X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d8ef35773b4c4c25c62a015928ed92b4a654b501..ca02eafb3654a6539abb59a0f3ce4c52fe97f20e:/doc/doc-txt/ChangeLog diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 249ef7cfe..ac121eb81 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,10 +1,471 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.28 2004/11/12 16:54:55 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.164 2005/06/17 14:20:48 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- -Exim version 4.44 +Exim version 4.52 +----------------- + +TF/01 Added support for Client SMTP Authorization. See NewStuff for details. + +PH/01 When a transport filter timed out in a pipe delivery, and the pipe + command itself ended in error, the underlying message about the transport + filter timeout was being overwritten with the pipe command error. Now the + underlying error message should be appended to the second error message. + +TK/01 Fix poll() being unavailable on Mac OSX 10.2. + +PH/02 Reduce the amount of output that "make" produces by default. Full output + can still be requested. + +PH/03 The warning log line about a condition test deferring for a "warn" verb + was being output only once per connection, rather than after each + occurrence (because it was using the same function as for successful + "warn" verbs). This seems wrong, so I have changed it. + +TF/02 Two buglets in acl.c which caused Exim to read a few bytes of memory that + it should not have, which might have caused a crash in the right + circumstances, but probably never did. + +PH/04 Installed a modified version of Tony Finch's patch to make submission + mode fix the return path as well as the Sender: header line, and to + add a /name= option so that you can make the user's friendly name appear + in the header line. + +TF/03 Added the control = fakedefer ACL modifier. + +TF/04 Added the ratelimit ACL condition. See NewStuff for details. Thanks to + Mark Lowes for thorough testing. + +TK/02 Rewrote SPF support to work with libspf2 versions >1.2.0. + +TK/03 Merged latest SRS patch from Miles Wilton. + +PH/05 There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts + with the definition in sysexits.h (which is #included earlier). + Fortunately, Exim does not actually use EX_OK. The code used to try to + preserve the sysexits.h value, by assumimg that macro definitions were + scanned for macro replacements. I have been disabused of this notion, + so now the code just undefines EX_OK before #including unistd.h. + +PH/06 There is a timeout for writing blocks of data, set by, e.g. data_timeout + in the smtp transport. When a block could not be written in a single + write() function, the timeout was being re-applied to each part-write. + This seems wrong - if the receiver was accepting one byte at a time it + would take for ever. The timeout is now adjusted when this happens. It + doesn't have to be particularly precise. + +TK/04 Added simple SPF lookup method in EXPERIMENTAL_SPF. See NewStuff for + details. Thanks to Chris Webb for the patch! + +PH/07 Added "fullpostmaster" verify option, which does a check to + without a domain if the check to fails. + +SC/01 Eximstats: added -xls and the ability to specify output files + (patch written by Frank Heydlauf). + +SC/02 Eximstats: use FileHandles for outputing results. + +SC/03 Eximstats: allow any combination of xls, txt, and html output. + +SC/04 Eximstats: fixed display of large numbers with -nvr option + +SC/05 Eximstats: fixed merging of reports with empty tables. + +SC/06 Eximstats: added the -include_original_destination flag + +SC/07 Eximstats: removed tabs and trailing whitespace. + +TK/05 Malware: Improve on aveserver error handling. Patch from Alex Miller. + +TK/06 MBOX spool code: Add real "From " MBOX separator line + so the .eml file is really in mbox format (even though + most programs do not really care). Patch from Alex Miller. + +TK/07 MBOX spool code: Add X-Envelope-From: and X-Envelope-To: headers. + The latter is generated from $received_to and is only set if the + message has one envelope recipient. SA can use these headers, + obviously out-of-the-box. Patch from Alex Miller. + +PH/08 The ${def test on a variable was returning false if the variable's + value was "0", contrary to what the specification has always said! + The result should be true unless the variable is empty. + +PH/09 The syntax error of a character other than { following "${if + def:variable_name" (after optional whitespace) was not being diagnosed. + An expansion such as ${if def:sender_ident:{xxx}{yyy}} in which an + accidental colon was present, for example, could give incorrect results. + +PH/10 Tidied the code in a number of places where the st_size field of a stat() + result is used (not including appendfile, where other changes are about + to be made). + +PH/11 Upgraded appendfile so that quotas larger than 2G are now supported. + This involved changing a lot of size variables from int to off_t. It + should work with maildirs and everything. + +TK/08 Apply fix provided by Michael Haardt to prevent deadlock in case of + spamd dying while we are connected to it. + +TF/05 Fixed a ${extract error message typo reported by Jeremy Harris + + +PH/12 Applied Alex Kiernan's patch for the API change for the error callback + function for BDB 4.3. + +PH/13 Changed auto_thaw such that it does not apply to bounce messages. + +PH/14 Imported