X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/3375e053c40dacf62a7eac02d52438a43398c053..e94526c53d4b81b4040ba60a0341684697af17e4:/src/README.UPDATING diff --git a/src/README.UPDATING b/src/README.UPDATING index e685b8ec3..8cb59e91e 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -26,11 +26,53 @@ The rest of this document contains information about changes in 4.xx releases that might affect a running system. +Exim version 4.88 +----------------- + + * The "demime" ACL condition, deprecated for the past 10 years, has + now been removed. + + * Old GnuTLS configuration options "gnutls_require_kx", "gnutls_require_mac", + and "gnutls_require_protocols" have now been removed. (Inoperative from + 4.80, per below; logging warnings since 4.83, again per below). + + +Exim version 4.83 +----------------- + + * SPF condition results renamed "permerror" and "temperror". The old + names are still accepted for back-compatability, for this release. + + * TLS details are now logged on rejects, subject to log selectors. + + * Items in headers_remove lists must now have any embedded list-separators + doubled. + + * Attempted use of the deprecated options "gnutls_require_kx" et. al. + now result in logged warning. + + +Exim version 4.82 +----------------- + + * New option gnutls_allow_auto_pkcs11 defaults false; if you have GnuTLS 2.12.0 + or later and do want PKCS11 modules to be autoloaded, then set this option. + + * A per-transport wait- database is no longer updated if the transport + sets "connection_max_messages" to 1, as it can not be used and causes + unnecessary serialisation and load. External tools tracking the state of + Exim by the hints databases may need modification to take this into account. + + * The av_scanner option can now accept multiple clamd TCP targets, all other + setting limitations remain. + + Exim version 4.80 ----------------- * BEWARE backwards-incompatible changes in SSL libraries, thus the version bump. See points below for details. + Also an LDAP data returned format change. * The value of $tls_peerdn is now print-escaped when written to the spool file in a -tls_peerdn line, and unescaped when read back in. We received reports @@ -42,6 +84,12 @@ Exim version 4.80 the message. No tool has been provided as we believe this is a rare occurence. + * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support + SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no + actual usage. You can re-enable with the "openssl_options" Exim option, + in the main configuration section. Note that supporting SSLv2 exposes + you to ciphersuite downgrade attacks. + * With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built against 1.0.1a then you will get a warning message and the "openssl_options" value will not parse "no_tlsv1_1": the value changes @@ -51,8 +99,9 @@ Exim version 4.80 "openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression". COMPATIBILITY WARNING: The default value of "openssl_options" is no longer - "+dont_insert_empty_fragments". We default to unset. That old default was - grandfathered in from before openssl_options became a configuration option. + "+dont_insert_empty_fragments". We default to "+no_sslv2". + That old default was grandfathered in from before openssl_options became a + configuration option. Empty fragments are inserted by default through TLS1.0, to partially defend against certain attacks; TLS1.1+ change the protocol so that this is not needed. The DIEF SSL option was required for some old releases of mail @@ -77,6 +126,12 @@ Exim version 4.80 attribute as a comma-separated list. Note the distinction from multiple attributes being returned, where each one is a name=value pair. + If you are currently splitting the results from LDAP upon a comma, then you + should check carefully to see if adjustments are needed. + + This change lets cautious folks distinguish "comma used as separator for + joining values" from "comma inside the data". + * accept_8bitmime now defaults on, which is not RFC compliant but is better suited to today's Internet. See http://cr.yp.to/smtp/8bitmime.html for a sane rationale. Those who wish to be strictly RFC compliant, or know that @@ -98,7 +153,7 @@ Exim version 4.80 is instead given to gnutls_priority_init(3), which expects a priority string; this behaviour is much closer to the OpenSSL behaviour. See: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html for fuller documentation of the strings parsed. The three gnutls_require_* options are still parsed by Exim and, for this release, silently ignored. @@ -135,6 +190,21 @@ Exim version 4.80 fail completely. (The check is not done as root, to ensure that problems here are not made worse by the check). + * The "tls_dhparam" option has been updated, so that it can now specify a + path or an identifier for a standard DH prime from one of a few RFCs. + The default for OpenSSL is no longer to not use DH but instead to use + one of these standard primes. The default for GnuTLS is no longer to use + a file in the spool directory, but to use that same standard prime. + The option is now used by GnuTLS too. If it points to a path, then + GnuTLS will use that path, instead of a file in the spool directory; + GnuTLS will attempt to create it if it does not exist. + + To preserve the previous behaviour of generating files in the spool + directory, set "tls_dhparam = historic". Since prior releases of Exim + ignored tls_dhparam when using GnuTLS, this can safely be done before + the upgrade. + + Exim version 4.77 -----------------