
844 argument to the exim_checkaccess utility. This gives a better error
845 message, especially in the case when somebody gets the arguments in the
848 11. Improved the panic log entry if an unsupported format type is passed to
849 string_vformat() (now gives the whole format string, not just the little
852 12. Ever since its early days, Exim has checked the syntax of non-SMTP
853 addresses according to RFC [2]822 rules, rather than the stricter RFC
854 [2]821 rules that it uses for SMTP. This allows for a wider set of
855 characters in domains. This has now caused a problem, because I forgot
856 about it when making some changes to the format of spool files (see
857 3.953/44, 4.03/10, and 4.04/1). I can't believe that anybody actually makes
858 use of this feature (which isn't documented), so I have removed it. All
859 domains must now conform to RFC [2]821 rules. A non-SMTP message with a
860 domain that would previously have been accepted will now be bounced.
862 13. If widening a domain in a dnslookup router made it syntactically invalid,
863 the error message quoted the original domains instead of the widened
866 14. During a queue run initiated by -R or -S (or by -i when the use of message
867 logs is disabled), if Exim encountered a message with certain
868 characteristics (including text for $local_scan_data, and the setting of
869 the "manually thawed" flag), this data was not correctly reset for
870 subsequent messages. So if they didn't have those settings themselves,
871 strange things could occur.
873 15. With the "percent hack" enabled for percenthack.domain, if a message had
874 two addresses such as X%some.domain@percenthack.domain and X@some.domain,
875 Exim was not recognizing the duplication, and was making two deliveries
878 16. The output from verification (for -bv and VRFY) used to list a child
879 address when verification was applied to children (this happens, for
880 example, for aliases that generate just a single child). Now it lists only
881 the original address.
883 17. Changes 34 and 35 of 4.10 did not wholly solve problems with widened
884 domains. The following bug still existed:
886 . A recipient address was abbreviated (e.g. one component).
887 . A dnslookup router caused it to be widened.
888 . The new domain was a local domain.
889 . The address was redirected to itself.
891 At this point, Exim thought it was a duplicate, and discarded it.
893 This whole thing turned out to be a large can of worms, so I have reworked
894 the address widening code. This should get rid of all these problems.
895 Widening now appears similar to redirection, with the unwidened address
896 becoming a proper parent address. As part of this, there has been some
897 general re-organization of the way addresses are handled.
899 18. When a filter generated only "unseen" deliveries, the normal delivery that
900 happened subsequently lost any value of address_data that was previously
901 set. The handling of values like that that are propagated from parents to
902 children has been reworked.
904 19. Added smtp_return_error_details and the check_postmaster option for address
905 verification callouts.
907 20. Long SMTP responses (from ACL messages or wherever) are now automatically
908 split up into multi-line responses if possible. The split happens at an
909 occurrence of ": " if present after 40 characters. Otherwise it happens at
910 the last space before 75 characters. Existing newlines in the message are
913 21. When verify = header_sender is set, a different error message is now given
914 if a syntax is detected, as opposed to failure to verify.
916 22. Extended the general mechanism for ${quote_lookuptype:...} expansions by
917 allowing for an option to be given after the lookup name, for example
918 ${quote_ldap_dn:...}. Unrecognized options cause errors.
920 23. Re-worked the quote_ldap expansion items to provide two different kinds of
921 quoting, since the requirements of filter strings and DNs are different.
922 Sigh. Arranged for the DN given in the USER= setting to be de-URL-quoted
923 because not all libraries do it themselves.
925 24. The handling of responses from LDAP searches wasn't right. It was detecting
926 situations of the form "ldap_result failed internally or couldn't provide
927 you with a message" but not "the server has reported a problem with your
928 search". This has now been tidied up (thanks, Brian). Problems of the
929 latter kind are now handled as follows:
931 (1) For LDAP_SIZELIMIT_EXCEEDED, the truncated list of results is
932 returned. This is what happened before.
934 (2) For a small set of errors that, in effect, mean "that object does
935 not, or cannot, exist in the database", the lookup fails. This is
938 (3) For other problems, the lookup defers, giving the LDAP error.
940 25. Added $ldap_dn to hold the DN of the last entry retrieved in the most
943 26. Exim was not checking for the LDAP_INVALID_CREDENTIALS error when
944 ldap_bind() failed during an ldapauth call. With (at least) OpenLDAP2, the
945 connection to the server doesn't happen until ldap_bind(), so failures to
946 connect were being treated as authentication failures, and given hard
947 errors. Now, all errors other than LDAP_INVALID_CREDENTIALS are treated the
948 same way for all calls to ldap_bind(), whether ldaputh or otherwise. They
949 lead to temporary errors - if there are more servers, they will be tried.
951 27. If there was a reference to a non-existent named list, for example, a
952 setting such as "senders = +something", but no lists of that type were
953 actually defined, Exim misbehaved. For an address list, it treated the name
954 as a domain list. For a domain list, it just didn't match. Now it gives a
955 panic error about a non-existent named list (as it always did if there were
956 named lists of the appropriate type). The error now tells you what type of
957 list it thought it was looking for.
959 28. When -bt or -bv is used by a non-admin user, and there is some kind of
960 DEFER (e.g. database unreachable), details of the failure are no longer
961 given, because they may include private data such as the password for an
964 29. The logic for using a remote host name as a key for looking up retry rules
965 in preference to the domain of the email address was broken. It wouldn't
966 find such retry rules.
968 30. There were some problems with the action of hosts_max_try in the smtp
969 transport where there were indeed more hosts available than the limit.
971 (a) Exim used to time out an address out if all the hosts that were tried
972 were past their retry limits, ignoring the state of any hosts that were
973 not tried because the hosts_max_try limit was reached. Now it won't
974 time out an address unless all its hosts are actually considered and
975 are past their retry limits.
977 (b) Hosts that are past their retry limits are no longer counted for
978 hosts_max_try. This means that when some hosts are in this state, a
979 greater number of hosts are tried than before, but this is the only way
980 to ensure that all hosts are considered before timing out an address.
982 (c) When the hosts_max_try limit is reached, Exim now looks down the host
983 list to see if there is a subsequent host with a different MX. If there
984 is, that host is used next, and the current host is not counted. More
987 31. The source for spa authentication (taken from the Samba project) used the
988 type "int16". This has caused compilation problems in some systems that
989 happen to have a different definition of it. (Naughty, naughty, non-
990 standard.) I've renamed all the defined types by adding "x" on the end.
992 32. When a delivery that used authentication was run with -v (which an
993 unprivileged user can use) it included the authentication data when it
994 showed the SMTP transaction. Such data is now replaced by asterisks in any
995 reflection of the SMTP commands. This also applies if the command is logged
996 as a result of an error response.
998 33. Some little problems in queue runs:
1000 (a) The reading end of the synchronising pipe was being left open in the
1001 delivery subprocess. This caused no harm, but used up a file
1002 descriptor till that series of deliveries was done.
1004 (b) If the load level got high enough to abandon a queue run, the
1005 synchronizing pipe was accidentally not closed. Normally, this wouldn't
1006 matter, because the queue runner process would finish any way, but...
1008 (c) If split_spool_directory was set without queue_run_in_order, the code
1009 for abandoning a queue run because of too high load didn't stop
1010 cleanly. Instead, it went on to look at the remaining subdirectories.
1011 Each one would then notice the high load, and abort. Not only was this
1012 a waste of time, but because of (b) above, it used up one file
1013 descriptor per subdirectory. With up to 62 subdirectories, this could
1014 hit the limit of file descriptors if it was as low as 64 (which it
1017 34. Added SYSTEM_ALIASES_FILE to the build-time configuration, and the ability
1018 to set ROOT= when installing. Removed installation instructions for the
1019 info version of the overview document, because that document no longer
1022 35. Added a total line to exiqsumm.
1024 36. convert4r4 can now handle "optional" for single-key lookups in aliasfile
1027 37. Change 4.03/25 (making convert4r4 double colons in require_files lists) was
1028 incomplete. It worked for routers, but not for directors.
1030 38. After verify=recipient in an ACL, the value of $address_data is the last
1031 value that was set while routing the address.
1033 39. Included eximstats 1.22.
1035 40. If a delivery of another message over an existing SMTP connection yields
1036 DEFER, we do NOT set up retry data for the host. This covers the case when
1037 there are delays in routing the addresses in the second message that are so
1038 long that the server times out. This is alleviated by not routing addresses
1039 that previously had routing defers when handling an existing connection,
1040 but even so, this case may occur (e.g. if a previously happily routed
1041 address starts giving routing defers). If the host is genuinely down,
1042 another non-continued message delivery will notice it soon enough.
1044 41. Added quota_directory to appendfile.
1046 42. Changed the order of processing configuration input lines. Previously, it
1047 was comment, .include, continuation, macro expansion, comment again (in
1048 case a macro turned a logical line into a comment). This meant that macros
1049 could not be used in .include lines. The order is now macro, comment,
1050 .include, continuation. That is, macro expansion is done on physical lines,
1051 not on logical lines.
1053 43. Improved the error message if an option-setting line in the configuration
1054 does not start with a letter. (It used to say 'option "" unknown'.)
1056 44. Allow -D to set a macro to the empty string. Previously it would have
1057 moved on to the next commandline item. This seems pointless. Either -DXX or
1058 -DXX= sets an empty string.
1060 45. Changed OS/Makefile-FreeBSD thus:
1062 EXIWHAT_MULTIKILL_CMD='killall -m'
1063 EXIWHAT_MULTIKILL_ARG='^exim($$|-[0-9.]+-[0-9]+$$)'
1065 This is because, with the Exim standard installation using a symbolic link,
1066 the name of the running program is not "exim" but (e.g.) "exim-4.10-1".
1068 46. An Exim server now accepts AUTH or STARTTLS commands only if their
1069 availability has been advertised in response to EHLO.
1071 47. A few source changes to avoid warnings from very picky compilers that don't
1072 complain about unset variables when the only setting is by passing the
1073 address to another function.
1075 48. Added -d+pid to force the adding of the pid to all debug lines. Default it
1076 on when the daemon is run with any debugging turned on. (Pids are still
1077 automatically added when multiple deliveries are run in parallel.)
1079 49. Included Matt Hubbard's exiqgrep utility.
1081 50. Give error for two routers, transports, or authenticators with the same
1082 name. (It already caught duplicate ACLs.)
1084 51. If a host has more than MAX_INTERFACES interfaces (common for hosts with a
1085 slew of virtual interfaces), and Exim had to find the list of local
1086 interfaces, it ran off the end of the list that the ioctl returned. I had
1087 assumed the length would be set to correspond to the amount of data
1088 returned - but in at least one OS it is set to the actual number of
1089 interfaces, even if they don't all fit in the buffer.
1091 52. Nit-picking changes to store.c. It was assuming the length of the
1092 storeblock structure would be a multiple of the alignment, which is almost
1093 certainly "always" true. However, just in case it might not be it is now
1094 rounded up. For some long-forgotten reason, Exim was getting blocks of
1095 store of the size (8192 - alignment), which seems strange. I've changed it
1098 53. Added functions to compute SHA-1 digests, added the ${sha1: expansion
1099 operator, added support for {sha1} to crypteq.
1101 54. When local_scan() times out, include the message size in the log line.