PCRE 6.0; this was more than just a trivial operation because + the sources for PCRE have been re-arranged and more files are now + involved. + +PH/15 The code I had for printing potentially long long variables in PH/11 + above was not the best (it lost precision). The length of off_t variables + is now inspected at build time, and an appropriate printing format (%ld + or %lld) is chosen and #defined by OFF_T_FMT. We also define LONGLONG_T + to be "long long int" or "long int". This is needed for the internal + formatting function string_vformat(). + +PH/16 Applied Matthew Newton's patch to exicyclog: "If log_file_path is set in + the configuration file to be ":syslog", then the script "guesses" where + the logs files are, rather than using the compiled in default. In our + case the guess is not the same as the compiled default, so the script + suddenly stopped working when I started to use syslog. The patch checks + to see if log_file_path is "". If so, it attempts to read it from exim + with no configuration file to get the compiled in version, before it + falls back to the previous guessing code." + +TK/09 Added "prvs" and "prvscheck" expansion items. These help a lot with + implementing BATV in an Exim configuration. See NewStuff for the gory + details. + +PH/17 Applied Michael Haardt's patch for HP-UX, affecting only the os.h and + Makefile that are specific to HP-UX. + +PH/18 If the "use_postmaster" option was set for a recipient callout together + with the "random" option, the postmaster address was used as the MAIL + FROM address for the random test, but not for the subsequent recipient + test. It is now used for both. + +PH/19 Applied Michael Haardt's patch to update Sieve to RFC3028bis. "The + patch removes a few documentation additions to RFC 3028, because the + latest draft now contains them. It adds the new en;ascii-case comparator + and a new error check for 8bit text in MIME parts. Comparator and + require names are now matched exactly. I enabled the subaddress + extension, but it is not well tested yet (read: it works for me)." + +PH/20 Added macros for time_t as for off_t (see PH/15 above) and used them to + rework some of the code of TK/09 above to avoid the hardwired use of + "%lld" and "long long". Replaced the call to snprintf() with a call to + string_vformat(). + +PH/21 Added another message to those in 4.51/PH/42, namely "All relevant MX + records point to non-existent hosts". + + +Exim version 4.51 +----------------- + +TK/01 Added Yahoo DomainKeys support via libdomainkeys. See + doc/experimental-spec.txt for details. (http://domainkeys.sf.net) + +TK/02 Fix ACL "control" statement not being available in MIME ACL. + +TK/03 Fix ACL "regex" condition not being available in MIME ACL. + +PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used + to test Sieve filters that use "vacation". + +PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch + that changes the way the GnuTLS parameters are stored in the cache file. + The new format can be generated externally. For backward compatibility, + if the data in the cache doesn't make sense, Exim assumes it has read an + old-format file, and it generates new data and writes a new file. This + means that you can't go back to an older release without removing the + file. + +PH/03 A redirect router that has both "unseen" and "one_time" set does not + work if there are any delivery delays because "one_time" forces the + parent to be marked "delivered", so its unseen clone is never tried + again. For this reason, Exim now forbids the simultaneous setting of + these two options. + +PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are + redirected to themselves ("homonym" addresses). Read the long ChangeLog + entry if you want to know the details. The fix, however, neglected to + consider the case when local delivery batching is involved. The test for + "previously delivered" was not happening when checking to see if an + address could be batched with a previous (undelivered) one; under + certain circumstances this could lead to multiple deliveries to the same + address. + +PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T + in its include files, and this causes problems building Exim. + +PH/06 A number of "verify =" ACL conditions have no options (e.g. verify = + header_syntax) but Exim was just ignoring anything given after a slash. + In particular, this caused confusion with an attempt to use "verify = + reverse_host_lookup/defer_ok". An error is now given when options are + supplied for verify items that do not have them. (Maybe reverse_host_ + lookup should have a defer_ok option, but that's a different point.) + +PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as + defined by RFC 821) to 2048, because there were problems with some AUTH + commands, and RFC 1869 says the size should be increased for extended + SMTP commands that take arguments. + +PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony + Finch). + +PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an + "unknown" error; now it says that the functionality isn't in the binary. + +PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in + an address' error message when a string expansion fails (syntax or + whatever). Otherwise the password may appear in the log. Following change + PH/42 below, there is no longer a chance of it appearing in a bounce + message. + +PH/11 Installed exipick