1 Change log file for Exim from version 3.951 to 4.20
2 ---------------------------------------------------
8 1. If data for an authentication interaction was just the string "=",
9 indicating an empty string, Exim was not setting up the numerical variable
10 correctly. In some situations, this could cause a crash - in others, it
11 might have passed unnoticed.
13 2. Changed signal(SIGTERM, command_sigterm_handler) in smtp_in.c to use
14 os_non_restarting_signal() for tidiness; in practice this doesn't actually
15 matter because the handler terminates the process.
19 (a) In some (but not all) places where Exim applies timers using alarm(),
20 it was resetting the SIGALRM handler afterwards, but sometimes to
21 SIG_IGN and sometimes to SIG_DFL. In other words, it was a mess. In
22 fact, this reset is not necessary, because after alarm(0) there is no
23 possibility of receiving a SIGLARM signal. So I've just removed them
26 (b) The daemon.c module had its own SIGALRM handler, which was unnecessary.
27 I changed it to use the handler that is used (almost) everywhere else.
29 (c) Almost all uses of SIGALRM use the same handler, but it was being set
30 by signal() all over the place. Now it is set at the start, and it
31 resets itself every time it is called, so it remains enabled
32 throughout. The few places that use a different handler reset to the
33 "standard" one afterwards.
35 (d) The setting of the SIGTERM handler while reading SMTP commands was done
36 somewhat untidily. I have re-arranged the code.
38 4. If the building process was interrupted during the MakeLinks script, a
39 subsequent run of 'make' gave misleading errors. I've made it a bit more
40 robust against this case. If there appears to be a half-made set of links,
41 an error message suggests that the user should remove the build directory
44 5. For compatibility with other MTAs, -f "" is now accepted as synonymous with
47 6. Upgraded to PCRE 4.1.
49 7. If a domain list contained @mx_any, or @mx_secondary, and the DNS contained
50 secondary MX records for a domain, but all the other MX (higher priority)
51 records pointed to non-existent hosts, Exim was behaving as if the domain
52 did not match the list item. This has been fixed.
54 8. Upgraded eximstats to 1.27.
56 9. It was reported that change 4.14/46(b) caused problems on some systems with
57 older libraries. There is now an option that can be set in Local/Makefile
58 (or in a operating system Makefile):
60 IPV6_USE_INET_PTON=yes
62 If this is done, Exim reverts to using inet_pton() to convert a textual
63 IPv6 address for actual use, instead of getaddrinfo(), as it did in
64 versions before 4.14. Of course, this means that the additional
65 functionality of getaddrinfo() - recognizing scoped addresses - is lost.
67 10. Update for PostgreSQL to match 4.14/14: after an insert, delete, or update
68 command, the result is the number of rows affected.
70 11. If smtp_banner expanded to an empty string, no greeting line was sent, thus
71 causing the client to time out. An empty 220 response is now sent.
73 12. An empty argument was logged as a null string by the "arguments" log
74 selector. Now empty strings and arguments that contain whitespace are
77 13. The "arguments" log selector now also logs the current working directory
80 14. Added a couple more debugging calls to tls-openssl.
82 15. Changed the name of the global variable ldap_version because some LDAP
83 library uses the same name, which causes a clash. It's now called
84 eldap_version. While I was at it, I changed the other two global variables,
85 ldap_default_servers and ldap_dn.
87 16. If an address that is verified in an ACL is redirected to a single address,
88 Exim verifies the child (this is not new). However, the value of $address_
89 data that was being returned was the value from the parent. It is now the
92 17. Re-arranged the code for rda_is_filter() to make it easier to add other
93 filter types in future.
95 18. Removed the filter test function from filter.c and put it into its own
96 source file, again to make things easier for multiple filter types.
98 19. To help those people who are maintaining a patch for dynamically loaded
99 local_scan() functions, I have added
101 #define LOCAL_SCAN_ABI_VERSION_MAJOR 1
102 #define LOCAL_SCAN_ABI_VERSION_MINOR 0
104 to the local_scan.h file.
106 20. The variables $tls_certificate_verified, $tls_cipher, and $tls_peerdn now
107 exist even when Exim is not compiled with TLS support.
109 21. If an empty user name was sent by a client for a LOGIN authentication, it
110 was not put into $1; instead, the password ended up in $1 (instead of in
113 22. When creating a temporary file in the appendfile transport for a per-file
114 delivery not in maildir or mailstore format (that is, in the old Smail
115 format - I wonder if anyone uses this?), Exim was opening the file without
116 O_EXCL, which is a bit unsafe.
118 23. The output from the ${stat: expansion operator was being formatted using %d
119 which expects an integer; in many (most) systems size_t is off_t, which
120 is actually a long or even a longlong, and in some cases this caused
121 incorrect data to be output. The formatting is now done using %ld, with the
122 values all explicitly cast to (long).
124 24. Callout caching was failing to cache a negative response to a "random"
127 25. If a daemon was started with -qsomething and not -bd, and deliver_drop_
128 privilege was set, and a pid file was specified with -oP, and the pid file
129 did not previously exist, it was created with owner exim instead of owner
132 26. verify=sender was not being allowed in a non-SMTP ACL.
134 27. Under some error conditions, the socket used for ident calls could be left
137 28. Added acl_smtp_helo, because some people seem to want it.
139 29. For hosts that match helo_verify_hosts, the error given when a MAIL command
140 is received without HELO or EHLO has been changed from 550 to 503 (which
141 means "bad sequence of commands").
143 30. Installed PCRE 4.2.
145 31. The quota_size_regex option for the appendfile transport was broken in that
146 a terminating zero was omitted from the string that was extracted for the
147 size. If it happened that digits followed in the memory to which it was
148 copied, an incorrect (too large) size was then used.
150 32. Change 4.14/32 (iv) introduced a bug in the case when the "phrase" part of
151 a rewritten address did *not* contain any special characters. The
152 generated address was mangled.
154 33. Several items of refactoring from Michael Haardt:
156 . Introduction of "const" in a number of places
157 . Use memcpy() instead of strncpy() in string_cat()
158 . Add HAVE_ICONV to Linux file, for external users (Exim doesn't use it)
159 [Later: From 4.21, Exim *does* use it.]
160 . Preparation for adding additional types of filter file
162 34. Changed (incompatibly, but hopefully not so it affects anyone) the
163 appendfile transport in the case when it is called directly as a result of
164 a .forward or a filter file requesting a delivery to a file. Previously,
165 any settings of "file" or "directory" were ignored in this case. Now they
166 are used. The path received from the router is in $address_file (as
167 before) and can therefore be included in the expansion.
169 35. If a "save" command in a filter specifies a non-absolute path, the value of
170 $home/ is pre-pended. This no longer happens if $home is unset or is an
171 empty string. It is expected that the transport will complete the path (see
172 34 above). If there is an error before the path is complete, the local part
173 is logged as "save xxxx".
175 36. If multiple "to file" deliveries are routed to the same transport, no
176 batching ever takes place, whatever the value of batch_max.
178 37. If an address was redirected to an unqualified local part preceded by a
179 backslash, Exim was qualifying it with the qualify_domain, instead of with
182 38. Minor rewording: header lines can be added by MAIL as well as RCPT: the
183 debug line mentioned only RCPT.
185 39. DESTDIR is the more common variable that ROOT for use when installing
186 software under a different root filing system. The Exim install script now
187 recognizes DESTDIR first; if it is not set, ROOT is used.
189 40. If DESTDIR is set when installing Exim, it no longer prepends its value to
190 the path of the system aliases file that appears in the default
191 configuration (when a default configuration is installed). If an aliases
192 file is actually created, its name *does* use the prefix.
194 41. If an item in log_file_path was an empty string, Exim wrote the log to the
195 log directory in the spool directory. Now it takes notice of the
196 setting of LOG_FILE_PATH in Local/Makefile, and uses the first non-empty,
197 non-"syslog" item from that list. If there are none, it uses the ultimate
198 default of the spool directory.
200 42. If there is a Reply-to: header line, but it is empty, $reply_address now
201 contains the From: address instead of being empty.
203 43. Added -no-cpp-precomp to CFLAGS in OS/Makefile-Darwin. Without this, the
204 compiler provides a string for __DATE__ that does not conform to the
205 specification in the C standard. The option disables precompiled headers,
206 which should not have any bad effects, as pre-compiled headers are
207 supposedly just a performance enhancement at compile time.
209 44. Refactoring: as there is now a flag that specifies whether or not a home
210 directory that is passed with an address is already expanded, we no longer
211 need the \N...\N fudge for home directories extracted from the password
214 45. Fixed an infelicity introduced by 4.14/71: The defaulting of the prefix,
215 suffix, and check string stuff in appendfile was happening when no
216 directory was supplied. Now it happens if no directory is supplied AND
217 maildir has not been specified.
219 46. If expansion of the serverpassword in a spa authenticator or expansion of
220 server_condition in a plaintext authenticator is forced to fail,
221 authentication now fails (previously it gave a temporary error, which is
222 what happens for other expansion failures). This brings these
223 authenticators into line with cram_md5, where expansion of server_secret
224 has always behaved like this.
226 46. Added new syslog facilities (courtesy Oliver Gorwits):
228 (i) SYSLOG_LOGS_PID and LONG_SYSLOG_LINES in src/EDITME.
229 (ii) syslog_facility and syslog_processname main options.
231 47. Callout was using only the hosts from the router, ignoring the transport.
232 This has been changed. If (a) the router does not set up hosts (e.g. it's
233 an accept router) or (b) the smtp transport that is routed to has
234 hosts_override set, then the transport's hosts are used for callout
237 48. When named lists were nested, and an inner list was resolved by a lookup
238 that saved data for, e.g. $domain_data, the data was associated with just
239 the outer list, though both were cached, so if a subsequent test was done
240 for the inner list, there was no domain data. Example:
241 domainlist A = lsearch;/a/b
242 domainlist B = lsearch;/c/d
243 domainlist C = +A : +B
244 A test on +C that matched, followed by a test on +A or +B would provoke
245 this bug. Now the data is saved with both the inner and the outer lists.
247 49. When the log selector +address_rewrite is turned on, the log lines now
248 show where the rewritten address came from (which header line, envelope
249 field, or an SMTP command).
251 50. If an integer or fixed point configuration value is too big to fit in
252 a 32-bit int, Exim now writes an error to the panic log and dies.
254 51. Unknown SMTP commands are now assumed to be ones that need synchronization;
255 this means that a packet that contains more than one of them will cause the
256 connection to be dropped as soon as the first one is encountered.
258 52. The "control" feature of ACLs was not permitted for the MAIL ACL (an
259 oversight). It now is allowed.
261 53. Added the "discard" verb to ACLs.
263 54. Fixed a theoretical bug observed by reading the code: if local_scan()
264 changed the number of recipients, output from the received_recipients log
265 selector would be incorrect.
267 55. Added HAVE_ICONV to the os.h files for Linux, Solaris, HP-UX. This is for
268 use in the forthcoming Sieve addition to Exim.
270 56. The behaviour of -t in the presence of Resent- headers has been changed,
271 for compatibility with Sendmail and other MTAs. Previously, Exim gave an
272 error, because it is not clear from RFC 2822 how this might be handled. It
273 turns out that MUAs don't seem to follow what RFC 2822 says, and any MUA
274 that uses -t with Resent- ensures that there is only one set of Resent-
275 header lines (usually by renaming others to X-Resent-xxx). So now Exim will
276 take recipients from all the Resent- header lines instead of the usual
283 1. Found another case where SIGCHLD is being ignored (a child process for
284 handling a filter file) and so the wait() doesn't find the subprocess. This
285 came to light as a result of extra logging introduced as part of the
286 4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default
287 (i.e. to be noticed) for this particular subprocess. (It already has this
288 code for other cases where it uses subprocesses.)
290 2. If ${run appeared in part of a conditional item that was being skipped, the
291 actual running of the command was not being skipped.
293 3. A bit of code tidying (refactoring): there were two functions that built
294 strings containing a host name and ident value for logging. There is now
295 only one. It is called in some additional places where previously just the
296 host name and address were given, so the wording of some log lines has
299 4. Added support for Unix domain socket connection to PostgreSQL.
301 5. The number of unknown SMTP commands that Exim will accept before dropping
302 a connection can now be changed by smtp_max_unknown_commands. The default
303 value is 3. Previously, a fixed value of 5 was used. The final command is
304 now included in the log line.
306 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as
307 assumed by the exicyclog script. I've implemented a "look for it" feature
308 that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for
309 the commands chown, chgrp, mv, and rm if configured, and turned on this
310 feature for Linux. This should cope with old Linuxes that use /usr/bin.
312 7. Implemented .ifdef etc.
314 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while
315 running local_scan(), so that crashes therein get caught. A temporary error
316 response is sent for an SMTP message, and the spool is cleaned up.
317 Previously, a -D file was left lying around if there was a crash in
320 9. The ${quote: operator has been changed so that it turns newline and
321 carriage return characters into \n and \r, respectively.
323 10. Added support for crypt16().
325 11. Some restrictions on the use of "verify" in ACLs were too restrictive, and
326 have been relaxed. In particular, "verify = sender" is now permitted in the
327 ACL for the MAIL command, as well as those for RCPT and DATA.
329 12. If local_scan() sets up recipient or errors_to addresses that are
330 unqualified (local parts without a domain) Exim now qualifies them using
331 the qualify_recipient domain.
333 13. White space at the start of continuation lines in -be input was not being
336 14. Previously, if a MySQL query was issued that did not request any data (an
337 insert, update, or delete command), Exim gave a lookup error and deferred.
338 This case is now recognized, and the result of the lookup is now the number
341 15. A configuration error is given if tls_try_verify_hosts is set and
342 tls_verify_certificates is not set. (Exim already did this for
345 16. Exim was trying to create a non-existent hints database even when it was
346 just opening it for reading. It called the creating function with the
347 O_RDONLY and O_CREAT flags. This works with many DB libraries, but it
348 not with DB 1.85, where a subsequent attempt to use the database gave the
349 error "Inappropriate file type or format". Exim now creates hints databases
350 only when it wants to open them for writing.
352 17. If an ACL condition test set a default "message" value without a
353 "log_message" value, and there were no overriding messages in the ACL
354 itself, no message was logged. The user message is now logged.
356 18. If callout made a connection, but it was dropped before the initial
357 welcome response was received, Exim logged "response to initial connection
358 was" with no further text. It now logs that the connection was dropped.
359 The wording of the logging for callout defers has been slightly changed so
360 as to reduce duplication.
362 19. When multiple messages were sent using TLS over one connection, the
363 additional required EHLO that follows STARTTLS was being counted as a
364 nonmail command, and thus causing a problem if there were a lot of
365 messages. Similarly, a new AUTH that followed STARTTLS was being counted.
366 It is now possible to run with smtp_accept_max_nonmail set to zero in these
367 and other "normal" circumstances.
369 20. During verify=sender, global rewriting rules are applied to the sender
370 address, and if it changes, $sender_address becomes the rewritten version.
371 Unfortunately, it was not getting updated until after the routers had been
372 run, so that if a router referred to $sender_address while verifying a
373 sender, the unrewritten value was used.
375 21. The "random address" callout test was being done after the other tests.
376 This is silly, because if the host accepts all local parts, there isn't any
377 point in doing the other, more specific, tests. I changed things around so
378 that the "random" test (if configured) is done first.
380 22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the
381 a postmaster address are rejected. Also include these words when a
382 rejection happens because of caching (when there isn't an actual SMTP
383 command/result to reflect).