1103 55. If a pipe transport had no command specified, and the address also had
1104 no command associated with it, the transport process crashed. Now it defers
1105 with a suitable message.
1107 56. An Exim server output mangled junk if it received a HELP command on an
1108 TLS-encrypted session.
1110 57. The output from -bV (and at the start of debugging) now lists the optional
1111 items included in the binary (which routers, etc). The debugging output now
1112 includes the name of the configuration file at its start.
1114 58. Added support for GnuTLS as an alternative to OpenSSL.
1116 59. Give a configuration error if tls_verify_hosts is set, but tls_verify_
1117 certificates is not set. It doesn't make sense to require some hosts to
1118 verify if there's nothing to verify against.
1120 60. A pipe transport may now have temp_errors = * to specify that all errors
1121 are to be treated as temporary.
1123 61. The lmtp transport can now handle delivery to Unix domain sockets.
1125 62. Added support for flock() to appendfile, for those operating situations
1126 that need it. Not all OS support flock().
1128 63. It seems that host lists obtained from MX records often turn out to have
1129 duplicate IP addresses, especially for large sites with many MXs and many
1130 hosts. Exim now removes duplicate IP addresses. (Previously, it removed
1131 only duplicate names.)
1133 64. If ${readfile was inside a substring that was not part of the final
1134 expansion value (because its condition wasn't met), Exim still tried to
1135 read the file. This made an "exists" test for the file useless.
1137 65. Added ${readsocket to the expansion facilities.
1139 66. It is now possible to set errors_to to the empty string in routers.
1141 67. Added disable_logging as a generic transport and a generic router option.
1143 68. Applied Stefan Traby's patch to support threaded Perl. As I don't have a
1144 threaded Perl, I can't test that this fixed the problem, but it doesn't
1145 appear to break the non-threaded case.
1147 69. For SPA (NTLM) client authentication, the options are now expanded.
1149 70. Added support for SPA server authentication, courtesy of Tom Kistner.
1151 71. Latest versions of TCPwrappers use the macro HAVE_IPV6 inside the tcpd.h
1152 header, it appears, and this clashes with Exim's use of that macro.
1153 Renaming it for Exim is an incompatible change, so instead I've just
1154 arranged that HAVE_IPV6 is undefined while including the tcpd.h header.
1156 72. Mac OS 10.2 (Darwin) has IP option support that looks like the later
1157 versions of glibc, but without the __GLIBC__ macro setting. I've added a
1158 new macro called DARWIN_IP_OPTIONS, and tidied up the code in smtp_in.c to
1159 simplify the handling of the three different ways of doing this.
1161 73. If no "subject" keyword is given for a "vacation" command in a filter, the
1162 subject now defaults to "On vacation".
1164 74. Exim now counts the number of "non-mail" commands in an SMTP session, and
1165 drops the connection if there are too many. The new option
1166 smtp_accept_max_nonmail option defines "too many". This catches some DoS
1167 attempts and things like repeated failing AUTHs.
1169 75. Installed configuration files for OpenUNIX.
1171 76. When a TLS session was started over a TCP/IP connection for LMTP, Exim was
1172 sending EHLO instead of LHLO after the encrypted channel was established.
1174 77. When an address that was being verified routed to an smtp transport whose
1175 protocol was set to LMTP, the SMTP callout used EHLO instead of LHLO.
1177 78. Installed eximstats 1.23 in the distribution.
1179 79. Installed a new set of Cygwin-specific files from Pierre Humblet.
1181 80. Added caching for callout verification.
1183 81. Added datestamped logs and $tod_logfile.
1185 82. When Exim starts up with root privilege, set a high limit (1000) for the
1186 number of files that can be open and the number of processes that can be
1187 created (on systems where this is possible), in case Exim is called from a
1188 restricted environment.
1190 83. Minor bugfix in appendfile: when renaming failed for a file whose name was
1191 extended with a tag, the untagged name was shown in the error message.
1193 84. If Exim's retry configuration was changed so as to bounce a certain
1194 delivery failure immediately, for example to bounce quota errors:
1198 and there were messages on the queue that had previously been deferred
1199 because of this error, Exim crashed when trying to deliver them in a queue
1200 run. Now it will make one more delivery attempt and bounce on failure.
1202 85. Fixed an obscure problem that arose when (a) an address was redirected
1203 to itself, AND (b) the message was not delivered at the first attempt, AND
1204 (c) the pattern of redirection was changed at the next delivery attempt.
1205 When an address is redirected to the same address, Exim labels the new
1206 address as "2nd generation", and so on, in order to distinguish these
1207 homonym addresses from each other. Previously, it recorded the delivery of
1208 a homonym address as a delivery of the appropriate generation. This does
1209 not work if the generation numbers change at the next delivery attempt. The
1210 symptoms can be either duplicated deliveries, or missing deliveries,
1211 depending on the configuration.
1213 A real-life example is a configuration that takes "unseen" copies of
1214 messages at certain times only, because an "unseen" router in effect does a
1215 redirection to a modified address (the unseen delivery) and to the original
1216 address (for normal delivery). Thus the normal delivery can be either the
1217 1st or 2nd generation, depending on whether or not the unseen router is
1218 triggered at the time of delivery.
1220 The fix is not to record a delivery to a homonym address as such, but
1221 instead to record a delivery to the original address by the final
1222 transport. If the same address is subsequently routed to the same transport
1223 (whichever generation it now is), the delivery is discarded because it has
1224 already happened. Homonym addresses that are themselves redirected are now
1225 never recorded as "done", but non-homonym addresses are unaffected, so they
1226 are marked when all their children are complete (as before), thus saving
1227 an unnecessary subsequent expansion.
1229 The fix causes more routing processing to be done when homonyms are in use
1230 and a message is not delivered at the first attempt, but this is not
1231 expected to be very common, and the extra processing isn't all that much.
1233 86. Make sure Exim doesn't overrun the buffer if an oversize packet is received
1236 87. Added argument-expanding versions of hash, length, nhash, and substr
1239 88. The API for Berkeley DB changed at release 4.1. Exim now supports this
1242 89. When a host was looked up using gethostbyname() (or the more recent
1243 getipnodebyname() on IPv6 systems), Exim was not inspecting the error code
1244 on failure. Thus, any failure was treated as "host not found". Exim now
1245 checks for temporary errors, so the behaviour of "byname" and "bydns"
1246 lookups in this respect should be the same. However, on some OS it has been
1247 observed that getipnodebyname() gives HOST_NOT_FOUND for names for which a
1248 DNS lookup gives TRY_AGAIN. See also change 125 below.
1250 90. Minor rewording of ACL error for attemted header check after RCPT.
1252 91. When USE_GDBM was set, exim_dbmbuild wasn't working properly (still assumed
1253 NDBM compatibilify interface); similarly in dbmdb lookups when ownership
1256 92. If a Reply-To: header contained newlines and was used to generate
1257 recipients for an autoreply, the log line for the autoreply "delivery" had
1258 unwanted newlines. Such newlines are now turned into spaces.
1260 93. When a redirect router that has the "file" option set discovers that the
1261 file does not exist (the ENOENT error), it tries to stat() the parent
1262 directory, as a check against unmounted NFS directories. If the parent
1263 can't be statted, delivery is deferred. However, it seems wrong to do this
1264 check if ignore_enotdir is set, because that option tells Exim to ignore
1265 the error "something on the path is not a directory" (the ENOTDIR error).
1266 In fact, it seems that some operating systems give ENOENT where others give
1267 ENOTDIR, so this is a confusing area.
1269 94. When the rejectlog was cycled, an existing Exim process was not noticing,
1270 and was therefore not opening a new file.
1272 95. If expansion of an address_data setting was forced to fail, and debugging
1273 was enabled, a debugging statement tried to print an undefined value
1274 instead of the string that was being expanded. This could cause a crash.
1276 96. When Berkeley DB version 3 or higher is in use, a callback function is now
1277 set up to log DB error messages that are passed back.
1279 97. The conditions in the Makefile for rebuilding the exim_dbmbuild utility
1280 were wrong, leading to failures to rebuild when it should have done.
1282 98. Added -no_chown and -no_symlink options to the exim_install script. Also
1283 arranged for the environment variable INSTALL_ARG to be passed over
1284 from "make install".
1286 99. Exim sets the IPV6_V6ONLY option on IPv6 listening sockets on operating
1287 systems that support it. The call to setsockopt() to do this had SOL_SOCKET
1288 instead of IPPROTO_IPV6 as its second argument (and so wouldn't work).
1290 100. When a frozen message was timed out by timeout_frozen_after, the system
1291 filter was incorrectly being run for the message before it was thrown
1294 101. If a filter used $thisaddress in an argument to a pipe command, its value
1295 was not inserted where expected, because the expansion of a pipe command
1296 does not happen till transport time, and $thisaddress was not being saved.
1297 It is now saved (along with $1, $2, etc, which were already being saved),
1298 and reinstated at transport time.
1300 102. Added host grouping for randomizing to manualroute and smtp. A host list
1301 that is randomized by manualroute is never re-randomized by smtp. Two
1302 host lists that are randomized by manualroute are now treated as "the
1303 same" when checking for possible multiple deliveries in one SMTP
1304 transaction (this was always true for MX'd host lists).
1306 103. Added "randomize" and "no_randomize" options to manualroute.
1308 104. Added ${hmac expansion item.
1310 105. When compiling with gcc, make use of its facility for checking printf-like
1311 function calls (debug_printf and smtp_printf). This would have found the
1312 problem in 95 above. It actually found a number of missing casts to (int)
1313 in debug lines, and one spurious additional argument.
1315 106. Created an ACKNOWLEDGEMENTS file, which I will endeavour to update in
1318 107. Minor modification to Makefile: when a command that starts off "cd xxx;"
1319 is followed by another command (on the next line), put the first one in
1320 parentheses so that if a "clever" make program amalgamates them, the
1321 change of directory is turned off when it should be.
1323 108. If log_timezone is set true, the timestamps in log files now include the
1324 timezone offset. A new variable $tod_zone contains the offset. The exigrep
1325 utility has been updated to handle timestamps with offsets. The eximstats
1326 version included with this release (1.23) has been patched to handle
1327 timestamps with offsets. There is also a new -utc option that specifies
1328 the timestamps are in UTC. The Exim monitor has been modified so that it
1329 omits the zone offset from its display.
1331 109. If the expansion of an errors_to option is forced to fail, the option is
1334 110. Added $load_average.
1336 111. Added router_home_directory generic router option.
1338 112. Exim crashed on an attempt to check senders or sender domains in an ACL
1339 other than after RCPT or DATA. It's now a temporary error.
1341 113. \r was omitted before \n in the SMTP failure response for EHLO/HELO
1344 114. On receiving EHLO or HELO, Exim was resetting its state before checking
1345 the validity of the command. However, RFC 2821 says that the state should
1346 not be changed if an invalid EHLO/HELO is received, so Exim has been
1347 changed to conform. This applies mainly when there is more than one
1348 EHLO/HELO command in a session.
1350 115. When an Exim root process wrote to a log file, and the log file did not
1351 already exist, Exim used to create it as root, and then change its
1352 ownership to exim:exim. This could lead to a race condition if several
1353 processes were trying to log things at the same time; this happens
1354 especially when the exiwhat utility is used. I've changed things so that,
1355 if an Exim root process needs to create a log file, it does so in a
1356 subprocess that is running as exim:exim.
