1 $Cambridge: exim/doc/doc-txt/NewStuff,v 1.123 2006/11/14 16:40:36 ph10 Exp $
6 This file contains descriptions of new features that have been added to Exim.
7 Before a formal release, there may be quite a lot of detail so that people can
8 test from the snapshots or the CVS before the documentation is updated. Once
9 the documentation is updated, this file is reduced to a short list.
15 1. ACL variables can now be given arbitrary names, as long as they start with
16 "acl_c" or "acl_m" (for connection variables and message variables), are at
17 least six characters long, with the sixth character being either a digit or
18 an underscore. The rest of the name can contain alphanumeric characters and
19 underscores. This is a compatible change because the old set of variables
20 such as acl_m12 are a subset of the allowed names. There may now be any
21 number of ACL variables. For example:
23 set acl_c13 = value for original ACL variable
24 set acl_c13b = whatever
25 set acl_m_foo = something
27 What happens if a syntactically valid but undefined ACL variable is
28 referenced depends on the setting of the strict_acl_vars option. If it is
29 false (the default), an empty string is substituted; if it is true, an
30 error is generated. This affects all ACL variables, including the "old"
31 ones such as acl_c4. (Previously there wasn't the concept of an undefined
34 The implementation has been done in such a way that spool files containing
35 ACL variable settings written by previous releases of Exim are compatible
36 and can be read by the new release. If only the original numeric names are
37 used, spool files written by the new release can be read by earlier
40 2. There is a new ACL modifier called log_reject_target. It makes it possible
41 to specify which logs are used for messages about ACL rejections. Its
42 argument is a list of words which can be "main", "reject", or "panic". The
43 default is "main:reject". The list may be empty, in which case a rejection
44 is not logged at all. For example, this ACL fragment writes no logging
45 information when access is denied:
47 deny <some conditions>
50 The modifier can be used in SMTP and non-SMTP ACLs. It applies to both
51 permanent and temporary rejections.
53 3. There is a new authenticator called "dovecot". This is an interface to the
54 authentication facility of the Dovecot POP/IMAP server, which can support a
55 number of authentication methods. If you are using Dovecot to authenticate
56 POP/IMAP clients, it might be helpful to use the same mechanisms for SMTP
57 authentication. This is a server authenticator only. The only option is
58 server_socket, which must specify the socket which is the interface to
59 Dovecot authentication. The public_name option must specify an
60 authentication mechanism that Dovecot is configured to support. You can
61 have several authenticators for different mechanisms. For example:
66 server_name = /var/run/dovecot/auth-client
72 server_name = /var/run/dovecot/auth-client
75 If the SMTP connection is encrypted, or if $sender_host_address is equal to
76 $interface_address (that is, the connection is local), the "secured" option
77 is passed in the Dovecot authentication command. If, for a TLS connection,
78 a client certificate has been verified, the "valid-client-cert" option is
81 4. The variable $message_headers_raw provides a concatenation of all the
82 messages's headers without any decoding. This is in contrast to
83 $message_headers, which does RFC2047 decoding on the header contents.
85 5. In a DNS black list, when the facility for restricting the matching IP
86 values is used, the text from the TXT record that is set in $dnslist_text
87 may not reflect the true reason for rejection. This happens when lists are
88 merged and the IP address in the A record is used to distinguish them;
89 unfortunately there is only one TXT record. One way round this is not to
90 use merged lists, but that can be inefficient because it requires multiple
91 DNS lookups where one would do in the vast majority of cases when the host
92 of interest is not on any of the lists.
94 A less inefficient way of solving this problem has now been implemented. If
95 two domain names, comma-separated, are given, the second is used first to
96 do an initial check, making use of any IP value restrictions that are set.
97 If there is a match, the first domain is used, without any IP value
98 restrictions, to get the TXT record. As a byproduct of this, there is also
99 a check that the IP being tested is indeed on the first list. The first
100 domain is the one that is put in $dnslist_domain. For example:
102 reject message = rejected because $sender_ip_address is blacklisted \
103 at $dnslist_domain\n$dnslist_text
104 dnslists = sbl.spamhaus.org,sbl-xbl.spamhaus.org=127.0.0.2 : \
105 dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10
107 For the first blacklist item, this starts by doing a lookup in
108 sbl-xbl.spamhaus.org and testing for a 127.0.0.2 return. If there is a
109 match, it then looks in sbl.spamhaus.org, without checking the return
110 value, and as long as something is found, it looks for the corresponding
111 TXT record. If there is no match in sbl-xbl.spamhaus.org, nothing more is
112 done. The second blacklist item is processed similarly.
