X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/181d9bf8a602a2573d566427803a4c5288a56008..5ce86c4f552071ad7408c40324d5211ab2a2da82:/doc/doc-txt/NewStuff?ds=inline diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index cf4014843..cd1699dc6 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -3,9 +3,524 @@ New Features in Exim This file contains descriptions of new features that have been added to Exim. Before a formal release, there may be quite a lot of detail so that people can -test from the snapshots or the CVS before the documentation is updated. Once +test from the snapshots or the Git before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.95 +------------ + + 1. The fast-ramp two phase queue run support, previously experimental, is + now supported by default. + + 2. The native SRS support, previously experimental, is now supported. It is + not built unless specified in the Local/Makefile. + + 3. TLS resumption support, previously experimental, is now supported and + included in default builds. + + 4. Single-key LMDB lookups, previously experimental, are now supported. + The support is not built unless specified in the Local/Makefile. + + 5. Option "message_linelength_limit" on the smtp transport to enforce (by + default) the RFC 998 character limit. + + 6. An option to ignore the cache on a lookup. + + 7. Quota checking during reception (i.e. at SMTP time) for appendfile- + transport-managed quotas. + + 8. Sqlite lookups accept a "file=" option to specify a per-operation + db file, replacing the previous prefix to the SQL string (which had + issues when the SQL used tainted values). + + 9. Lsearch lookups accept a "ret=full" option, to return both the portion + of the line matching the key, and the remainder. + +10. A command-line option to have a daemon not create a notifier socket. + +11. Faster TLS startup. When various configuration options contain no + expandable elements, the information can be preloaded and cached rather + than the provious behaviour of always loading at startup time for every + connection. This helps particularly for the CA bundle. + +12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout" + main config option. + +Version 4.94 +------------ + + 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec + file. + + 2. Channel-binding for authenticators is now supported under OpenSSL. + Previously it was GnuTLS-only. + + 3. A msg:defer event. + + 4. Client-side support in the gsasl authenticator. Tested against the + plaintext driver for PLAIN; only against itself for SCRAM-SHA-1 and + SCRAM-SHA-1-PLUS methods. + + 5. Server-side support in the gsasl authenticator for encrypted passwords, as + an alternate for the existing plaintext. + + 6. Variable $local_part_data now also set by router check_local_user option, + with an de-tainted version of $local_part. + + 7. Named-list definitions can now be prefixed "hide" so that "-bP" commands do + not output the content. Previously this could only be done on options. + + 8. As an experimental feature, the dovecot authentication driver supports inet + sockets. Previously it was unix-domain sockets only. + + 9. The ACL control "queue_only" can also be spelled "queue", and now takes an + option "first_pass_route" to do the same as a "-odqs" on the command line. + +10. Items specified for the router and transport headers_remove option can use + a trailing asterisk to specify globbing. + +11. New $queue_size variable. + +12. New variables $local_part_{pre,suf}fix_v. + +13. New main option "sqlite_dbfile", for use in preference to prefixing the + lookup string. The older method fails when tainted variables are used + in the lookup, as the filename becomes tainted. The new method keeps the + filename separate. + +14. Options on the dsearch lookup, to return the full path and to filter + filetypes for matching. + +15. Options on pgsql and mysql lookups, to specify server separate from the + lookup string. + +16. An option on all single-key lookups, to return (on a hit) a de-tainted + version of the lookup key rather than the looked-up data. + +17. $domain_data and $local_part_data are now set by all list-match successes. + Previously only list items that performed lookups did so. + Also, matching list items that are tail-match or RE-match now set the + numeric variables $0 (etc) in the same way os other RE matches. + +18. Expansion item ${listquote {}}. + +19. An option for the ${readsocket {}{}{}} expansion to make the result data + cacheable. + +20. dkim_verify_min_keysizes, a list of minimum acceptable public-key sizes. + +21. bounce_message_file and warn_message_file are now expanded before use. + +22. New main config option spf_smtp_comment_template to customise the + $spf_smtp_comment variable + + + +Version 4.93 +------------ + + 1. An "external" authenticator, per RFC 4422 Appendix A. + + 2. A JSON lookup type, and JSON variants of the forall/any expansion conditions. + + 3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names + for ciphersuites. + + 4. Log_selectors "msg_id" (on by default) and "msg_id_created". + + 5. A case_insensitive option for verify=not_blind. + + 6. EXPERIMENTAL_TLS_RESUME optional build feature. See the experimental.spec + file. + + 7. A main option exim_version to override the version Exim + reports in verious places ($exim_version, $version_number). + + 8. Expansion operator ${sha2_N:} for N=256, 384, 512. + + 9. Router variables, $r_... settable from router options and usable in routers + and transports. + +10. The spf lookup now supports IPv6. + +11. Main options for DKIM verify to filter hash and key types. + +12. With TLS1.3, support for full-chain OCSP stapling. + +13. Dual-certificate stacks on servers now support OCSP stapling, under OpenSSL. + +14: An smtp:ehlo transport event, for observability of the remote offered features. + +15: Support under OpenSSL for writing NSS-style key files for packet-capture + decode. The environment variable SSLKEYLOGFILE is used; if an absolute path + it must indicate a file under the spool directory; if relative the the spool + directory is prepended. Works on the server side only. Support under + GnuTLS was already there, being done purely by the library (server side + only, and exim must be run as root). + +16: Command-line option to move messages from one named queue to another. + +17. Variables $tls_in_ver, $tls_out_ver. + + +Version 4.92 +-------------- + + 1. ${l_header:} and ${l_h:} expansion items, giving a colon-sep + list when there are multiple headers having a given name. This matters + when individual headers are wrapped onto multiple lines; with previous + facilities hard to parse. + + 2. The ${readsocket } expansion item now takes a "tls" option, doing the + obvious thing. + + 3. EXPERIMENTAL_REQUIRETLS and EXPERIMENTAL_PIPE_CONNECT optional build + features. See the experimental.spec file. + + 4. If built with SUPPORT_I18N a "utf8_downconvert" option on the smtp transport. + + 5. A "pipelining" log_selector. + + 6. Builtin macros for supported log_selector and openssl_options values. + + 7. JSON variants of the ${extract } expansion item. + + 8. A "noutf8" debug option, for disabling the UTF-8 characters in debug output. + + 9. TCP Fast Open support on MacOS. + +Version 4.91 +-------------- + + 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS + version 3.5.6 or later. + + 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and + OpenSSL versions are moved to mainline support from Experimental. + New SMTP transport option "dane_require_tls_ciphers". + + 3. Feature macros for the compiled-in set of malware scanner interfaces. + + 4. SPF support is promoted from Experimental to mainline status. The template + src/EDITME makefile does not enable its inclusion. + + 5. Logging control for DKIM verification. The existing DKIM log line is + controlled by a "dkim_verbose" selector which is _not_ enabled by default. + A new tag "DKIM=" is added to <= lines by default, controlled by + a "dkim" log_selector. + + 6. Receive duration on <= lines, under a new log_selector "receive_time". + + 7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on + routing rules in the manualroute router. + + 8. Expansion item ${sha3:} / ${sha3_:} now also supported + under OpenSSL version 1.1.1 or later. + + 9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under + GnuTLS 3.6.0 or OpenSSL 1.1.1 or later. + +10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library + version dependent. + +11. "exim -bP macro " returns caller-usable status. + +12. Expansion item ${authresults {}} for creating an + Authentication-Results: header. + +13. EXPERIMENTAL_ARC. See the experimental.spec file. + See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC. + +14: A dane:fail event, intended to facilitate reporting. + +15. "Lightweight" support for Redis Cluster. Requires redis_servers list to + contain all the servers in the cluster, all of which must be reachable from + the running exim instance. If the cluster has master/slave replication, the + list must contain all the master and slave servers. + +16. Add an option to the Avast scanner interface: "pass_unscanned". This + allows to treat unscanned files as clean. Files may be unscanned for + several reasons: decompression bombs, broken archives. + + +Version 4.90 +------------ + + 1. PKG_CONFIG_PATH can now be set in Local/Makefile; + wildcards will be expanded, values are collapsed. + + 2. The ${readsocket } expansion now takes an option to not shutdown the + connection after sending the query string. The default remains to do so. + + 3. An smtp transport option "hosts_noproxy_tls" to control whether multiple + deliveries on a single TCP connection can maintain a TLS connection + open. By default disabled for all hosts, doing so saves the cost of + making new TLS sessions, at the cost of having to proxy the data via + another process. Logging is also affected. + + 4. A malware connection type for the FPSCAND protocol. + + 5. An option for recipient verify callouts to hold the connection open for + further recipients