1358 116. When running filter tests (-bf and -bF) Exim now changes the current
1359 directory to "/" so that any assumptions about a particular current
1360 directory are false.
1362 117. The appendfile transport was doing the quota_threshold check before
1363 actually writing the message. However, the act of writing the message
1364 could make it longer by the addition of prefix, suffix, or additional
1365 headers. This meant that quota warning could be missed if the basic length
1366 of a message kept the mailbox below the threshold, but the transport
1367 additions took it over. The warning threshold check is now done after
1368 writing the message, when an accurate size is known.
1370 118. If all verifications for verify = header_sender deferred, the log was
1371 "temporarily rejected after DATA", without saying why. Now it adds "all
1372 attempts to verify a sender in a header line deferred".
1374 119. Added message_id_header_domain option.
1376 120. Ignore message_id_header_text forced expansion failure.
1378 121. Typos: "uknown" in acl.c; missing NULL initialized in drtables.c.
1380 122. When return_size_limit was set greater than zero but smaller than an Exim
1381 transport buffer size (so that only one buffer would be written), a
1382 message that was longer than the limit could be omitted from the bounce
1383 entirely under some circumstances. In other cases, the final buffer full
1384 before truncation could be omitted.
1386 123. The inode variables in log.c were of type int with -1 for unset; they
1387 have been changed to ino_t with 0 for unset.
1389 124. There are two Makefiles for NetBSD (for different object formats). They
1390 were originally supplied in a format where one .included the other. The
1391 problem with this has finally surfaced: when processing the Makefile to
1392 build config.h, the inclusion isn't seen. The easy way out has been taken:
1393 there are now two fully independent files. At the same time, HAVE_IPV6 has
1394 been added to both of them.
1396 125. Changed the default way of finding an IP address in both the manualroute
1397 and queryprogram routers. Exim now does a DNS lookup; if that yields
1398 HOST_NOT_FOUND, it tries calling getipnodebyname() (or gethostbyname()).
1399 See also change 89 above.
1401 126. Fixed a race bug in the loop that waits for a delivery subprocess to
1402 complete. After reading all the data from, and then closing, the pipe, it
1403 assumed that a call to waitpid() for the known pid would always return
1404 status for that process. An unfortunately timed signal (e.g. SIGUSR1 from
1405 exiwhat) could cause waitpid() to return -1/EINTR instead. The effect of
1406 this was to remain in the loop and call FD_SET() with an argument of -1.
1407 On Solaris it caused a crash; on other systems it might have looped.
1409 127. If an ACL that was read from a file was used in more than one message in a
1410 single SMTP transaction, Exim could crash or misbehave in arbitrary ways.
1411 The problem was that the ACL was remembered in memory that was thrown away
1412 at the end of the first message. In fixing this, I've done a bit of
1413 refactoring of the way memory allocation works, to provide a non-malloc
1414 allocator for small blocks of data that must be kept for the life of the
1415 process. There's a new function store_get_perm() and I've reintroduced a
1416 second storage pool (previously dropped on the 3->4 conversion). A number
1417 of instances of malloc calls for small amounts of memory have been changed
1418 to use this instead. It might be a tad more efficient. Then again, it
1421 128. A similar problem to 127: memory corruption could occur for multiple
1422 messages in one SMTP connection if the data from DNS black list lookups
1423 was being used in log or user messages, e.g. references to $dnslists_text.
1425 129. Blanks lines and comments are now ignored in ACLs that are read from
1428 130. Two instances of missing \n in debug output.
1430 131. The new debugging tag +timestamp causes a timestamp to be added to each
1433 132. Some debug information is written in multiple calls to debug_printf(),
1434 with a newline only on the last one. When debugging multiple simultaneous
1435 processes, the pid was added to each debug text, and for this reason, a
1436 newline was always forced. Now Exim buffers up debug output until the
1437 newline is reached, which makes things look much tidier. Also, if there
1438 are internal newlines and prefix data such as a pid or timestamp are being
1439 added, the prefix is inserted at the internal newlines.
1441 133. When running in the test harness, arrange to overwrite all memory that
1442 is released or freed, so that bugs are more easily found. This picked up
1445 134. Expansion error messages were left in released store, so could have been
1446 overwritten - but in fact most are used immediately, before this happened.
1448 135. A list of configuration files can be given; the first one that exists is
1451 136. Moved the code that ensures that newly-created hints databases and their
1452 lockfiles are owned by exim:exim so that it runs before the test for
1453 successful opening, because a case was reported where the file itself was
1454 created, but the DBM library returned an opening error.
1456 137. If an address is redirected to just one child address, verification
1457 continues with the child address. However, if verification of the child
1458 failed because of (for example) a :fail: redirection, the error message
1459 did not get passed back as it would have been had the original address
1460 failed. The error information is now passed back for both fail and defer
1463 138. Added $rcpt_defer_count and $rcpt_fail_count.
1465 139. Added "rejected_header" log selector.
1467 140. Added the cannot_route_message generic router option.
1469 141. Change 87 above introduced a bug in the expansion of substrings when the
1470 offset was greater than the length of the string, for example
1471 ${substr_1:}. Exim crashed instead of returning an empty string.
1473 142. Added extra features to ACLs: the "drop" and "defer" verbs, and the
1474 "delay" and "control" modifiers (the latter with "freeze" and
1477 143. If Exim failed to create a log file, it used to try to create the superior
1478 directories only if the logs were being written in the spool directory.
1479 Now it tries in all cases, but always from a process running as the exim
1482 144. Added $authentication_failed.
1484 145. Added $host_data for use in ACLs.
1486 146. Added new ACLs for non-SMTP messages, SMTP connection, MAIL, and STARTTLS.
1488 147. Added a number of new features to the local_scan() API:
1489 Access to debug_printf() and the local_scan debug selector
1490 Direct access to the message_id variable
1491 LOCAL_SCAN_REJECT_NOLOGHDR and LOCAL_SCAN_TEMPREJECT_NOLOGHDR
1492 Access to store_get_perm() and store_pool (see 127 above)
1493 Access to expand_string_message
1494 Option settings in the main configuration file
1495 LOCAL_SCAN_ACCEPT_FREEZE and LOCAL_SCAN_ACCEPT_QUEUE
1496 LOG_PANIC to write to the panic log
1497 Access to host_checking
1498 Supporting functions lss_match_xxx() for matching lists
1500 148. Minor security problem involving pid_file_path (admin user could get root)
1503 149. When an ACL contained a sender_domains condition with a reference to a
1504 named domain list, the result of the check was not being cached (an
1507 150. Allowed for quoted keys in lsearch lookups; this makes it possible to have
1508 whitespace and colons in keys.
1510 151. Added wildlsearch lookup.
1512 152. Yet another new set of configuration files for Cygwin from Pierre Humblet.
1514 153. Ensure that log_file_path contains at most one instance of %s and one
1515 instance of %D and no other % characters.
1517 154. Added $tls_certificate_verified.
1519 155. Now that the list of lookup types has got so long (and more are in
1520 prospect) arrange to search it by binary chop instead of linear search.
1522 156. Added passwd lookup.
1524 157. Added simple arithmetic in expansion strings.
1526 158. Added the ability to vary what is appended for partial lookups.
1528 159. Made base 64 encode/decode functions available to local_scan.
1534 1. Added HAVE_SA_LEN=YES to the OS/Makefile-Darwin file, because it needs it
1535 (unsurprising, as it's based on FreeBSD).
1537 2. Removed the HTML versions of the PCRE and pcretest documentation from the
1538 distribution tarbundle, and instead included them in the HTML tarbundle,
1539 linked to the overall index file.
1541 3. The code for computing load averages was broken in 64-bit Solaris.
1543 4. Make the default ACL refuse local parts that start with a dot.
1545 5. LDAP binds with an empty password are considered anonymous regardless of
1546 the username and will succeed in most configurations. Exim has been changed
1547 so that the LDAP authentication (the ${if ldapauth... condition) always
1548 fails when an empty password is used.
1550 6. Remove quoting from rbl_domains when used in an ACL by the convert4r4
1553 7. A lookup entry in a list that had spaces after the lookup type, e.g.
1554 "lsearch; /etc/relaydomains" was including the space as part of the file
1557 8. Give an error if EXIM_USER or EXIM_GROUP contains control characters (it
1558 happened when somebody had CRLF terminations in Local/Makefile, which
1559 messed up the "unknown user" error message).
1561 9. Ensure recipient address appears in log line for internal pipe problems
1564 10. Tidies to code for calls to fork(): (a) 3 typos of "<=" that should have
1565 been "<" (but would have no actual effect). (b) 2 cases of fork() failures
1566 not being logged: during -M for multiple messages, and for auto-delivery
1567 of incoming messages.
1569 11. A reference to any header line that contains addresses (e.g. $h_to:) caused
1570 a crash if the header was empty. Change 46 for 4.05 introduced this bug.
1572 12. If a system filter file was defined as a non-absolute path, but system_
1573 filter_user was undefined, Exim's behaviour was undefined. It could, for
1574 example, discard all deliveries, thinking the system filter had overridden
1575 them all. Delivery is now deferred, with a message written to the panic
1578 13. If a redirection file (or system filter file when system_filter_user was
1579 set) was defined as a non-absolute path containing no slash characters,
1582 14. Added $rcpt_count, containing the number of RCPT commands received during
1583 an SMTP transaction. This differs from $recipients_count when some of the
1586 15. Added $pid, containing the pid of the current process.
1588 16. Fixed uninitialized variable warning in eximstats for relayed messages when
1589 there was no sending host name (logged as H=[n.n.n.n]). There's no change
1592 17. The exiqusumm script failed horribly if it encountered a message that had
1593 been on the queue for 100 days or more.
1595 18. Added the message_logs option for suppressing the writing of message logs.
1597 19. Allow local_scan() to change the errors_to setting on recipient addresses.
1598 (This was made trivially possible because of change 10 in 4.03.)
1600 20. Convert4r4 changed: if forbid_pipe is set on a forwardfile director, also
1601 set forbid_filter_run on the generated redirect router.
1603 21. In the Makefile, $(INCLUDE) was preceding the -I. item that refers to
1604 Exim's own include files. This caused a conflict with an external library
1605 that also happened to have a config.h file. Exim saw the wrong file, and
1606 chaos ensued. I've moved the -I. item in the relevant lines so that it
1607 comes before $(INCLUDE).
1609 22. Added $acl_verify_message to contain any existing user message when
1610 expanding the "message" modifier in an ACL.
1612 23. Changed the default argument for egrep when called in exiwhat to find
1613 Exim processes. It is now ' exim( |$$|-)' instead of ' exim( |$$)' so that
1614 it works on OS where the true file name appears.
1616 24. In the plaintext authenticator, server_prompts was not being expanded, as
1617 documented. It now is.
1619 25. The exinext script was outputting in an incorrect format for routing
1620 delays. It said "deliver" when it should have said "route", and the layout
1621 of the text was screwed up. In fact, "deliver" is not the right word
1622 anyway. I've changed it to "transport". Also removed redundant code for
1623 "directing" delays, because these can't occur in Exim 4.
