test from the snapshots or the CVS before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
-Version 4.81
+Version 4.83
+------------
+
+ 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be
+ configured to expect an initial header from a proxy that will make the
+ actual external source IP:host be used in exim instead of the IP of the
+ proxy that is connecting to it.
+
+ 2. New verify option header_names_ascii, which will check to make sure
+ there are no non-ASCII characters in header names. Exim itself handles
+ those non-ASCII characters, but downstream apps may not, so Exim can
+ detect and reject if those characters are present.
+
+ 3. New expansion operator ${utf8clean:string} to replace malformed UTF8
+ codepoints with valid ones.
+
+ 4. New malware type "sock". Talks over a Unix or TCP socket, sending one
+ command line and matching a regex against the return data for trigger
+ and a second regex to extract malware_name. The mail spoofile name can
+ be included in the command line.
+
+ 5. When built with OpenSSL the smtp transport now supports options
+ "tls_verify_hosts" and "tls_try_verify_hosts". If either is set the
+ certificate verification is split from the encryption operation. The
+ default remains that a failed verification cancels the encryption.
+
+
+Version 4.82
------------
1. New command-line option -bI:sieve will list all supported sieve extensions
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
- dns_use_dnssec; if set to 1 then Exim will initialise the resolver library
+ dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
- can now detect this.
+ can now detect this. Exim does not perform validation itself, instead
+ relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
early in reception rather than at the end; this will affect any timestamp
included. The log line showing delivery is recorded before that showing
reception; it uses a new ">>" tag instead of "=>".
-
+
To support the feature, verify-callout connections can now use ESMTP and TLS.
The usual smtp transport options are honoured, plus a (new, default everything)
hosts_verify_avoid_tls.
for specific access to the information for each connection. The old names
are present for now but deprecated.
- Not yet supported: IGNOREQUOTA, SIZE, PIPELINING, AUTH.
+ Not yet supported: IGNOREQUOTA, SIZE, PIPELINING.
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
- 9. New expansion item ${acl {name}{arg}...} to call an ACL. The argument can
- be accessed by the ACL in $acl_arg1 to $acl_arg9. $acl_narg will be the
- number of arguments. The expansion result is set by a "message =" modifier
- and an "accept" return from the ACL.
+ 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
+ rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
+ modules. For some situations this is desirable, but we expect admin in
+ those situations to know they want the feature. More commonly, it means
+ that GUI user modules get loaded and are broken by the setuid Exim being
+ unable to access files specified in environment variables and passed
+ through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
+ unless this new option is set.
+
+ Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
+ so have also added a build option which can be used to build Exim with GnuTLS
+ but without trying to use any kind of PKCS11 support. Uncomment this in the
+ Local/Makefile:
+
+ AVOID_GNUTLS_PKCS11=yes
+
+10. The "acl = name" condition on an ACL now supports optional arguments.
+ New expansion item "${acl {name}{arg}...}" and expansion condition
+ "acl {{name}{arg}...}" are added. In all cases up to nine arguments
+ can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
+ Variable $acl_narg contains the number of arguments. If the ACL sets
+ a "message =" value this becomes the result of the expansion item,
+ or the value of $value for the expansion condition. If the ACL returns
+ accept the expansion condition is true; if reject, false. A defer
+ return results in a forced fail.
+
+11. Routers and transports can now have multiple headers_add and headers_remove
+ option lines. The concatenated list is used.
+
+12. New ACL modifier "remove_header" can remove headers before message gets
+ handled by routers/transports.
+
+13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured),
+ "aaaa" and "a" lookups is done and the full set of results returned.
+
+14. New expansion variable $headers_added with content from ACL add_header
+ modifier (but not yet added to messsage).
+
+15. New 8bitmime status logging option for received messages. Log field "M8S".
+
+16. New authenticated_sender logging option, adding to log field "A".
+
+17. New expansion variables $router_name and $transport_name. Useful
+ particularly for debug_print as -bt commandline option does not
+ require privilege whereas -d does.
+
+18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a
+ proposed extension to SMTP from Eric Hall.
+
+19. The pipe transport has gained the force_command option, to allow
+ decorating commands from user .forward pipe aliases with prefix
+ wrappers, for instance.
+
+20. Callout connections can now AUTH; the same controls as normal delivery
+ connections apply.
+
+21. Support for DMARC, using opendmarc libs, can be enabled. It adds new
+ options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file.
+ It adds new expansion variables $dmarc_ar_header, $dmarc_status,
+ $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier
+ dmarc_status. It adds new control flags dmarc_disable_verify and
+ dmarc_enable_forensic.
+
+22. Add expansion variable $authenticated_fail_id, which is the username
+ provided to the authentication method which failed. It is available
+ for use in subsequent ACL processing (typically quit or notquit ACLs).
+
+23. New ACL modifer "udpsend" can construct a UDP packet to send to a given
+ UDP host and port.
+
+24. New ${hexquote:..string..} expansion operator converts non-printable
+ characters in the string to \xNN form.
+
+25. Experimental TPDA (Transport Post Delivery Action) function added.
+ Patch provided by Axel Rau.
+
+26. Experimental Redis lookup added. Patch provided by Warren Baker.
+
Version 4.80
------------
gnutls_require_mac & gnutls_require_protocols are no longer supported.
tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority
string, documentation for which is at:
- http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
+ http://www.gnutls.org/manual/html_node/Priority-Strings.html
SNI support has been added to Exim's GnuTLS integration too.
then henceforth you will have to maintain your own local patches to strip
the safeties off.
- 8. There is a new expansion operator, bool_lax{}. Where bool{} uses the ACL
+ 8. There is a new expansion condition, bool_lax{}. Where bool{} uses the ACL
condition logic to determine truth/failure and will fail to expand many
strings, bool_lax{} uses the router condition logic, where most strings
do evaluate true.
Note: bool{00} is false, bool_lax{00} is true.
- 9. Routers now support multiple "condition" tests,
+ 9. Routers now support multiple "condition" tests.
10. There is now a runtime configuration option "tcp_wrappers_daemon_name".
Setting this allows an admin to define which entry in the tcpwrappers