385 23. A new router condition called "address_test" (default true) can be used to
386 skip routers when testing addresses using -bt (compare no_verify). This can
387 be a convenience when your first router sends stuff to an external scanner.
389 24. Testing for deliver_queue_load_max was happening inside the delivery
390 sub-process, when it could have happened outside, in the queue runner (thus
391 saving one process). This was a hangover from Exim 3, where there were
392 other load tests to be done. The code has been tidied.
394 25. Code tidy: the driver_info generic structure contained a field that
395 might, on 64-bit systems, not have been compatible with the fields in the
396 structures of which it is supposed to be a subset. It turns out that this
397 field and another are not actually used generically, so removing them from
398 the structure solves the problem.
400 26. Added server_advertise_condition to authenticators.
402 27. The exim_checkaccess utility wasn't sending a HELO command; this matters
403 now that it's possible to have an ACL that checks HELO/EHLO.
405 27. Added the ldap_version option to force a specific LDAP version.
407 28. Renamed the variable verify_address in exim.c as verify_address_mode,
408 because it had the same name as the verify_address() function, which was
411 29. Added authenticated_sender to the smtp transport.
413 30. When the skip_syntax_errors option is applied to a filter file, it covers
414 all filtering errors, some of which may not be strictly "syntax" (for
415 example, failure to open a log file). The wording of the message has been
416 changed to use "error" instead of "syntax error", to reduce confusion. Also
417 the subject of the message sent by syntax_errors_to is now "error(s) in
418 forwarding or filtering" instead of "syntax error(s) in address expansion".
420 31. Added -restore-times to the exim_lock utility.
422 32. Changes to the handling of the "phrase" parts of email addresses:
424 (i) Re-organized the code to use a supplied instead of an implied buffer,
425 and a length instead of expecting a terminated string.
427 (ii) Changed from using the macro mac_isprint() to an explicit test for
428 ASCII non-printing characters, because the macro pays attention to
429 print_topbitchars, which is not correct here.
431 (iii) If a rewritten address contained a "phrase" (whether or not the "w"
432 flag was present on the rewrite rule), but the actual address was
433 unqualified (had no domain) and was expected to be qualified by the
434 "Q" flag, Exim screwed up and created an illegal address.
436 (iv) When a header address is rewritten by a rule that includes the "w"
437 flag, the parts of the address outside <> are now encoded according
438 to RFC 2047 if necessary (assuming ISO-8859-1 encoding).
440 33. Added the ${rfc2047 and ${from_utf8 expansion operators.
442 34. The file names used for maildir deliveries have been changed, to accomodate
443 operating systems that may re-use a PID within one second. The file name
444 now include the microsecond time fraction, and the delivery process does
445 not exit until the clock is at least one microsecond after the time used in
446 the file name. The code copes with the clock going backwards (it waits
447 till time catches up).
449 35. The rules for creating message ids have been changed to allow for the fact
450 that a PID may be re-used within one second. As part of this change, the
451 range of localhost_number has been reduced to 0-16 for most systems, and
452 0-10 for those with case-insensitive file systems (Cygwin, Darwin).
454 36. Code tidy: there was a local count of non-TCP/IP messages that duplicated
455 the global receive_messagecount (used for accept_queue_per_connection).
457 37. verify = header_syntax was allowing unqualified addresses in all cases. Now
458 it allows them only for locally generated messages and from hosts that
459 match sender_unqualified_hosts or recipient_unqualified_hosts,
462 38. If PAM was called with an empty first string, it called the data function
463 to get the user name, thereby getting the second string by mistake. If this
464 was also null (empty passwords are permitted), there was an infinite loop.
465 An empty user name is not now passed to PAM; authentication is forcibly
466 failed instead. Also, if the end of the list of strings is reached, an
467 empty string is passed back just once; a subsequent call for data provokes
470 39. If a reverse DNS lookup yields an empty string, treat it as if the lookup
471 failed. (Apparently such records have been seen. Sigh.)
473 40. Added the -bnq command line option to suppress automatic qualification of
474 addresses in locally submitted messages.
476 41. Header texts supplied by options to the autoreply transport may now contain
477 newlines that are followed by whitespace. (This was allowed from a filter,
478 but not from the transport.)
480 42. Patch for < > problems in eximstats 1.23.
482 43. Re-arranged the code to make it easier in future to add additional filter
485 44. Added support for changing the connection timeout in LDAP; this is
486 something that's available in Netscape SDK 4.1. Exim uses the given value
487 if LDAP_X_OPT_CONNECT_TIMEOUT is defined.
489 45. When Exim was setting a daemon listener on multiple interfaces, including
490 listening on "all IPv6" and "all IPv4" interfaces, it was binding all the
491 sockets, and then calling listen() for each of them. On some IP stacks, a
492 listen for "all IPv4" fails after listening for "all IPv6" because a single
493 socket catches both kinds of call. Exim coped with this, but it turns out
494 that on a USAGI-patched Linux, this logic doesn't work unless the "listen",
495 as well as the "bind" has been done for the IPv6 socket first. The order of
496 the functions has now been changed. Instead of "bind, bind ... listen,
497 listen..." it now does "bind, listen, bind, listen, ...". Also, the failure
498 happens in the bind() rather than in the listen(), so there are now two
499 checks, which hopefully will handle all kinds of IP stack.
501 46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in
502 principle, have the same link-local addresses on different interfaces.
503 Thus, they need to be distinguished, and a convention of using a percent
504 sign followed by something (often the interface name) is being used, for
505 example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made
508 (a) A percent sign followed by an arbitrary string is allowed at the end of
511 (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual
512 IPv6 address for actual use. This function recognizes the percent
513 convention in some operating systems.
515 47. Additional debugging inserted for the case of forced failure when expanding
518 48. A new debugging selector +expand has been added. This is not included in
519 the default set of selectors. It requests detailed debugging information
520 for string expansions.
522 49. Failure to open the main log results in a panic-die, but the original line
523 that was being logged could be lost. It is now output to stderr if there is
526 50. When Exim starts, it checks for the existence of its spool directory, and
527 creates it if necessary. Unfortunately, it was doing this after the code
528 for logging arguments. Thus, if the spool did not exist, trouble ensued.
530 51. The log line for an ACL warning after a sender verify callout failure was
531 not showing the details, unlike the log line for a deny. They are now shown
534 52. For reasons lost in the mists of time, when a pipe transport was run, the
535 environment variable MESSAGE_ID was set to the message ID preceded by 'E'
536 (the form used in Message-ID: header lines). The 'E' has been removed.
538 53. Updated the QNX configuration files for QNX 6.2.0.
540 54. The "*@" type partial matching for single-key lookups was broken in
541 releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't
542 going on to look for "*".
544 55. Included eximstats 1.25 in the source tree.
546 56. Changed log wording from "Authentication failed" to "<name> authenticator
547 failed", where <name> is the name of the authenticator.
549 57. gcc 3.2.2 warned about a selection of places where string casts were
552 58. Exim monitor: the use of one_time redirection could cause addresses to be
553 displayed with incorrect "parent" addresses after the one_time
554 re-arrangement had taken place. They should be shown with no parents,
555 because the parentage has been removed.
557 59. Arranged to keep independent timestamps for postmaster and random checks in
558 callouts, and not to do unnecessary tests for postmaster when testing
559 individual addresses.
561 60. Incorporated PCRE release 4.0.
563 61. Added ${hex2b64: operator.
567 63. Added ${strlen: operator.
569 64. Added ${stat: operator.
571 65. When Exim is receiving multiple messages on a single connection, and
572 spinning off delivery processess, it sets the SIGCHLD signal handling to
573 SIG_IGN, because it doesn't want to wait for these processes. However,
574 because on some OS this didn't work, it also has a paranoid call to
575 waitpid() in the loop to reap any children that have finished. Some
576 versions of Linux now complain (to the system log) about this "illogical"
577 call to waitpid(). I have therefore put it inside a conditional
578 compilation, and arranged for it to be omitted for Linux.
580 66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use
581 during ACL processing.
583 67. Added "defer" command to system filter.
585 68. X options such as -bg or -geometry that were added to an eximon command
586 were being lost as a result of a bug introduced by 4.12/6.
588 69. The "more" and "unseen" generic router options can now be expanded strings.
590 70. The "once_repeat" option in the autoreply transport is now an expanded
593 71. If maildir_format is set on an appendfile transport that is referenced from
594 an file_transport setting in a redirect router, it forces maildir delivery,
595 even if the path given in the filter does not end with '/'.
597 72. Fixed three bugs in ${readsocket:
598 (i) If the operation failed, and a failure string was given, "}}" was
599 erroneously added to it.
600 (ii) If the operation succeeded, but a failure string was present, "}" was
601 added to the expanded data.
602 (iii) The alarm for the timeout was set with signal() instead of with
603 os_non_restarting_signal(), which meant that it only worked on those
604 OS whose default is not to restart an interrupted system call.
606 73. A complete host name (no wildcards) in a host list causes a forward lookup
607 for the IP address. If this failed, Exim was behaving as if the host didn't
608 match the list, instead of giving an error (as it does when a reverse
611 74. If router_home_directory was passed on as a home directory for a local
612 transport, it was being re-expanded in the transport. This has been changed
613 so that the expanded value is passed from the router to the transport, and
614 no re-expansion takes place.
616 75. When a redirect router generated a pipe, file, or autoreply, the values of
617 $domain_data and $localpart_data were not being propagated to the
620 76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in
621 local_scan.h so that they are available to local_scan() functions.
623 77. Changes to the SMTP PIPELINING support:
625 (1) Exim used always to accept pipelined commands, even when it hadn't
626 advertised PIPELINING (i.e. when EHLO had not been received). Now it
627 objects unless PIPELINING has been advertised.
629 (2) Advertising PIPELINING to specific hosts can be disabled via the new
630 option pipelining_advertise_hosts.
632 78. The acl_smtp_connect ACL was not being run for -bs input when no IP address
633 was supplied via -oMa.
635 79. A "mail" command in a filter could cause a crash if the list of recipients
636 for the "to:" line was excessively long - this showed up in a reply to
637 a message with a ridiculously long Reply_to: header line.
639 80. Added allow_utf8_domains.
641 81. Added $rh_ and $rheader for "raw" header expansion.
643 82. Added smtp_accept_max_nonmail_hosts.
645 83. Extended ${stat (see 64 above) to add smode=symbolic mode.
647 84. Added default logging for host and IP lookup failures, with a log selector
648 called host_lookup_failed to turn it off.
650 85. Added header_maxsize and header_line_maxsize.
652 86. If a RCPT ACL made use of "verify = sender" without callout, followed by
653 another use with callout, and the callout failed, the caching was broken
654 such that for a subsequent RCPT command, the first callout failed
655 incorrectly. The caching of sender verification has been fixed so that it
656 now remembers that the routing succeeded even when the callout fails.
658 87. Added errno and strerror(errno) to the log line for a failure to lock the
659 -D file when receiving a message.
661 88. If router with check_local_user set up a local delivery, and no user was
662 specified on the transport, and errors_to on the router specified an
663 address whose verification also invoked check_local_user, the wrong uid/gid
664 was used for the transport. It used the uid/gid of the errors_to address
665 instead of the uid/gid of the original local part.
667 89. If log_file_path=:syslog was set, to use the default log path and also
668 syslog, and check_log_space was also set, Exim was confused, and refused to
669 accept messages, giving the error "cannot find slash in ".
671 90. If a router stripped a prefix or a suffix from a local part, and then
672 routed that address to an smtp or lmtp transport, the address that was
673 sent in the RCPT command did not have the affixes stripped.
675 91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT
676 command did not preserve the case of the envelope address, as it is
683 There was no 4.13. I accidentally put out a fixed version of 4.12 (a typo was
684 discovered very soon after release) that verified itself as 4.13. This too was
685 hastily fixed, but it seems best not to use the number, to avoid confusion.
691 1. Update to change 4.11/82: for the max number of processes, set
692 RLIM_INFINITY if it is defined.
694 2. An expansion ${run{xxx}} where xxx was a successful command that produced
695 no output caused Exim to crash.
697 3. Some artificial delays of 1 second existed when running in the test
698 harness, to ensure repeatability of debugging output. Now that we have
699 the millisleep() function, these can be shorter.
701 4. Change 4.11/30 below overlooked the case when an address gets a 4xx
702 response from a server. Because this isn't a host problem, the host does
703 not get delayed, and it gets tried every time the address is OK'd for
704 routing, with the same response. However, if hosts_max_try is set, because
705 not all the hosts were tried, the address does not time out. I've changed
706 things so that if there is a 4xx response to a RCPT command, the host in
707 question does not count towards hosts_max_try if the message is older than
708 the host's maximum retry time. This means that other hosts are always tried
709 in this circumstance; if the address gets 4xx errors from all of them, it
710 will eventually time out.
712 5. If a retry rule for a host had no actual retry times specified, it could
713 cause a crash when checking the ultimate address timeout. (Very old bug,
714 spotted in passing, so probably never bothered anybody.)
716 6. Change 135 below broke the following scripts when a list of configuration
717 files was given: exicyclog, exim_checkaccess, eximon, exinext, and exiwhat.
718 In practice, if exim_path was not specified in the configuration file (a
719 common case), things would probably work OK. However, the use of
720 CONFIGURE_FILE_USE_NODE definitely did not work. These scripts have now
721 been updated to fix this problem. They now search for the configuration
722 file in the same way Exim itself does: for each name in the list, the
723 "noded" file is tried first, then the unsuffixed file.
725 7. If a WARN verb in an ACL did not specify an explicit "message" modifier,
726 and was triggered by a failing sender or recipient verification, the
727 response that would have been sent as an SMTP message for a DENY verb was
728 incorrectly being added to the message's headers.
730 8. I screwed up change 4.11/155. For lookup types whose names were prefixes of
731 other lookup types (e.g. nis and nisplus, dbm and dbmnz), the new search
732 function didn't do the correct comparison, meaning that the wrong lookup
735 9. Solaris seems to be one of the LDAPs that doesn't have the lud_scheme
736 member of the LDAPURLDesc structure. Since the check that is made on it
737 is only to double check that a path is given for ldapi, I've just removed
738 the test in the Solaris case.
740 10. The modified TextPop.c source in the Exim monitor had declarations of errno
741 and sys_nerr which never were actually referenced. The second of these
742 caused trouble on Darwin, so I've removed both of them. Why were they
743 there? Who knows? This is ancient X code...
745 11. The DEFER ACL verb crashed if no "message" modifier was set.
747 12. The check on incoming messages that gives the error "too many non-mail
748 commands" was too strict. In the case of Exim sending to Exim, when the
749 client has queued messages for the server and is using TLS, it will close
750 and re-initialize TLS between messages (because the client has to hand the
751 SMTP connection to a new process). STARTTLS was being counted as a non-mail
752 command, and therefore could cause the limit to be hit. The revised code
753 now allows for one RSET, one HELO or EHLO, and one STARTTLS between each
754 message without counting them as non-mail commands. (One RSET was
755 previously allowed - I *had* spotted that case.)
757 13. Some log lines for rejections by ACL were putting ident values in
758 parentheses instead of using U= after H=. (There are some other lines that
759 do use parens, typically when the host name appears without H= within a
760 message. This whole area could perhaps do with tidying up.)
