X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/525239c16e35d7bf893e0e2232f4c4c4a7c75447..02f4d3acbd24be25e7e2ae7ef546a2e17013e773:/doc/doc-txt/NewStuff?ds=sidebyside diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 3c5c4913b..c7889223f 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -3,10 +3,343 @@ New Features in Exim This file contains descriptions of new features that have been added to Exim. Before a formal release, there may be quite a lot of detail so that people can -test from the snapshots or the CVS before the documentation is updated. Once +test from the snapshots or the Git before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. -Version 4.81 +Version 4.91 +-------------- + + 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS + version 3.5.6 or later. + + 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and + OpenSSL versions are moved to mainline support from Experimental. + New SMTP transport option "dane_require_tls_ciphers". + + 3. Feature macros for the compiled-in set of malware scanner interfaces. + + 4. SPF support is promoted from Experimental to mainline status. The template + src/EDITME makefile does not enable its inclusion. + + 5. Logging control for DKIM verification. The existing DKIM log line is + controlled by a "dkim_verbose" selector which is _not_ enabled by default. + A new tag "DKIM=" is added to <= lines by default, controlled by + a "dkim" log_selector. + + 6. Receive duration on <= lines, under a new log_selector "receive_time". + + 7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on + routing rules in the manualroute router. + + 8. Expansion item ${sha3:} / ${sha3_:} now also supported + under OpenSSL version 1.1.1 or later. + + 9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under + GnuTLS 3.6.0 or OpenSSL 1.1.1 or later. + +10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library + version dependent. + +11. "exim -bP macro " returns caller-usable status. + +12. Expansion item ${authresults {}} for creating an + Authentication-Results: header. + +13. EXPERIMENTAL_ARC. See the experimental.spec file. + See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC. + +14: A dane:fail event, intended to facilitate reporting. + +15. "Lightweight" support for Redis Cluster. Requires redis_servers list to + contain all the servers in the cluster, all of which must be reachable from + the running exim instance. If the cluster has master/slave replication, the + list must contain all the master and slave servers. + +16. Add an option to the Avast scanner interface: "pass_unscanned". This + allows to treat unscanned files as clean. Files may be unscanned for + several reasons: decompression bombs, broken archives. + + +Version 4.90 +------------ + + 1. PKG_CONFIG_PATH can now be set in Local/Makefile; + wildcards will be expanded, values are collapsed. + + 2. The ${readsocket } expansion now takes an option to not shutdown the + connection after sending the query string. The default remains to do so. + + 3. An smtp transport option "hosts_noproxy_tls" to control whether multiple + deliveries on a single TCP connection can maintain a TLS connection + open. By default disabled for all hosts, doing so saves the cost of + making new TLS sessions, at the cost of having to proxy the data via + another process. Logging is also affected. + + 4. A malware connection type for the FPSCAND protocol. + + 5. An option for recipient verify callouts to hold the connection open for + further recipients and for delivery. + + 6. The reproducible build $SOURCE_DATE_EPOCH environment variable is now + supported. + + 7. Optionally, an alternate format for spool data-files which matches the + wire format - meaning more efficient reception and transmission (at the + cost of difficulty with standard Unix tools). Only used for messages + received using the ESMTP CHUNKING option, and when a new main-section + option "spool_wireformat" (false by default) is set. + + 8. New main configuration option "commandline_checks_require_admin" to + restrict who can use various introspection options. + + 9. New option modifier "no_check" for quota and quota_filecount + appendfile transport. + +10. Variable $smtp_command_history returning a comma-sep list of recent + SMTP commands. + +11. Millisecond timetamps in logs, on log_selector "millisec". Also affects + log elements QT, DT and D, and timstamps in debug output. + +12. TCP Fast Open logging. As a server, logs when the SMTP banner was sent + while still in SYN_RECV state; as a client logs when the connection + is opened with a TFO cookie. + +13. DKIM support for multiple signing, by domain and/or key-selector. + DKIM support for multiple hashes, and for alternate-identity tags. + Builtin macro with default list of signed headers. + Better syntax for specifying oversigning. + The DKIM ACL can override verification status, and status is visible in + the data ACL. + +14. Exipick understands -C|--config for an alternative Exim + configuration file. + +15. TCP Fast Open used, with data-on-SYN, for client SMTP via SOCKS5 proxy, + for ${readsocket } expansions, and for ClamAV. + +16. The "-be" expansion test mode