X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d52120f2b5b5464091a61a47fe881a6e8f6ec09f..fa1fce6bfaeba9f94c90d279bb8f66f5b38db349:/doc/doc-txt/NewStuff diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index f61b1f7a3..3a3ad5de5 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.153 2007/06/26 09:23:34 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.176 2010/06/14 18:51:10 pdp Exp $ New Features in Exim -------------------- @@ -8,6 +8,202 @@ Before a formal release, there may be quite a lot of detail so that people can test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. + +Version 4.74 +------------ + + 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) + the flaw permitted the Exim run-time user to cause root to append to + arbitrary files of the attacker's choosing, with the content based + on content supplied by the attacker. + + 2. Exim now supports loading some lookup types at run-time, using your + platform's dlopen() functionality. This has limited platform support + and the intention is not to support every variant, it's limited to + dlopen(). This permits the main Exim binary to not be linked against + all the libraries needed for all the lookup types. + + +Version 4.73 +------------ + + NOTE: this version is not guaranteed backwards-compatible, please read the + items below carefully + + 1. A new main configuration option, "openssl_options", is available if Exim + is built with SSL support provided by OpenSSL. The option allows + administrators to specify OpenSSL options to be used on connections; + typically this is to set bug compatibility features which the OpenSSL + developers have not enabled by default. There may be security + consequences for certain options, so these should not be changed + frivolously. + + 2. A new pipe transport option, "permit_coredumps", may help with problem + diagnosis in some scenarios. Note that Exim is typically installed as + a setuid binary, which on most OSes will inhibit coredumps by default, + so that safety mechanism would have to be overriden for this option to + be able to take effect. + + 3. ClamAV 0.95 is now required for ClamAV support in Exim, unless + Local/Makefile sets: WITH_OLD_CLAMAV_STREAM=yes + Note that this switches Exim to use a new API ("INSTREAM") and a future + release of ClamAV will remove support for the old API ("STREAM"). + + The av_scanner option, when set to "clamd", now takes an optional third + part, "local", which causes Exim to pass a filename to ClamAV instead of + the file content. This is the same behaviour as when clamd is pointed at + a Unix-domain socket. For example: + + av_scanner = clamd:192.0.2.3 1234:local + + ClamAV's ExtendedDetectionInfo response format is now handled. + + 4. There is now a -bmalware option, restricted to admin users. This option + takes one parameter, a filename, and scans that file with Exim's + malware-scanning framework. This is intended purely as a debugging aid + to ensure that Exim's scanning is working, not to replace other tools. + Note that the ACL framework is not invoked, so if av_scanner references + ACL variables without a fallback then this will fail. + + 5. There is a new expansion operator, "reverse_ip", which will reverse IP + addresses; IPv4 into dotted quad, IPv6 into dotted nibble. Examples: + + ${reverse_ip:192.0.2.4} + -> 4.2.0.192 + ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3} + -> 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2 + + 6. There is a new ACL control called "debug", to enable debug logging. + This allows selective logging of certain incoming transactions within + production environments, with some care. It takes two options, "tag" + and "opts"; "tag" is included in the filename of the log and "opts" + is used as per the -d command-line option. Examples, which + don't all make sense in all contexts: + + control = debug + control = debug/tag=.$sender_host_address + control = debug/opts=+expand+acl + control = debug/tag=.$message_exim_id/opts=+expand + + 7. It has always been implicit in the design and the documentation that + "the Exim user" is not root. src/EDITME said that using root was + "very strongly discouraged". This is not enough to keep people from + shooting themselves in the foot in days when many don't configure Exim + themselves but via package build managers. The security consequences of + running various bits of network code are severe if there should be bugs in + them. As such, the Exim user may no longer be root. If configured + statically, Exim will refuse to build. If configured as ref:user then Exim + will exit shortly after start-up. If you must shoot yourself in the foot, + then henceforth you will have to maintain your own local patches to strip + the safeties off. + + 8. There is a new expansion operator, bool_lax{}. Where bool{} uses the ACL + condition logic to determine truth/failure and will fail to expand many + strings, bool_lax{} uses the router condition logic, where most strings + do evaluate true. + Note: bool{00} is false, bool_lax{00} is true. + + 9. Routers now support multiple "condition" tests, + +10. There is now a runtime configuration option "tcp_wrappers_daemon_name". + Setting this allows an admin to define which entry in the tcpwrappers + config file will be used to control access to the daemon. This option + is only available when Exim is built with USE_TCP_WRAPPERS. The + default value is set at build time using the TCP_WRAPPERS_DAEMON_NAME + build option. + +11. [POSSIBLE CONFIG BREAKAGE] The default value for system_filter_user is now + the Exim run-time user, instead of root. + +12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and + is forced on. This is mitigated by the new build option + TRUSTED_CONFIG_LIST which defines a list of configuration files which + are trusted; one per line. If a config file is owned by root and matches + a pathname in the list, then it may be invoked by the Exim build-time + user without Exim relinquishing root privileges. + +13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically + trusted to supply -D overrides on the command-line. Going + forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that + include the main config. As a transition mechanism, we are temporarily + providing a work-around: the new build option WHITELIST_D_MACROS provides + a colon-separated list of macro names which may be overriden by the Exim + run-time user. The values of these macros are constrained to the regex + ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values). + + +Version 