1625 26. Fixed some problems concerned with retrying address errors in remote
1628 (a) I'd overlooked temporary address errors, and assumed that all the
1629 retry items would be for host errors, and therefore on the first
1630 address when multiple RCPTs were involved. Consequently, no retry
1631 record was written for second and subsequent addresses if they
1632 received a 4xx error. Thus, these addresses wouldn't be delayed
1633 after such a delivery failure.
1635 (b) A temporary address error causes a routing delay; when the address
1636 is eventually tried again, and routing succeeds, the retry record is
1637 flagged for deletion. If the address gets another temporary error,
1638 the retry record got updated, and then deleted. Thus, temporary
1639 address errors were not being delayed and would be tried on every
1642 27. A minor code tidy for the CRAM-MD5 authenticator.
1644 28. Some OS have a command to select processes by the name of the command they
1645 are running, and send a signal to them. Linux and FreeBSD have "killall";
1646 Solaris has "pkill" (it also has "killall", but that does something
1647 disastrously different). Using such a command makes "exiwhat" more
1648 efficient, and reduces the chances of it trying to signal a non-existent
1649 process. There are now two build-time parameters, EXIWHAT_MULTIKILL_CMD and
1650 EXIWHAT_MULTIKILL_ARG, which can be set to enable this feature to be used.
1651 They are defined in the OS-specific files for Linux, FreeBSD, and Solaris.
1652 See OS/Makefile-Default for more details.
1654 29. As part of tidying up for 28, changed the name of the build-time parameter
1655 EXIWHAT_KILL_ARG to EXIWHAT_KILL_SIGNAL so that its name makes more sense
1656 when used in both kinds of exiwhat processing.
1658 30. By default, the daemon doesn't write a pid file if -bd is not used (i.e. if
1659 only -q is used). The -oP didn't override this - it was ignored. It now
1660 overrides the default and causes a pid file to be written.
1662 31. The values of $local_part, $domain, etc. were not being set during the
1663 expansion of shadow_condition in a local transport.
1665 32. The convert4r4 script failed when macros that had continuation lines were
1666 present in the Exim 3 configuration file. It inserted junk lines into the
1667 output and gave uninitialized variable errors.
1669 33. The convert4r4 script discards (with a comment) a setting of "rewrite" on
1670 a smartuser director that has no setting of new_address when it turns it
1671 into an "accept" router.
1673 34. When an alias generated an address with a single-component domain, and
1674 routing that domain caused it to be widened, Exim remembered only that it
1675 had delivered to the widened domain. If any other addresses were deferred,
1676 so that another delivery attempt happened later, Exim re-delivered to the
1677 widened address, because it checked only the original address. When this
1678 kind of widening happens, Exim now checks for previous delivery.
1680 35. A delivery was silently discarded under the following specific
1682 . The original address is x@a.b.c, where a.b.c is the local host;
1683 . a.b.c is recognized as a local domain, and the address is redirected
1685 . a is not recognized as a local domain, causing the address to be
1686 processed by a dnslookup router;
1687 . the router widens the address to a.b.c, routes it, and discovers it
1689 Exim realized that because the domain had been widened, it might have
1690 become a local domain, so it arranged to re-route from scratch, using the
1691 new domain. However, because the original address was the same address,
1692 it thought it had already dealt with it.
1694 36. A space at the start of an LDAP query in an expansion (after the opening
1695 curly) was provoking a syntax error.
1697 37. A syntax error in the data of an ldapauth expansion caused the condition to
1698 be false without an LDAP query even being tried. Now it causes the
1701 38. Ensure that an incomplete config.h is removed when the buildconfig program
1702 gives an error. Otherwise, if the error is a non-existent Exim user, and
1703 the admin fixes this by creating the user (and not modifying any files),
1704 Exim will try to use the broken config.h next time.
1706 39. A call with an argument of the form "-D=xxxx" (i.e. omitting the macro
1707 name) caused Exim to loop. It now reports an error.
1709 40. If an ACL tested an address for being in a named domain list (e.g.
1710 +relay_domains) and then called for recipient verification, and the
1711 recipient was rewritten, the cache for remembering matching domain lists
1712 was not being cleared after the rewrite, leading to potential routing (and
1713 therefore verification) errors. Furthermore, the rewritten address would
1714 (incorrectly) have been used for any subsequent address checking within
1717 41. If an address such as a%b@c was processed using the "percent hack" and then
1718 transmitted over SMTP, Exim was sending "RCPT TO:<a%b@c>" instead of
1721 42. A revised Makefile-CYGWIN file from Pierre Humblet.
1723 43. If local_scan() rejected a -bS message, it wasn't handling the error in the
1724 way -bS errors should be handled.
1730 1. In the log display in Eximon, put the insert point (caret) at the start of
1731 the last line instead of at the end, because this stops unwanted horizontal
1732 scrolling when certain X libraries are used.
1734 2. A malformed spool file with an incorrect number of recipients (which
1735 should never occur, of course) could cause eximon (and probably exim) to
1738 3. Updated Cygwin Makefile and os.h (minor tweaks).
1740 4. Setting allow_domain_literals=true was not allowing domain literal
1741 addresses in the -f command line option.
1743 5. Added debugging output for removing and adding header lines at transport
1746 6. On systems where SA_NOCLDWAIT is defined, changed from using signal(
1747 SIGCHLD, SIG_DFL) to using sigaction(), with flags explicitly set zero, to
1748 ensure that SA_NOCLDWAIT is definitely off. This fixes a bug in AIX where
1749 subprocesses were disappearing without being turned into zombies for Exim
1750 to reap. There was a previous report of the error "remote delivery process
1751 count got out of step" on a Linux box that was never resolved. It is
1752 possible that this change fixes that too.
1754 7. Other applications that support IPv6 have been coded to choose IPv6
1755 addresses in preference to IPv4 addresses where possible. This is
1756 encouraged, in order to speed up the use of IPv6. Exim has now been changed
1757 to do likewise when it looks up IP addresses from host names. This applies
1758 both to hosts that have more than one IP address, and to MX records with
1759 equal preference values when the hosts they point to have both IPv4 and
1760 IPv6 addresses. Within one preference value, Exim will try all the IPv6
1761 addresses before any IPv4 addresses, even when some of the IPv4 addresses
1762 belong to hosts that also have IPv6 addresses.
1764 8. When Exim sent HELO after EHLO was rejected, or when it sent a second EHLO
1765 after starting a TLS session, it used the primary host name as the
1766 argument, instead of the expansion of the helo_data option.
1768 9. Exim was failing to batch addresses for local delivery when errors_to was
1769 set on the router to the same string for each address, in the case when the
1770 string involved some kind of expansion (that ended up with the same value
1771 each time). If the string was fixed (i.e. no expansion) the batching was
1772 not blocked. In other words, I was testing the addresses of the strings but
1773 forgetting to compare the content. The same problem was not present for
1774 remote deliveries, but the code was written out instead of using a
1775 subroutine that now exists for this purpose, so I tidied that code.
1777 10. When Exim passes a connected TCP/IP socket to a new Exim process in order
1778 to deliver another message on the same connection, it closes down TLS,
1779 because it can't pass on the state information that is required by the
1780 OpenSSL package. The new process then tries to start up TLS again.
1781 Unfortunately, not all servers handle this - and, it has to be said, it is
1782 a bit of a dubious interpretation of the RFC. (Exim as a server copes OK,
1783 needless to say.) The problem is that the server may just die or give an
1784 invalid response, causing a retry delay to occur. The option
1785 hosts_nopass_tls was invented to help with this, but an automatic way of
1786 testing has been invented. What now happens is that Exim sends a new EHLO
1787 after shutting down TLS, before passing the socket on. This in itself
1788 reduces the dubiousness of the procedure. If there isn't an OK response,
1789 Exim doesn't try to pass the socket on.
1791 11. There was inconsistency in the way failures to set up TLS sessions in the
1792 smtp transport were handled when the host was not in hosts_require_tls.
1793 It deferred for 4xx responses to STARTTLS, but tried in clear if the actual
1794 TLS negotiation failed. It now does the same thing in both cases, and what
1795 this is can be controlled by the new option tls_tempfail_tryclear. This
1796 defaults true, causing a retry in clear to occur. If it is set false, these
1797 kinds of temporary failure cause a defer (for that host; if there are
1798 other hosts, they are tried).
1800 12. Tidying. When starting up a new delivery process to deliver another message
1801 over an existing SMTP connection, pass over the IP address as well as the
1802 host name. This saves having to get the IP address from the socket.
1804 13. Added "#define base_62 36" to OS/os.h-Darwin because the MacOS X operating
1805 system has case-insensitive file names.
1807 14. Tidies to rewriting code: (1) It was getting an unnecessarily large block
1808 of memory for a rewritten header. (2) Removed some unnecessary debugging
1809 code that just duplicated log output.
1811 15. In an expansion like "${if <condition> {${mask:xxxx}}{yyyy}}" Exim still
1812 tried to perform the masking operation even when the condition was false
1813 and the yield was "yyyy". This could fail when "xxxx" wasn't a valid string
1814 for the masking operation. Some other operators (e.g. base62) could fail in
1815 a similar way. All string operations are now skipped when processing the
1816 unused substring of a condition.
1818 16. If a verification of a sender address in a header (caused by verify =
1819 header_sender in an ACL) caused the address in the header to be rewritten
1820 (typically because a DNS lookup had widened the domain), the newline at the
1821 end of the header got lost, thereby causing two headers to be run together.
1822 Sometimes, but not always, this caused a "spool format error".
1824 17. A user wanted to use "save" in a filter file with a non-absolute path, and
1825 to set file_transport to a non-appendfile transport that made use of
1826 $address_file for its own purposes. This didn't work because Exim was
1827 distinguishing between file and autoreplies by the leading '/' of the
1828 former. It now checks for the leading '>' of the latter instead.
1830 18. The "accept" router was forcing log_as_local instead of just defaulting it.
1832 19. Exim crashed while verifying a recipient in an ACL if the address was
1833 verified by a dnslookup router that widened the domain.
1835 20. When checking the parameters returned from an ident call, Exim was assuming
1836 that the format would be textually identical to the values it sent,
1837 including the white space. This is not always the case, causing Exim to
1838 discard returned ident data that it should have been accepting.
1840 21. Typo (space missing) in "failed to expand condition" error message.
1842 22. The option of specifying an individual transport in a route_data or
1843 route_list option of the manualroute router wasn't working. Such settings
1844 were being completely ignored.
1846 23. The memory management was poor when building up a string from a lookup that
1847 retrieved a large number of data items that had to be concatenated, for
1848 example, an alias lookup in a database that returned thousands of
1849 addresses. In extreme cases, this could grind the host to a halt. (Compare
1850 change 8 for 4.00, which was a similar effect.) Two changes have been made
1851 to improve matters: (a) For longer strings, it extends them in bigger
1852 chunks, thus requiring fewer extensions. (b) It is now able to release some
1853 unwanted memory when a string is copied out of it into a larger block.
1855 24. There was a small error in the memory sizes quoted when -d+memory was used
1856 and emptied memory blocks were released.