version 20050225.0 from John Jetmore. + +PH/12 If the last host in a fallback_hosts list was multihomed, only the first + of its addresses was ever tried. (Bugzilla bug #2.) + +PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed + the result incorrectly in the debug output. (It correctly added a newline + to what was transported.) + +TF/01 Added $received_time. + +PH/14 Modified the default configuration to add an acl_smtp_data ACL, with + commented out examples of how to interface to a virus scanner and to + SpamAssassin. Also added commented examples of av_scanner and + spamd_address settings. + +PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions + and controls are allowed in which ACLs. There were a couple of minor + errors. Some of the entries in the conditions table (which is a table of + where they are NOT allowed) were getting very unwieldy; rewrote them as a + negation of where the condition IS allowed. + +PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer. + +PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the + header file does not have a version number, so I've had to invent a new + value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new + API. The code is untested by me (my Linux distribution still has 0.3.2 of + radiusclient), but it was contributed by a Radius user. + +PH/18 Installed Lars Mainka's patch for the support of CRL collections in + files or directories, for OpenSSL. + +PH/19 When an Exim process that is running as root has to create an Exim log + file, it does so in a subprocess that runs as exim:exim so as to get the + ownership right at creation (otherwise, other Exim processes might see + the file with the wrong ownership). There was no test for failure of this + fork() call, which would lead to the process getting stuck as it waited + for a non-existent subprocess. Forks do occasionally fail when resources + run out. I reviewed all the other calls to fork(); they all seem to check + for failure. + +PH/20 When checking for unexpected SMTP input at connect time (before writing + the banner), Exim was not dealing correctly with a non-positive return + from the read() function. If the client had disconnected by this time, + the result was a log entry for a synchronization error with an empty + string after "input=" when read() returned zero. If read() returned -1 + (an event I could not check), uninitialized data bytes were printed. + There were reports of junk text (parts of files, etc) appearing after + "input=". + +PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages. + +PH/22 Added support for macro redefinition, and (re)definition in between + driver and ACL definitions. + +PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then + forgetting to use the resulting value; it was using the unexpanded value. + +PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it + hadn't been configured. The fix is from Juergen Kreileder, who + understands it better than I do: + + "Here's what I see happening with three configured cyrus_sasl + authenticators configured (plain, login, cram-md5): + + On startup auth_cyrus_sasl_init() gets called for each of these. + This means three calls to sasl_listmech() without a specified mech_list. + => SASL tests which mechs of all available mechs actually work + => three warnings about OTP not working + => the returned list contains: plain, login, cram-md5, digest-md5, ... + + With the patch, sasl_listmech() also gets called three times. But now + SASL's mech_list option is set to the server_mech specified in the the + authenticator. Or in other words, the answer from sasl_listmech() + gets limited to just the mech you're testing for (which is different + for each call.) + => the return list contains just 'plain' or 'login', 'cram-md5' or + nothing depending on the value of ob->server_mech. + + I've just tested the patch: Authentication still works fine, + unavailable mechs specified in the exim configuration are still + caught, and the auth.log warnings about OTP are gone." + +PH/25 When debugging is enabled, the contents of the command line are added + to the debugging output, even when log_selector=+arguments is not + specified. + +PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the + answer is "GNU", and only if the return is "GNU/something" is the answer + "Linux". + +PH/27 $acl_verify_message is now set immediately after the failure of a + verification in an ACL, and so is available in subsequent modifiers. In + particular, the message can be preserved by coding like this: + + warn !verify = sender + set acl_m0 = $acl_verify_message + + Previously, $acl_verify_message was set only while expanding "message" + and "log_message" when a very denied access. + +PH/28 Modified OS/os.c-Linux with + + -#ifndef OS_LOAD_AVERAGE + +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__) + + to make Exim compile on kfreebsd-gnu. (I'm totally confused about the + nomenclature these days.) + +PH/29 Installed patch from the Sieve maintainer that adds the options + sieve_useraddress and sieve_subaddress to the redirect router. + +PH/30 In these circumstances: + . Two addresses routed to the same list of hosts; + . First host does not offer TLS; + . First host accepts first address; + . First host gives temporary error to second address; + . Second host offers TLS and a TLS session is established; + . Second host accepts second address. + Exim incorrectly logged both deliveries with the TLS parameters (cipher + and peerdn, if requested) that were in fact used only for the second + address. + +PH/31 When doing a callout as part of verifying an address, Exim was not paying + attention to any local part prefix or suffix that was matched by the + router that accepted the address. It now behaves in the same way as it + does for delivery: the affixes are removed from the local part unless + rcpt_include_affixes is set on the transport. + +PH/32 Add the sender address, as F=<...