762 14. When processing a redirection file happens in a subprocess (typically so
763 that a .forward file is processed as the user), Exim was assuming that a
764 call to wait() would always reap the subprocess, and it was failing to
765 check the result. In theory, a signal of some sort occurring at the wrong
766 time could break this assumption - the process was then left unreaped, and
767 could possibly be picked up later during deliveries, thus confusing that
768 code ("processes got out of step"). This is conjecture - I haven't got a
769 definite test of this. However, I have fixed the code to repeat the wait
772 15. When Exim was waiting for a remote delivery subprocess, and the waitpid()
773 call found a process that was not in the list of remote delivery processes,
774 Exim gave up waiting for remote processes. It is probably better just to
775 ignore the unexpected process (though, of course, write to the main and
776 panic logs) and to wait for another process, and so that is what now
777 happens. If the error situation is caused by failed waiting logic for
778 routing or local delivery processes, this approach will minimize bad
785 1. Ignore trailing spaces after numbers in expansion comparisons such as
786 ${if > { 5 } { 4 } ... (leading spaces were already ignored).
788 2. Two variables, $warnmsg_delay, and $warnmsg_recipients, had got left with
789 their old Exim 3 names, when I meant to change to "warn_message", along
790 with the warn_message_file option. They have now been changed. The old
791 names remain as synonyms, but will be undocumented in due course.
793 3. The message "This message was created automatically by mail delivery
794 software (Exim)." still confuses people. If they are sufficiently Internet-
795 ignorant, they think the message has come from exim.org. At first, I
796 changed thw wording to "This message was created automatically by mail
797 delivery software (Exim) running on a mail server handling mail for <the
798 qualify domain>." in the hope that that might be better. However, in
799 testing that still proved confusing on servers handling multiple domains.
800 The message has now reverted to the original, simple wording: "This message
801 was created automatically by mail delivery software."
803 4. It has been discovered that, under Linux, when a process and its children
804 are being traced by "strace -f", the children are stolen from the parent
805 while they are being traced. A call to waitpid(-1,&x,NOHANG), which Exim
806 uses to test for the completion of "any of my children" in a non-blocking
807 manner, returns as if there are no children in existence. Exim used treat
808 this as a serious unexpected error state. What it does now is to use
809 kill(pid,0) to check explicitly for the continued existence of any of its
810 children. If it finds any, it assumes it is being traced, and proceeds as
811 if the return from waitpid() had been "none of your children have finished
812 yet". If it can't find any children, it gives the error as before.
814 5. When Exim creates hints databases and their lock files as root, it needs to
815 change their ownership to exim. In Exim 3, the function to open a hints
816 database wasn't called as root very often, and the check "are we running as
817 root?" would usually fail. However, because Exim 4 eschews the use of
818 seteuid(), it runs all its routing as root, and this always calls the hints
819 database opening function. It wasn't noticing when it was actually creating
820 the database, and so it was running chmod() on all the files in the db
821 directory every time. This does no harm, of course, but wastes resources.
822 Exim now detects when the database was already in existence by opening
823 without O_CREAT at first. If this succeeds, it doesn't do the root test.
825 6. The line in MakeLinks that creates a link for direct.c had been
826 accidentally left in (cf 4.03/6).
828 7. The value of $0 in the replacement in a rewriting rule was being corrupted,
829 leading to incorrect results or error diagnostics.
831 8. Added support for ldapi:// URLs to the LDAP lookups (OpenLDAP only). Also,
832 re-organized the code to use ldap_initialize() with OpenLDAP in all cases
833 (it seems to be preferred).
835 9. With OpenLDAP 2.0.25, ldaps:// doesn't seem to work unless the LDAP
836 protocol level is set to 3. This is now standard in the Exim code, as v3
837 has been around for 5 years now. Testing ldaps:// is now included in the
838 Exim test suite. Although earlier versions claimed to support it, I rather
839 suspect that it never worked.
841 10. Inserted some checking of the syntax of the IP address given as the first
842 argument to the exim_checkaccess utility. This gives a better error
843 message, especially in the case when somebody gets the arguments in the
846 11. Improved the panic log entry if an unsupported format type is passed to
847 string_vformat() (now gives the whole format string, not just the little
850 12. Ever since its early days, Exim has checked the syntax of non-SMTP
851 addresses according to RFC [2]822 rules, rather than the stricter RFC
852 [2]821 rules that it uses for SMTP. This allows for a wider set of
853 characters in domains. This has now caused a problem, because I forgot
854 about it when making some changes to the format of spool files (see
855 3.953/44, 4.03/10, and 4.04/1). I can't believe that anybody actually makes
856 use of this feature (which isn't documented), so I have removed it. All
857 domains must now conform to RFC [2]821 rules. A non-SMTP message with a
858 domain that would previously have been accepted will now be bounced.
860 13. If widening a domain in a dnslookup router made it syntactically invalid,
861 the error message quoted the original domains instead of the widened
864 14. During a queue run initiated by -R or -S (or by -i when the use of message
865 logs is disabled), if Exim encountered a message with certain
866 characteristics (including text for $local_scan_data, and the setting of
867 the "manually thawed" flag), this data was not correctly reset for
868 subsequent messages. So if they didn't have those settings themselves,
869 strange things could occur.
871 15. With the "percent hack" enabled for percenthack.domain, if a message had
872 two addresses such as X%some.domain@percenthack.domain and X@some.domain,
873 Exim was not recognizing the duplication, and was making two deliveries
876 16. The output from verification (for -bv and VRFY) used to list a child
877 address when verification was applied to children (this happens, for
878 example, for aliases that generate just a single child). Now it lists only
879 the original address.
881 17. Changes 34 and 35 of 4.10 did not wholly solve problems with widened
882 domains. The following bug still existed:
884 . A recipient address was abbreviated (e.g. one component).
885 . A dnslookup router caused it to be widened.
886 . The new domain was a local domain.
887 . The address was redirected to itself.
889 At this point, Exim thought it was a duplicate, and discarded it.
891 This whole thing turned out to be a large can of worms, so I have reworked
892 the address widening code. This should get rid of all these problems.
893 Widening now appears similar to redirection, with the unwidened address
894 becoming a proper parent address. As part of this, there has been some
895 general re-organization of the way addresses are handled.
897 18. When a filter generated only "unseen" deliveries, the normal delivery that
898 happened subsequently lost any value of address_data that was previously
899 set. The handling of values like that that are propagated from parents to
900 children has been reworked.
902 19. Added smtp_return_error_details and the check_postmaster option for address
903 verification callouts.
905 20. Long SMTP responses (from ACL messages or wherever) are now automatically
906 split up into multi-line responses if possible. The split happens at an
907 occurrence of ": " if present after 40 characters. Otherwise it happens at
908 the last space before 75 characters. Existing newlines in the message are
911 21. When verify = header_sender is set, a different error message is now given
912 if a syntax is detected, as opposed to failure to verify.
914 22. Extended the general mechanism for ${quote_lookuptype:...} expansions by
915 allowing for an option to be given after the lookup name, for example
916 ${quote_ldap_dn:...}. Unrecognized options cause errors.
918 23. Re-worked the quote_ldap expansion items to provide two different kinds of
919 quoting, since the requirements of filter strings and DNs are different.
920 Sigh. Arranged for the DN given in the USER= setting to be de-URL-quoted
921 because not all libraries do it themselves.
923 24. The handling of responses from LDAP searches wasn't right. It was detecting
924 situations of the form "ldap_result failed internally or couldn't provide
925 you with a message" but not "the server has reported a problem with your
926 search". This has now been tidied up (thanks, Brian). Problems of the
927 latter kind are now handled as follows:
929 (1) For LDAP_SIZELIMIT_EXCEEDED, the truncated list of results is
930 returned. This is what happened before.
932 (2) For a small set of errors that, in effect, mean "that object does
933 not, or cannot, exist in the database", the lookup fails. This is
936 (3) For other problems, the lookup defers, giving the LDAP error.
938 25. Added $ldap_dn to hold the DN of the last entry retrieved in the most
941 26. Exim was not checking for the LDAP_INVALID_CREDENTIALS error when
942 ldap_bind() failed during an ldapauth call. With (at least) OpenLDAP2, the
943 connection to the server doesn't happen until ldap_bind(), so failures to
944 connect were being treated as authentication failures, and given hard
945 errors. Now, all errors other than LDAP_INVALID_CREDENTIALS are treated the
946 same way for all calls to ldap_bind(), whether ldaputh or otherwise. They
947 lead to temporary errors - if there are more servers, they will be tried.
949 27. If there was a reference to a non-existent named list, for example, a
950 setting such as "senders = +something", but no lists of that type were
951 actually defined, Exim misbehaved. For an address list, it treated the name
952 as a domain list. For a domain list, it just didn't match. Now it gives a
953 panic error about a non-existent named list (as it always did if there were
954 named lists of the appropriate type). The error now tells you what type of
955 list it thought it was looking for.
957 28. When -bt or -bv is used by a non-admin user, and there is some kind of
958 DEFER (e.g. database unreachable), details of the failure are no longer
959 given, because they may include private data such as the password for an
962 29. The logic for using a remote host name as a key for looking up retry rules
963 in preference to the domain of the email address was broken. It wouldn't
964 find such retry rules.
966 30. There were some problems with the action of hosts_max_try in the smtp
967 transport where there were indeed more hosts available than the limit.
969 (a) Exim used to time out an address out if all the hosts that were tried
970 were past their retry limits, ignoring the state of any hosts that were
971 not tried because the hosts_max_try limit was reached. Now it won't
972 time out an address unless all its hosts are actually considered and
973 are past their retry limits.
975 (b) Hosts that are past their retry limits are no longer counted for
976 hosts_max_try. This means that when some hosts are in this state, a
977 greater number of hosts are tried than before, but this is the only way
978 to ensure that all hosts are considered before timing out an address.
980 (c) When the hosts_max_try limit is reached, Exim now looks down the host
981 list to see if there is a subsequent host with a different MX. If there
982 is, that host is used next, and the current host is not counted. More
985 31. The source for spa authentication (taken from the Samba project) used the
986 type "int16". This has caused compilation problems in some systems that
987 happen to have a different definition of it. (Naughty, naughty, non-
988 standard.) I've renamed all the defined types by adding "x" on the end.
990 32. When a delivery that used authentication was run with -v (which an
991 unprivileged user can use) it included the authentication data when it
992 showed the SMTP transaction. Such data is now replaced by asterisks in any
993 reflection of the SMTP commands. This also applies if the command is logged
994 as a result of an error response.
996 33. Some little problems in queue runs:
998 (a) The reading end of the synchronising pipe was being left open in the
999 delivery subprocess. This caused no harm, but used up a file
1000 descriptor till that series of deliveries was done.
1002 (b) If the load level got high enough to abandon a queue run, the
1003 synchronizing pipe was accidentally not closed. Normally, this wouldn't
1004 matter, because the queue runner process would finish any way, but...
1006 (c) If split_spool_directory was set without queue_run_in_order, the code
1007 for abandoning a queue run because of too high load didn't stop
1008 cleanly. Instead, it went on to look at the remaining subdirectories.
1009 Each one would then notice the high load, and abort. Not only was this
1010 a waste of time, but because of (b) above, it used up one file
1011 descriptor per subdirectory. With up to 62 subdirectories, this could
1012 hit the limit of file descriptors if it was as low as 64 (which it
1015 34. Added SYSTEM_ALIASES_FILE to the build-time configuration, and the ability
1016 to set ROOT= when installing. Removed installation instructions for the
1017 info version of the overview document, because that document no longer
1020 35. Added a total line to exiqsumm.
1022 36. convert4r4 can now handle "optional" for single-key lookups in aliasfile
1025 37. Change 4.03/25 (making convert4r4 double colons in require_files lists) was
1026 incomplete. It worked for routers, but not for directors.
1028 38. After verify=recipient in an ACL, the value of $address_data is the last
1029 value that was set while routing the address.
1031 39. Included eximstats 1.22.
1033 40. If a delivery of another message over an existing SMTP connection yields
1034 DEFER, we do NOT set up retry data for the host. This covers the case when
1035 there are delays in routing the addresses in the second message that are so
1036 long that the server times out. This is alleviated by not routing addresses
1037 that previously had routing defers when handling an existing connection,
1038 but even so, this case may occur (e.g. if a previously happily routed
1039 address starts giving routing defers). If the host is genuinely down,
1040 another non-continued message delivery will notice it soon enough.
1042 41. Added quota_directory to appendfile.
1044 42. Changed the order of processing configuration input lines. Previously, it
1045 was comment, .include, continuation, macro expansion, comment again (in
1046 case a macro turned a logical line into a comment). This meant that macros
1047 could not be used in .include lines. The order is now macro, comment,
1048 .include, continuation. That is, macro expansion is done on physical lines,
1049 not on logical lines.
1051 43. Improved the error message if an option-setting line in the configuration
1052 does not start with a letter. (It used to say 'option "" unknown'.)
1054 44. Allow -D to set a macro to the empty string. Previously it would have
1055 moved on to the next commandline item. This seems pointless. Either -DXX or
1056 -DXX= sets an empty string.
1058 45. Changed OS/Makefile-FreeBSD thus:
1060 EXIWHAT_MULTIKILL_CMD='killall -m'
1061 EXIWHAT_MULTIKILL_ARG='^exim($$|-[0-9.]+-[0-9]+$$)'
1063 This is because, with the Exim standard installation using a symbolic link,
1064 the name of the running program is not "exim" but (e.g.) "exim-4.10-1".
1066 46. An Exim server now accepts AUTH or STARTTLS commands only if their
1067 availability has been advertised in response to EHLO.
1069 47. A few source changes to avoid warnings from very picky compilers that don't
1070 complain about unset variables when the only setting is by passing the
1071 address to another function.
1073 48. Added -d+pid to force the adding of the pid to all debug lines. Default it
1074 on when the daemon is run with any debugging turned on. (Pids are still
1075 automatically added when multiple deliveries are run in parallel.)
1077 49. Included Matt Hubbard's exiqgrep utility.
1079 50. Give error for two routers, transports, or authenticators with the same
1080 name. (It already caught duplicate ACLs.)
1082 51. If a host has more than MAX_INTERFACES interfaces (common for hosts with a
1083 slew of virtual interfaces), and Exim had to find the list of local
1084 interfaces, it ran off the end of the list that the ioctl returned. I had
1085 assumed the length would be set to correspond to the amount of data
1086 returned - but in at least one OS it is set to the actual number of
1087 interfaces, even if they don't all fit in the buffer.
1089 52. Nit-picking changes to store.c. It was assuming the length of the
1090 storeblock structure would be a multiple of the alignment, which is almost
1091 certainly "always" true. However, just in case it might not be it is now
1092 rounded up. For some long-forgotten reason, Exim was getting blocks of
1093 store of the size (8192 - alignment), which seems strange. I've changed it
1096 53. Added functions to compute SHA-1 digests, added the ${sha1: expansion
1097 operator, added support for {sha1} to crypteq.
1099 54. When local_scan() times out, include the message size in the log line.
1101 55. If a pipe transport had no command specified, and the address also had
1102 no command associated with it, the transport process crashed. Now it defers
1103 with a suitable message.
1105 56. An Exim server output mangled junk if it received a HELP command on an
1106 TLS-encrypted session.
1108 57. The output from -bV (and at the start of debugging) now lists the optional
1109 items included in the binary (which routers, etc). The debugging output now
1110 includes the name of the configuration file at its start.
1112 58. Added support for GnuTLS as an alternative to OpenSSL.
1114 59. Give a configuration error if tls_verify_hosts is set, but tls_verify_
1115 certificates is not set. It doesn't make sense to require some hosts to
1116 verify if there's nothing to verify against.