1858 25. When helo[_try]_verify was set, Exim crashed if the reverse DNS lookup gave
1859 a temporary error when trying to look up the host name. It now tries to
1860 check with a forward DNS lookup (as it does when the reverse lookup can't
1861 find a name). For helo_verify, a temporary error is now given if
1862 verification failed, but the host name lookup gave a temporary error. (As
1863 before, a permanent error is given if there is no host name available.)
1865 26. When checking quotes for maildir++ format, if the directory name was given
1866 with a trailing slash in the "directory" option of the appendfile
1867 transport, Exim got the quota calculation wrong because it scanned the
1868 final directory instead of the parent directory.
1870 27. The "quota_xxx" error facility for retry rules was broken in Exim 4 if
1871 the mailbox had not been read for more than approximately 10 hours.
1873 28. If a router with "unseen" had a setting of address_data, the value was not
1874 passed on to subsequent routers for the continuing processing of the
1877 29. If a daemon was started with (e.g.) -qff15m, it omitted the second 'f' when
1878 starting queue runners. Likewise, if the flags included 'i', this was
1881 30. Some operating systems log warnings if exec() happens without the standard
1882 input, output, and error file descriptors existing. The worry is that the
1883 called program will open some file which will be allocated one of these
1884 fds. Another bit of code might assume it can write an error message to
1885 stderr, or whatever. Exim was calling itself to regain privilege for
1886 delivery without these fds set, thus provoking the warning. Of course, it
1887 didn't make use of them itself, but the exposure was there for libraries it
1888 might be using. The code has been changed to ensure that, if any of the
1889 file descriptors 0, 1, or 2 does not exist at the time of a call to exec(),
1890 they are opened to /dev/null.
1892 31. A delivery process could loop under the unusual combination of the
1893 following circumstances:
1894 (1) A delivery process had envelope_to_add set for its transport.
1895 (2) The delivery was for a child address of an envelope address that
1896 also had another child.
1897 (3) This other child had been discarded because it was a duplicate of a
1898 second envelope address.
1899 (4) The second envelope address had generated a child that was discarded
1900 because it was a duplicate of the first envelope address.
1902 32. The -bp option was failing to notice delivered addresses that were in the
1903 -J file but had not yet made it into the -H file. (This got broken between
1906 33. If "query" or "queries" in aliasfile director, or "route_query" or
1907 "route_queries" in a domainlist router were enclosed in quotes, the
1908 convert4r4 script was not removing the quotes before inserting the query
1909 into an expansion string, leading to invalid queries within the string.
1911 34. If more than two addresses were being delivered in a batch (either local or
1912 remote deliveries), and they all had the same, non-empty value for
1913 $self_hostname, but had different domains, Exim crashed. (This is rare,
1914 because the use of "self=pass", which is the only way $self_hostname gets
1917 35. If $message_headers was used in a context where there were no headers (e.g.
1918 while verifying an address before receiving a message), it caused an
1919 "unknown variable" error. Now it just returns an empty string.
1921 36. Exim was not diagnosing missing time units letters in times on retry
1922 rules. It was treating such malformed times as "-1", which caused the rules
1925 37. Added some debugging output to the CRAM-MD5 server code.
1927 38. In the appendfile transport, check for a file name supplied by redirection
1928 by checking for "not pipe and not autoreply" instead of looking for a
1929 leading '/' in the "address".
1931 39. The os.h file for Darwin defined CRYPT_H, which apparently is wrong.
1933 40. The "condition" condition in ACLs has been tightened up. Formerly, anything
1934 other than an empty string, "0", "no" or "false" was treated as "true". Now
1935 it insists on "yes", "true", or a non-zero number.
1937 41. Change 22 of 4.02 has been improved; somebody mailed me the correct code
1938 to get an error message when ldap_result() doesn't set a result.
1940 42. Update convert4r4 to recognize "ldap:" in require_files, and double the
1943 43. Added "protocol violation" to the "SMTP synchronization" error message, to
1944 make it clearer what it is complaining about.
1946 44. Change 26 of 4.03 was incomplete. The same problem could arise if a lookup
1947 failed while checking the pre-conditions of a router that was subsequently
1948 run. This can happen for negated conditions such as "domains = !<lookup>".
1950 45. Somebody managed to set up a configuration that crashed buildconfig such
1951 that it left a half-built config.h but did not stop the build process. I
1952 can't reproduce it, but I have added a check after building config.h to
1953 test for the presence of its last line ("/* End of config.h */").
1955 46. Added a .PHONY target to the Makefile to be tidy for GNU make. (It should
1956 be ignored by other versions).
1958 45. When Exim uses Berkeley DB version 3 or 4 to create a DBM file, it creates
1959 it in hashed format. Previously, it opened these files for reading in the
1960 same format. Now it opens them as "unknown", which means that other formats
1961 can be accommodated when using DB files for auxiliary data.
1963 46. When concatenating header lines that may contain lists of addresses (From:,
1964 To:, etc.) as a result of references to $h_from: etc., a comma is now
1965 inserted at the concatenation point. Without it, the use of "if
1966 foranyaddress" fails on such headers, which is dangerous.
1968 47. The code for ratelimiting MAIL commands was triggering on the count of
1969 messages received, instead of the number of MAIL commands (which is not the
1970 same thing if no message is accepted in a transaction). The smtp_accept_
1971 max_per_connection limit has also been changed to use the count of MAIL
1972 commands instead of the count of messages accepted.
1974 48. There was a typo in the exiwhat script which broke it if the esoteric
1975 CONFIGURE_FILE_USE_NODE option was in use.
1981 1. Fix 10 for 4.03 had a bug in it, which could cause problems when converting
1982 from an earlier 4.xx release with delayed "one_time" messages on the spool.
1983 4.03 incorrectly complains about spool format errors (and refuses to
1984 process these messages).
1986 2. Changed the status of the text widgets in the monitor from Append to Edit,
1987 because this matters on some versions of X.
1989 3. Change 22 for 4.03 turns out to be misguided. Luckily it is controlled by
1990 a compile-time macro. I have removed the settings from OS/os.h-Linux that
1991 made it try to use these functions.
1997 1. Change 12 for 4.02 overlooked one case where 256 should have been replaced
1998 by MAX_LOCALHOST_NUMBER.
2000 2. Timeouts (etc) in dnslist lookups were not behaving as documented; they
2001 were deferring (causing 4xx errors) instead of behaving as if the host was
2002 not in the list. This has been fixed. In addition, some new special items
2003 may appear in dns lists, to control what happens in this case. The items
2004 are +include_unknown, +exclude_unknown, and +defer_unknown.
2006 3. Added #include <unix.h> to OS/os.h-QNX because it was reported that this
2007 was needed, in order to get O_NDELAY.
2009 4. Added #define BASE_62 36 to OS/os.h-Cygwin.
2011 5. Change 8 for 4.02 overlooked the fact that "directory" need not be set if
2012 the directory name is coming from a filter or forwarding file. The check
2013 has now been moved from initialization time to run time. Thus, it happens
2014 later, but it still helps to diagnose the problem.
2016 6. The file direct.c had been accidentally left in the distribution.
2018 7. When a new process was forked to deliver another message down an existing
2019 SMTP connection, a pipe file descriptor was accidentally left open. This
2020 meant that if there was a long chain of such processes, the number of open
2021 file descriptors increased by one for each process, and if there were
2022 sufficent, the limit of open descriptors could be reached, causing various
2025 8. When an address was being checked with -bt and the routing involved an
2026 errors_to setting whose address verification also involved an errors_to
2027 setting, Exim got into a verifying loop. It shouldn't verify an errors_to
2028 setting when already verifying, but got this wrong if it started from -bt.
2030 9. Tidied up some compiler warnings when compiling with TCP wrappers.
2032 10. When a child address was promoted to a toplevel address by "one_time" after
2033 a deferred delivery, it was not remembering any "errors_to" address that
2034 was set by the routers that processed the original address. Consequently,
2035 the subsequent delivery had (incorrectly) the original sender address in
2036 the envelope. Exim now remembers the "errors_to" address with the new
2037 toplevel address and reinstates it for the next delivery.
2039 11. When Exim received a message other than from the daemon, there were two
2040 situations in which it did not re-exec itself for delivery: when it was
2041 running as root, or when it was running in an unprivileged mode. This was
2042 an attempt to save some resources (very early Exims ran as root more often)
2043 but has turned out to be pretty rare. A bug has been discovered in this
2044 case: if the incoming message was on a TLS session (from inetd, for
2045 example), but the outgoing delivery was on an unencrypted SMTP connection,
2046 Exim got confused. The effect was minimal: it sent two EHLO commands, but
2047 otherwise worked. Multiple EHLOs are not an error, according to the RFCs,
2048 but there was at least one broken MTA that objected. This error would have
2049 occurred only when synchronous delivery (-odi or -odf) was specified.
2051 While sorting this out, I have abandoned the logic that did a delivery
2052 without forking in the interests of simplicity. This was an even rarer
2053 case: it only happened when Exim was running as root or in an unprivileged
2054 mode AND synchronous delivery was specified.
2056 12. Change references to /bin/rm in the Makefile to plain rm.
2058 13. If EXIM_PERL was set in Local/Makefile, but PERL_COMMAND was set to a
2059 command that was not a file, or if it was set to a non-existent file,
2060 the build process carried on trying to build Perl support, but without the
2061 relevant variables for the Perl libraries, etc., which is disastrous. In
2062 fact, the build process shouldn't have been using PERL_COMMAND; that is a
2063 value for screwing into utility scripts. The build process assumes a
2064 suitable PATH for things like rm, mv, etc., which have xxx_COMMAND
2065 variables for scripts. So I've changed it to use just "perl". It now bombs
2066 out if "perl --version" doesn't produce some output.
2068 14. Changed the #includes in perl.c for the Perl headers to use <> instead of
2069 "" because this is apparently better usage.
2071 15. Added local_scan_timeout to apply a timeout to local_scan().
2073 16. Recognize IPv6 addresses as IP addresses, even when Exim is not compiled
2076 17. When verifying a HELO/EHLO name, Exim was not checking the alias host names
2077 it obtained from calling gethostbyaddr(). In many cases, this didn't cause
2078 any unwanted rejections because as a last resort Exim does a forward lookup
2079 on the HELO name to see if any of its IP addresses matches. But it fixing
2080 the bug saves the unnecessary additional lookup.
2082 18. Added "domains = ! +local_domains" to the commented-out ipliteral router in
2083 the default configuration.
2085 19. Default sender_host_aliases to an empty alias list, instead of NULL. This
2086 is just for tidiness; the way it was coded, it didn't cause any problems.
2088 20. Added -tls-on-connect, which starts a TLS session without waiting for
2089 STARTTLS. This supports older clients that used a different port.
2091 21. Added support for the Cyrus pwcheck daemon.
2093 22. Arranged to use getipnodebyaddr() instead of gethostbyaddr() in systems
2094 with IPv6 support that have this function, because gethostbyaddr() doesn't
2095 work for IPv6 addresses on all systems (it does on some).
2097 23. Header lines added by "warn" statements in the ACL for RCPT are saved up to
2098 be added after the message's header has been received. Previously, Exim was
2099 saving up all added headers, from both RCPT and DATA, until the very end.
2100 Now it adds those from RCPT before the DATA ACL is obeyed, so that they can
2101 be accessed from within the DATA ACL.