>, to the log line when logging a + timeout during the DATA phase of an incoming message. + +PH/33 Sieve envelope tests were broken for match types other than :is. I have + applied a patch sanctioned by the Sieve maintainer. + +PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where + the uid or gid is negative. A case of a negative gid caused this to be + noticed. The fix allows for either to be negative. + +PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code + clutter, but the tables that are indexed by ACL_WHERE_xxx values had been + overlooked. + +PH/36 The change PH/12 above was broken. Fixed it. + +PH/37 Exim used to check for duplicate addresses in the middle of routing, on + the grounds that routing the same address twice would always produce the + same answer. This might have been true once, but it is certainly no + longer true now. Routing a child address may depend on the previous + routing that produced that child. Some complicated redirection strategies + went wrong when messages had multiple recipients, and made Exim's + behaviour dependent on the order in which the addresses were given. + + I have moved the duplicate checking until after the routing is complete. + Exim scans the addresses that are assigned to local and remote + transports, and removes any duplicates. This means that more work will be + done, as duplicates will always all be routed, but duplicates are + presumably rare, so I don't expect this is of any significance. + + For deliveries to pipes, files, and autoreplies, the duplicate checking + still happens during the routing process, since they are not going to be + routed further. + +PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner. + It corrects a timeout issue with spamd. This is Ian's comment: "The + background is that sometimes spamd either never reads data from a + connection it has accepted, or it never writes response data. The exiscan + spam.[ch] uses a 3600 second timeout on spamd socket reads, further, it + blindly assumes that writes won't block so it may never time out." + +PH/39 Allow G after quota size as well as K and M. + +PH/40 The value set for $authenticated_id in an authenticator may not contain + binary zeroes or newlines because the value is written to log lines and + to spool files. There was no check on this. Now the value is run through + the string_printing() function so that such characters are converted to + printable escape sequences. + +PH/41 $message_linecount is a new variable that contains the total number of + lines in the message. Compare $body_linecount, which is the count for the + body only. + +PH/42 Exim no longer gives details of delivery errors for specific addresses in + bounce and delay warning messages, except in certain special cases, which + are as follows: + + (a) An SMTP error message from a remote host; + (b) A message specified in a :fail: redirection; + (c) A message specified in a "fail" command in a system filter; + (d) A message specified in a FAIL return from the queryprogram router; + (e) A message specified by the cannot_route_message router option. + + In these cases only, Exim does include the error details in bounce and + warning messages. There are also a few cases where bland messages such + as "unrouteable address" or "local delivery error" are given. + +PH/43 $value is now also set for the "else" part of a ${run expansion. + +PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still + being worked on, but at least Exim now implements the latest version to + play with." + +PH/45 In a pipe transport, although a timeout while waiting for the pipe + process to complete was treated as a delivery failure, a timeout while + writing the message to the pipe was logged, but erroneously treated as a + successful delivery. Such timeouts include transport filter timeouts. For + consistency with the overall process timeout, these timeouts are now + treated as errors, giving rise to delivery failures by default. However, + there is now a new Boolean option for the pipe transport called + timeout_defer, which, if set TRUE, converts the failures into defers for + both kinds of timeout. A transport filter timeout is now identified in + the log output. + +PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On + systems where "make" and "gmake" are different, calling "gmake" at top + level broke things. I've arranged for the value of $(MAKE) to be passed + from the Makefile to this script so that it can call the same version of + "make". + + +A note about Exim versions 4.44 and 4.50 +---------------------------------------- + +Exim 4.50 was meant to be the next release after 4.43. It contains a lot of +changes of various kinds. As a consequence, a big documentation update was +needed. This delayed the release for rather longer than seemed good, especially +in the light of a couple of (minor) security issues. Therefore, the changes +that fixed bugs were backported into 4.43, to create a 4.44 maintenance +release. So 4.44 and 4.50 are in effect two different branches that both start +from 4.43. + +I have left the 4.50 change log unchanged; it contains all the changes since +4.43. The change log for 4.44 is below; many of its items are identical to +those for 4.50. This seems to be the most sensible way to preserve the +historical information. + + +Exim version 4.50 ----------------- 1. Minor wording change to the doc/README.SIEVE file. @@ -117,6 +578,456 @@ Exim version 4.44 host was specified on an smtp transport, and looking it up yielded more than one IP address. +31. Re-factored the code for checking spool and log partition space into a + function that finds that data and another that does the check. The former + is then used to implement four new variables: $spool_space, $log_space, + $spool_inodes, and $log_inodes. + +32. The RFC2047 encoding function was originally intended for short strings + such as real names; it was not keeping to the 75-character limit for + encoded words that the RFC imposes. It now respects the limit, and + generates multiple encoded words if necessary. To be on the safe side, I + have increased the buffer size for the ${rfc2047: expansion operator from + 1024 to 2048 bytes. + +33. It is now permitted to omit both strings after an "if" condition; if the + condition is true, the result is "true". As before, when the second string + is omitted, a false condition yields an empty string. This makes it less + cumbersome to write custom ACL and router conditions. + +34. Failure to deliver a bounce message always caused it to be frozen, even if + there was an errors_to setting on the router. The errors_to setting is now + respected. + +35. If an IPv6 address is given for -bh or -bhc, it is now converted to the + canonical form (fully expanded) before being placed in + $sender_host_address. + +36. The table in the code that translates DNS record types into text (T_A to + "A" for instance) was missing entries for NS and CNAME. It is just possible + that this could have caused confusion if both these types were looked up + for the same domain, because the text type is used as part of Exim's + per-process caching. But the chance of anyone hitting this buglet seems + very small. + +37. The dnsdb lookup has been extended in a number of ways. + + (1) There is a new type, "zns", which walks up the domain tree until it + finds some nameserver records. It should be used with care. + + (2) There is a new type, "mxh", which is like "mx" except that it returns + just the host names, not the priorities. + + (3) It is now possible to give a list of domains (or IP addresses) to be + looked up. The behaviour when one of the lookups defers can be + controlled by a keyword. + + (4) It is now possible to specify the separator character for use when + multiple records are returned. + +38. The dnslists ACL condition has been extended: it is now possible to supply + a list of IP addresses and/or domains to be looked up in a particular DNS + domain. + +39. Added log_selector=+queue_time_overall. + +40. When running the queue in the test harness, wait just a tad after forking a + delivery process, to get repeatability of debugging output. + +41. Include certificate and key file names in error message when GnuTLS fails + to set them up, because the GnuTLS error message doesn't include the name + of the failing file when there is a problem reading it. + +42. Allow both -bf and -bF in the same test run. + +43. Did the same fix as 41 above for OpenSSL, which had the same infelicity. + +44. The "Exiscan patch" is now merged into the mainline Exim source. + +45. Sometimes the final signoff response after QUIT could fail to get + transmitted in the non-TLS case. Testing !tls_active instead of tls_active + < 0 before doing a fflush(). This bug looks as though it goes back to the + introduction of TLS in release 3.20, but "sometimes" must have been rare + because the tests only now provoked it. + +46. Reset the locale to "C" after calling embedded Perl, in case it was changed + (this can affect the format of dates). + +47. exim_tidydb, when checking for the continued existence of a message for + which it has found a message-specific retry record, was not finding + messages that were in split spool directories. Consequently, it was + deleting retry records that should have stayed in existence. + +48. Steve fixed some bugs in eximstats. + +49. The SPA authentication driver was not abandoning authentication and moving + on to the next authenticator when an expansion was forced to fail, + contradicting the general specification for all authenticators. Instead it + was generating a temporary error. It now behaves as specified. + +50. The default ordering of permitted cipher suites for GnuTLS was pessimal + (the order specifies the preference for clients). The order is now AES256, + AES128, 3DES, ARCFOUR128. + +51. Small patch to Sieve code - explicitly set From: when generating an + autoreply. + +52. Exim crashed if a remote delivery caused a very long error message to be + recorded - for instance if somebody sent an entire SpamAssassin report back + as a large number of 550 error lines. This bug was coincidentally fixed by + increasing the size of one of Exim's internal buffers (big_buffer) that + happened as part of the Exiscan merge. However, to be on the safe side, I + have made