1118 60. A pipe transport may now have temp_errors = * to specify that all errors
1119 are to be treated as temporary.
1121 61. The lmtp transport can now handle delivery to Unix domain sockets.
1123 62. Added support for flock() to appendfile, for those operating situations
1124 that need it. Not all OS support flock().
1126 63. It seems that host lists obtained from MX records often turn out to have
1127 duplicate IP addresses, especially for large sites with many MXs and many
1128 hosts. Exim now removes duplicate IP addresses. (Previously, it removed
1129 only duplicate names.)
1131 64. If ${readfile was inside a substring that was not part of the final
1132 expansion value (because its condition wasn't met), Exim still tried to
1133 read the file. This made an "exists" test for the file useless.
1135 65. Added ${readsocket to the expansion facilities.
1137 66. It is now possible to set errors_to to the empty string in routers.
1139 67. Added disable_logging as a generic transport and a generic router option.
1141 68. Applied Stefan Traby's patch to support threaded Perl. As I don't have a
1142 threaded Perl, I can't test that this fixed the problem, but it doesn't
1143 appear to break the non-threaded case.
1145 69. For SPA (NTLM) client authentication, the options are now expanded.
1147 70. Added support for SPA server authentication, courtesy of Tom Kistner.
1149 71. Latest versions of TCPwrappers use the macro HAVE_IPV6 inside the tcpd.h
1150 header, it appears, and this clashes with Exim's use of that macro.
1151 Renaming it for Exim is an incompatible change, so instead I've just
1152 arranged that HAVE_IPV6 is undefined while including the tcpd.h header.
1154 72. Mac OS 10.2 (Darwin) has IP option support that looks like the later
1155 versions of glibc, but without the __GLIBC__ macro setting. I've added a
1156 new macro called DARWIN_IP_OPTIONS, and tidied up the code in smtp_in.c to
1157 simplify the handling of the three different ways of doing this.
1159 73. If no "subject" keyword is given for a "vacation" command in a filter, the
1160 subject now defaults to "On vacation".
1162 74. Exim now counts the number of "non-mail" commands in an SMTP session, and
1163 drops the connection if there are too many. The new option
1164 smtp_accept_max_nonmail option defines "too many". This catches some DoS
1165 attempts and things like repeated failing AUTHs.
1167 75. Installed configuration files for OpenUNIX.
1169 76. When a TLS session was started over a TCP/IP connection for LMTP, Exim was
1170 sending EHLO instead of LHLO after the encrypted channel was established.
1172 77. When an address that was being verified routed to an smtp transport whose
1173 protocol was set to LMTP, the SMTP callout used EHLO instead of LHLO.
1175 78. Installed eximstats 1.23 in the distribution.
1177 79. Installed a new set of Cygwin-specific files from Pierre Humblet.
1179 80. Added caching for callout verification.
1181 81. Added datestamped logs and $tod_logfile.
1183 82. When Exim starts up with root privilege, set a high limit (1000) for the
1184 number of files that can be open and the number of processes that can be
1185 created (on systems where this is possible), in case Exim is called from a
1186 restricted environment.
1188 83. Minor bugfix in appendfile: when renaming failed for a file whose name was
1189 extended with a tag, the untagged name was shown in the error message.
1191 84. If Exim's retry configuration was changed so as to bounce a certain
1192 delivery failure immediately, for example to bounce quota errors:
1196 and there were messages on the queue that had previously been deferred
1197 because of this error, Exim crashed when trying to deliver them in a queue
1198 run. Now it will make one more delivery attempt and bounce on failure.
1200 85. Fixed an obscure problem that arose when (a) an address was redirected
1201 to itself, AND (b) the message was not delivered at the first attempt, AND
1202 (c) the pattern of redirection was changed at the next delivery attempt.
1203 When an address is redirected to the same address, Exim labels the new
1204 address as "2nd generation", and so on, in order to distinguish these
1205 homonym addresses from each other. Previously, it recorded the delivery of
1206 a homonym address as a delivery of the appropriate generation. This does
1207 not work if the generation numbers change at the next delivery attempt. The
1208 symptoms can be either duplicated deliveries, or missing deliveries,
1209 depending on the configuration.
1211 A real-life example is a configuration that takes "unseen" copies of
1212 messages at certain times only, because an "unseen" router in effect does a
1213 redirection to a modified address (the unseen delivery) and to the original
1214 address (for normal delivery). Thus the normal delivery can be either the
1215 1st or 2nd generation, depending on whether or not the unseen router is
1216 triggered at the time of delivery.
1218 The fix is not to record a delivery to a homonym address as such, but
1219 instead to record a delivery to the original address by the final
1220 transport. If the same address is subsequently routed to the same transport
1221 (whichever generation it now is), the delivery is discarded because it has
1222 already happened. Homonym addresses that are themselves redirected are now
1223 never recorded as "done", but non-homonym addresses are unaffected, so they
1224 are marked when all their children are complete (as before), thus saving
1225 an unnecessary subsequent expansion.
1227 The fix causes more routing processing to be done when homonyms are in use
1228 and a message is not delivered at the first attempt, but this is not
1229 expected to be very common, and the extra processing isn't all that much.
1231 86. Make sure Exim doesn't overrun the buffer if an oversize packet is received
1234 87. Added argument-expanding versions of hash, length, nhash, and substr
1237 88. The API for Berkeley DB changed at release 4.1. Exim now supports this
1240 89. When a host was looked up using gethostbyname() (or the more recent
1241 getipnodebyname() on IPv6 systems), Exim was not inspecting the error code
1242 on failure. Thus, any failure was treated as "host not found". Exim now
1243 checks for temporary errors, so the behaviour of "byname" and "bydns"
1244 lookups in this respect should be the same. However, on some OS it has been
1245 observed that getipnodebyname() gives HOST_NOT_FOUND for names for which a
1246 DNS lookup gives TRY_AGAIN. See also change 125 below.
1248 90. Minor rewording of ACL error for attempted header check after RCPT.
1250 91. When USE_GDBM was set, exim_dbmbuild wasn't working properly (still assumed
1251 NDBM compatible interface); similarly in dbmdb lookups when ownership
1254 92. If a Reply-To: header contained newlines and was used to generate
1255 recipients for an autoreply, the log line for the autoreply "delivery" had
1256 unwanted newlines. Such newlines are now turned into spaces.
1258 93. When a redirect router that has the "file" option set discovers that the
1259 file does not exist (the ENOENT error), it tries to stat() the parent
1260 directory, as a check against unmounted NFS directories. If the parent
1261 can't be statted, delivery is deferred. However, it seems wrong to do this
1262 check if ignore_enotdir is set, because that option tells Exim to ignore
1263 the error "something on the path is not a directory" (the ENOTDIR error).
1264 In fact, it seems that some operating systems give ENOENT where others give
1265 ENOTDIR, so this is a confusing area.
1267 94. When the rejectlog was cycled, an existing Exim process was not noticing,
1268 and was therefore not opening a new file.
1270 95. If expansion of an address_data setting was forced to fail, and debugging
1271 was enabled, a debugging statement tried to print an undefined value
1272 instead of the string that was being expanded. This could cause a crash.
1274 96. When Berkeley DB version 3 or higher is in use, a callback function is now
1275 set up to log DB error messages that are passed back.
1277 97. The conditions in the Makefile for rebuilding the exim_dbmbuild utility
1278 were wrong, leading to failures to rebuild when it should have done.
1280 98. Added -no_chown and -no_symlink options to the exim_install script. Also
1281 arranged for the environment variable INSTALL_ARG to be passed over
1282 from "make install".
1284 99. Exim sets the IPV6_V6ONLY option on IPv6 listening sockets on operating
1285 systems that support it. The call to setsockopt() to do this had SOL_SOCKET
1286 instead of IPPROTO_IPV6 as its second argument (and so wouldn't work).
1288 100. When a frozen message was timed out by timeout_frozen_after, the system
1289 filter was incorrectly being run for the message before it was thrown
1292 101. If a filter used $thisaddress in an argument to a pipe command, its value
1293 was not inserted where expected, because the expansion of a pipe command
1294 does not happen till transport time, and $thisaddress was not being saved.
1295 It is now saved (along with $1, $2, etc, which were already being saved),
1296 and reinstated at transport time.
1298 102. Added host grouping for randomizing to manualroute and smtp. A host list
1299 that is randomized by manualroute is never re-randomized by smtp. Two
1300 host lists that are randomized by manualroute are now treated as "the
1301 same" when checking for possible multiple deliveries in one SMTP
1302 transaction (this was always true for MX'd host lists).
1304 103. Added "randomize" and "no_randomize" options to manualroute.
1306 104. Added ${hmac expansion item.
1308 105. When compiling with gcc, make use of its facility for checking printf-like
1309 function calls (debug_printf and smtp_printf). This would have found the
1310 problem in 95 above. It actually found a number of missing casts to (int)
1311 in debug lines, and one spurious additional argument.
1313 106. Created an ACKNOWLEDGEMENTS file, which I will endeavour to update in
1316 107. Minor modification to Makefile: when a command that starts off "cd xxx;"
1317 is followed by another command (on the next line), put the first one in
1318 parentheses so that if a "clever" make program amalgamates them, the
1319 change of directory is turned off when it should be.
1321 108. If log_timezone is set true, the timestamps in log files now include the
1322 timezone offset. A new variable $tod_zone contains the offset. The exigrep
1323 utility has been updated to handle timestamps with offsets. The eximstats
1324 version included with this release (1.23) has been patched to handle
1325 timestamps with offsets. There is also a new -utc option that specifies
1326 the timestamps are in UTC. The Exim monitor has been modified so that it
1327 omits the zone offset from its display.
1329 109. If the expansion of an errors_to option is forced to fail, the option is
1332 110. Added $load_average.
1334 111. Added router_home_directory generic router option.
1336 112. Exim crashed on an attempt to check senders or sender domains in an ACL
1337 other than after RCPT or DATA. It's now a temporary error.
1339 113. \r was omitted before \n in the SMTP failure response for EHLO/HELO
1342 114. On receiving EHLO or HELO, Exim was resetting its state before checking
1343 the validity of the command. However, RFC 2821 says that the state should
1344 not be changed if an invalid EHLO/HELO is received, so Exim has been
1345 changed to conform. This applies mainly when there is more than one
1346 EHLO/HELO command in a session.
1348 115. When an Exim root process wrote to a log file, and the log file did not
1349 already exist, Exim used to create it as root, and then change its
1350 ownership to exim:exim. This could lead to a race condition if several
1351 processes were trying to log things at the same time; this happens
1352 especially when the exiwhat utility is used. I've changed things so that,
1353 if an Exim root process needs to create a log file, it does so in a
1354 subprocess that is running as exim:exim.
1356 116. When running filter tests (-bf and -bF) Exim now changes the current
1357 directory to "/" so that any assumptions about a particular current
1358 directory are false.
1360 117. The appendfile transport was doing the quota_threshold check before
1361 actually writing the message. However, the act of writing the message
1362 could make it longer by the addition of prefix, suffix, or additional
1363 headers. This meant that quota warning could be missed if the basic length
1364 of a message kept the mailbox below the threshold, but the transport
1365 additions took it over. The warning threshold check is now done after
1366 writing the message, when an accurate size is known.
1368 118. If all verifications for verify = header_sender deferred, the log was
1369 "temporarily rejected after DATA", without saying why. Now it adds "all
1370 attempts to verify a sender in a header line deferred".
1372 119. Added message_id_header_domain option.
1374 120. Ignore message_id_header_text forced expansion failure.
1376 121. Typos: "uknown" in acl.c; missing NULL initialized in drtables.c.
1378 122. When return_size_limit was set greater than zero but smaller than an Exim
1379 transport buffer size (so that only one buffer would be written), a
1380 message that was longer than the limit could be omitted from the bounce
1381 entirely under some circumstances. In other cases, the final buffer full
1382 before truncation could be omitted.
1384 123. The inode variables in log.c were of type int with -1 for unset; they
1385 have been changed to ino_t with 0 for unset.
1387 124. There are two Makefiles for NetBSD (for different object formats). They
1388 were originally supplied in a format where one .included the other. The
1389 problem with this has finally surfaced: when processing the Makefile to
1390 build config.h, the inclusion isn't seen. The easy way out has been taken:
1391 there are now two fully independent files. At the same time, HAVE_IPV6 has
1392 been added to both of them.
1394 125. Changed the default way of finding an IP address in both the manualroute
1395 and queryprogram routers. Exim now does a DNS lookup; if that yields
1396 HOST_NOT_FOUND, it tries calling getipnodebyname() (or gethostbyname()).
1397 See also change 89 above.
1399 126. Fixed a race bug in the loop that waits for a delivery subprocess to
1400 complete. After reading all the data from, and then closing, the pipe, it
1401 assumed that a call to waitpid() for the known pid would always return
1402 status for that process. An unfortunately timed signal (e.g. SIGUSR1 from
1403 exiwhat) could cause waitpid() to return -1/EINTR instead. The effect of
1404 this was to remain in the loop and call FD_SET() with an argument of -1.
1405 On Solaris it caused a crash; on other systems it might have looped.
1407 127. If an ACL that was read from a file was used in more than one message in a
1408 single SMTP transaction, Exim could crash or misbehave in arbitrary ways.
1409 The problem was that the ACL was remembered in memory that was thrown away
1410 at the end of the first message. In fixing this, I've done a bit of
1411 refactoring of the way memory allocation works, to provide a non-malloc
1412 allocator for small blocks of data that must be kept for the life of the
1413 process. There's a new function store_get_perm() and I've reintroduced a
1414 second storage pool (previously dropped on the 3->4 conversion). A number
1415 of instances of malloc calls for small amounts of memory have been changed
1416 to use this instead. It might be a tad more efficient. Then again, it
1419 128. A similar problem to 127: memory corruption could occur for multiple
1420 messages in one SMTP connection if the data from DNS black list lookups
1421 was being used in log or user messages, e.g. references to $dnslists_text.
1423 129. Blanks lines and comments are now ignored in ACLs that are read from
1426 130. Two instances of missing \n in debug output.
1428 131. The new debugging tag +timestamp causes a timestamp to be added to each
1431 132. Some debug information is written in multiple calls to debug_printf(),
1432 with a newline only on the last one. When debugging multiple simultaneous
1433 processes, the pid was added to each debug text, and for this reason, a
1434 newline was always forced. Now Exim buffers up debug output until the
1435 newline is reached, which makes things look much tidier. Also, if there
1436 are internal newlines and prefix data such as a pid or timestamp are being
1437 added, the prefix is inserted at the internal newlines.
1439 133. When running in the test harness, arrange to overwrite all memory that
1440 is released or freed, so that bugs are more easily found. This picked up
1443 134. Expansion error messages were left in released store, so could have been
1444 overwritten - but in fact most are used immediately, before this happened.
1446 135. A list of configuration files can be given; the first one that exists is
1449 136. Moved the code that ensures that newly-created hints databases and their
1450 lockfiles are owned by exim:exim so that it runs before the test for
1451 successful opening, because a case was reported where the file itself was
1452 created, but the DBM library returned an opening error.
1454 137. If an address is redirected to just one child address, verification
1455 continues with the child address. However, if verification of the child
1456 failed because of (for example) a :fail: redirection, the error message
1457 did not get passed back as it would have been had the original address
1458 failed. The error information is now passed back for both fail and defer
1461 138. Added $rcpt_defer_count and $rcpt_fail_count.
1463 139. Added "rejected_header" log selector.
1465 140. Added the cannot_route_message generic router option.