2103 24. Changed TLS initialization to use SSL_CTX_use_certificate_chain_file()
2104 instead of SSL_CTX_use_certificate_file(). This means that the file can
2105 contain the whole chain of certificates that authenticate the server.
2107 25. Updated convert4r4 to check for colons that look as if they are part of
2108 expansion items in require_files lists (e.g. ${lc:xxxx}). In Exim 3, the
2109 whole list was expanded before splitting up, but in Exim 4, the splitting
2110 happens first, so such colons must be doubled. The conversion script now
2111 doubles such colons, and outputs a warning message. The test for one of
2112 these colons is a match against "\$\{\w+:".
2114 26. If, while verifying a recipient address, a router was skipped because a
2115 lookup did not succeed, and the following router suffered a temporary
2116 failure (e.g. a timeout), the log line for the temporary rejection showed
2117 the error from the first router instead of from the second.
2119 27. Exim crashed if a dnslists test was obeyed in an ACL for an SMTP message
2120 from the local host. Now it just fails to match the list.
2126 1. Bug in string expansion: if a "fail" substring of a conditional contained
2127 another conditional that used the "fail" facility, Exim didn't swallow the
2128 right number of closing parentheses in the case when the original condition
2129 succeeded (i.e. when the condition containing the "fail" should be
2132 2. helo_verify_hosts wasn't working when comparing host names.
2134 3. When delivering down an existing SMTP connection, the error "Unexpectedly
2135 no free subprocess slot" was sometimes given for other addresses in the
2138 4. Binary zeroes in the message body are now turned into spaces in the
2139 contents of $message_body and $message_body_end.
2141 5. If the value of a field in a MySQL result was SQL NULL, and more than one
2142 field was selected, Exim crashed.
2144 6. It seems that many OS treat 0.0.0.0 as meaning the local host, typically
2145 making it behave like 127.0.0.1. Since there have been incidents where this
2146 was found in the DNS, two changes have been made:
2147 (a) Added 0.0.0.0 to the ignore_target_hosts setting in the default
2149 (b) Unconditionally recognize 0.0.0.0 as the local host while routing.
2151 7. Added helo_allow_chars so people can let in underscores if they really
2154 8. Give configuration error if "maildir_format" or "mailstore_format" is
2155 specified for appendfile without specifying "directory".
2157 9. When return_path was expanded in an smtp transport, the values of
2158 $local_part and $domain were not set up.
2160 10. The optimization for sending multiple copies of a single message over one
2161 SMTP connection when there are lots of recipients (but too many for one
2162 copy of the message) was messing up in the case when max_rcpt was set to 1
2163 (for VERP). It would send lots of copies with one RCPT each, correctly, but
2164 because the transport was passed more than one address, $local_part and
2165 $domain weren't set. Since setting max_rcpt to 1 is almost always
2166 associated with VERP (or at least, you do it because you want to use
2167 $domain or $local_part), I've made that a special case where the
2168 optimization is disabled.
2170 11. Cygwin has case-insensitive file names. Therefore, we can't use base 62
2171 numbers for Exim's identifiers. We have to use base 36 instead. Luckily 6
2172 base 36 digits are still plenty enough to hold the time for some years to
2173 come. There's now a macro that is set either to 62 or 36, but the names and
2174 documentation still talk about "base 62".
2176 12. Added build-time variable MAX_LOCALHOST_NUMBER (default 256) to allow the
2177 localhost number to be traded off against the maximum number of messages
2178 one process can receive in one second. This is relevant only when
2179 localhost_number is set. It may be useful for Cygwin, where the maximum
2180 sequence number is much less when up to 256 hosts are allowed.
2182 13. Extended MySQL server data to allow for the specification of an alternate
2185 14. Give error if too many slashes in mysql_servers or pgsql_servers item.
2187 15. Changed the wording "debug string overflowed buffer" to "debug string too
2188 long - truncated" to make it clearer that it's not a big disaster.
2190 16. Now that I finally understand the difference between the resolver's returns
2191 HOST_NOT_FOUND and NO_DATA, I've optimized Exim's DNS lookup so that if an
2192 MX lookup gets HOST_NOT_FOUND, it doesn't bother to try to look up an
2193 address record. Only if it gets NO_DATA does it do that.
2195 17. The contents of Envelope-To: were not correct in cases when more than one
2196 envelope address was redirected to a single delivery address via an
2197 intermediate address, because the duplication was detected at the
2198 intermediate stage, but the checking for Envelope-To: only looked at
2199 duplicates of the final address.
2201 18. If a message with the -N flag was on the spool, and was selected during a
2202 queue run by -R or -S, the -N flag was incorrectly passed on to all
2203 subsequent messages, leading to their being thrown away.
2205 19. Remove unnecessary check for the local host when looking up host names in
2208 20. If tls_certificate is supplied, but tls_privatekey is not, assume that both
2209 are in the tls_certificate file.
2211 21. If a router set transport_current_directory or transport_home_directory
2212 to something that involved an LDAP lookup, and there was more than one
2213 local delivery to be done for a single message, all but the first got
2214 deferred because the LDAP connection for those variables got opened in the
2215 superior process, but closed in the first subprocess. The second subprocess
2216 then assumed it was still open. We now ensure that each subprocess starts
2217 with a clean slate (everything closed down) so that it can open and close
2218 its own connections as needed.
2220 22. After a failure of ldap_result(), Exim was calling ldap_result2error() in
2221 order to get an error message. However, it appears that it shouldn't do
2222 this if the value of result variable is NULL. As I can't find any way of
2223 getting an error message out of LDAP in this circumstance, Exim now just
2224 gives says "ldap_result failed and result is NULL".
2226 23. If a message arrives over a TLS connection via inetd, close down the SSL
2227 library in the subprocess for message delivery (but don't molest the
2228 parent's SSL connection).
2234 1. When setting TCP_NODELAY, the call to setsockopt() was using SOL_SOCKET
2235 instead of IPPROTO_TCP, which caused excessive logging on some systems.
2237 2. Changed the Makefile for Cygwin to set EXIM_USER and EXIM_GROUP to 0.
2239 3. The SMTP rewriting facility was broken.
2241 4. There was some malformatting in the spec.txt file (the other formats were
2244 5. Made convert4r4 change "bydns_a" into "bydns" in route_list options, and
2245 to do the same for "bydns_mx", but in this case to comment that it won't
2246 work the same (and to suggest a workaround).
2248 6. Removed redundant code in deliver.c for indicating when a reused SMTP
2249 connection had been closed in a subprocess - this was being done twice.
2251 7. Change 2 of 3.164 removed Exim's explicit checking that a reverse DNS
2252 lookup yielded a name whose forwarded lookup gave the original IP address,
2253 because I thought that gethostbyaddr() did this automatically (it seems to
2254 on some systems). There is hard evidence that I was wrong, so this test has
2255 been put back, and in a better form, because it now checks alias names.
2256 This means that the verify=reverse_host_lookup condition in an ACL reduces
2257 to requiring that the host name has been looked up, since the checks it
2258 previously did are not always applied.
2260 8. When sender verification fails, the error associated with it is given by
2261 default before the 550 error for the first RCPT command. Not everybody
2262 wants to see this. There is now an option (no_details) that suppresses it.
2264 9. The patterns in rewriting rules with the 'S' flag were not being expanded.
2265 For consistency with other patterns (and the documentation), this has been
2268 10. "domainlist", "hostlist", and "addresslist" weren't recognized if the
2269 immediately following character was a tab rather than a space.
2271 11. The rules for writing daemon pid files have changed. A new option -oP has
2272 been added to provide a way of specifying a pid file path on the command
2273 line. Exim now writes a pid file when -bd is used, unless -oX is specified
2276 12. The version number of OpenSSL was included in the response to the STARTTLS
2277 command - a legacy from the original contributed code that doesn't seem
2278 sensible. It no longer appears, and I took it out of the debug output as
2279 well because that was the only place left, and the code to compute it was
2280 "mysterious magic" that didn't seem worth keeping.
2282 13. When another message was processed in order to send it down an existing
2283 SMTP connection, Exim was doing the routing for all the addresses. Even if
2284 called from a delivery from a queue runner, this doesn't count as "in a
2285 queue run", so retry times were not being inspected. If the message had a
2286 large number of recipients, and several of them timed out while routing,
2287 the delay could be so large that the server at the other end of the SMTP
2288 connection would time out. To avoid this happening, Exim now skips routing
2289 for any addresses that have a domain retry time set for routing, whether or
2290 not that retry time has arrived, when dealing with a pre-existing SMTP
2291 connection. This will be "right" pretty well all of the time, and even
2292 when it is "wrong", the only consequence will be some delay. (This doesn't
2293 apply to "address" retry times, because those are usually the result of 4xx
2294 errors, not timeouts.)
2296 14. Added words to the initial output from -bh pointing out that no ident
2299 15. The convert4r4 script wasn't getting it quite right with an aliasfile
2300 director that had a "transport" setting. It was missing the "yes/no" in the
2301 "condition" setting.
2307 1. Changed the name of debug_print for authenticators (3.953/38) to
2308 server_debug_print because it applies only when the authenticator is
2309 running as a server.
2311 2. Forgot to change DB_ to EXIMDB_ in the Cygwin Makefile.
2313 3. There were still a couple of uses of vfork() when passing a socket to a
2314 new delivery process. The use of vfork() is not recommended these days,
2315 so I changed them to fork().
2317 4. Added the spa authentication mechanism, using the code contributed by Marc
2318 Prud'hommeaux (and mostly taken from the Samba project). This supports
2319 Microsoft's "Secure Password Authentication", but only as a client.
2321 5. queryprogram had current_directory unset, but used "/" when it was unset.
2322 It is tidier just to make the default "/" and have done with it.
2324 6. When a delivery is run with -v, the -v flag is no longer passed on to new
2325 processes that are started in order to send other messages on existing
2326 SMTP connections. This prevents non-admin users from seeing these other
2327 deliveries. Admin users can specify a higher level of debugging, and when
2328 this is done, the debugging selection is passed on.
2330 7. Increased the increment for dynamic strings from 50 to 100.
2332 8. When Exim was building a dynamic string for $header_xxx from a number of
2333 headers of the same name, or for $message_headers, it was using the dynamic
2334 string function which is designed for use with relatively short strings. If
2335 a pathological message had an enormous header, it chewed up memory at a
2336 ridiculous rate. The code has been rewritten so that it does not do this.
2337 With a 64K header string (there's a limit set at 64K) it now just gets one
2338 64K buffer. Previously it used a large number of megabytes to build such a
2339 string, and some system filter processing ran machines into the ground on
2340 messages with huge headers.
2342 9. The work for 8 involved a small amount of other "refactoring" in the
2343 expansion functions.
2345 10. If "headers add" or "headers remove" were used in a system filter, the
2346 headers didn't actually get changed when testing with -bF. This could
2347 affect later commands in the filter that referred to the headers.
2349 11. Two system filter bugs: (a) The system filter was always being run as root,
2350 even if system_filter_user was set. (b) When the system filter was not run
2351 as root, changes to the header lines by "headers add" or "headers remove"
2352 were being lost. Because of (a), (b) would never have bitten.
2354 12. Some "refactoring" in the daemon:
2355 (a) Removed redundant statement smtp_in=NULL.