the code more robust (and fixed the comments that describe what + is going on). + +53. Now that there can be additional text after "Completed" in log lines (if + the queue_time_overall log selector is set), a one-byte patch to exigrep + was needed to allow it to recognize "Completed" as not the last thing in + the line. + +54. The LDAP lookup was not handling a return of LDAP_RES_SEARCH_REFERENCE. A + patch that reportedly fixes this has been added. I am not expert enough to + create a test for it. This is what the patch creator wrote: + + "I found a little strange behaviour of ldap code when working with + Windows 2003 AD Domain, where users was placed in more than one + Organization Units. When I tried to give exim partial DN, the exit code + of ldap_search was unknown to exim because of LDAP_RES_SEARCH_REFERENCE. + But simultaneously result of request was absolutely normal ldap result, + so I produce this patch..." + + Later: it seems that not all versions of LDAP support LDAP_RES_SEARCH_ + REFERENCE, so I have modified the code to exclude the patch when that macro + is not defined. + +55. Some experimental protocols are using DNS PTR records for new purposes. The + keys for these records are domain names, not reversed IP addresses. The + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. + CAN-2005-0021 + +56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP. + +57. Double the size of the debug message buffer (to 2048) so that more of very + long debug lines gets shown. + +58. The exicyclog utility now does better if the number of log files to keep + exceeds 99. In this case, it numbers them 001, 002 ... instead of 01, 02... + +59. Two changes related to the smtp_active_hostname option: + + (1) $smtp_active_hostname is now available as a variable. + (2) The default for smtp_banner uses $smtp_active_hostname instead + of $primary_hostname. + +60. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb PTR lookup with an IPv6 address that had more than 8 + components; fortuitously, this particular loophole had already been fixed + by change 4.50/55 above. + + If there are any other similar loopholes, the new check in host_aton() + itself should stop them being exploited. The report I received stated that + data on the command line could provoke the exploit when Exim was running as + exim, but did not say which command line option was involved. All I could + find was the use of -be with a bad dnsdb PTR lookup, and in that case it is + running as the user. + CAN-2005-0021 + +61. There was a buffer overflow vulnerability in the SPA authentication code + (which came originally from the Samba project). I have added a test to the + spa_base64_to_bits() function which I hope fixes it. + CAN-2005-0022 + +62. Configuration update for GNU/Hurd and variations. Updated Makefile-GNU and + os.h-GNU, and added configuration files for GNUkFreeBSD and GNUkNetBSD. + +63. The daemon start-up calls getloadavg() while still root for those OS that + need the first call to be done as root, but it missed one case: when + deliver_queue_load_max is set with deliver_drop_privilege. This is + necessary for the benefit of the queue runner, because there is no re-exec + when deliver_drop_privilege is set. + +64. A call to exiwhat cut short delays set up by "delay" modifiers in ACLs. + This has been fixed. + +65. Caching of lookup data for "hosts =" ACL conditions, when a named host list + was in use, was not putting the data itself into the right store pool; + consequently, it could be overwritten for a subsequent message in the same + SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked + the caching.) + +66. Added hosts_max_try_hardlimit to the smtp transport, default 50. + +67. The string_is_ip_address() function returns 0, 4, or 6, for "no an IP + address", "IPv4 address", and "IPv6 address", respectively. Some calls of + the function were treating the return as a boolean value, which happened to + work because 0=false and not-0=true, but is not correct code. + +68. The host_aton() function was not handling scoped IPv6 addresses (those + with, for example, "%eth0" on the end) correctly. + +69. Fixed some compiler warnings in acl.c for the bitmaps specified with + negated items (that is, ~something) in unsigned ints. Some compilers + apparently mutter when there is no cast. + +70. If an address verification called from an ACL failed, and did not produce a + user-specific message (i.e. there was only a "system" message), nothing was + put in $acl_verify_message. In this situation, it now puts the system + message there. + +71. Change 4.23/11 added synchronization checking at the start of an SMTP + session; change 4.31/43 added the unwanted input to the log line - except + that it did not do this in the start of session case. It now does. + +72. After a timeout in a callout SMTP session, Exim still sent a QUIT command. + This is wrong and can cause the other end to generate a synchronization + error if it is another Exim or anything else that does the synchronization + check. A QUIT command is no longer sent after a timeout. + +73. $host_lookup_deferred has been added, to make it easier to detect DEFERs + during host lookups. + +74. The defer_ok option of callout verification was not working if it was used + when verifying addresses in header lines, that is, for this case: + + verify = header_sender/callout=defer_ok + +75. A backgrounded daemon closed