114 If you are interested in more than one merged list, the same list must be
115 given several times, but because the results of the DNS lookups are cached,
116 the DNS calls themselves are not repeated. For example:
118 reject dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
119 socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
120 misc.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.4 : \
121 dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10
123 In this case there is a lookup in dnsbl.sorbs.net, and if none of the IP
124 values matches (or if no record is found), this is the only lookup that is
125 done. Only if there is a match is one of the more specific lists consulted.
127 6. All authenticators now have a server_condition option. Previously, only
128 plaintext had this, and this has not changed: it must be set to the
129 authenticator as a server. For the others, if server_condition is set, it
130 is expanded if authentication is successful, and treated exactly as it is
131 in plaintext. This can serve as a means of adding authorization to an
134 7. There is a new command-line option called -Mset. It is useful only in
135 conjunction with -be (that is, when testing string expansions). It must be
136 followed by a message id; Exim loads the given message from its spool
137 before doing the expansions, thus setting message-specific variables such
138 as $message_size and the header variables. The $recipients variable is
139 available. This feature is provided to make it easier to test expansions
140 that make use of these variables. However, Exim must be called by an admin
141 user when -Mset is used.
143 8. Another similar new command-line option is called -bem. It operates like
144 -be except that it must be followed by the name of a file. For example:
146 exim -bem /tmp/testmessage
148 The file is read as a message (as if receiving a locally-submitted non-SMTP
149 message) before any of the test expansions are done. Thus, message-specific
150 variables such as $message_size and $h_from: are available. However, no
151 Received: header is added to the message. If the -t option is set,
152 recipients are read from the headers in the normal way, and are shown in
153 the $recipients variable. Note that recipients cannot be given on the
154 command line, because further arguments are taken as strings to expand
157 9. When an address is delayed because of a 4xx response to a RCPT command, it
158 is now the combination of sender and recipient that is delayed in
159 subsequent queue runs until its retry time is reached. You can revert to
160 the previous behavious, that is, delay the recipient independent of the
161 sender, by setting address_retry_include_sender=false in the smtp
162 transport. However, this can lead to problems with servers that regularly
163 issue 4xx responses to RCPT commands.
165 10. Unary negation and the bitwise logical operators and, or, xor, not, and
166 shift, have been added to the eval: and eval10: expansion items. These
167 items may now contain arithmetic operators (plus, minus, times, divide,
168 remainder, negate), bitwise operators (and, or, xor, not, shift), and
169 parentheses. All operations are carried out using signed integer
170 arithmetic. Operator priorities are as in C, namely:
172 (highest) not, negate
173 times, divide, remainder
175 shift-left, shift-right
180 Binary operators with the same priority are evaluated from left to right.
184 ${eval:1+2*3} yields 7
185 ${eval:(1+2)*3} yields 9
186 ${eval:2+42%5} yields 4
187 ${eval:0xc&5} yields 4
188 ${eval:0xc|5} yields 13
189 ${eval:0xc^5} yields 9
190 ${eval:0xc>>1} yields 6
191 ${eval:0xc<<1} yields 24
192 ${eval:~255&0x1234} yields 4608
193 ${eval:-(~255&0x1234)} yields -4608
195 11. The variables $interface_address and $interface_port have been renamed
196 as $received_ip_address and $received_port, to make it clear that they
197 relate to message reception rather than delivery. (The old names remain
198 available for compatibility.)
200 12. The "message" modifier can now be used on acl verbs to vary the message
201 that is sent when an SMTP command. For example, in a RCPT ACL you could
204 accept <some conditions>
205 message = OK, I'll allow you through today
207 Previously, this message modifier would have had no effect whatsoever.
209 IMPORTANT: The new behaviour applies to "accept" (and "discard") only if
210 there is no occurrence of "endpass" in the statement. If "endpass" is
211 present, the behaviour reverts to the old case, where "message" applies to
212 rejection. This is for backwards compatibility.
214 It is always possible to rewrite ACL statements so that "endpass" is not
215 needed (and indeed it is no longer used in the default configuration, and
216 is somewhat not recommended nowadays because it causes confusion.)
218 It is now generally true that the "message" modifier sets up a text string
219 that is expanded and used as a response message if the current statement
220 terminates the ACL. The expansion happens at the time Exim decides that the
221 ACL is to end, not at the time it processes "message". If the expansion
222 fails, or generates an empty string, the modifier is ignored.