2356 (b) The test for fork failure for a delivery process was not quite in the
2358 (c) Added main and panic logging for receive and delivery fork failures.
2359 (d) Check for fdopen() failure, and don't try to continue, but ensure
2360 the sockets get closed.
2361 (e) Log fclose() failures.
2363 13. Added the "/data" facility to ACL dnslists so as to make it easy to use,
2364 for example, the domain lookup of rfc-ignorant.org.
2366 14. Refactored the code in the daemon to use a vector of structures instead of
2367 two separate vectors for storing the pid of a spawned accepting process and
2368 the corresponding IP address of the client. (This is to make it easier to
2371 15. If EXIM_USER or EXIM_GROUP were set to the empty string in Local/Makefile,
2372 the uid or gid were set to zero, which is unsafe. These settings now cause
2373 an error message at build time.
2375 16. check_ancestor was doing its check case-sensitively, which meant that it
2376 did not work with some configurations when redirecting changed the case of
2377 the local part. Now check_ancestor respects the setting of
2378 caseful_local_part on the router which routed the ancestor address.
2380 17. The check for router looping (whether the current router had previously
2381 routed the same address) was always being done case-insensitively. It
2382 should do the local part check case-sensitively when caseful_local_part is
2383 set for that router.
2385 18. Added helo_try_verify_hosts, which is like helo_verify_hosts except that
2386 it doesn't reject failing HELO/EHLO. Instead the verification state can be
2387 testing in an ACL by verify=helo.
2389 19. When echoing log writes from a parallel remote delivery process to the
2390 debug output, the pid of the parallel process was being omitted.
2392 20. In an ACL run for a RCPT command, the values of $domain and $local_part
2393 were becoming unset after a sender or recipient verification.
2395 21. Exim crashed if called with -C followed by a ridiculously long string.
2397 22. Some other potential points of trouble caused by pathological input data
2400 23. If hosts_randomize was set on an smtp transport, the randomizing code had
2401 a bug which could put the delivery process into a tight loop.
2408 1. Exim was not terminating the names of named lists in memory. It got away
2409 with this on systems where newly malloc()d store is zeroed (always a bad
2410 practice). When running in its test harness, Exim now ensures that all
2411 new memory from malloc is filled with a non-zero value. This will help
2412 pick up bugs like this in future. (I haven't made it do it always, for
2413 performance reasons.)
2415 2. When skip_syntax_errors was set on a redirect router, and a forward file
2416 (NOT a filter file) contained only invalid addresses, the message was
2417 discarded. The router now declines, as it does for invalid filter files.
2418 Thus, the address is passed on unless no_more is set.
2420 3. When an address containing upper case letters in the local part was
2421 deferred, eximon showed the lowercased version with the caseful version
2422 as a "parent", as well as the original caseful version in its queue list.
2424 4. When hide_child_in_errmsg was set on a redirect router, bounce messages
2425 still showed the failed addresses in the X-Failed-Recipients: header line.
2427 5. Change 6 for 3.952 should also have included SIGTERM.
2429 6. exim -bP +something was searching only the domain lists. It now searches
2430 all lists for a matching name.
2432 7. If Local/Makefile contains more than one of USE_DB, USE_GDBM, or USE_TDB,
2433 give a build-time error. When it does contain one of them, arrange for any
2434 OS default for any other one to be overridden. (The code expects at most
2435 one of these to be defined.)
2437 8. When a value for transport_home_directory is taken from the password
2438 information, wrap it in \N...\N so that it isn't expanded in the transport.
2439 This affects Cygwin, where home directories may contain $ characters.
2441 9. Fixed an occasional crash when autoreply was sending a message created by
2442 a user's filter file. It was referencing uninitialized memory. (The
2443 prophylactic mentioned in 1 above made it a hard error.)
2445 10. The "run" and "readfile" expansion items could sometimes return extra junk
2446 characters (yet another uninitialized memory bug).
2448 11. The lockout options forbid_filter_existstest etc. were not propagating to
2449 the expansion of files sent as part of "mail" messages from users' filter
2452 12. Another unterminated string bug: when an ACL was read from a file
2453 dynamically it wasn't properly terminated.
2455 13. Cached pgsql connections weren't being re-used, leading to a potential
2456 build-up of open connections.
2458 14. $message_headers is supposed to be limited to 64K in length, but it wasn't
2459 so limited if an individual header line was longer than 64K.
2461 15. An individual header line, or concatenation of multiple identically-
2462 named header lines, inserted by $h_xxxx is supposed to be limited to 64K in
2463 length, but it wasn't so limited if the only header line was longer than
2466 16. A syntactically incorrect setting of -d... is now treated as a command line
2467 syntax error (message to stderr, return code 1), without any entry on the
2470 17. Modifications to the exim_install script:
2471 (a) Scan the combined Makefile in the build directory instead of messing
2472 around scanning its individual constituent files.
2473 (b) Use sed instead of a pipe of grep, tail and cuts. This allows better
2474 control, but has to be very simple sed in order to work on Solaris.
2475 (c) Allow for the setting of EXE to add a subscript to executables for
2476 the benefit of Cygwin.
2477 (d) Use -c instead of -b with "cut" because the "cut" in BSD/OS doesn't
2480 18. Changes for Cygwin:
2481 (a) Update scripts/os-type to recognize CYGWIN.
2482 (b) Arrange (via the Uopen() macro) for all calls to open() to have
2483 the O_BINARY flag, to avoid CRLF problems.
2484 (c) If OS_INIT is defined, call it at the very start of Exim's execution.
2485 (d) When resolver debugging is enabled, set _res.options |= RES_DEBUG
2486 before calling res_init() as well as after, because that generates
2487 some debugging info during initialization.
2489 19. Make the initial call to os_getloadavg() in exim.c conditional on
2490 LOAD_AVG_NEEDS_ROOT because it is done just to initialize os_getloadavg()
2491 on systems that require the first call to be done as root. It should be
2492 called only when messages are being received; it was being called
2493 unnecessarily in some cases.
2495 20. If Exim failed to open its retry hints database at routing time, it crashed
2496 during a subsequent local delivery.
2498 21. If Exim is neither setuid root nor called by root, there is no need to
2499 attempt to drop root privilege when it is not needed.
2501 22. I'd forgotten to remove the check for the presence of %s in pid_file_path
2502 when it was set at run time.
2504 23. If a transport filter crashed, or yielded a non-zero return code during an
2505 SMTP delivery, Exim was not aborting the delivery. This led to multiple
2506 partial deliveries of the message until the transport filter was fixed.
2508 24. Do not try alternate hosts if a transport filter crashes or yields a
2509 non-zero return during an SMTP delivery.
2511 25. When exim -be is reading input lines from stdin, backslash can now be used
2512 for continuations. This makes it easier to test expansions from a
2513 configuration file by cut and paste, and long expansions in general.
2515 26. The file src/auths/xtextdecode.c was incorrectly named xtestdecode.c, but
2516 because the MakeLinks script built a symbolic link that worked, this
2517 mistake didn't actually show up.
2519 27. When Exim is delivering another message down an existing connection,
2520 remote_max_parallel should be forced to 1; this wasn't happening, though
2521 it would have caused a problem only if a message had more than 100
2522 recipients routed to the host.
2524 28. When there was a problem while delivering down an existing connection, such
2525 that the transport process closed the connection, this fact wasn't getting
2526 communicated to the calling delivery process, which might have tried to do
2527 more deliveries on the same connection. This would only have caused a
2528 problem if there were more than 100 recipients to the same host.
2530 29. The ${extract} action, with a negative field number that selected the first
2531 field in a string, could return junk characters at the start of the
2534 30. When Exim is acting as a client, if an attempt to start a TLS session fails
2535 during the TLS negotiation phase (i.e. STARTTLS is accepted, but there's a
2536 problem such as an unrecognized certificate during TLS session startup),
2537 Exim used always to defer delivery. Now, unless the host is in
2538 hosts_require_tls, Exim makes a new connection to the host and attempts to
2539 send the message unencrypted. This avoids stuck messages for servers that
2540 advertise STARTTLS but don't actually support it properly.
2542 31. Added ${address:xxx} to go with ${domain:xxx} and ${local_part:xxx} which
2543 extract from RFC 2822 addresses.
2545 32. The rules for recognizing when Exim is being called from inetd have
2546 changed. Previously Exim required SMTP input, stdin to be a TCP/IP socket,
2547 and the caller to be root or the Exim user. This left a gaping hole if the
2548 caller was not root or the Exim user, because then it wouldn't do the
2549 policy checking for a remote host, because it didn't realize it was being
2550 called from inetd. (This was seen on Debian configurations). Exim now
2551 behaves as follows: if the input is SMTP and stdin is a TCP/IP socket, a
2552 call from inetd is assumed. This is allowed to proceed either if the caller
2553 is root or the Exim user, or if the port used is privileged (less than
2554 1024). Otherwise (a different user passing an unprivileged port) Exim gives
2555 a "Permission denied" error.
2557 33. Removed $compile_number from the default SMTP banner line (after discussion
2558 on the mailing list). Also removed it from the default $Received: header.
2560 34. # is documented as a comment character in the run time configuration only
2561 when it appears at the start of a line. In the case of boolean values,
2562 extra characters after "= true" or "= false" were being ignored, leading to
2563 a false impression that comments could appear there. This is now diagnosed
2566 35. If a boolean option without a following "=" was followed by # (in the
2567 mistaken belief that this would be a comment), the error was "missing =",
2568 which was confusing. Exim now complains about extra characters.
2570 36. When Exim complains about extra characters following an option setting, it
2571 now adds a comment about comments if the first extra character is #.
2573 37. Output debug_print strings when testing a host using -bh.
2575 38. Added server_debug_print to authenticators (compare routers and
2576 transports). This outputs when an authenticator is called as a server. It
2577 can be helpful while testing with -bh.
2579 39. Added debugging output to the crypteq condition.
2581 40. If a named domain or local part list used in a "domains" or "local_parts"
2582 option on a router matched by means of a lookup, the $domain_data and
2583 $local_part_data variables were set for the first router that did this, but
2584 were not set for any subsequent routers that used the same named list. The
2585 same was true for multiple tests of named domain or local parts lists in an
2588 41. If the variable "build" is set when the top-level Makefile is run, the
2589 variable now propagates from the top-level Makefile to subsidiary ones.
2590 In addition, Local/Makefile-$(build) is added to the list of concatenated
2591 files that go at the start of the Makefile in the build directory.
2593 42. If NO_SYMLINK is defined in Local/Makefile, the exim_install script just
2594 copies the Exim binary in with its unique name, without moving the "exim"
2595 symbolic link to it.
2597 43. Added BSDI 4.2 as a BSDI variant in scripts/os-type.
2599 44. The spool file format for remembering a "one_time" redirection has changed;
2600 I had forgotten to make Exim 4 capable of reading Exim 3 spool files.
2602 45. Address lists are now permitted to include items of the form *@+name where
2603 "name" is a named domain list. (Note that an item of the form +name is
2604 taken as a named _address_ list.)
2606 46. When Exim gives up privilege and reverts to the calling user because it was
2607 called with the -C, -D, -be, or -bi options, it now reinstates the
2608 supplementary group list as well as the uid and gid.