stdin/stdout/stderr on entry; this meant that + those file descriptors could be used for SMTP connections. If anything + wrote to stderr (the example that came up was "warn" in embedded Perl), it + could be sent to the SMTP client, causing chaos. The daemon now opens + stdin, stdout, and stderr to /dev/null when it puts itself into the + background. + +76. Arrange for output from Perl's "warn" command to be written to Exim's main + log by default. The user can override this with suitable Perl magic. + +77. The use of log_message on a "discard" ACL verb, which is supposed to add to + the log message when discard triggers, was not working for the DATA ACL or + for the non-SMTP ACL. + +78. Error message wording change in sieve.c. + +79. If smtp_accept_max_per_host was set, the number of connections could be + restricted to fewer than expected, because the daemon was trying to set up + a new connection before checking whether the processes handling previous + connections had finished. The check for completed processes is now done + earlier. On busy systems, this bug wouldn't be noticed because something + else would have woken the daemon, and it would have reaped the completed + process earlier. + +80. If a message was submitted locally by a user whose login name contained one + or more spaces (ugh!), the spool file that Exim wrote was not re-readable. + It caused a spool format error. I have fixed the spool reading code. A + related problem was that the "from" clause in the Received: line became + illegal because of the space(s). It is now covered by ${quote_local_part. + +81. Included the latest eximstats from Steve (adds average sizes to HTML Top + tables). + +82. Updated OS/Makefile-AIX as per message from Mike Meredith. + +83. Patch from Sieve maintainer to fix unterminated string problem in + "vacation" handling. + +84. Some minor changes to the Linux configuration files to help with other + OS variants using glibc. + +85. One more patch for Sieve to update vacation handling to latest spec. + + +---------------------------------------------------- +See the note above about the 4.44 and 4.50 releases. +---------------------------------------------------- + + +Exim version 4.44 +----------------- + + 1. Change 4.43/35 introduced a bug that caused file counts to be + incorrectly computed when quota_filecount was set in an appendfile + transport + + 2. Closing a stable door: arrange to panic-die if setitimer() ever fails. The + bug fixed in 4.43/37 would have been diagnosed quickly if this had been in + place. + + 3. Give more explanation in the error message when the command for a transport + filter fails to execute. + + 4. There are several places where Exim runs a non-Exim command in a + subprocess. The SIGUSR1 signal should be disabled for these processes. This + was being done only for the command run by the queryprogram router. It is + now done for all such subprocesses. The other cases are: ${run, transport + filters, and the commands run by the lmtp and pipe transports. + + 5. Some older OS have a limit of 256 on the maximum number of file + descriptors. Exim was using setrlimit() to set 1000 as a large value + unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these + systems. I've change it so that if it can't get 1000, it tries for 256. + + 6. "control=submission" was allowed, but had no effect, in a DATA ACL. This + was an oversight, and furthermore, ever since the addition of extra + controls (e.g. 4.43/32), the checks on when to allow different forms of + "control" were broken. There should now be diagnostics for all cases when a + control that does not make sense is encountered. + + 7. $recipients is now available in the predata ACL (oversight). + + 8. Tidy the search cache before the fork to do a delivery from a message + received from the command line. Otherwise the child will trigger a lookup + failure and thereby defer the delivery if it tries to use (for example) a + cached ldap connection that the parent has called unbind on. + + 9. If verify=recipient was followed by verify=sender in a RCPT ACL, the value + of $address_data from the recipient verification was clobbered by the + sender verification. + +10. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 + was its contents. (It was OK if the option was not defined at all.) + +11. A "Completed" log line is now written for messages that are removed from + the spool by the -Mrm option. + +12. $host_address is now set to the target address during the checking of + ignore_target_hosts. + +13. When checking ignore_target_hosts for an ipliteral router, no host name was + being passed; this would have caused $sender_host_name to have been used if + matching the list had actually called for a host name (not very likely, + since this list is usually IP addresses). A host name is now passed as + "[x.x.x.x]". + +14. Changed the calls that set up the SIGCHLD handler in the daemon to use the + code that specifies a non-restarting handler (typically sigaction() in + modern systems) in an attempt to fix a rare and obscure crash bug. + +15. Narrowed the window for a race in the daemon that could cause it to ignore + SIGCHLD signals. This is not a major problem, because they are used only to + wake it up if nothing else does. + +16. A malformed maildirsize file could cause Exim to calculate negative values + for the mailbox size or file count. Odd effects could occur as a result. + The maildirsize information is now recalculated if the size or filecount + end up negative. + +17. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this + support for a long time. Removed HAVE_SYS_VFS_H. + +18. Updated exipick to current release from John Jetmore. + +19. Allow an empty sender to be matched against a lookup in an address list. + Previously the only cases considered were a regular expression, or an + empty pattern. + +20. Exim went into a mad DNS lookup loop when doing a callout where the + host was specified on the transport, if the DNS lookup yielded more than + one IP address. + +21. The RFC2047 encoding function was originally intended for short strings + such as real names; it was not keeping to the 75-character limit for + encoded words that the RFC imposes. It now respects the limit, and + generates multiple encoded words if necessary. To be on the safe side, I + have increased the buffer size for the ${rfc2047: expansion operator from + 1024 to 2048 bytes. + +22. Failure to deliver a bounce message always caused it to be frozen, even if + there was an errors_to setting on the router. The errors_to setting is now + respected. + +23. If an IPv6 address is given for -bh or -bhc, it is now converted to the + canonical form (fully expanded) before being placed in + $sender_host_address. + +24. Updated eximstats to version 1.33 + +25. Include certificate and key file names in error message when GnuTLS fails + to set them up, because the GnuTLS error message doesn't include the name + of the failing file when there is a problem reading it. + +26. Expand error message when OpenSSL has problems setting up cert/key files. + As per change 25. + +27. Reset the locale to "C" after calling embedded Perl, in case it was changed + (this can affect the format of dates). + +28. exim_tidydb, when checking for the continued existence of a message for + which it has found a message-specific retry record, was not finding + messages that were in split spool directories. Consequently, it was + deleting retry records that should have stayed in existence. + +29. eximstats updated to version 1.35 + 1.34 - allow eximstats to parse syslog lines as well as mainlog lines + 1.35 - bugfix such that pie charts by volume are generated correctly + +30. The SPA authentication driver was not abandoning authentication and moving + on to the next authenticator when an expansion was forced to fail, + contradicting the general specification for all authenticators. Instead it + was generating a temporary error. It now behaves as specified. + +31. The default ordering of permitted cipher suites for GnuTLS was pessimal + (the order specifies the preference for clients). The order is now AES256, + AES128, 3DES, ARCFOUR128. + +31. Small patch to Sieve code - explicitly set From: when generating an + autoreply. + +32. Exim crashed if a remote delivery caused a very long error message to be + recorded - for instance if somebody sent an entire SpamAssassin report back + as a large number of 550 error lines. This bug was coincidentally fixed by + increasing the size of one of Exim's internal buffers (big_buffer) that + happened as part of the Exiscan merge. However, to be on the safe side, I + have made the code more robust (and fixed the comments that describe what + is going on). + +33. Some experimental protocols are using DNS PTR records for new purposes. The + keys for these records are domain names, not reversed IP addresses. The + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. + CAN-2005-0021 + +34. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb PTR lookup with an IPv6 address that had more than 8 + components; fortuitously, this particular loophole had already been fixed + by change 4.50/55 or 4.44/33 above. + + If there are any other similar loopholes, the new check in host_aton() + itself should stop them being exploited. The report I received stated that + data on the command line could provoke the exploit when Exim was running as + exim, but did not say which command line option was involved. All I could + find was the use of -be with a bad dnsdb PTR lookup, and in that case it is + running as the user. + CAN-2005-0021 + +35. There was a buffer overflow vulnerability in the SPA authentication code + (which came originally from the Samba project). I have added a test to the + spa_base64_to_bits() function which I hope fixes it. + CAN-2005-0022 + +36. The daemon start-up calls getloadavg() while still root for those OS that + need the first call to be done as root, but it missed one case: when + deliver_queue_load_max is set with deliver_drop_privilege. This is + necessary for the benefit of the queue runner, because there is no re-exec + when deliver_drop_privilege is set. + +37. Caching of lookup data for "hosts =" ACL conditions, when a named host list + was in use, was not putting the data itself into the right store pool; + consequently, it could be overwritten for a subsequent message in the same + SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked + the caching.) + +38. Sometimes the final signoff response after QUIT could fail to get + transmitted in the non-TLS case. Testing !tls_active instead of tls_active + < 0 before doing a fflush(). This bug looks as though it goes back to the + introduction of TLS in release 3.20, but "sometimes" must have been rare + because the tests only now provoked it. + Exim version 4.43 -----------------