1467 141. Change 87 above introduced a bug in the expansion of substrings when the
1468 offset was greater than the length of the string, for example
1469 ${substr_1:}. Exim crashed instead of returning an empty string.
1471 142. Added extra features to ACLs: the "drop" and "defer" verbs, and the
1472 "delay" and "control" modifiers (the latter with "freeze" and
1475 143. If Exim failed to create a log file, it used to try to create the superior
1476 directories only if the logs were being written in the spool directory.
1477 Now it tries in all cases, but always from a process running as the exim
1480 144. Added $authentication_failed.
1482 145. Added $host_data for use in ACLs.
1484 146. Added new ACLs for non-SMTP messages, SMTP connection, MAIL, and STARTTLS.
1486 147. Added a number of new features to the local_scan() API:
1487 Access to debug_printf() and the local_scan debug selector
1488 Direct access to the message_id variable
1489 LOCAL_SCAN_REJECT_NOLOGHDR and LOCAL_SCAN_TEMPREJECT_NOLOGHDR
1490 Access to store_get_perm() and store_pool (see 127 above)
1491 Access to expand_string_message
1492 Option settings in the main configuration file
1493 LOCAL_SCAN_ACCEPT_FREEZE and LOCAL_SCAN_ACCEPT_QUEUE
1494 LOG_PANIC to write to the panic log
1495 Access to host_checking
1496 Supporting functions lss_match_xxx() for matching lists
1498 148. Minor security problem involving pid_file_path (admin user could get root)
1501 149. When an ACL contained a sender_domains condition with a reference to a
1502 named domain list, the result of the check was not being cached (an
1505 150. Allowed for quoted keys in lsearch lookups; this makes it possible to have
1506 whitespace and colons in keys.
1508 151. Added wildlsearch lookup.
1510 152. Yet another new set of configuration files for Cygwin from Pierre Humblet.
1512 153. Ensure that log_file_path contains at most one instance of %s and one
1513 instance of %D and no other % characters.
1515 154. Added $tls_certificate_verified.
1517 155. Now that the list of lookup types has got so long (and more are in
1518 prospect) arrange to search it by binary chop instead of linear search.
1520 156. Added passwd lookup.
1522 157. Added simple arithmetic in expansion strings.
1524 158. Added the ability to vary what is appended for partial lookups.
1526 159. Made base 64 encode/decode functions available to local_scan.
1532 1. Added HAVE_SA_LEN=YES to the OS/Makefile-Darwin file, because it needs it
1533 (unsurprising, as it's based on FreeBSD).
1535 2. Removed the HTML versions of the PCRE and pcretest documentation from the
1536 distribution tarbundle, and instead included them in the HTML tarbundle,
1537 linked to the overall index file.
1539 3. The code for computing load averages was broken in 64-bit Solaris.
1541 4. Make the default ACL refuse local parts that start with a dot.
1543 5. LDAP binds with an empty password are considered anonymous regardless of
1544 the username and will succeed in most configurations. Exim has been changed
1545 so that the LDAP authentication (the ${if ldapauth... condition) always
1546 fails when an empty password is used.
1548 6. Remove quoting from rbl_domains when used in an ACL by the convert4r4
1551 7. A lookup entry in a list that had spaces after the lookup type, e.g.
1552 "lsearch; /etc/relaydomains" was including the space as part of the file
1555 8. Give an error if EXIM_USER or EXIM_GROUP contains control characters (it
1556 happened when somebody had CRLF terminations in Local/Makefile, which
1557 messed up the "unknown user" error message).
1559 9. Ensure recipient address appears in log line for internal pipe problems
1562 10. Tidies to code for calls to fork(): (a) 3 typos of "<=" that should have
1563 been "<" (but would have no actual effect). (b) 2 cases of fork() failures
1564 not being logged: during -M for multiple messages, and for auto-delivery
1565 of incoming messages.
1567 11. A reference to any header line that contains addresses (e.g. $h_to:) caused
1568 a crash if the header was empty. Change 46 for 4.05 introduced this bug.
1570 12. If a system filter file was defined as a non-absolute path, but system_
1571 filter_user was undefined, Exim's behaviour was undefined. It could, for
1572 example, discard all deliveries, thinking the system filter had overridden
1573 them all. Delivery is now deferred, with a message written to the panic
1576 13. If a redirection file (or system filter file when system_filter_user was
1577 set) was defined as a non-absolute path containing no slash characters,
1580 14. Added $rcpt_count, containing the number of RCPT commands received during
1581 an SMTP transaction. This differs from $recipients_count when some of the
1584 15. Added $pid, containing the pid of the current process.
1586 16. Fixed uninitialized variable warning in eximstats for relayed messages when
1587 there was no sending host name (logged as H=[n.n.n.n]). There's no change
1590 17. The exiqusumm script failed horribly if it encountered a message that had
1591 been on the queue for 100 days or more.
1593 18. Added the message_logs option for suppressing the writing of message logs.
1595 19. Allow local_scan() to change the errors_to setting on recipient addresses.
1596 (This was made trivially possible because of change 10 in 4.03.)
1598 20. Convert4r4 changed: if forbid_pipe is set on a forwardfile director, also
1599 set forbid_filter_run on the generated redirect router.
1601 21. In the Makefile, $(INCLUDE) was preceding the -I. item that refers to
1602 Exim's own include files. This caused a conflict with an external library
1603 that also happened to have a config.h file. Exim saw the wrong file, and
1604 chaos ensued. I've moved the -I. item in the relevant lines so that it
1605 comes before $(INCLUDE).
1607 22. Added $acl_verify_message to contain any existing user message when
1608 expanding the "message" modifier in an ACL.
1610 23. Changed the default argument for egrep when called in exiwhat to find
1611 Exim processes. It is now ' exim( |$$|-)' instead of ' exim( |$$)' so that
1612 it works on OS where the true file name appears.
1614 24. In the plaintext authenticator, server_prompts was not being expanded, as
1615 documented. It now is.
1617 25. The exinext script was outputting in an incorrect format for routing
1618 delays. It said "deliver" when it should have said "route", and the layout
1619 of the text was screwed up. In fact, "deliver" is not the right word
1620 anyway. I've changed it to "transport". Also removed redundant code for
1621 "directing" delays, because these can't occur in Exim 4.
1623 26. Fixed some problems concerned with retrying address errors in remote
1626 (a) I'd overlooked temporary address errors, and assumed that all the
1627 retry items would be for host errors, and therefore on the first
1628 address when multiple RCPTs were involved. Consequently, no retry
1629 record was written for second and subsequent addresses if they
1630 received a 4xx error. Thus, these addresses wouldn't be delayed
1631 after such a delivery failure.
1633 (b) A temporary address error causes a routing delay; when the address
1634 is eventually tried again, and routing succeeds, the retry record is
1635 flagged for deletion. If the address gets another temporary error,
1636 the retry record got updated, and then deleted. Thus, temporary
1637 address errors were not being delayed and would be tried on every
1640 27. A minor code tidy for the CRAM-MD5 authenticator.
1642 28. Some OS have a command to select processes by the name of the command they
1643 are running, and send a signal to them. Linux and FreeBSD have "killall";
1644 Solaris has "pkill" (it also has "killall", but that does something
1645 disastrously different). Using such a command makes "exiwhat" more
1646 efficient, and reduces the chances of it trying to signal a non-existent
1647 process. There are now two build-time parameters, EXIWHAT_MULTIKILL_CMD and
1648 EXIWHAT_MULTIKILL_ARG, which can be set to enable this feature to be used.
1649 They are defined in the OS-specific files for Linux, FreeBSD, and Solaris.
1650 See OS/Makefile-Default for more details.
1652 29. As part of tidying up for 28, changed the name of the build-time parameter
1653 EXIWHAT_KILL_ARG to EXIWHAT_KILL_SIGNAL so that its name makes more sense
1654 when used in both kinds of exiwhat processing.
1656 30. By default, the daemon doesn't write a pid file if -bd is not used (i.e. if
1657 only -q is used). The -oP didn't override this - it was ignored. It now
1658 overrides the default and causes a pid file to be written.
1660 31. The values of $local_part, $domain, etc. were not being set during the
1661 expansion of shadow_condition in a local transport.
1663 32. The convert4r4 script failed when macros that had continuation lines were
1664 present in the Exim 3 configuration file. It inserted junk lines into the
1665 output and gave uninitialized variable errors.
1667 33. The convert4r4 script discards (with a comment) a setting of "rewrite" on
1668 a smartuser director that has no setting of new_address when it turns it
1669 into an "accept" router.
1671 34. When an alias generated an address with a single-component domain, and
1672 routing that domain caused it to be widened, Exim remembered only that it
1673 had delivered to the widened domain. If any other addresses were deferred,
1674 so that another delivery attempt happened later, Exim re-delivered to the
1675 widened address, because it checked only the original address. When this
1676 kind of widening happens, Exim now checks for previous delivery.
1678 35. A delivery was silently discarded under the following specific
1680 . The original address is x@a.b.c, where a.b.c is the local host;
1681 . a.b.c is recognized as a local domain, and the address is redirected
1683 . a is not recognized as a local domain, causing the address to be
1684 processed by a dnslookup router;
1685 . the router widens the address to a.b.c, routes it, and discovers it
1687 Exim realized that because the domain had been widened, it might have
1688 become a local domain, so it arranged to re-route from scratch, using the
1689 new domain. However, because the original address was the same address,
1690 it thought it had already dealt with it.
1692 36. A space at the start of an LDAP query in an expansion (after the opening
1693 curly) was provoking a syntax error.
1695 37. A syntax error in the data of an ldapauth expansion caused the condition to
1696 be false without an LDAP query even being tried. Now it causes the
1699 38. Ensure that an incomplete config.h is removed when the buildconfig program
1700 gives an error. Otherwise, if the error is a non-existent Exim user, and
1701 the admin fixes this by creating the user (and not modifying any files),
1702 Exim will try to use the broken config.h next time.
1704 39. A call with an argument of the form "-D=xxxx" (i.e. omitting the macro
1705 name) caused Exim to loop. It now reports an error.
1707 40. If an ACL tested an address for being in a named domain list (e.g.
1708 +relay_domains) and then called for recipient verification, and the
1709 recipient was rewritten, the cache for remembering matching domain lists
1710 was not being cleared after the rewrite, leading to potential routing (and
1711 therefore verification) errors. Furthermore, the rewritten address would
1712 (incorrectly) have been used for any subsequent address checking within
1715 41. If an address such as a%b@c was processed using the "percent hack" and then
1716 transmitted over SMTP, Exim was sending "RCPT TO:<a%b@c>" instead of
1719 42. A revised Makefile-CYGWIN file from Pierre Humblet.
1721 43. If local_scan() rejected a -bS message, it wasn't handling the error in the
1722 way -bS errors should be handled.
1728 1. In the log display in Eximon, put the insert point (caret) at the start of
1729 the last line instead of at the end, because this stops unwanted horizontal
1730 scrolling when certain X libraries are used.
1732 2. A malformed spool file with an incorrect number of recipients (which
1733 should never occur, of course) could cause eximon (and probably exim) to
1736 3. Updated Cygwin Makefile and os.h (minor tweaks).
1738 4. Setting allow_domain_literals=true was not allowing domain literal
1739 addresses in the -f command line option.
1741 5. Added debugging output for removing and adding header lines at transport
1744 6. On systems where SA_NOCLDWAIT is defined, changed from using signal(
1745 SIGCHLD, SIG_DFL) to using sigaction(), with flags explicitly set zero, to
1746 ensure that SA_NOCLDWAIT is definitely off. This fixes a bug in AIX where
1747 subprocesses were disappearing without being turned into zombies for Exim
1748 to reap. There was a previous report of the error "remote delivery process
1749 count got out of step" on a Linux box that was never resolved. It is
1750 possible that this change fixes that too.
1752 7. Other applications that support IPv6 have been coded to choose IPv6
1753 addresses in preference to IPv4 addresses where possible. This is
1754 encouraged, in order to speed up the use of IPv6. Exim has now been changed
1755 to do likewise when it looks up IP addresses from host names. This applies
1756 both to hosts that have more than one IP address, and to MX records with
1757 equal preference values when the hosts they point to have both IPv4 and
1758 IPv6 addresses. Within one preference value, Exim will try all the IPv6
1759 addresses before any IPv4 addresses, even when some of the IPv4 addresses
1760 belong to hosts that also have IPv6 addresses.
1762 8. When Exim sent HELO after EHLO was rejected, or when it sent a second EHLO
1763 after starting a TLS session, it used the primary host name as the
1764 argument, instead of the expansion of the helo_data option.
1766 9. Exim was failing to batch addresses for local delivery when errors_to was
1767 set on the router to the same string for each address, in the case when the
1768 string involved some kind of expansion (that ended up with the same value
1769 each time). If the string was fixed (i.e. no expansion) the batching was
1770 not blocked. In other words, I was testing the addresses of the strings but
1771 forgetting to compare the content. The same problem was not present for
1772 remote deliveries, but the code was written out instead of using a
1773 subroutine that now exists for this purpose, so I tidied that code.
1775 10. When Exim passes a connected TCP/IP socket to a new Exim process in order
1776 to deliver another message on the same connection, it closes down TLS,
1777 because it can't pass on the state information that is required by the
1778 OpenSSL package. The new process then tries to start up TLS again.
1779 Unfortunately, not all servers handle this - and, it has to be said, it is
1780 a bit of a dubious interpretation of the RFC. (Exim as a server copes OK,
1781 needless to say.) The problem is that the server may just die or give an
1782 invalid response, causing a retry delay to occur. The option
1783 hosts_nopass_tls was invented to help with this, but an automatic way of
1784 testing has been invented. What now happens is that Exim sends a new EHLO
1785 after shutting down TLS, before passing the socket on. This in itself
1786 reduces the dubiousness of the procedure. If there isn't an OK response,
1787 Exim doesn't try to pass the socket on.
1789 11. There was inconsistency in the way failures to set up TLS sessions in the
1790 smtp transport were handled when the host was not in hosts_require_tls.
1791 It deferred for 4xx responses to STARTTLS, but tried in clear if the actual
1792 TLS negotiation failed. It now does the same thing in both cases, and what
1793 this is can be controlled by the new option tls_tempfail_tryclear. This
1794 defaults true, causing a retry in clear to occur. If it is set false, these
1795 kinds of temporary failure cause a defer (for that host; if there are
1796 other hosts, they are tried).
1798 12. Tidying. When starting up a new delivery process to deliver another message
1799 over an existing SMTP connection, pass over the IP address as well as the
1800 host name. This saves having to get the IP address from the socket.
1802 13. Added "#define base_62 36" to OS/os.h-Darwin because the MacOS X operating
1803 system has case-insensitive file names.
1805 14. Tidies to rewriting code: (1) It was getting an unnecessarily large block
1806 of memory for a rewritten header. (2) Removed some unnecessary debugging
1807 code that just duplicated log output.
1809 15. In an expansion like "${if <condition> {${mask:xxxx}}{yyyy}}" Exim still
1810 tried to perform the masking operation even when the condition was false
1811 and the yield was "yyyy". This could fail when "xxxx" wasn't a valid string
1812 for the masking operation. Some other operators (e.g. base62) could fail in
1813 a similar way. All string operations are now skipped when processing the
1814 unused substring of a condition.
1816 16. If a verification of a sender address in a header (caused by verify =
1817 header_sender in an ACL) caused the address in the header to be rewritten
1818 (typically because a DNS lookup had widened the domain), the newline at the
1819 end of the header got lost, thereby causing two headers to be run together.
