test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.95
+------------
+
+ 1. The fast-ramp two phase queue run support, previously experimental, is
+ now supported by default.
+
+ 2. The native SRS support, previously experimental, is now supported. It is
+ not built unless specified in the Local/Makefile.
+
+ 3. TLS resumption support, previously experimental, is now supported and
+ included in default builds.
+
+ 4. Single-key LMDB lookups, previously experimental, are now supported.
+ The support is not built unless specified in the Local/Makefile.
+
+ 5. Option "message_linelength_limit" on the smtp transport to enforce (by
+ default) the RFC 998 character limit.
+
+ 6. An option to ignore the cache on a lookup.
+
+ 7. Quota checking during reception (i.e. at SMTP time) for appendfile-
+ transport-managed quotas.
+
+ 8. Sqlite lookups accept a "file=<path>" option to specify a per-operation
+ db file, replacing the previous prefix to the SQL string (which had
+ issues when the SQL used tainted values).
+
+ 9. Lsearch lookups accept a "ret=full" option, to return both the portion
+ of the line matching the key, and the remainder.
+
+10. A command-line option to have a daemon not create a notifier socket.
+
+11. Faster TLS startup. When various configuration options contain no
+ expandable elements, the information can be preloaded and cached rather
+ than the provious behaviour of always loading at startup time for every
+ connection. This helps particularly for the CA bundle.
+
+12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout"
+ main config option.
+
+13. Option "smtp_accept_msx_per_connection" is now expanded.
+
+Version 4.94
+------------
+
+ 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec
+ file.
+
+ 2. Channel-binding for authenticators is now supported under OpenSSL.
+ Previously it was GnuTLS-only.
+
+ 3. A msg:defer event.
+
+ 4. Client-side support in the gsasl authenticator. Tested against the
+ plaintext driver for PLAIN; only against itself for SCRAM-SHA-1 and
+ SCRAM-SHA-1-PLUS methods.
+
+ 5. Server-side support in the gsasl authenticator for encrypted passwords, as
+ an alternate for the existing plaintext.
+
+ 6. Variable $local_part_data now also set by router check_local_user option,
+ with an de-tainted version of $local_part.
+
+ 7. Named-list definitions can now be prefixed "hide" so that "-bP" commands do
+ not output the content. Previously this could only be done on options.
+
+ 8. As an experimental feature, the dovecot authentication driver supports inet
+ sockets. Previously it was unix-domain sockets only.
+
+ 9. The ACL control "queue_only" can also be spelled "queue", and now takes an
+ option "first_pass_route" to do the same as a "-odqs" on the command line.
+
+10. Items specified for the router and transport headers_remove option can use
+ a trailing asterisk to specify globbing.
+
+11. New $queue_size variable.
+
+12. New variables $local_part_{pre,suf}fix_v.
+
+13. New main option "sqlite_dbfile", for use in preference to prefixing the
+ lookup string. The older method fails when tainted variables are used
+ in the lookup, as the filename becomes tainted. The new method keeps the
+ filename separate.
+
+14. Options on the dsearch lookup, to return the full path and to filter
+ filetypes for matching.
+
+15. Options on pgsql and mysql lookups, to specify server separate from the
+ lookup string.
+
+16. An option on all single-key lookups, to return (on a hit) a de-tainted
+ version of the lookup key rather than the looked-up data.
+
+17. $domain_data and $local_part_data are now set by all list-match successes.
+ Previously only list items that performed lookups did so.
+ Also, matching list items that are tail-match or RE-match now set the
+ numeric variables $0 (etc) in the same way os other RE matches.
+
+18. Expansion item ${listquote {<char} {<item>}}.
+
+19. An option for the ${readsocket {}{}{}} expansion to make the result data
+ cacheable.
+
+20. dkim_verify_min_keysizes, a list of minimum acceptable public-key sizes.
+
+21. bounce_message_file and warn_message_file are now expanded before use.
+
+22. New main config option spf_smtp_comment_template to customise the
+ $spf_smtp_comment variable
+
+
+
Version 4.93
------------
3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names
for ciphersuites.
+ 4. Log_selectors "msg_id" (on by default) and "msg_id_created".
+
+ 5. A case_insensitive option for verify=not_blind.
+
+ 6. EXPERIMENTAL_TLS_RESUME optional build feature. See the experimental.spec
+ file.
+
+ 7. A main option exim_version to override the version Exim
+ reports in verious places ($exim_version, $version_number).
+
+ 8. Expansion operator ${sha2_N:} for N=256, 384, 512.
+
+ 9. Router variables, $r_... settable from router options and usable in routers
+ and transports.
+
+10. The spf lookup now supports IPv6.
+
+11. Main options for DKIM verify to filter hash and key types.
+
+12. With TLS1.3, support for full-chain OCSP stapling.
+
+13. Dual-certificate stacks on servers now support OCSP stapling, under OpenSSL.
+
+14: An smtp:ehlo transport event, for observability of the remote offered features.
+
+15: Support under OpenSSL for writing NSS-style key files for packet-capture
+ decode. The environment variable SSLKEYLOGFILE is used; if an absolute path
+ it must indicate a file under the spool directory; if relative the the spool
+ directory is prepended. Works on the server side only. Support under
+ GnuTLS was already there, being done purely by the library (server side
+ only, and exim must be run as root).
+
+16: Command-line option to move messages from one named queue to another.
+
+17. Variables $tls_in_ver, $tls_out_ver.
+
+
Version 4.92
--------------
2. A main-section config option "debug_store" to control the checks on
variable locations during store-reset. Normally false but can be enabled
- when a memory corrution issue is suspected on a production system.
+ when a memory corruption issue is suspected on a production system.
Version 4.88
14. Main option "dns_trust_aa" for trusting your local nameserver at the
same level as DNSSEC.
-
Version 4.85
------------