+Version 4.88
+------------
+
+ 1. The new perl_taintmode option allows to run the embedded perl
+ interpreter in taint mode.
+
+ 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines.
+
+ 3. Speculative debugging, via a "kill" option to the "control=debug" ACL
+ modifier.
+
+ 4. New expansion item ${sha3:<string>} / ${sha3_<N>:<string>}.
+ N can be 224, 256 (default), 384, 512.
+ With GnuTLS 3.5.0 or later, only.
+
+ 5. Facility for named queues: A commandline argument can specify
+ the queue name for a queue operation, and an ACL modifier can set
+ the queue to be used for a message. A $queue_name variable gives
+ visibility.
+
+ 6. New expansion operators base32/base32d.
+
+ 7. The CHUNKING ESMTP extension from RFC 3030. May give some slight
+ performance increase and network load decrease. Main config option
+ chunking_advertise_hosts, and smtp transport option hosts_try_chunking
+ for control.
+
+ 8. LMDB lookup support, as Experimental. Patch supplied by Andrew Colin Kissa.
+
+ 9. Expansion operator escape8bit, like escape but not touching newline etc..
+
+10. Feature macros, generated from compile options. All start with "_HAVE_"
+ and go on with some roughly recognisable name. Driver macros, for
+ router, transport and authentication drivers; names starting with "_DRVR_".
+ Option macros, for each configuration-file option; all start with "_OPT_".
+ Use the "-bP macros" command-line option to see what is present.
+
+11. Integer values for options can take a "G" multiplier.
+
+12. defer=pass option for the ACL control cutthrough_delivery, to reflect 4xx
+ returns from the target back to the initiator, rather than spooling the
+ message.
+
+
+Version 4.87
+------------
+
+ 1. The ACL conditions regex and mime_regex now capture substrings
+ into numeric variables $regex1 to 9, like the "match" expansion condition.
+
+ 2. New $callout_address variable records the address used for a spam=,
+ malware= or verify= callout.
+
+ 3. Transports now take a "max_parallel" option, to limit concurrency.
+
+ 4. Expansion operators ${ipv6norm:<string>} and ${ipv6denorm:<string>}.
+ The latter expands to a 8-element colon-sep set of hex digits including
+ leading zeroes. A trailing ipv4-style dotted-decimal set is converted
+ to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6.
+ The former operator strips leading zeroes and collapses the longest
+ set of 0-groups to a double-colon.
+
+ 5. New "-bP config" support, to dump the effective configuration.
+
+ 6. New $dkim_key_length variable.
+
+ 7. New base64d and base64 expansion items (the existing str2b64 being a
+ synonym of the latter). Add support in base64 for certificates.
+
+ 8. New main configuration option "bounce_return_linesize_limit" to
+ avoid oversize bodies in bounces. The dafault value matches RFC
+ limits.
+
+ 9. New $initial_cwd expansion variable.
+
+
+Version 4.86
+------------
+
+ 1. Support for using the system standard CA bundle.
+
+ 2. New expansion items $config_file, $config_dir, containing the file
+ and directory name of the main configuration file. Also $exim_version.
+
+ 3. New "malware=" support for Avast.
+
+ 4. New "spam=" variant option for Rspamd.
+
+ 5. Assorted options on malware= and spam= scanners.
+
+ 6. A commandline option to write a comment into the logfile.
+
+ 7. If built with EXPERIMENTAL_SOCKS feature enabled, the smtp transport can
+ be configured to make connections via socks5 proxies.
+
+ 8. If built with EXPERIMENTAL_INTERNATIONAL, support is included for
+ the transmission of UTF-8 envelope addresses.
+
+ 9. If built with EXPERIMENTAL_INTERNATIONAL, an expansion item for a commonly
+ used encoding of Maildir folder names.
+
+10. A logging option for slow DNS lookups.
+
+11. New ${env {<variable>}} expansion.
+
+12. A non-SMTP authenticator using information from TLS client certificates.
+
+13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS.
+ Patch originally by Wolfgang Breyha.
+
+14. Main option "dns_trust_aa" for trusting your local nameserver at the
+ same level as DNSSEC.
+
+
+Version 4.85
+------------
+
+ 1. If built with EXPERIMENTAL_DANE feature enabled, Exim will follow the
+ DANE smtp draft to assess a secure chain of trust of the certificate
+ used to establish the TLS connection based on a TLSA record in the
+ domain of the sender.
+
+ 2. The EXPERIMENTAL_TPDA feature has been renamed to EXPERIMENTAL_EVENT
+ and several new events have been created. The reason is because it has
+ been expanded beyond just firing events during the transport phase. Any
+ existing TPDA transport options will have to be rewritten to use a new
+ $event_name expansion variable in a condition. Refer to the
+ experimental-spec.txt for details and examples.
+
+ 3. The EXPERIMENTAL_CERTNAMES features is an enhancement to verify that
+ server certs used for TLS match the result of the MX lookup. It does
+ not use the same mechanism as DANE.
+
+
+Version 4.84
+------------
+
+
+Version 4.83
+------------
+
+ 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be
+ configured to expect an initial header from a proxy that will make the
+ actual external source IP:host be used in exim instead of the IP of the
+ proxy that is connecting to it.
+
+ 2. New verify option header_names_ascii, which will check to make sure
+ there are no non-ASCII characters in header names. Exim itself handles
+ those non-ASCII characters, but downstream apps may not, so Exim can
+ detect and reject if those characters are present.
+
+ 3. New expansion operator ${utf8clean:string} to replace malformed UTF8
+ codepoints with valid ones.
+
+ 4. New malware type "sock". Talks over a Unix or TCP socket, sending one
+ command line and matching a regex against the return data for trigger
+ and a second regex to extract malware_name. The mail spoolfile name can
+ be included in the command line.
+
+ 5. The smtp transport now supports options "tls_verify_hosts" and
+ "tls_try_verify_hosts". If either is set the certificate verification
+ is split from the encryption operation. The default remains that a failed
+ verification cancels the encryption.
+
+ 6. New SERVERS override of default ldap server list. In the ACLs, an ldap
+ lookup can now set a list of servers to use that is different from the
+ default list.
+
+ 7. New command-line option -C for exiqgrep to specify alternate exim.conf
+ file when searching the queue.
+
+ 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that.
+
+ 9. Support for DNSSEC on outbound connections.
+
+10. New variables "tls_(in,out)_(our,peer)cert" and expansion item
+ "certextract" to extract fields from them. Hash operators md5 and sha1
+ work over them for generating fingerprints, and a new sha256 operator
+ for them added.
+
+11. PRDR is now supported dy default.
+
+12. OCSP stapling is now supported by default.
+
+13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output
+ Delivery Status Notification messages in MIME format, and negociate
+ DSN features per RFC 3461.
+
+
+Version 4.82