1820 Sometimes, but not always, this caused a "spool format error".
1822 17. A user wanted to use "save" in a filter file with a non-absolute path, and
1823 to set file_transport to a non-appendfile transport that made use of
1824 $address_file for its own purposes. This didn't work because Exim was
1825 distinguishing between file and autoreplies by the leading '/' of the
1826 former. It now checks for the leading '>' of the latter instead.
1828 18. The "accept" router was forcing log_as_local instead of just defaulting it.
1830 19. Exim crashed while verifying a recipient in an ACL if the address was
1831 verified by a dnslookup router that widened the domain.
1833 20. When checking the parameters returned from an ident call, Exim was assuming
1834 that the format would be textually identical to the values it sent,
1835 including the white space. This is not always the case, causing Exim to
1836 discard returned ident data that it should have been accepting.
1838 21. Typo (space missing) in "failed to expand condition" error message.
1840 22. The option of specifying an individual transport in a route_data or
1841 route_list option of the manualroute router wasn't working. Such settings
1842 were being completely ignored.
1844 23. The memory management was poor when building up a string from a lookup that
1845 retrieved a large number of data items that had to be concatenated, for
1846 example, an alias lookup in a database that returned thousands of
1847 addresses. In extreme cases, this could grind the host to a halt. (Compare
1848 change 8 for 4.00, which was a similar effect.) Two changes have been made
1849 to improve matters: (a) For longer strings, it extends them in bigger
1850 chunks, thus requiring fewer extensions. (b) It is now able to release some
1851 unwanted memory when a string is copied out of it into a larger block.
1853 24. There was a small error in the memory sizes quoted when -d+memory was used
1854 and emptied memory blocks were released.
1856 25. When helo[_try]_verify was set, Exim crashed if the reverse DNS lookup gave
1857 a temporary error when trying to look up the host name. It now tries to
1858 check with a forward DNS lookup (as it does when the reverse lookup can't
1859 find a name). For helo_verify, a temporary error is now given if
1860 verification failed, but the host name lookup gave a temporary error. (As
1861 before, a permanent error is given if there is no host name available.)
1863 26. When checking quotes for maildir++ format, if the directory name was given
1864 with a trailing slash in the "directory" option of the appendfile
1865 transport, Exim got the quota calculation wrong because it scanned the
1866 final directory instead of the parent directory.
1868 27. The "quota_xxx" error facility for retry rules was broken in Exim 4 if
1869 the mailbox had not been read for more than approximately 10 hours.
1871 28. If a router with "unseen" had a setting of address_data, the value was not
1872 passed on to subsequent routers for the continuing processing of the
1875 29. If a daemon was started with (e.g.) -qff15m, it omitted the second 'f' when
1876 starting queue runners. Likewise, if the flags included 'i', this was
1879 30. Some operating systems log warnings if exec() happens without the standard
1880 input, output, and error file descriptors existing. The worry is that the
1881 called program will open some file which will be allocated one of these
1882 fds. Another bit of code might assume it can write an error message to
1883 stderr, or whatever. Exim was calling itself to regain privilege for
1884 delivery without these fds set, thus provoking the warning. Of course, it
1885 didn't make use of them itself, but the exposure was there for libraries it
1886 might be using. The code has been changed to ensure that, if any of the
1887 file descriptors 0, 1, or 2 does not exist at the time of a call to exec(),
1888 they are opened to /dev/null.
1890 31. A delivery process could loop under the unusual combination of the
1891 following circumstances:
1892 (1) A delivery process had envelope_to_add set for its transport.
1893 (2) The delivery was for a child address of an envelope address that
1894 also had another child.
1895 (3) This other child had been discarded because it was a duplicate of a
1896 second envelope address.
1897 (4) The second envelope address had generated a child that was discarded
1898 because it was a duplicate of the first envelope address.
1900 32. The -bp option was failing to notice delivered addresses that were in the
1901 -J file but had not yet made it into the -H file. (This got broken between
1904 33. If "query" or "queries" in aliasfile director, or "route_query" or
1905 "route_queries" in a domainlist router were enclosed in quotes, the
1906 convert4r4 script was not removing the quotes before inserting the query
1907 into an expansion string, leading to invalid queries within the string.
1909 34. If more than two addresses were being delivered in a batch (either local or
1910 remote deliveries), and they all had the same, non-empty value for
1911 $self_hostname, but had different domains, Exim crashed. (This is rare,
1912 because the use of "self=pass", which is the only way $self_hostname gets
1915 35. If $message_headers was used in a context where there were no headers (e.g.
1916 while verifying an address before receiving a message), it caused an
1917 "unknown variable" error. Now it just returns an empty string.
1919 36. Exim was not diagnosing missing time units letters in times on retry
1920 rules. It was treating such malformed times as "-1", which caused the rules
1923 37. Added some debugging output to the CRAM-MD5 server code.
1925 38. In the appendfile transport, check for a file name supplied by redirection
1926 by checking for "not pipe and not autoreply" instead of looking for a
1927 leading '/' in the "address".
1929 39. The os.h file for Darwin defined CRYPT_H, which apparently is wrong.
1931 40. The "condition" condition in ACLs has been tightened up. Formerly, anything
1932 other than an empty string, "0", "no" or "false" was treated as "true". Now
1933 it insists on "yes", "true", or a non-zero number.
1935 41. Change 22 of 4.02 has been improved; somebody mailed me the correct code
1936 to get an error message when ldap_result() doesn't set a result.
1938 42. Update convert4r4 to recognize "ldap:" in require_files, and double the
1941 43. Added "protocol violation" to the "SMTP synchronization" error message, to
1942 make it clearer what it is complaining about.
1944 44. Change 26 of 4.03 was incomplete. The same problem could arise if a lookup
1945 failed while checking the pre-conditions of a router that was subsequently
1946 run. This can happen for negated conditions such as "domains = !<lookup>".
1948 45. Somebody managed to set up a configuration that crashed buildconfig such
1949 that it left a half-built config.h but did not stop the build process. I
1950 can't reproduce it, but I have added a check after building config.h to
1951 test for the presence of its last line ("/* End of config.h */").
1953 46. Added a .PHONY target to the Makefile to be tidy for GNU make. (It should
1954 be ignored by other versions).
1956 45. When Exim uses Berkeley DB version 3 or 4 to create a DBM file, it creates
1957 it in hashed format. Previously, it opened these files for reading in the
1958 same format. Now it opens them as "unknown", which means that other formats
1959 can be accommodated when using DB files for auxiliary data.
1961 46. When concatenating header lines that may contain lists of addresses (From:,
1962 To:, etc.) as a result of references to $h_from: etc., a comma is now
1963 inserted at the concatenation point. Without it, the use of "if
1964 foranyaddress" fails on such headers, which is dangerous.
1966 47. The code for ratelimiting MAIL commands was triggering on the count of
1967 messages received, instead of the number of MAIL commands (which is not the
1968 same thing if no message is accepted in a transaction). The smtp_accept_
1969 max_per_connection limit has also been changed to use the count of MAIL
1970 commands instead of the count of messages accepted.
1972 48. There was a typo in the exiwhat script which broke it if the esoteric
1973 CONFIGURE_FILE_USE_NODE option was in use.
1979 1. Fix 10 for 4.03 had a bug in it, which could cause problems when converting
1980 from an earlier 4.xx release with delayed "one_time" messages on the spool.
1981 4.03 incorrectly complains about spool format errors (and refuses to
1982 process these messages).
1984 2. Changed the status of the text widgets in the monitor from Append to Edit,
1985 because this matters on some versions of X.
1987 3. Change 22 for 4.03 turns out to be misguided. Luckily it is controlled by
1988 a compile-time macro. I have removed the settings from OS/os.h-Linux that
1989 made it try to use these functions.
1995 1. Change 12 for 4.02 overlooked one case where 256 should have been replaced
1996 by MAX_LOCALHOST_NUMBER.
1998 2. Timeouts (etc) in dnslist lookups were not behaving as documented; they
1999 were deferring (causing 4xx errors) instead of behaving as if the host was
2000 not in the list. This has been fixed. In addition, some new special items
2001 may appear in dns lists, to control what happens in this case. The items
2002 are +include_unknown, +exclude_unknown, and +defer_unknown.
2004 3. Added #include <unix.h> to OS/os.h-QNX because it was reported that this
2005 was needed, in order to get O_NDELAY.
2007 4. Added #define BASE_62 36 to OS/os.h-Cygwin.
2009 5. Change 8 for 4.02 overlooked the fact that "directory" need not be set if
2010 the directory name is coming from a filter or forwarding file. The check
2011 has now been moved from initialization time to run time. Thus, it happens
2012 later, but it still helps to diagnose the problem.
2014 6. The file direct.c had been accidentally left in the distribution.
2016 7. When a new process was forked to deliver another message down an existing
2017 SMTP connection, a pipe file descriptor was accidentally left open. This
2018 meant that if there was a long chain of such processes, the number of open
2019 file descriptors increased by one for each process, and if there were
2020 sufficient, the limit of open descriptors could be reached, causing various
2023 8. When an address was being checked with -bt and the routing involved an
2024 errors_to setting whose address verification also involved an errors_to
2025 setting, Exim got into a verifying loop. It shouldn't verify an errors_to
2026 setting when already verifying, but got this wrong if it started from -bt.
2028 9. Tidied up some compiler warnings when compiling with TCP wrappers.
2030 10. When a child address was promoted to a toplevel address by "one_time" after
2031 a deferred delivery, it was not remembering any "errors_to" address that
2032 was set by the routers that processed the original address. Consequently,
2033 the subsequent delivery had (incorrectly) the original sender address in
2034 the envelope. Exim now remembers the "errors_to" address with the new
2035 toplevel address and reinstates it for the next delivery.
2037 11. When Exim received a message other than from the daemon, there were two
2038 situations in which it did not re-exec itself for delivery: when it was
2039 running as root, or when it was running in an unprivileged mode. This was
2040 an attempt to save some resources (very early Exims ran as root more often)
2041 but has turned out to be pretty rare. A bug has been discovered in this
2042 case: if the incoming message was on a TLS session (from inetd, for
2043 example), but the outgoing delivery was on an unencrypted SMTP connection,
2044 Exim got confused. The effect was minimal: it sent two EHLO commands, but
2045 otherwise worked. Multiple EHLOs are not an error, according to the RFCs,
2046 but there was at least one broken MTA that objected. This error would have
2047 occurred only when synchronous delivery (-odi or -odf) was specified.
2049 While sorting this out, I have abandoned the logic that did a delivery
2050 without forking in the interests of simplicity. This was an even rarer
2051 case: it only happened when Exim was running as root or in an unprivileged
2052 mode AND synchronous delivery was specified.
2054 12. Change references to /bin/rm in the Makefile to plain rm.
2056 13. If EXIM_PERL was set in Local/Makefile, but PERL_COMMAND was set to a
2057 command that was not a file, or if it was set to a non-existent file,
2058 the build process carried on trying to build Perl support, but without the
2059 relevant variables for the Perl libraries, etc., which is disastrous. In
2060 fact, the build process shouldn't have been using PERL_COMMAND; that is a
2061 value for screwing into utility scripts. The build process assumes a
2062 suitable PATH for things like rm, mv, etc., which have xxx_COMMAND
2063 variables for scripts. So I've changed it to use just "perl". It now bombs
2064 out if "perl --version" doesn't produce some output.
2066 14. Changed the #includes in perl.c for the Perl headers to use <> instead of
2067 "" because this is apparently better usage.
2069 15. Added local_scan_timeout to apply a timeout to local_scan().
2071 16. Recognize IPv6 addresses as IP addresses, even when Exim is not compiled
2074 17. When verifying a HELO/EHLO name, Exim was not checking the alias host names
2075 it obtained from calling gethostbyaddr(). In many cases, this didn't cause
2076 any unwanted rejections because as a last resort Exim does a forward lookup
2077 on the HELO name to see if any of its IP addresses matches. But it fixing
2078 the bug saves the unnecessary additional lookup.
2080 18. Added "domains = ! +local_domains" to the commented-out ipliteral router in
2081 the default configuration.
2083 19. Default sender_host_aliases to an empty alias list, instead of NULL. This
2084 is just for tidiness; the way it was coded, it didn't cause any problems.
2086 20. Added -tls-on-connect, which starts a TLS session without waiting for
2087 STARTTLS. This supports older clients that used a different port.
2089 21. Added support for the Cyrus pwcheck daemon.
2091 22. Arranged to use getipnodebyaddr() instead of gethostbyaddr() in systems
2092 with IPv6 support that have this function, because gethostbyaddr() doesn't
2093 work for IPv6 addresses on all systems (it does on some).
2095 23. Header lines added by "warn" statements in the ACL for RCPT are saved up to
2096 be added after the message's header has been received. Previously, Exim was
2097 saving up all added headers, from both RCPT and DATA, until the very end.
2098 Now it adds those from RCPT before the DATA ACL is obeyed, so that they can
2099 be accessed from within the DATA ACL.
2101 24. Changed TLS initialization to use SSL_CTX_use_certificate_chain_file()
2102 instead of SSL_CTX_use_certificate_file(). This means that the file can
2103 contain the whole chain of certificates that authenticate the server.
2105 25. Updated convert4r4 to check for colons that look as if they are part of
2106 expansion items in require_files lists (e.g. ${lc:xxxx}). In Exim 3, the
2107 whole list was expanded before splitting up, but in Exim 4, the splitting
2108 happens first, so such colons must be doubled. The conversion script now
2109 doubles such colons, and outputs a warning message. The test for one of
2110 these colons is a match against "\$\{\w+:".
2112 26. If, while verifying a recipient address, a router was skipped because a
2113 lookup did not succeed, and the following router suffered a temporary
2114 failure (e.g. a timeout), the log line for the temporary rejection showed
2115 the error from the first router instead of from the second.
2117 27. Exim crashed if a dnslists test was obeyed in an ACL for an SMTP message
2118 from the local host. Now it just fails to match the list.
2124 1. Bug in string expansion: if a "fail" substring of a conditional contained
2125 another conditional that used the "fail" facility, Exim didn't swallow the
2126 right number of closing parentheses in the case when the original condition
2127 succeeded (i.e. when the condition containing the "fail" should be
2130 2. helo_verify_hosts wasn't working when comparing host names.
2132 3. When delivering down an existing SMTP connection, the error "Unexpectedly
2133 no free subprocess slot" was sometimes given for other addresses in the
2136 4. Binary zeroes in the message body are now turned into spaces in the
2137 contents of $message_body and $message_body_end.
2139 5. If the value of a field in a MySQL result was SQL NULL, and more than one
2140 field was selected, Exim crashed.
2142 6. It seems that many OS treat 0.0.0.0 as meaning the local host, typically
2143 making it behave like 127.0.0.1. Since there have been incidents where this
2144 was found in the DNS, two changes have been made:
2145 (a) Added 0.0.0.0 to the ignore_target_hosts setting in the default
2147 (b) Unconditionally recognize 0.0.0.0 as the local host while routing.
2149 7. Added helo_allow_chars so people can let in underscores if they really
2152 8. Give configuration error if "maildir_format" or "mailstore_format" is
2153 specified for appendfile without specifying "directory".
2155 9. When return_path was expanded in an smtp transport, the values of
2156 $local_part and $domain were not set up.