2610 47. The crypteq condition has been extended. When the encrypted string begins
2611 with "{md5}" Exim used to assume that the digest was encoded as a base64
2612 string. Now it assumes this only if its length is 24 bytes. If the length
2613 is 32 bytes, Exim assumes a digest expressed in hex characters. If the
2614 length is neither 24 nor 32, the comparison always fails.
2616 48. Updated the convert4r4 script:
2618 (a) Some typos in the comments.
2619 (b) Remove kill_ip_options, log_ip_options, and refuse_ip_options, which
2621 (c) Move all macro definitions to the top of the output, to ensure that
2622 they precede any references to them.
2623 (d) If tls_verify_ciphers was set without tls_verify_hosts, the generated
2624 new configuration insisted on encryption ("these ciphers must be
2625 used for all connections") instead of just checking the cipher when
2626 encryption happened ("if encrypted, these ciphers must be used").
2627 (e) Address lists are now checked to see if they contain any bare lookup
2628 items and if they do, these are converted to two items, the first
2629 preceded by "*@" and the second with "partial-" removed. This makes
2630 Exim 4 behave in the way that Exim 3 used to. An explanatory comment
2632 (f) Put more explanation in above the "hosts = :" test.
2634 49. Write a main and panic log entry when "partial-" is ignored in a lookup
2635 that is part of an address list. (Applies when the item is a lookup for
2636 which the whole address is the key.)
2638 50. Two changes to the way $original_local_part and $parent_local_part work:
2640 (a) When an address that had a prefix or suffix was redirected to another
2641 address, the value of $original_local_part and $parent_local_part
2642 had the prefix or suffix stripped when referred to during the
2643 processing of the child address. This doesn't seem right, so it has
2645 (b) When an address that had a prefix or suffix was being processed,
2646 $local_part had the affix stripped, and if it was a top-level
2647 address, $original_local_part also has the affix stripped. This has
2648 been changed. Now $original_local_part contains the same value at all
2649 levels. ($parent_local_part remains empty at top level.)
2651 51. A number of macros in the Exim source began with "DB_". When compiling
2652 with Berkeley DB version 4, DB_LOCK_TIMEOUT clashed with a macro set by
2653 that package. The Exim macros now all start with "EXIMDB_", and Exim
2654 therefore now supports DB version 4.
2656 52. Newlines in a "freeze" text from a system filter were being sent as \n
2657 in messages created by the "freeze_tell" option. They are now converted
2658 back to newlines (in the log line they continue to appear as \n).
2660 53. Added a new ACL condition "verify = reverse_host_lookup". This does a
2661 reverse lookup of the client host's IP address, then does a forward lookup
2662 for all the names it receives, and checks that at least one of the IP
2663 addresses obtained from the forward lookup matches the incoming IP address.
2664 The lookups are done with gethostbyaddr() and gethostbyname(),
2667 54. A small fix to eximstats reduces its store usage substantially when it is
2668 processing very large log files: when a message's "completed" line is
2669 reached, discard the memory of the message's size.
2671 55. If an address was redirected to itself more than once (e.g. by two
2672 different "redirect" routers, or because of the use of "unseen", it was
2673 incorrectly discarded as a duplicate address.
2675 56. For a rewrite pattern of the form *@something, if an actual address
2676 contained @ in the local part (e.g. "a@b"@x.y), the value of $1 was set
2677 incorrectly during expansion of the replacement address (it stopped at the
2678 first @ instead of at the last one).
2680 57. Added hosts_nopass_tls to the smtp transport. For any host that matches
2681 this list, a connection on which a TLS session has been started will not be
2682 passed to a new delivery process for sending another message on the same
2685 58. The -dropcr command line option now turns CRLF into LF, while leaving
2686 isolated CR characters alone. (Previously it removed _all_ CR characters.)
2687 There is now also a drop_cr main option which has the effect of -dropcr for
2688 all incoming non-SMTP messages.
2690 59. If a configuration file macro expanded into a boolean option which was not
2691 followed by = and a value, Exim gave a spurious error for an "unknown"
2692 value for the option (typically a string from the previous line).
2698 1. convert4r4 had an incorrect file name in its comment output.
2700 2. convert4r4 was looking up $local_part instead of $domain in its generated
2703 3. There was no check that getpeername() was giving a socket address when
2704 called on stdin passed from a previous delivery.
2706 4. Fixed an old bug whereby Exim could segfault if debugging was turned on and
2707 a DNS lookup found MX records for hosts whose A records had to be looked up
2708 separately, and some of them pointed to the local host (pretty rare).
2710 5. The debugging output for log writes now shows the names of any log selectors
2711 instead of the hex value of the selector word.
2713 6. If a delivery subprocess is terminated by SIGKILL or SIGQUIT, do not freeze
2714 the message. This can happen during system shutdown. Other kinds of process
2715 failure indicate problems.
2717 7. If a sender verification did not complete (e.g. DNS lookup timed out), the
2718 log line for the temporary RCPT rejection did not always say why (it lost
2719 the message if there had been a previous call to any lookup).
2721 8. The special message about MX records that point to IP addresses instead of
2722 host names was not getting returned in the SMTP response when a
2723 verification failed. This has been fixed, and the message that is logged in
2724 this circumstance has been made less verbose.
2726 9. When an SMTP callout is done, Exim tries to use the interface and port
2727 number from the transport that the address was routed to during the prior
2728 verification. If it wasn't routed to a remote transport, or if there's a
2729 problem expanding the relevant options, Exim does not use a specific
2730 interface, and it connects to port 25.
2732 10. If the string "syslog" happened to occur in the log file path, eximon was
2733 failing to extract the name of the main log file correctly.
2735 11. Unlike other operating systems, Linux does not sync a directory after a
2736 rename. However, we need this to happen to be sure an incoming message has
2737 been safely recorded after it has been received. I have therefore added a
2738 macro called NEED_SYNC_DIRECTORY (which is set in OS/os.h_Linux) to request
2739 Exim to do an explicit sync on the directory after the rename. If
2740 O_DIRECTORY is defined, it is used when opening the directory.
2742 12. When a system filter creates any new deliveries, they are given a fake
2743 "parent" address which appears on the logs, and is necessary for pipes,
2744 files, and autoreplies, which cannot be toplevel addresses. This fake was
2745 set up with the text "system filter". It's been changed to "system-filter"
2746 because the space in the previous text could cause trouble.
2748 13. The new option local_sender_retain suppresses the removal of Sender: header
2749 lines in locally-submited (non-TCP/IP) messages from untrusted users. It is
2750 required that no_local_from_check be set with local_sender_retain.
2752 14. In a file interpolated into an address list, if a local part contained a
2753 # character and there was also a following comment (introduced by a #
2754 preceded by white space), the comment was not recognized.
2756 15. Local part lists are now handled as address lists as far as recognition of
2757 comments in interpolated files and the processing of +caseful at the top
2758 level are concerned. In the local_parts option of a router, +caseful will
2759 restore case-sensitive matching, even when the router does not have
2760 caseful_local_part set (the default).
2762 16. The key used for a dsearch lookup may not contain '/'. If it does, the
2765 17. When starting a delivery process after receiving a message locally, discard
2766 the controlling terminal unless debugging is turned on.
2768 18. The exim group was automatically trusted; this was not correct because it
2769 meant that admin users who were in the exim group were automatically
2770 trusted. If you want the exim group to be trusted, it must now be
2771 explicitly configured.
2773 19. The default configuration mentioned "dns_lists" instead of "dnslists" in a
2776 20. Minor corrections and changes to the Exim4.upgrade document and to the
2777 OptionLists.txt document.
2779 21. If a local part beginning with a pipe symbol was routed to a pipe
2780 transport, the transport got confused as to which command it should run.
2781 This could be a security exposure if unchecked local parts are routed to
2784 22. When logging SMTP connections to the daemon from other hosts, include the
2785 connection count in the log line. Tidied up the identification of SMTP
2786 sources in logging lines.
2788 23. Added "sender_domains" as a new ACL condition so that the Exim 3 setting
2789 of sender_verify_callback_domains can easily be replicated. Corrected
2790 convert4r4, which was incorrectly converting this to a "domains" setting.
2792 24. The code for reading ident values was not discarding leading spaces, which
2793 some hosts seem to send.
2795 25. The building process was still insisting that PID_FILE_PATH contained %s,
2796 but this is not required for Exim 4.
2798 26. The logging of ETRN commands had got lost. It has been restored, and the
2799 log selector "etrn" (on by default) added to control it.
2801 27. IPv6 reverse DNS lookups were originally specified as happening in the
2802 ip6.int domain, but this is being changed to ip6.arpa (and they've changed
2803 the meaning of "arpa" to "Address and Routing Parameters Area"). The only
2804 time Exim does reverse lookups directly (as opposed to calling
2805 gethostbyaddress()) is in the code for the dnsdb lookup type. This has been
2806 changed to use ip6.arpa.
2808 28. Made the test programs (test_dbfn for testing DBM files, and some others)
2809 compile! Updated the help output from test_dbfn.
2811 29. Changed all occurrences of "r" and "w" in fopen() fdopen() calls to "rb"
2812 and "wb". This makes no difference in Unix systems, but is apparently
2813 necessary for running Exim under Cygwin.
2815 30. Three changes that make virtually no difference when Exim is run on a real
2816 Unix system, but which were asked for to make life easier when porting it
2817 to run under Cygwin:
2819 (a) Changed the logic for locking a message when an Exim process is
2820 handling it. Previously, the entire -D file was locked to indicate
2821 this. Now Exim locks only the first line, which contains the name of
2822 the file. Apparently, in the Cygwin environment, a subprocess cannot
2823 read locked parts of a file, even when it is passed an open file
2824 descriptor to that file from the process that did the locking. By
2825 locking only the first line, which the subprocess does not want to read
2826 (it just needs to read the data that follows), we can get round this
2827 restriction with minimal effort.
2829 (b) Added support for native gdbm function calls. GDBM is apparently the
2830 only DBM library that is currently available Cygwin, and only with its
2833 (c) The default modes for files, directories, and lock files in the
2834 appendfile transport can now be set in Local/Makefile at build time.
2836 31. When transmitting a message using SMTP with PIPELINING, if the server gave
2837 a malformed SMTP response, the message logged by Exim didn't associate it
2838 with the pipelined SMTP command to which it referred. For example it logged
2839 "after DATA" if all the recipients had been sent. Also, if the response
2840 was an empty line (illegal), it didn't show up very clearly. The error
2841 messages are now more accurate, and point out empty lines.
2843 32. Minor corrections and changes to src/configure.default.
2845 33. When a host list in a route_list item that was enclosed in double quotes
2846 contained single quotes within it, the quoting was incorrectly terminated.
2847 Both the pattern and the host list in route_list items are now handled by
2848 the standard quote-processing function.
2850 34. Corrected the EDITME file for eximon so that the default stripchart
2851 patterns work with the default runtime configuration for local deliveries.
2852 (Previously it matched a delivery via a director - not possible in Exim 4.)
2858 Exim 3.951 is the first alpha testing release for Exim 4. A list the many
2859 individual changes to the code made between Exim 3.33 and Exim 3.951 was not
2860 kept. The functional changes are listed in the Exim4.upgrade file.