4.72 +------------ + + 1. TWO SECURITY FIXES: one relating to mail-spools which are globally + writable, the other to locking of MBX folders (not mbox). + + 2. MySQL stored procedures are now supported. + + 3. The dkim_domain transport option is now a list, not a single string, and + messages will be signed for each element in the list (discarding + duplicates). + + 4. The 4.70 release unexpectedly changed the behaviour of dnsdb TXT lookups + in the presence of multiple character strings within the RR. Prior to 4.70, + only the first string would be returned. The dnsdb lookup now, by default, + preserves the pre-4.70 semantics, but also now takes an extended output + separator specification. The separator can be followed by a semicolon, to + concatenate the individual text strings together with no join character, + or by a comma and a second separator character, in which case the text + strings within a TXT record are joined on that second character. + Administrators are reminded that DNS provides no ordering guarantees + between multiple records in an RRset. For example: + + foo.example. IN TXT "a" "b" "c" + foo.example. IN TXT "d" "e" "f" + + ${lookup dnsdb{>/ txt=foo.example}} -> "a/d" + ${lookup dnsdb{>/; txt=foo.example}} -> "def/abc" + ${lookup dnsdb{>/,+ txt=foo.example}} -> "a+b+c/d+e+f" + + +Version 4.70 / 4.71 +------------------- + + 1. Native DKIM support without an external library. + (Note that if no action to prevent it is taken, a straight upgrade will + result in DKIM verification of all signed incoming emails. See spec + for details on conditionally disabling) + + 2. Experimental DCC support via dccifd (contributed by Wolfgang Breyha). + + 3. There is now a bool{} expansion condition which maps certain strings to + true/false condition values (most likely of use in conjunction with the + and{} expansion operator). + + 4. The $spam_score, $spam_bar and $spam_report variables are now available + at delivery time. + + 5. exim -bP now supports "macros", "macro_list" or "macro MACRO_NAME" as + options, provided that Exim is invoked by an admin_user. + + 6. There is a new option gnutls_compat_mode, when linked against GnuTLS, + which increases compatibility with older clients at the cost of decreased + security. Don't set this unless you need to support such clients. + + 7. There is a new expansion operator, ${randint:...} which will produce a + "random" number less than the supplied integer. This randomness is + not guaranteed to be cryptographically strong, but depending upon how + Exim was built may be better than the most naive schemes. + + 8. Exim now explicitly ensures that SHA256 is available when linked against + OpenSSL. + + 9. The transport_filter_timeout option now applies to SMTP transports too. + + +Version 4.69 +------------ + + 1. Preliminary DKIM support in Experimental. + + Version 4.68 ------------ @@ -82,6 +278,80 @@ Version 4.68 +ignore_unknown and +include_unknown. These options should be used with care, probably only in non-critical host lists such as whitelists. + 8. There's a new option called queue_only_load_latch, which defaults true. + If set false when queue_only_load is greater than zero, Exim re-evaluates + the load for each incoming message in an SMTP session. Otherwise, once one + message is queued, the remainder are also. + + 9. There is a new ACL, specified by acl_smtp_notquit, which is run in most + cases when an SMTP session ends without sending QUIT. However, when Exim + itself is is bad trouble, such as being unable to write to its log files, + this ACL is not run, because it might try to do things (such as write to + log files) that make the situation even worse. + + Like the QUIT ACL, this new ACL is provided to make it possible to gather + statistics. Whatever it returns (accept or deny) is immaterial. The "delay" + modifier is forbidden in this ACL. + + When the NOTQUIT ACL is running, the variable $smtp_notquit_reason is set + to a string that indicates the reason for the termination of the SMTP + connection. The possible values are: + + acl-drop Another ACL issued a "drop" command + bad-commands Too many unknown or non-mail commands + command-timeout Timeout while reading SMTP commands + connection-lost The SMTP connection has been lost + data-timeout Timeout while reading message data + local-scan-error The local_scan() function crashed + local-scan-timeout The local_scan() function timed out + signal-exit SIGTERM or SIGINT + synchronization-error SMTP synchronization error + tls-failed TLS failed to start + + In most cases when an SMTP connection is closed without having received + QUIT, Exim sends an SMTP response message before actually closing the + connection. With the exception of acl-drop, the default message can be + overridden by the "message" modifier in the NOTQUIT ACL. In the case of a + "drop" verb in another ACL, it is the message from the other ACL that is + used. + +10. For MySQL and PostgreSQL lookups, it is now possible to specify a list of + servers with individual queries. This is done by starting the query with + "servers=x:y:z;", where each item in the list may take one of two forms: + + (1) If it is just a host name, the appropriate global option (mysql_servers + or pgsql_servers) is searched for a host of the same name, and the + remaining parameters (database, user, password) are taken from there. + + (2) If it contains any slashes, it is taken as a complete parameter set. + + The list of servers is used in exactly the same was as the global list. + Once a connection to a server has happened and a query has been + successfully executed, processing of the lookup ceases. + + This feature is intended for use in master/slave situations where updates + are occurring, and one wants to update a master rather than a slave. If the + masters are in the list for reading, you might have: + + mysql_servers = slave1/db/name/pw:slave2/db/name/pw:master/db/name/pw + + In an updating lookup, you could then write + + ${lookup mysql{servers=master; UPDATE ...} + + If, on the other hand, the master is not to be used for reading lookups: + + pgsql_servers = slave1/db/name/pw:slave2/db/name/pw + + you can still update the master by + + ${lookup pgsql{servers=master/db/name/pw; UPDATE ...} + +11. The message_body_newlines option (default FALSE, for backwards + compatibility) can be used to control whether newlines are present in + $message_body and $message_body_end. If it is FALSE, they are replaced by + spaces. + Version 4.67 ------------