X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/f90a9fd133ac62eb3fa1e834b3bff16360d23500..1508acb8629a6ac1517ab524a9f29257a2335d5e:/src/README.UPDATING diff --git a/src/README.UPDATING b/src/README.UPDATING index 7ce35dff8..6a820bc7c 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -31,6 +31,7 @@ Exim version 4.80 * BEWARE backwards-incompatible changes in SSL libraries, thus the version bump. See points below for details. + Also an LDAP data returned format change. * The value of $tls_peerdn is now print-escaped when written to the spool file in a -tls_peerdn line, and unescaped when read back in. We received reports @@ -66,12 +67,23 @@ Exim version 4.80 security for compatibility. Exim is now defaulting to higher security and rewarding more modern clients. + If the option tls_dhparams is set and the parameters loaded from the file + have a bit-count greater than the new option tls_dh_max_bits, then the file + will now be ignored. If this affects you, raise the tls_dh_max_bits limit. + We suspect that most folks are using dated defaults and will not be affected. + * Ldap lookups returning multi-valued attributes now separate the attributes with only a comma, not a comma-space sequence. Also, an actual comma within a returned attribute is doubled. This makes it possible to parse the attribute as a comma-separated list. Note the distinction from multiple attributes being returned, where each one is a name=value pair. + If you are currently splitting the results from LDAP upon a comma, then you + should check carefully to see if adjustments are needed. + + This change lets cautious folks distinguish "comma used as separator for + joining values" from "comma inside the data". + * accept_8bitmime now defaults on, which is not RFC compliant but is better suited to today's Internet. See http://cr.yp.to/smtp/8bitmime.html for a sane rationale. Those who wish to be strictly RFC compliant, or know that @@ -111,6 +123,40 @@ Exim version 4.80 support for SNI and other features more readily. We regret that it wasn't feasible to retain the three dropped options. + * If built with TLS support, then Exim will now validate the value of + the main section tls_require_ciphers option at start-up. Before, this + would cause a STARTTLS 4xx failure, now it causes a failure to start. + Running with a broken configuration which causes failures that may only + be left in the logs has been traded off for something more visible. This + change makes an existing problem more prominent, but we do not believe + anyone would deliberately be running with an invalid tls_require_ciphers + option. + + This also means that library linkage issues caused by conflicts of some + kind might take out the main daemon, not just the delivery or receiving + process. Conceivably some folks might prefer to continue delivering + mail plaintext when their binary is broken in this way, if there is a + server that is a candidate to receive such mails that does not advertise + STARTTLS. Note that Exim is typically a setuid root binary and given + broken linkage problems that cause segfaults, we feel it is safer to + fail completely. (The check is not done as root, to ensure that problems + here are not made worse by the check). + + * The "tls_dhparam" option has been updated, so that it can now specify a + path or an identifier for a standard DH prime from one of a few RFCs. + The default for OpenSSL is no longer to not use DH but instead to use + one of these standard primes. The default for GnuTLS is no longer to use + a file in the spool directory, but to use that same standard prime. + The option is now used by GnuTLS too. If it points to a path, then + GnuTLS will use that path, instead of a file in the spool directory; + GnuTLS will attempt to create it if it does not exist. + + To preserve the previous behaviour of generating files in the spool + directory, set "tls_dhparam = historic". Since prior releases of Exim + ignored tls_dhparam when using GnuTLS, this can safely be done before + the upgrade. + + Exim version 4.77 -----------------