X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d567a64d80184840c08ca4a016a979233f09ec23..0929ce9ca518b6987b63cf8659338ca434e07d9b:/doc/doc-txt/ChangeLog diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 483528b97..5427392b9 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,5 +1,479 @@ Change log file for Exim from version 4.21 ------------------------------------------- +This document describes *changes* to previous versions, that might +affect Exim's operation, with an unchanged configuration file. For new +options, and new features, see the NewStuff file next to this ChangeLog. + +Exim version 4.89 +------------------- +JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules + than -2003 did; needs libidn2 in addition to linidn. + +JH/02 The path option on a pipe transport is now expanded before use. + + +Exim version 4.88 +----------------- +JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination + supports it and a size is available (ie. the sending peer gave us one). + +JH/02 The obsolete acl condition "demime" is removed (finally, after ten + years of being deprecated). The replacements are the ACLs + acl_smtp_mime and acl_not_smtp_mime. + +JH/03 Upgrade security requirements imposed for hosts_try_dane: previously + a downgraded non-dane trust-anchor for the TLS connection (CA-style) + or even an in-clear connection were permitted. Now, if the host lookup + was dnssec and dane was requested then the host is only used if the + TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority + MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) + if one fails this test. + This means that a poorly-configured remote DNS will make it incommunicado; + but it protects against a DNS-interception attack on it. + +JH/04 Bug 1810: make continued-use of an open smtp transport connection + non-noisy when a race steals the message being considered. + +JH/05 If main configuration option tls_certificate is unset, generate a + self-signed certificate for inbound TLS connections. + +JH/06 Bug 165: hide more cases of password exposure - this time in expansions + in rewrites and routers. + +JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 + and logged a warning sing 4.83; now they are a configuration file error. + +JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name + (lacking @domain). Apply the same qualification processing as RCPT. + +JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. + +JH/10 Support ${sha256:} applied to a string (as well as the previous + certificate). + +JH/11 Cutthrough: avoid using the callout hints db on a verify callout when + a cutthrough deliver is pending, as we always want to make a connection. + This also avoids re-routing the message when later placing the cutthrough + connection after a verify cache hit. + Do not update it with the verify result either. + +JH/12 Cutthrough: disable when verify option success_on_redirect is used, and + when routing results in more than one destination address. + +JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim + signing (which inhibits the cutthrough capability). Previously only + the presence of an option was tested; now an expansion evaluating as + empty is permissible (obviously it should depend only on data available + when the cutthrough connection is made). + +JH/14 Fix logging of errors under PIPELINING. Previously the log line giving + the relevant preceding SMTP command did not note the pipelining mode. + +JH/15 Fix counting of empty lines in $body_linecount and $message_linecount. + Previously they were not counted. + +JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same + as one having no matching records. Previously we deferred the message + that needed the lookup. + +JH/17 Fakereject: previously logged as a norml message arrival "<="; now + distinguished as "(=". + +JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work + for missing MX records. Previously it only worked for missing A records. + +JH/19 Bug 1850: support Radius libraries that return REJECT_RC. + +JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops + after the data-go-ahead and data-ack. Patch from Jason Betts. + +JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results, + even for a "none" policy. Patch from Tony Meyer. + +JH/22 Fix continued use of a connection for further deliveries. If a port was + specified by a router, it must also match for the delivery to be + compatible. + +JH/23 Bug 1874: fix continued use of a connection for further deliveries. + When one of the recipients of a message was unsuitable for the connection + (has no matching addresses), we lost track of needing to mark it + deferred. As a result mail would be lost. + +JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO. + +JH/25 Decoding ACL controls is now done using a binary search; the source code + takes up less space and should be simpler to maintain. Merge the ACL + condition decode tables also, with similar effect. + +JH/26 Fix problem with one_time used on a redirect router which returned the + parent address unchanged. A retry would see the parent address marked as + delivered, so not attempt the (identical) child. As a result mail would + be lost. + +JH/27 Fix a possible security hole, wherein a process operating with the Exim + UID can gain a root shell. Credit to http://www.halfdog.net/ for + discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim + itself :( + +JH/28 Enable {spool,log} filesystem space and inode checks as default. + Main config options check_{log,spool}_{inodes,space} are now + 100 inodes, 10MB unless set otherwise in the configuration. + +JH/29 Fix the connection_reject log selector to apply to the connect ACL. + Previously it only applied to the main-section connection policy + options. + +JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. + +PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created + by me. Added RFC7919 DH primes as an alternative. + +PP/02 Unbreak build via pkg-config with new hash support when crypto headers + are not in the system include path. + +JH/31 Fix longstanding bug with