2158 10. The optimization for sending multiple copies of a single message over one
2159 SMTP connection when there are lots of recipients (but too many for one
2160 copy of the message) was messing up in the case when max_rcpt was set to 1
2161 (for VERP). It would send lots of copies with one RCPT each, correctly, but
2162 because the transport was passed more than one address, $local_part and
2163 $domain weren't set. Since setting max_rcpt to 1 is almost always
2164 associated with VERP (or at least, you do it because you want to use
2165 $domain or $local_part), I've made that a special case where the
2166 optimization is disabled.
2168 11. Cygwin has case-insensitive file names. Therefore, we can't use base 62
2169 numbers for Exim's identifiers. We have to use base 36 instead. Luckily 6
2170 base 36 digits are still plenty enough to hold the time for some years to
2171 come. There's now a macro that is set either to 62 or 36, but the names and
2172 documentation still talk about "base 62".
2174 12. Added build-time variable MAX_LOCALHOST_NUMBER (default 256) to allow the
2175 localhost number to be traded off against the maximum number of messages
2176 one process can receive in one second. This is relevant only when
2177 localhost_number is set. It may be useful for Cygwin, where the maximum
2178 sequence number is much less when up to 256 hosts are allowed.
2180 13. Extended MySQL server data to allow for the specification of an alternate
2183 14. Give error if too many slashes in mysql_servers or pgsql_servers item.
2185 15. Changed the wording "debug string overflowed buffer" to "debug string too
2186 long - truncated" to make it clearer that it's not a big disaster.
2188 16. Now that I finally understand the difference between the resolver's returns
2189 HOST_NOT_FOUND and NO_DATA, I've optimized Exim's DNS lookup so that if an
2190 MX lookup gets HOST_NOT_FOUND, it doesn't bother to try to look up an
2191 address record. Only if it gets NO_DATA does it do that.
2193 17. The contents of Envelope-To: were not correct in cases when more than one
2194 envelope address was redirected to a single delivery address via an
2195 intermediate address, because the duplication was detected at the
2196 intermediate stage, but the checking for Envelope-To: only looked at
2197 duplicates of the final address.
2199 18. If a message with the -N flag was on the spool, and was selected during a
2200 queue run by -R or -S, the -N flag was incorrectly passed on to all
2201 subsequent messages, leading to their being thrown away.
2203 19. Remove unnecessary check for the local host when looking up host names in
2206 20. If tls_certificate is supplied, but tls_privatekey is not, assume that both
2207 are in the tls_certificate file.
2209 21. If a router set transport_current_directory or transport_home_directory
2210 to something that involved an LDAP lookup, and there was more than one
2211 local delivery to be done for a single message, all but the first got
2212 deferred because the LDAP connection for those variables got opened in the
2213 superior process, but closed in the first subprocess. The second subprocess
2214 then assumed it was still open. We now ensure that each subprocess starts
2215 with a clean slate (everything closed down) so that it can open and close
2216 its own connections as needed.
2218 22. After a failure of ldap_result(), Exim was calling ldap_result2error() in
2219 order to get an error message. However, it appears that it shouldn't do
2220 this if the value of result variable is NULL. As I can't find any way of
2221 getting an error message out of LDAP in this circumstance, Exim now just
2222 gives says "ldap_result failed and result is NULL".
2224 23. If a message arrives over a TLS connection via inetd, close down the SSL
2225 library in the subprocess for message delivery (but don't molest the
2226 parent's SSL connection).
2232 1. When setting TCP_NODELAY, the call to setsockopt() was using SOL_SOCKET
2233 instead of IPPROTO_TCP, which caused excessive logging on some systems.
2235 2. Changed the Makefile for Cygwin to set EXIM_USER and EXIM_GROUP to 0.
2237 3. The SMTP rewriting facility was broken.
2239 4. There was some malformatting in the spec.txt file (the other formats were
2242 5. Made convert4r4 change "bydns_a" into "bydns" in route_list options, and
2243 to do the same for "bydns_mx", but in this case to comment that it won't
2244 work the same (and to suggest a workaround).
2246 6. Removed redundant code in deliver.c for indicating when a reused SMTP
2247 connection had been closed in a subprocess - this was being done twice.
2249 7. Change 2 of 3.164 removed Exim's explicit checking that a reverse DNS
2250 lookup yielded a name whose forwarded lookup gave the original IP address,
2251 because I thought that gethostbyaddr() did this automatically (it seems to
2252 on some systems). There is hard evidence that I was wrong, so this test has
2253 been put back, and in a better form, because it now checks alias names.
2254 This means that the verify=reverse_host_lookup condition in an ACL reduces
2255 to requiring that the host name has been looked up, since the checks it
2256 previously did are not always applied.
2258 8. When sender verification fails, the error associated with it is given by
2259 default before the 550 error for the first RCPT command. Not everybody
2260 wants to see this. There is now an option (no_details) that suppresses it.
2262 9. The patterns in rewriting rules with the 'S' flag were not being expanded.
2263 For consistency with other patterns (and the documentation), this has been
2266 10. "domainlist", "hostlist", and "addresslist" weren't recognized if the
2267 immediately following character was a tab rather than a space.
2269 11. The rules for writing daemon pid files have changed. A new option -oP has
2270 been added to provide a way of specifying a pid file path on the command
2271 line. Exim now writes a pid file when -bd is used, unless -oX is specified
2274 12. The version number of OpenSSL was included in the response to the STARTTLS
2275 command - a legacy from the original contributed code that doesn't seem
2276 sensible. It no longer appears, and I took it out of the debug output as
2277 well because that was the only place left, and the code to compute it was
2278 "mysterious magic" that didn't seem worth keeping.
2280 13. When another message was processed in order to send it down an existing
2281 SMTP connection, Exim was doing the routing for all the addresses. Even if
2282 called from a delivery from a queue runner, this doesn't count as "in a
2283 queue run", so retry times were not being inspected. If the message had a
2284 large number of recipients, and several of them timed out while routing,
2285 the delay could be so large that the server at the other end of the SMTP
2286 connection would time out. To avoid this happening, Exim now skips routing
2287 for any addresses that have a domain retry time set for routing, whether or
2288 not that retry time has arrived, when dealing with a pre-existing SMTP
2289 connection. This will be "right" pretty well all of the time, and even
2290 when it is "wrong", the only consequence will be some delay. (This doesn't
2291 apply to "address" retry times, because those are usually the result of 4xx
2292 errors, not timeouts.)
2294 14. Added words to the initial output from -bh pointing out that no ident
2297 15. The convert4r4 script wasn't getting it quite right with an aliasfile
2298 director that had a "transport" setting. It was missing the "yes/no" in the
2299 "condition" setting.
2305 1. Changed the name of debug_print for authenticators (3.953/38) to
2306 server_debug_print because it applies only when the authenticator is
2307 running as a server.
2309 2. Forgot to change DB_ to EXIMDB_ in the Cygwin Makefile.
2311 3. There were still a couple of uses of vfork() when passing a socket to a
2312 new delivery process. The use of vfork() is not recommended these days,
2313 so I changed them to fork().
2315 4. Added the spa authentication mechanism, using the code contributed by Marc
2316 Prud'hommeaux (and mostly taken from the Samba project). This supports
2317 Microsoft's "Secure Password Authentication", but only as a client.
2319 5. queryprogram had current_directory unset, but used "/" when it was unset.
2320 It is tidier just to make the default "/" and have done with it.
2322 6. When a delivery is run with -v, the -v flag is no longer passed on to new
2323 processes that are started in order to send other messages on existing
2324 SMTP connections. This prevents non-admin users from seeing these other
2325 deliveries. Admin users can specify a higher level of debugging, and when
2326 this is done, the debugging selection is passed on.
2328 7. Increased the increment for dynamic strings from 50 to 100.
2330 8. When Exim was building a dynamic string for $header_xxx from a number of
2331 headers of the same name, or for $message_headers, it was using the dynamic
2332 string function which is designed for use with relatively short strings. If
2333 a pathological message had an enormous header, it chewed up memory at a
2334 ridiculous rate. The code has been rewritten so that it does not do this.
2335 With a 64K header string (there's a limit set at 64K) it now just gets one
2336 64K buffer. Previously it used a large number of megabytes to build such a
2337 string, and some system filter processing ran machines into the ground on
2338 messages with huge headers.
2340 9. The work for 8 involved a small amount of other "refactoring" in the
2341 expansion functions.
2343 10. If "headers add" or "headers remove" were used in a system filter, the
2344 headers didn't actually get changed when testing with -bF. This could
2345 affect later commands in the filter that referred to the headers.
2347 11. Two system filter bugs: (a) The system filter was always being run as root,
2348 even if system_filter_user was set. (b) When the system filter was not run
2349 as root, changes to the header lines by "headers add" or "headers remove"
2350 were being lost. Because of (a), (b) would never have bitten.
2352 12. Some "refactoring" in the daemon:
2353 (a) Removed redundant statement smtp_in=NULL.
2354 (b) The test for fork failure for a delivery process was not quite in the
2356 (c) Added main and panic logging for receive and delivery fork failures.
2357 (d) Check for fdopen() failure, and don't try to continue, but ensure
2358 the sockets get closed.
2359 (e) Log fclose() failures.
2361 13. Added the "/data" facility to ACL dnslists so as to make it easy to use,
2362 for example, the domain lookup of rfc-ignorant.org.
2364 14. Refactored the code in the daemon to use a vector of structures instead of
2365 two separate vectors for storing the pid of a spawned accepting process and
2366 the corresponding IP address of the client. (This is to make it easier to
2369 15. If EXIM_USER or EXIM_GROUP were set to the empty string in Local/Makefile,
2370 the uid or gid were set to zero, which is unsafe. These settings now cause
2371 an error message at build time.
2373 16. check_ancestor was doing its check case-sensitively, which meant that it
2374 did not work with some configurations when redirecting changed the case of
2375 the local part. Now check_ancestor respects the setting of
2376 caseful_local_part on the router which routed the ancestor address.
2378 17. The check for router looping (whether the current router had previously
2379 routed the same address) was always being done case-insensitively. It
2380 should do the local part check case-sensitively when caseful_local_part is
2381 set for that router.
2383 18. Added helo_try_verify_hosts, which is like helo_verify_hosts except that
2384 it doesn't reject failing HELO/EHLO. Instead the verification state can be
2385 testing in an ACL by verify=helo.
2387 19. When echoing log writes from a parallel remote delivery process to the
2388 debug output, the pid of the parallel process was being omitted.
2390 20. In an ACL run for a RCPT command, the values of $domain and $local_part
2391 were becoming unset after a sender or recipient verification.
2393 21. Exim crashed if called with -C followed by a ridiculously long string.
2395 22. Some other potential points of trouble caused by pathological input data
2398 23. If hosts_randomize was set on an smtp transport, the randomizing code had
2399 a bug which could put the delivery process into a tight loop.
2406 1. Exim was not terminating the names of named lists in memory. It got away
2407 with this on systems where newly malloc()d store is zeroed (always a bad
2408 practice). When running in its test harness, Exim now ensures that all
2409 new memory from malloc is filled with a non-zero value. This will help
2410 pick up bugs like this in future. (I haven't made it do it always, for
2411 performance reasons.)
2413 2. When skip_syntax_errors was set on a redirect router, and a forward file
2414 (NOT a filter file) contained only invalid addresses, the message was
2415 discarded. The router now declines, as it does for invalid filter files.
2416 Thus, the address is passed on unless no_more is set.
2418 3. When an address containing upper case letters in the local part was
2419 deferred, eximon showed the lowercased version with the caseful version
2420 as a "parent", as well as the original caseful version in its queue list.
2422 4. When hide_child_in_errmsg was set on a redirect router, bounce messages
2423 still showed the failed addresses in the X-Failed-Recipients: header line.
2425 5. Change 6 for 3.952 should also have included SIGTERM.
2427 6. exim -bP +something was searching only the domain lists. It now searches
2428 all lists for a matching name.
2430 7. If Local/Makefile contains more than one of USE_DB, USE_GDBM, or USE_TDB,
2431 give a build-time error. When it does contain one of them, arrange for any
2432 OS default for any other one to be overridden. (The code expects at most
2433 one of these to be defined.)
2435 8. When a value for transport_home_directory is taken from the password
2436 information, wrap it in \N...\N so that it isn't expanded in the transport.
2437 This affects Cygwin, where home directories may contain $ characters.
2439 9. Fixed an occasional crash when autoreply was sending a message created by
2440 a user's filter file. It was referencing uninitialized memory. (The
2441 prophylactic mentioned in 1 above made it a hard error.)
2443 10. The "run" and "readfile" expansion items could sometimes return extra junk
2444 characters (yet another uninitialized memory bug).
2446 11. The lockout options forbid_filter_existstest etc. were not propagating to
2447 the expansion of files sent as part of "mail" messages from users' filter
2450 12. Another unterminated string bug: when an ACL was read from a file
2451 dynamically it wasn't properly terminated.
2453 13. Cached pgsql connections weren't being re-used, leading to a potential
2454 build-up of open connections.
2456 14. $message_headers is supposed to be limited to 64K in length, but it wasn't
2457 so limited if an individual header line was longer than 64K.
2459 15. An individual header line, or concatenation of multiple identically-
2460 named header lines, inserted by $h_xxxx is supposed to be limited to 64K in
2461 length, but it wasn't so limited if the only header line was longer than
2464 16. A syntactically incorrect setting of -d... is now treated as a command line
2465 syntax error (message to stderr, return code 1), without any entry on the
2468 17. Modifications to the exim_install script:
2469 (a) Scan the combined Makefile in the build directory instead of messing
2470 around scanning its individual constituent files.
2471 (b) Use sed instead of a pipe of grep, tail and cuts. This allows better
2472 control, but has to be very simple sed in order to work on Solaris.
2473 (c) Allow for the setting of EXE to add a subscript to executables for
2474 the benefit of Cygwin.
2475 (d) Use -c instead of -b with "cut" because the "cut" in BSD/OS doesn't
2478 18. Changes for Cygwin:
2479 (a) Update scripts/os-type to recognize CYGWIN.
2480 (b) Arrange (via the Uopen() macro) for all calls to open() to have
2481 the O_BINARY flag, to avoid CRLF problems.
2482 (c) If OS_INIT is defined, call it at the very start of Exim's execution.
2483 (d) When resolver debugging is enabled, set _res.options |= RES_DEBUG
2484 before calling res_init() as well as after, because that generates
2485 some debugging info during initialization.
2487 19. Make the initial call to os_getloadavg() in exim.c conditional on
2488 LOAD_AVG_NEEDS_ROOT because it is done just to initialize os_getloadavg()
2489 on systems that require the first call to be done as root. It should be
2490 called only when messages are being received; it was being called
2491 unnecessarily in some cases.
2493 20. If Exim failed to open its retry hints database at routing time, it crashed
2494 during a subsequent local delivery.
2496 21. If Exim is neither setuid root nor called by root, there is no need to
2497 attempt to drop root privilege when it is not needed.
2499 22. I'd forgotten to remove the check for the presence of %s in pid_file_path
2500 when it was set at run time.
2502 23. If a transport filter crashed, or yielded a non-zero return code during an
2503 SMTP delivery, Exim was not aborting the delivery. This led to multiple
2504 partial deliveries of the message until the transport filter was fixed.
2506 24. Do not try alternate hosts if a transport filter crashes or yields a
2507 non-zero return during an SMTP delivery.
2509 25. When exim -be is reading input lines from stdin, backslash can now be used
2510 for continuations. This makes it easier to test expansions from a
2511 configuration file by cut and paste, and long expansions in general.