now supports macros. Macros are expanded + in test lines, and new macros can be defined. + +17. Support for server-side dual-certificate-stacks (eg. RSA + ECDSA). + + +Version 4.89 +------------ + + 1. Allow relative config file names for ".include" + + 2. A main-section config option "debug_store" to control the checks on + variable locations during store-reset. Normally false but can be enabled + when a memory corrution issue is suspected on a production system. + + +Version 4.88 +------------ + + 1. The new perl_taintmode option allows to run the embedded perl + interpreter in taint mode. + + 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines. + + 3. Speculative debugging, via a "kill" option to the "control=debug" ACL + modifier. + + 4. New expansion item ${sha3:} / ${sha3_:}. + N can be 224, 256 (default), 384, 512. + With GnuTLS 3.5.0 or later, only. + + 5. Facility for named queues: A command-line argument can specify + the queue name for a queue operation, and an ACL modifier can set + the queue to be used for a message. A $queue_name variable gives + visibility. + + 6. New expansion operators base32/base32d. + + 7. The CHUNKING ESMTP extension from RFC 3030. May give some slight + performance increase and network load decrease. Main config option + chunking_advertise_hosts, and smtp transport option hosts_try_chunking + for control. + + 8. LMDB lookup support, as Experimental. Patch supplied by Andrew Colin Kissa. + + 9. Expansion operator escape8bit, like escape but not touching newline etc.. + +10. Feature macros, generated from compile options. All start with "_HAVE_" + and go on with some roughly recognisable name. Driver macros, for + router, transport and authentication drivers; names starting with "_DRIVER_". + Option macros, for each configuration-file option; all start with "_OPT_". + Use the "-bP macros" command-line option to see what is present. + +11. Integer values for options can take a "G" multiplier. + +12. defer=pass option for the ACL control cutthrough_delivery, to reflect 4xx + returns from the target back to the initiator, rather than spooling the + message. + +13. New built-in constants available for tls_dhparam and default changed. + +14. If built with EXPERIMENTAL_QUEUEFILE, a queuefile transport, for writing + out copies of the message spool files for use by 3rd-party scanners. + +15. A new option on the smtp transport, hosts_try_fastopen. If the system + supports it (on Linux it must be enabled in the kernel by the sysadmin) + try to use RFC 7413 "TCP Fast Open". No data is sent on the SYN segment + but it permits a peer that also supports the facility to send its SMTP + banner immediately after the SYN,ACK segment rather then waiting for + another ACK - so saving up to one roundtrip time. Because it requires + previous communication with the peer (we save a cookie from it) this + will only become active on frequently-contacted destinations. + +16. A new syslog_pid option to suppress PID duplication in syslog lines. + + +Version 4.87 +------------ + + 1. The ACL conditions regex and mime_regex now capture substrings + into numeric variables $regex1 to 9, like the "match" expansion condition. + + 2. New $callout_address variable records the address used for a spam=, + malware= or verify= callout. + + 3. Transports now take a "max_parallel" option, to limit concurrency. + + 4. Expansion operators ${ipv6norm:} and ${ipv6denorm:}. + The latter expands to a 8-element colon-sep set of hex digits including + leading zeroes. A trailing ipv4-style dotted-decimal set is converted + to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6. + The former operator strips leading zeroes and collapses the longest + set of 0-groups to a double-colon. + + 5. New "-bP config" support, to dump the effective configuration. + + 6. New $dkim_key_length variable. + + 7. New base64d and base64 expansion items (the existing str2b64 being a + synonym of the latter). Add support in base64 for certificates. + + 8. New main configuration option "bounce_return_linesize_limit" to + avoid oversize bodies in bounces. The default value matches RFC + limits. + + 9. New $initial_cwd expansion variable. + + +Version 4.86 +------------ + + 1. Support for using the system standard CA bundle. + + 2. New expansion items $config_file, $config_dir, containing the file + and directory name of the main configuration file. Also $exim_version. + + 3. New "malware=" support for Avast. + + 4. New "spam=" variant option for Rspamd. + + 5. Assorted options on malware= and spam= scanners. + + 6. A command-line option to write a comment into the logfile. + + 7. If built with EXPERIMENTAL_SOCKS feature enabled, the smtp transport can + be configured to make connections via socks5 proxies. + + 8. If built with EXPERIMENTAL_INTERNATIONAL, support is included for + the transmission of UTF-8 envelope addresses. + + 9. If built with EXPERIMENTAL_INTERNATIONAL, an expansion item for a commonly + used encoding of Maildir folder names. + +10. A logging option for slow DNS lookups. + +11. New ${env {}} expansion. + +12. A non-SMTP authenticator using information from TLS client