aborted TLS server connection handling. Under + GnuTLS, when a session startup failed (eg because the client disconnected) + Exim did stdio operations after fclose. This was exposed by a recent + change which nulled out the file handle after the fclose. + +JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is + signed directly by the cert-signing cert, rather than an intermediate + OCSP-signing cert. This is the model used by LetsEncrypt. + +JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT. + +HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on + an incoming connection. + +HS/02 Bug 1802: Do not half-close the connection after sending a request + to rspamd. + +HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 + fallback to "prime256v1". + +JH/34 SECURITY: Use proper copy of DATA command in error message. + Could leak key material. Remotely explaoitable. CVE-2016-9963. + + +Exim version 4.87 +----------------- +JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16 + and 3.4.4 - once the server is enabled to respond to an OCSP request + it does even when not requested, resulting in a stapling non-aware + client dropping the TLS connection. + +TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to + support variable-length bit vectors. No functional change. + +TF/02 Improve the consistency of logging incoming and outgoing interfaces. + The I= interface field on outgoing lines is now after the H= remote + host field, same as incoming lines. There is a separate + outgoing_interface log selector which allows you to disable the + outgoing I= field. + +JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write. + If not running log_selector +smtp_connection the mainlog would be held + open indefinitely after a "too many connections" event, including to a + deleted file after a log rotate. Leave the per net connection logging + leaving it open for efficiency as that will be quickly detected by the + check on the next write. + +HS/01 Bug 1671: Fix post transport crash. + Processing the wait- messages could crash the delivery + process if the message IDs didn't exist for some reason. When + using 'split_spool_directory=yes' the construction of the spool + file name failed already, exposing the same netto behaviour. + +JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex & + mime_regex ACL conditions. + +JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information + to DSN fail messages (bounces): remote IP, remote greeting, remote response + to HELO, local diagnostic string. + +JH/05 Downgrade message for a TLS-certificate-based authentication fail from + log line to debug. Even when configured with a tls authenticator many + client connections are expected to not authenticate in this way, so + an authenticate fail is not an error. + +HS/02 Add the Exim version string to the process info. This way exiwhat + gives some more detail about the running daemon. + +JH/06 Bug 1395: time-limit cacheing of DNS lookups, to the TTL value. This may + matter for fast-change records such as DNSBLs. + +JH/07 Bug 1678: Always record an interface option value, if set, as part of a + retry record, even if constant. There may be multiple transports with + different interface settings and the retry behaviour needs to be kept + distinct. + +JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments. + +JH/09 Bug 1700: ignore space & tab embedded in base64 during decode. + +JH/10 Bug 840: fix log_defer_output option of pipe transport + +JH/11 Bug 830: use same host for all RCPTS of a message, even under + hosts_randomize. This matters a lot when combined with mua_wrapper. + +JH/12 Bug 1706: percent and underbar characters are no longer escaped by the + ${quote_pgsql:} operator. + +JH/13 Bug 1708: avoid misaligned access in cached lookup. + +JH/14 Change header file name for freeradius-client. Relevant if compiling + with Radius support; from the Gentoo tree and checked under Fedora. + +JH/15 Bug 1712: Introduce $prdr_requested flag variable + +JH/16 Bug 1714: Permit an empty string as expansion result for transport + option transport_filter, meaning no filtering. + +JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts. + +JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now + defaults to "*" (all hosts). The variable is now available when not built + with TLS, default unset, mainly to enable keeping the testuite sane. + If a server certificate is not supplied (via tls_certificate) an error is + logged, and clients will find TLS connections fail on startup. Presumably + they will retry in-clear. + Packagers of Exim are strongly encouraged to create a server certificate + at installation time. + +HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency + with the $config_file variable. + +JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both + in transport context, after the attempt, and per-recipient. The latter type + is per host attempted. The event data is the error message, and the errno + information encodes the lookup type (A vs. MX) used for the (first) host, + and the trailing two digits of the smtp 4xx reponse. + +GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt + to write to mainlog (or rejectlog, paniclog) in the window between file + creation and permissions/ownership being changed. Particularly affects + installations where exicyclog is run as root, rather than exim user; + result is that the running daemon panics and dies. + +JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names. + +JH/21 Bug 1720: Add support for priority groups and weighted-random proxy + selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options + "pri" and "weight". Note that the previous implicit priority given by the + list order is no longer honoured. + +JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalisation + for DKIM processing. + +JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build + by defining SUPPORT_SOCKS. + +JH/26 Move PROXY support from Experimental to mainline, enabled for a build + by defining SUPPORT_PROXY. Note that the proxy_required_hosts option + is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}. + variables are renamed to proxy_{local,external}_{address,port}. + +JH/27 Move Internationalisation support from Experimental to mainline, enabled + for a build by defining SUPPORT_I18N + +JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts + of the query string, and make ${quote_redis:} do that quoting. + +JH/29 Move Events support from Experimental to mainline, enabled by default + and removable for a build by defining DISABLE_EVENT. + +JH/30 Updated DANE implementation code to current from Viktor Dukhovni. + +JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly + cached by the daemon. + +JH/32 Move Redis support from Experimental to mainline, enabled for a build + by defining LOOKUP_REDIS. The libhiredis library is required. + +JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit + keys are given for lookup. + +JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM + support, by using OpenSSL or GnuTLS library ones. This means DKIM is + only supported when built with TLS support. The PolarSSL SHA routines + are still used when the TLS library is too old for convenient support. + +JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option + openssl_options), for security. OpenSSL forces this from version 1.1.0 + server-side so match that on older versions. + +JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh + allocation for $value could be released as the expansion processing + concluded, but leaving the global pointer active for it. + +JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response, + and to use the domains and local_parts ACL conditions. + +JH/38 Fix cutthrough bug with body lines having a single dot. The dot was + incorrectly not doubled on cutthrough transmission, hence seen as a + body-termination at the receiving system - resulting in truncated mails. + Commonly the sender saw a TCP-level error, and retransmitted the message + via the normal store-and-forward channel. This could result in duplicates + received - but deduplicating mailstores were liable to retain only the + initial truncated version. + +JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64. + +JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS. + +JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While + we're in there, support oversigning also; bug 1309. + +JH/42 Bug 1796: Fix error logged on a malware scanner connection failure. + +HS/04 Add support for keep_environment and add_environment options. + +JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain; + either intentional arithmetic overflow during PRNG, or testing config- + induced overflows. + +JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough + delivery resulted in actual delivery. Cancel cutthrough before DATA + stage. + +JH/45 Fix cutthrough, when connection not opened by verify and target hard- + rejects a recipient: pass the reject to the originator. + +JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs. + Many were false-positives and ignorable, but it's worth fixing the + former class. + +JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also + for the new environment-manipulation done at startup. Move the routines + from being local to tls.c to being global via the os.c file. + +JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing + an extract embedded as result-arg for a map, the first arg for extract + is unavailable so we cannot tell if this is a numbered or keyed + extraction. Accept either. + + + +Exim version 4.86 +----------------- +JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now + expanded. + +JH/02 The smtp transport option "multi_domain" is now expanded. + +JH/03 The smtp transport now requests PRDR by default, if the server offers + it. + +JH/04 Certificate name checking on server certificates, when exim is a client, + is now done by default. The transport option tls_verify_cert_hostnames + can be used to disable this per-host. The build option + EXPERIMENTAL_CERTNAMES is withdrawn. + +JH/05 The value of the tls_verify_certificates smtp transport and main options + default to the word "system" to access the system default CA bundle. + For GnuTLS, only version 3.0.20 or later. + +JH/06 Verification of the server certificate for a TLS connection is now tried + (but not required) by default. The verification status is now logged by + default, for both outbound TLS and client-certificate supplying inbound + TLS connections + +JH/07 Changed the default rfc1413 lookup settings to disable calls. Few + sites use this now. + +JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery + Status Notification (bounce) messages are now MIME format per RFC 3464. + Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised + under the control of the dsn_advertise_hosts option, and routers may + have a dsn_lasthop option. + +JH/09 A timeout of 2 minutes is now applied to all malware scanner types by + default, modifiable by a malware= option. The list separator for + the options can now be changed in the usual way. Bug 68. + +JH/10 The smtp_receive_timeout main option is now expanded before use. + +JH/11 The incoming_interface log option now also enables logging of the + local interface on delivery outgoing connections. + +JH/12 The cutthrough-routing facility now supports multi-recipient mails, + if the interface and destination host and port all match. + +JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a + /defer_ok option. + +JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd. + Patch from Andrew Lewis. + +JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition) + now supports optional time-restrictions, weighting, and priority + modifiers per server. Patch originally by . + +JH/16 The spamd_address main option now supports a mixed list of local + and remote servers. Remote servers can be IPv6 addresses, and + specify a port-range. + +JH/17 Bug 68: The spamd_address main option now supports an optional + timeout value per server. + +JH/18 Bug 1581: Router and transport options headers_add/remove can + now have the list separator specified. + +JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry + option values. + +JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails + under OpenSSL. + +JH/21 Support for the A6 type of dns record is withdrawn. + +JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters + rather than the verbs used. + +JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size + from 255 to 1024 chars. + +JH/24 Verification callouts now attempt to use TLS by default. + +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) + are generic router options now. The defaults didn't change. + +JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. + Original patch from Alexander Shikoff, worked over by JH. + +HS/02 Bug 1575: exigrep falls back to autodetection of compressed + files if ZCAT_COMMAND is not executable. + +JH/26 Bug 1539: Add timout/retry options on dnsdb lookups. + +JH/27 Bug 286: Support SOA lookup in dnsdb lookups. + +JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN. + Normally benign, it bites when the pair was led to by a CNAME; + modern usage is to not canoicalize the domain to a CNAME target + (and we were inconsistent anyway for A-only vs AAAA+A). + +JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards. + +JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse, + when evaluating $sender_host_dnssec. + +JH/31 Check the HELO verification lookup for DNSSEC, adding new + $sender_helo_dnssec variable. + +JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve. + +JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log. + +JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues. + +JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was + documented as working, but never had. Support all but $spam_report. + +JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command + added for tls authenticator. + +HS/03 Add perl_taintmode main config option Exim version 4.85 @@ -17,9 +491,84 @@ TL/02 The BSD's have an arc4random API. One of the functions to induce OpenBSD 5.5. Detect this OpenBSD version and skip calling this function when detected. -JH/01 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for +JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now + cause callback expansion. + +TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that + syntax errors in an expansion can be treated as a string instead of + logging or causing an error, due to the internal use of bool_lax + instead of bool when processing it. + +JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for server certificates when making smtp deliveries. +JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups. + +JH/04 Add ${sort {list}{condition}{extractor}} expansion item. + +TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep. + +TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups. + Merged patch from Sebastian Wiedenroth. + +JH/05 Fix results-pipe from transport process. Several recipients, combined + with certificate use, exposed issues where response data items split + over buffer boundaries were not parsed properly. This eventually + resulted in duplicates being sent. This issue only became common enough + to notice due to the introduction of conection certificate information, + the item size being so much larger. Found and fixed by Wolfgang Breyha. + +JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed + size buffer was used, resulting in syntax errors when an expansion + exceeded it. + +JH/07 Add support for directories of certificates when compiled with a GnuTLS + version 3.3.6 or later. + +JH/08 Rename the TPDA expermimental facility to Event Actions. The #ifdef + is EXPERIMENTAL_EVENT, the main-configuration and transport options + both become "event_action", the variables become $event_name, $event_data + and $event_defer_errno. There is a new variable $verify_mode, usable in + routers, transports and related events. The tls:cert event is now also + raised for inbound connections, if the main configuration event_action + option is defined. + +TL/06 In test suite, disable OCSP for old versions of openssl which contained + early OCSP support, but no stapling (appears to be less than 1.0.0). + +JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on + server certificate names available under the smtp transport option + "tls_verify_cert_hostname" now do not permit multi-component wildcard + matches. + +JH/10 Time-related extraction expansions from certificates now use the main + option "timezone" setting for output formatting, and are consistent + between OpenSSL and GnuTLS compilations. Bug 1541. + +JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047- + encoded parameter in the incoming message. Bug 1558. + +JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now + include certificate info, eximon was claiming there were spoolfile + syntax errors. + +JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return. + +JH/14 Log delivery-related information more consistently, using the sequence + "H= []" wherever possible. + +TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which + are problematic for Debian distribution, omit them from the release + tarball. + +JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature. + +JH/16 Fix string representation of time values on 64bit time_t anchitectures. + Bug 1561. + +JH/17 Fix a null-indirection in certextract expansions when a nondefault + output list separator was used. + Exim version 4.84 ----------------- @@ -33,7 +582,7 @@ JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers. JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled. TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when - EXPERIMENTAL_DNS is enabled. Fix from Wolfgang Breyha. + EXPERIMENTAL_DSN is enabled. Fix from Wolfgang Breyha. Exim version 4.83 @@ -506,7 +1055,7 @@ PP/12 MAIL args handles TAB as well as SP, for better interop with Analysis and variant patch by Todd Lyons. NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated - Bug report from Lars Müller (via SUSE), + Bug report from Lars Müller (via SUSE), Patch from Dirk Mueller PP/13 tls_peerdn now print-escaped for spool files.