-$Cambridge: exim/doc/doc-txt/Exim4.upgrade,v 1.1 2004/10/07 15:04:35 ph10 Exp $
-
Upgrading Exim from Release 3.33 to 4.xx
----------------------------------------
. The way that require_files works has been changed. Each item in the list is
now separately expanded as the test proceeds. The use of leading ! and +
characters is unchanged. However, user and group checking is done differently.
- Previously, seteuid() was used, but seteuid() is no longer used in Exim (see
- "Security" below). Instead, Exim now scans along the components of the file
- path and checks the access for the given uid and gid. It expects "x" access
- on directories and "r" on the final file. This means that file access control
- lists (on those operating systems that have them) are ignored.
+ Previously, seteuid() was used, but seteuid() is no longer used (see
+ "Security" below) for checking the files required by this option. Instead,
+ Exim now scans along the components of the file path and checks the access
+ for the given uid and gid. It expects "x" access on directories and "r" on
+ the final file. This means that file access control lists (on those
+ operating systems that have them) are ignored.
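Review bot: In the reworded sentence, the parenthetical (see "Security" below) sits between "no longer used" and "for checking the files required by this option", so it reads as backing an unqualified "no longer used". The Security section changed in this same patch says seteuid() has been re-introduced for the hints database files. Put the qualifier first: "seteuid() is no longer used for checking the files required by this option (see "Security" below)". While this paragraph is being touched, it may also be worth saying outright that, because ACLs are ignored, the result of the path scan can differ from the access the operating system would actually grant to that uid and gid.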
Other Consequences of the Director/Router Merge
. The authenticate_hosts option has been renamed as hosts_try_auth. A new
option called hosts_require_auth has been added; if authentication fails for
one of these hosts, Exim does _not_ try to send unauthenticated. It defers
- instead. The deferal error is detectable in the retry rules, so this can be
+ instead. The deferral error is detectable in the retry rules, so this can be
turned into a hard failure if required.
controlled by ACLs.
. The auth_always_advertise option has been abolished because it depended on
- auth_hosts and and host_auth_accept_relay, both of which are no more. In its
+ auth_hosts and host_auth_accept_relay, both of which are no more. In its
place there is a new option called auth_advertise_hosts, whose default value
is *, meaning "advertise AUTH to all".
The logging options that have been abolished are: log_all_parents,
log_arguments, log_incoming_port, log_interface, log_ip_options,
-log_level, log_queue_run_level, log_received_sender, log_received_rceipients,
+log_level, log_queue_run_level, log_received_sender, log_received_recipients,
log_rewrites, log_sender_on_delivery, log_smtp_confirmation,
log_smtp_connections, log_smtp_syntax_errors, log_subject, tls_log_cipher,
tls_log_peerdn.
. There's a new expansion feature for running commands:
- ${run{comand args}{yes}{no}}
+ ${run{command args}{yes}{no}}
Like all the other conditional items, the {yes} and {no} strings are
optional. Omitting both is equivalent to {$value}. The standard output of the
--------
Exim 3 could be run in a variety of ways as far as security was concerned. This
-has all been simplified in Exim 4. The security-conscious might like to know
-that it no longer makes any use of the seteuid() function.
+has all been simplified in Exim 4. Exim dropped the use of seteuid() in
+most places. But recent (2020-10/2021-04) vulnerabilities forced us to
+re-introduce seteuid() for opening the database files (hint files) as secure as
+possible. For future (>= 4.95) versions we work on a solution that
+does not need the seteuid call.
. A UID and GID are required to be specified when Exim is compiled. They can be
now specified by name as well as by number, so the relevant options are now
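Review bot: The added Security paragraph cites "recent (2020-10/2021-04) vulnerabilities" without naming an advisory or the release that re-introduced seteuid(), so a reader cannot tell which issues are meant or which versions make the call. Please reference the advisory identifiers or the release notes. Two wording fixes in the same lines: "as secure as possible" should be "as securely as possible", and "we work on a solution" should be "we are working on a solution". The phrase "For future (>= 4.95) versions" will also go stale in an upgrade note. Consider describing what the current release does and leaving the roadmap to the changelog.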