certificates. + +13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS. + Patch originally by Wolfgang Breyha. + +14. Main option "dns_trust_aa" for trusting your local nameserver at the + same level as DNSSEC. + + +Version 4.85 +------------ + + 1. If built with EXPERIMENTAL_DANE feature enabled, Exim will follow the + DANE SMTP draft to assess a secure chain of trust of the certificate + used to establish the TLS connection based on a TLSA record in the + domain of the sender. + + 2. The EXPERIMENTAL_TPDA feature has been renamed to EXPERIMENTAL_EVENT + and several new events have been created. The reason is because it has + been expanded beyond just firing events during the transport phase. Any + existing TPDA transport options will have to be rewritten to use a new + $event_name expansion variable in a condition. Refer to the + experimental-spec.txt for details and examples. + + 3. The EXPERIMENTAL_CERTNAMES features is an enhancement to verify that + server certs used for TLS match the result of the MX lookup. It does + not use the same mechanism as DANE. + + +Version 4.84 +------------ + + +Version 4.83 +------------ + + 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be + configured to expect an initial header from a proxy that will make the + actual external source IP:host be used in exim instead of the IP of the + proxy that is connecting to it. + + 2. New verify option header_names_ascii, which will check to make sure + there are no non-ASCII characters in header names. Exim itself handles + those non-ASCII characters, but downstream apps may not, so Exim can + detect and reject if those characters are present. + + 3. New expansion operator ${utf8clean:string} to replace malformed UTF8 + codepoints with valid ones. + + 4. New malware type "sock". Talks over a Unix or TCP socket, sending one + command line and matching a regex against the return data for trigger + and a second regex to extract malware_name. The mail spoolfile name can + be included in the command line. + + 5. The smtp transport now supports options "tls_verify_hosts" and + "tls_try_verify_hosts". If either is set the certificate verification + is split from the encryption operation. The default remains that a failed + verification cancels the encryption. + + 6. New SERVERS override of default ldap server list. In the ACLs, an ldap + lookup can now set a list of servers to use that is different from the + default list. + + 7. New command-line option -C for exiqgrep to specify alternate exim.conf + file when searching the queue. + + 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. + + 9. Support for DNSSEC on outbound connections. + +10. New variables "tls_(in,out)_(our,peer)cert" and expansion item + "certextract" to extract fields from them. Hash operators md5 and sha1 + work over them for generating fingerprints, and a new sha256 operator + for them added. + +11. PRDR is now supported dy default. + +12. OCSP stapling is now supported by default. + +13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output + Delivery Status Notification messages in MIME format, and negotiate + DSN features per RFC 3461. + + +Version 4.82 ------------ 1. New command-line option -bI:sieve will list all supported sieve extensions @@ -32,10 +365,11 @@ Version 4.81 Unless you really know what you are doing, leave it alone. 4. If not built with DISABLE_DNSSEC, Exim now has the main option - dns_use_dnssec; if set to 1 then Exim will initialise the resolver library + dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library to send the DO flag to your recursive resolver. If you have a recursive resolver, which can set the Authenticated Data (AD) flag in results, Exim - can now detect this. + can now detect this. Exim does not perform validation itself, instead + relying upon a trusted path to the resolver. Current status: work-in-progress; $sender_host_dnssec variable added. @@ -56,24 +390,24 @@ Version 4.81 ignored. 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" - ACL modifier; works for single-recipient mails which are recieved on and + ACL modifier; works for single-recipient mails which are received on and deliverable via SMTP. Using the connection made for a recipient verify, if requested before the verify, or a new one made for the purpose while the inbound connection is still active. The bulk of the mail item is copied direct from the inbound socket to the outbound (as well as the spool file). When the source notifies the end of data, the data acceptance by the destination - is negociated before the acceptance is sent to the source. If the destination + is negotiated before the acceptance is sent to the source. If the destination does not accept the mail item, for example due to content-scanning, the item is not accepted from the source and therefore there is no need to generate a bounce mail. This is of benefit when providing a secondary-MX service. The downside is that delays are under the control of the ultimate destination system not your own. - The Recieved-by: header on items delivered by cutthrough is generated + The Received-by: header on items delivered by cutthrough is generated early in reception rather than at the end; this will affect any timestamp included. The log line showing delivery is recorded before that showing reception; it uses a new ">>" tag instead of "=>". - + To support the feature, verify-callout connections can now use ESMTP and TLS. The usual smtp transport options are honoured, plus a (new, default everything) hosts_verify_avoid_tls. @@ -82,15 +416,90 @@ Version 4.81 for specific access to the information for each connection. The old names are present for now but deprecated. - Not yet supported: IGNOREQUOTA, SIZE, PIPELINING, AUTH. + Not yet supported: IGNOREQUOTA, SIZE, PIPELINING. 