224 For ACLs that are triggered by SMTP commands, the message is returned as
225 part of the SMTP response. In this situation, the message may begin with an
226 overriding SMTP response code, optionally followed by an "extended response
227 code". However, the first digit of the supplied response code must be the
228 same as would be sent by default. A panic occurs if it is not. For the
229 predata ACL, note that the default success code is 354, not 2xx.
231 However, notwithstanding the previous paragraph, for the QUIT ACL, unlike
232 the others, the message modifier cannot override the 221 response code.
234 In the case of the "connect" ACL, accepting with a message modifier
235 overrides the value of smtp_banner.
237 The ACL test specified by acl_smtp_helo happens when the client issues the
238 HELO or EHLO commands, after the tests specified by helo_accept_junk_hosts,
239 helo_allow_chars and helo(_try)_verify_hosts. An acceptance message
240 modifier for EHLO/HELO may not contain more than one line (it will be
241 truncated at the first newline and a panic logged), and it cannot affect
249 1. There is a new Boolean option called filter_prepend_home for the redirect
252 2. There is a new acl, set by acl_not_smtp_start, which is run right at the
253 start of receiving a non-SMTP message, before any of the message has been
256 3. When an SMTP error message is specified in a "message" modifier in an ACL,
257 or in a :fail: or :defer: message in a redirect router, Exim now checks the
258 start of the message for an SMTP error code.
260 4. There is a new parameter for LDAP lookups called "referrals", which takes
261 one of the settings "follow" (the default) or "nofollow".
263 5. Version 20070721.2 of exipick now included, offering these new options:
265 After all other sorting options have bee processed, reverse order
266 before displaying messages (-R is synonym).
268 Randomize order of matching messages before displaying.
270 Instead of displaying the matching messages, display the sum
272 --sort <variable>[,<variable>...]
273 Before displaying matching messages, sort the messages according to
274 each messages value for each variable.
276 Negate the value for every test (returns inverse output from the
277 same criteria without --not).
283 1. The ${readsocket expansion item now supports Internet domain sockets as well
284 as Unix domain sockets. If the first argument begins "inet:", it must be of
285 the form "inet:host:port". The port is mandatory; it may be a number or the
286 name of a TCP port in /etc/services. The host may be a name, or it may be an
287 IP address. An ip address may optionally be enclosed in square brackets.
288 This is best for IPv6 addresses. For example:
290 ${readsocket{inet:[::1]:1234}{<request data>}...
292 Only a single host name may be given, but if looking it up yield more than
293 one IP address, they are each tried in turn until a connection is made. Once
294 a connection has been made, the behaviour is as for ${readsocket with a Unix
297 2. If a redirect router sets up file or pipe deliveries for more than one
298 incoming address, and the relevant transport has batch_max set greater than
299 one, a batch delivery now occurs.
301 3. The appendfile transport has a new option called maildirfolder_create_regex.
302 Its value is a regular expression. For a maildir delivery, this is matched
303 against the maildir directory; if it matches, Exim ensures that a
304 maildirfolder file is created alongside the new, cur, and tmp directories.
310 The documentation is up-to-date for the 4.61 release. Major new features since
311 the 4.60 release are:
313 . An option called disable_ipv6, to disable the use of IPv6 completely.
315 . An increase in the number of ACL variables to 20 of each type.
317 . A change to use $auth1, $auth2, and $auth3 in authenticators instead of $1,
318 $2, $3, (though those are still set) because the numeric variables get used
319 for other things in complicated expansions.
321 . The default for rfc1413_query_timeout has been changed from 30s to 5s.
323 . It is possible to use setclassresources() on some BSD OS to control the
324 resources used in pipe deliveries.
326 . A new ACL modifier called add_header, which can be used with any verb.
328 . More errors are detectable in retry rules.
330 There are a number of other additions too.
336 The documentation is up-to-date for the 4.60 release. Major new features since
337 the 4.50 release are:
339 . Support for SQLite.
341 . Support for IGNOREQUOTA in LMTP.
343 . Extensions to the "submission mode" features.
345 . Support for Client SMTP Authorization (CSA).
347 . Support for ratelimiting hosts and users.
349 . New expansion items to help with the BATV "prvs" scheme.
351 . A "match_ip" condition, that matches an IP address against a list.
353 There are many more minor changes.