2513 26. The file src/auths/xtextdecode.c was incorrectly named xtestdecode.c, but
2514 because the MakeLinks script built a symbolic link that worked, this
2515 mistake didn't actually show up.
2517 27. When Exim is delivering another message down an existing connection,
2518 remote_max_parallel should be forced to 1; this wasn't happening, though
2519 it would have caused a problem only if a message had more than 100
2520 recipients routed to the host.
2522 28. When there was a problem while delivering down an existing connection, such
2523 that the transport process closed the connection, this fact wasn't getting
2524 communicated to the calling delivery process, which might have tried to do
2525 more deliveries on the same connection. This would only have caused a
2526 problem if there were more than 100 recipients to the same host.
2528 29. The ${extract} action, with a negative field number that selected the first
2529 field in a string, could return junk characters at the start of the
2532 30. When Exim is acting as a client, if an attempt to start a TLS session fails
2533 during the TLS negotiation phase (i.e. STARTTLS is accepted, but there's a
2534 problem such as an unrecognized certificate during TLS session startup),
2535 Exim used always to defer delivery. Now, unless the host is in
2536 hosts_require_tls, Exim makes a new connection to the host and attempts to
2537 send the message unencrypted. This avoids stuck messages for servers that
2538 advertise STARTTLS but don't actually support it properly.
2540 31. Added ${address:xxx} to go with ${domain:xxx} and ${local_part:xxx} which
2541 extract from RFC 2822 addresses.
2543 32. The rules for recognizing when Exim is being called from inetd have
2544 changed. Previously Exim required SMTP input, stdin to be a TCP/IP socket,
2545 and the caller to be root or the Exim user. This left a gaping hole if the
2546 caller was not root or the Exim user, because then it wouldn't do the
2547 policy checking for a remote host, because it didn't realize it was being
2548 called from inetd. (This was seen on Debian configurations). Exim now
2549 behaves as follows: if the input is SMTP and stdin is a TCP/IP socket, a
2550 call from inetd is assumed. This is allowed to proceed either if the caller
2551 is root or the Exim user, or if the port used is privileged (less than
2552 1024). Otherwise (a different user passing an unprivileged port) Exim gives
2553 a "Permission denied" error.
2555 33. Removed $compile_number from the default SMTP banner line (after discussion
2556 on the mailing list). Also removed it from the default $Received: header.
2558 34. # is documented as a comment character in the run time configuration only
2559 when it appears at the start of a line. In the case of boolean values,
2560 extra characters after "= true" or "= false" were being ignored, leading to
2561 a false impression that comments could appear there. This is now diagnosed
2564 35. If a boolean option without a following "=" was followed by # (in the
2565 mistaken belief that this would be a comment), the error was "missing =",
2566 which was confusing. Exim now complains about extra characters.
2568 36. When Exim complains about extra characters following an option setting, it
2569 now adds a comment about comments if the first extra character is #.
2571 37. Output debug_print strings when testing a host using -bh.
2573 38. Added server_debug_print to authenticators (compare routers and
2574 transports). This outputs when an authenticator is called as a server. It
2575 can be helpful while testing with -bh.
2577 39. Added debugging output to the crypteq condition.
2579 40. If a named domain or local part list used in a "domains" or "local_parts"
2580 option on a router matched by means of a lookup, the $domain_data and
2581 $local_part_data variables were set for the first router that did this, but
2582 were not set for any subsequent routers that used the same named list. The
2583 same was true for multiple tests of named domain or local parts lists in an
2586 41. If the variable "build" is set when the top-level Makefile is run, the
2587 variable now propagates from the top-level Makefile to subsidiary ones.
2588 In addition, Local/Makefile-$(build) is added to the list of concatenated
2589 files that go at the start of the Makefile in the build directory.
2591 42. If NO_SYMLINK is defined in Local/Makefile, the exim_install script just
2592 copies the Exim binary in with its unique name, without moving the "exim"
2593 symbolic link to it.
2595 43. Added BSDI 4.2 as a BSDI variant in scripts/os-type.
2597 44. The spool file format for remembering a "one_time" redirection has changed;
2598 I had forgotten to make Exim 4 capable of reading Exim 3 spool files.
2600 45. Address lists are now permitted to include items of the form *@+name where
2601 "name" is a named domain list. (Note that an item of the form +name is
2602 taken as a named _address_ list.)
2604 46. When Exim gives up privilege and reverts to the calling user because it was
2605 called with the -C, -D, -be, or -bi options, it now reinstates the
2606 supplementary group list as well as the uid and gid.
2608 47. The crypteq condition has been extended. When the encrypted string begins
2609 with "{md5}" Exim used to assume that the digest was encoded as a base64
2610 string. Now it assumes this only if its length is 24 bytes. If the length
2611 is 32 bytes, Exim assumes a digest expressed in hex characters. If the
2612 length is neither 24 nor 32, the comparison always fails.
2614 48. Updated the convert4r4 script:
2616 (a) Some typos in the comments.
2617 (b) Remove kill_ip_options, log_ip_options, and refuse_ip_options, which
2619 (c) Move all macro definitions to the top of the output, to ensure that
2620 they precede any references to them.
2621 (d) If tls_verify_ciphers was set without tls_verify_hosts, the generated
2622 new configuration insisted on encryption ("these ciphers must be
2623 used for all connections") instead of just checking the cipher when
2624 encryption happened ("if encrypted, these ciphers must be used").
2625 (e) Address lists are now checked to see if they contain any bare lookup
2626 items and if they do, these are converted to two items, the first
2627 preceded by "*@" and the second with "partial-" removed. This makes
2628 Exim 4 behave in the way that Exim 3 used to. An explanatory comment
2630 (f) Put more explanation in above the "hosts = :" test.
2632 49. Write a main and panic log entry when "partial-" is ignored in a lookup
2633 that is part of an address list. (Applies when the item is a lookup for
2634 which the whole address is the key.)
2636 50. Two changes to the way $original_local_part and $parent_local_part work:
2638 (a) When an address that had a prefix or suffix was redirected to another
2639 address, the value of $original_local_part and $parent_local_part
2640 had the prefix or suffix stripped when referred to during the
2641 processing of the child address. This doesn't seem right, so it has
2643 (b) When an address that had a prefix or suffix was being processed,
2644 $local_part had the affix stripped, and if it was a top-level
2645 address, $original_local_part also has the affix stripped. This has
2646 been changed. Now $original_local_part contains the same value at all
2647 levels. ($parent_local_part remains empty at top level.)
2649 51. A number of macros in the Exim source began with "DB_". When compiling
2650 with Berkeley DB version 4, DB_LOCK_TIMEOUT clashed with a macro set by
2651 that package. The Exim macros now all start with "EXIMDB_", and Exim
2652 therefore now supports DB version 4.
2654 52. Newlines in a "freeze" text from a system filter were being sent as \n
2655 in messages created by the "freeze_tell" option. They are now converted
2656 back to newlines (in the log line they continue to appear as \n).
2658 53. Added a new ACL condition "verify = reverse_host_lookup". This does a
2659 reverse lookup of the client host's IP address, then does a forward lookup
2660 for all the names it receives, and checks that at least one of the IP
2661 addresses obtained from the forward lookup matches the incoming IP address.
2662 The lookups are done with gethostbyaddr() and gethostbyname(),
2665 54. A small fix to eximstats reduces its store usage substantially when it is
2666 processing very large log files: when a message's "completed" line is
2667 reached, discard the memory of the message's size.
2669 55. If an address was redirected to itself more than once (e.g. by two
2670 different "redirect" routers, or because of the use of "unseen", it was
2671 incorrectly discarded as a duplicate address.
2673 56. For a rewrite pattern of the form *@something, if an actual address
2674 contained @ in the local part (e.g. "a@b"@x.y), the value of $1 was set
2675 incorrectly during expansion of the replacement address (it stopped at the
2676 first @ instead of at the last one).
2678 57. Added hosts_nopass_tls to the smtp transport. For any host that matches
2679 this list, a connection on which a TLS session has been started will not be
2680 passed to a new delivery process for sending another message on the same
2683 58. The -dropcr command line option now turns CRLF into LF, while leaving
2684 isolated CR characters alone. (Previously it removed _all_ CR characters.)
2685 There is now also a drop_cr main option which has the effect of -dropcr for
2686 all incoming non-SMTP messages.
2688 59. If a configuration file macro expanded into a boolean option which was not
2689 followed by = and a value, Exim gave a spurious error for an "unknown"
2690 value for the option (typically a string from the previous line).
2696 1. convert4r4 had an incorrect file name in its comment output.
2698 2. convert4r4 was looking up $local_part instead of $domain in its generated
2701 3. There was no check that getpeername() was giving a socket address when
2702 called on stdin passed from a previous delivery.
2704 4. Fixed an old bug whereby Exim could segfault if debugging was turned on and
2705 a DNS lookup found MX records for hosts whose A records had to be looked up
2706 separately, and some of them pointed to the local host (pretty rare).
2708 5. The debugging output for log writes now shows the names of any log selectors
2709 instead of the hex value of the selector word.
2711 6. If a delivery subprocess is terminated by SIGKILL or SIGQUIT, do not freeze
2712 the message. This can happen during system shutdown. Other kinds of process
2713 failure indicate problems.
2715 7. If a sender verification did not complete (e.g. DNS lookup timed out), the
2716 log line for the temporary RCPT rejection did not always say why (it lost
2717 the message if there had been a previous call to any lookup).
2719 8. The special message about MX records that point to IP addresses instead of
2720 host names was not getting returned in the SMTP response when a
2721 verification failed. This has been fixed, and the message that is logged in
2722 this circumstance has been made less verbose.
2724 9. When an SMTP callout is done, Exim tries to use the interface and port
2725 number from the transport that the address was routed to during the prior
2726 verification. If it wasn't routed to a remote transport, or if there's a
2727 problem expanding the relevant options, Exim does not use a specific
2728 interface, and it connects to port 25.
2730 10. If the string "syslog" happened to occur in the log file path, eximon was
2731 failing to extract the name of the main log file correctly.
2733 11. Unlike other operating systems, Linux does not sync a directory after a
2734 rename. However, we need this to happen to be sure an incoming message has
2735 been safely recorded after it has been received. I have therefore added a
2736 macro called NEED_SYNC_DIRECTORY (which is set in OS/os.h_Linux) to request
2737 Exim to do an explicit sync on the directory after the rename. If
2738 O_DIRECTORY is defined, it is used when opening the directory.
2740 12. When a system filter creates any new deliveries, they are given a fake
2741 "parent" address which appears on the logs, and is necessary for pipes,
2742 files, and autoreplies, which cannot be toplevel addresses. This fake was
2743 set up with the text "system filter". It's been changed to "system-filter"
2744 because the space in the previous text could cause trouble.
2746 13. The new option local_sender_retain suppresses the removal of Sender: header
2747 lines in locally-submited (non-TCP/IP) messages from untrusted users. It is
2748 required that no_local_from_check be set with local_sender_retain.
2750 14. In a file interpolated into an address list, if a local part contained a
2751 # character and there was also a following comment (introduced by a #
2752 preceded by white space), the comment was not recognized.
2754 15. Local part lists are now handled as address lists as far as recognition of
2755 comments in interpolated files and the processing of +caseful at the top
2756 level are concerned. In the local_parts option of a router, +caseful will
2757 restore case-sensitive matching, even when the router does not have
2758 caseful_local_part set (the default).
2760 16. The key used for a dsearch lookup may not contain '/'. If it does, the
2763 17. When starting a delivery process after receiving a message locally, discard
2764 the controlling terminal unless debugging is turned on.
2766 18. The exim group was automatically trusted; this was not correct because it
2767 meant that admin users who were in the exim group were automatically
2768 trusted. If you want the exim group to be trusted, it must now be
2769 explicitly configured.
2771 19. The default configuration mentioned "dns_lists" instead of "dnslists" in a
2774 20. Minor corrections and changes to the Exim4.upgrade document and to the
2775 OptionLists.txt document.
2777 21. If a local part beginning with a pipe symbol was routed to a pipe
2778 transport, the transport got confused as to which command it should run.
2779 This could be a security exposure if unchecked local parts are routed to
2782 22. When logging SMTP connections to the daemon from other hosts, include the
2783 connection count in the log line. Tidied up the identification of SMTP
2784 sources in logging lines.
2786 23. Added "sender_domains" as a new ACL condition so that the Exim 3 setting
2787 of sender_verify_callback_domains can easily be replicated. Corrected
2788 convert4r4, which was incorrectly converting this to a "domains" setting.
2790 24. The code for reading ident values was not discarding leading spaces, which
2791 some hosts seem to send.
2793 25. The building process was still insisting that PID_FILE_PATH contained %s,
2794 but this is not required for Exim 4.
2796 26. The logging of ETRN commands had got lost. It has been restored, and the
2797 log selector "etrn" (on by default) added to control it.
2799 27. IPv6 reverse DNS lookups were originally specified as happening in the
2800 ip6.int domain, but this is being changed to ip6.arpa (and they've changed
2801 the meaning of "arpa" to "Address and Routing Parameters Area"). The only
2802 time Exim does reverse lookups directly (as opposed to calling
2803 gethostbyaddress()) is in the code for the dnsdb lookup type. This has been
2804 changed to use ip6.arpa.
2806 28. Made the test programs (test_dbfn for testing DBM files, and some others)
2807 compile! Updated the help output from test_dbfn.
2809 29. Changed all occurrences of "r" and "w" in fopen() fdopen() calls to "rb"
2810 and "wb". This makes no difference in Unix systems, but is apparently
2811 necessary for running Exim under Cygwin.
2813 30. Three changes that make virtually no difference when Exim is run on a real
2814 Unix system, but which were asked for to make life easier when porting it
2815 to run under Cygwin:
2817 (a) Changed the logic for locking a message when an Exim process is
2818 handling it. Previously, the entire -D file was locked to indicate
2819 this. Now Exim locks only the first line, which contains the name of
2820 the file. Apparently, in the Cygwin environment, a subprocess cannot
2821 read locked parts of a file, even when it is passed an open file
2822 descriptor to that file from the process that did the locking. By
2823 locking only the first line, which the subprocess does not want to read
2824 (it just needs to read the data that follows), we can get round this
2825 restriction with minimal effort.
2827 (b) Added support for native gdbm function calls. GDBM is apparently the
2828 only DBM library that is currently available Cygwin, and only with its
2831 (c) The default modes for files, directories, and lock files in the
2832 appendfile transport can now be set in Local/Makefile at build time.
2834 31. When transmitting a message using SMTP with PIPELINING, if the server gave
2835 a malformed SMTP response, the message logged by Exim didn't associate it
2836 with the pipelined SMTP command to which it referred. For example it logged
2837 "after DATA" if all the recipients had been sent. Also, if the response
2838 was an empty line (illegal), it didn't show up very clearly. The error
2839 messages are now more accurate, and point out empty lines.
2841 32. Minor corrections and changes to src/configure.default.
2843 33. When a host list in a route_list item that was enclosed in double quotes
2844 contained single quotes within it, the quoting was incorrectly terminated.
2845 Both the pattern and the host list in route_list items are now handled by
2846 the standard quote-processing function.
2848 34. Corrected the EDITME file for eximon so that the default stripchart
2849 patterns work with the default runtime configuration for local deliveries.
2850 (Previously it matched a delivery via a director - not possible in Exim 4.)
2856 Exim 3.951 is the first alpha testing release for Exim 4. A list the many
2857 individual changes to the code made between Exim 3.33 and Exim 3.951 was not
2858 kept. The functional changes are listed in the Exim4.upgrade file.