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. - 9. New expansion item ${acl {name}{arg}...} to call an ACL. The argument can - be accessed by the ACL in $acl_arg1 to $acl_arg9. $acl_narg will be the - number of arguments. The expansion result is set by a "message =" modifier - and an "accept" return from the ACL. + 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + + Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability, + so have also added a build option which can be used to build Exim with GnuTLS + but without trying to use any kind of PKCS11 support. Uncomment this in the + Local/Makefile: + + AVOID_GNUTLS_PKCS11=yes + +10. The "acl = name" condition on an ACL now supports optional arguments. + New expansion item "${acl {name}{arg}...}" and expansion condition + "acl {{name}{arg}...}" are added. In all cases up to nine arguments + can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL. + Variable $acl_narg contains the number of arguments. If the ACL sets + a "message =" value this becomes the result of the expansion item, + or the value of $value for the expansion condition. If the ACL returns + accept the expansion condition is true; if reject, false. A defer + return results in a forced fail. + +11. Routers and transports can now have multiple headers_add and headers_remove + option lines. The concatenated list is used. + +12. New ACL modifier "remove_header" can remove headers before message gets + handled by routers/transports. + +13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured), + "aaaa" and "a" lookups is done and the full set of results returned. + +14. New expansion variable $headers_added with content from ACL add_header + modifier (but not yet added to message). + +15. New 8bitmime status logging option for received messages. Log field "M8S". + +16. New authenticated_sender logging option, adding to log field "A". + +17. New expansion variables $router_name and $transport_name. Useful + particularly for debug_print as -bt command-line option does not + require privilege whereas -d does. + +18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a + proposed extension to SMTP from Eric Hall. + +19. The pipe transport has gained the force_command option, to allow + decorating commands from user .forward pipe aliases with prefix + wrappers, for instance. + +20. Callout connections can now AUTH; the same controls as normal delivery + connections apply. + +21. Support for DMARC, using opendmarc libs, can be enabled. It adds new + options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file. + It adds new expansion variables $dmarc_ar_header, $dmarc_status, + $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier + dmarc_status. It adds new control flags dmarc_disable_verify and + dmarc_enable_forensic. The default for the dmarc_tld_file option is + "/etc/exim/opendmarc.tlds" and can be changed via EDITME. + +22. Add expansion variable $authenticated_fail_id, which is the username + provided to the authentication method which failed. It is available + for use in subsequent ACL processing (typically quit or notquit ACLs). + +23. New ACL modifier "udpsend" can construct a UDP packet to send to a given + UDP host and port. + +24. New ${hexquote:..string..} expansion operator converts non-printable + characters in the string to \xNN form. + +25. Experimental TPDA (Transport Post Delivery Action) function added. + Patch provided by Axel Rau. + +26. Experimental Redis lookup added. Patch provided by Warren Baker. + Version 4.80 ------------ @@ -162,7 +571,7 @@ Version 4.80 gnutls_require_mac & gnutls_require_protocols are no longer supported. tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority string, documentation for which is at: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html SNI support has been added to Exim's GnuTLS integration too. @@ -338,13 +747,13 @@ Version 4.73 then henceforth you will have to maintain your own local patches to strip the safeties off. - 8. There is a new expansion operator, bool_lax{}. Where bool{} uses the ACL + 8. There is a new expansion condition, bool_lax{}. Where bool{} uses the ACL condition logic to determine truth/failure and will fail to expand many strings, bool_lax{} uses the router condition logic, where most strings do evaluate true. Note: bool{00} is false, bool_lax{00} is true. - 9. Routers now support multiple "condition" tests, + 9. Routers now support multiple "condition" tests. 10. There is now a runtime configuration option "tcp_wrappers_daemon_name". Setting this allows an admin to define which entry in the tcpwrappers