and for delivery. + + 6. The reproducible build $SOURCE_DATE_EPOCH environment variable is now + supported. + + 7. Optionally, an alternate format for spool data-files which matches the + wire format - meaning more efficient reception and transmission (at the + cost of difficulty with standard Unix tools). Only used for messages + received using the ESMTP CHUNKING option, and when a new main-section + option "spool_wireformat" (false by default) is set. + + 8. New main configuration option "commandline_checks_require_admin" to + restrict who can use various introspection options. + + 9. New option modifier "no_check" for quota and quota_filecount + appendfile transport. + +10. Variable $smtp_command_history returning a comma-sep list of recent + SMTP commands. + +11. Millisecond timetamps in logs, on log_selector "millisec". Also affects + log elements QT, DT and D, and timstamps in debug output. + +12. TCP Fast Open logging. As a server, logs when the SMTP banner was sent + while still in SYN_RECV state; as a client logs when the connection + is opened with a TFO cookie. + +13. DKIM support for multiple signing, by domain and/or key-selector. + DKIM support for multiple hashes, and for alternate-identity tags. + Builtin macro with default list of signed headers. + Better syntax for specifying oversigning. + The DKIM ACL can override verification status, and status is visible in + the data ACL. + +14. Exipick understands -C|--config for an alternative Exim + configuration file. + +15. TCP Fast Open used, with data-on-SYN, for client SMTP via SOCKS5 proxy, + for ${readsocket } expansions, and for ClamAV. + +16. The "-be" expansion test mode now supports macros. Macros are expanded + in test lines, and new macros can be defined. + +17. Support for server-side dual-certificate-stacks (eg. RSA + ECDSA). + + +Version 4.89 +------------ + + 1. Allow relative config file names for ".include" + + 2. A main-section config option "debug_store" to control the checks on + variable locations during store-reset. Normally false but can be enabled + when a memory corruption issue is suspected on a production system. + + +Version 4.88 +------------ + + 1. The new perl_taintmode option allows to run the embedded perl + interpreter in taint mode. + + 2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines. + + 3. Speculative debugging, via a "kill" option to the "control=debug" ACL + modifier. + + 4. New expansion item ${sha3:} / ${sha3_:}. + N can be 224, 256 (default), 384, 512. + With GnuTLS 3.5.0 or later, only. + + 5. Facility for named queues: A command-line argument can specify + the queue name for a queue operation, and an ACL modifier can set + the queue to be used for a message. A $queue_name variable gives + visibility. + + 6. New expansion operators base32/base32d. + + 7. The CHUNKING ESMTP extension from RFC 3030. May give some slight + performance increase and network load decrease. Main config option + chunking_advertise_hosts, and smtp transport option hosts_try_chunking + for control. + + 8. LMDB lookup support, as Experimental. Patch supplied by Andrew Colin Kissa. + + 9. Expansion operator escape8bit, like escape but not touching newline etc.. + +10. Feature macros, generated from compile options. All start with "_HAVE_" + and go on with some roughly recognisable name. Driver macros, for + router, transport and authentication drivers; names starting with "_DRIVER_". + Option macros, for each configuration-file option; all start with "_OPT_". + Use the "-bP macros" command-line option to see what is present. + +11. Integer values for options can take a "G" multiplier. + +12. defer=pass option for the ACL control cutthrough_delivery, to reflect 4xx + returns from the target back to the initiator, rather than spooling the + message. + +13. New built-in constants available for tls_dhparam and default changed. + +14. If built with EXPERIMENTAL_QUEUEFILE, a queuefile transport, for writing + out copies of the message spool files for use by 3rd-party scanners. + +15. A new option on the smtp transport, hosts_try_fastopen. If the system + supports it (on Linux it must be enabled in the kernel by the sysadmin) + try to use RFC 7413 "TCP Fast Open". No data is sent on the SYN segment + but it permits a peer that also supports the facility to send its SMTP + banner immediately after the SYN,ACK segment rather then waiting for + another ACK - so saving up to one roundtrip time. Because it requires + previous communication with the peer (we save a cookie from it) this + will only become active on frequently-contacted destinations. + +16. A new syslog_pid option to suppress PID duplication in syslog lines. + + +Version 4.87 +------------ + + 1. The ACL conditions regex and mime_regex now capture substrings + into numeric variables $regex1 to 9, like the "match" expansion condition. + + 2. New $callout_address variable records the address used for a spam=, + malware= or verify= callout. + + 3. Transports now take a "max_parallel" option, to limit concurrency. + + 4. Expansion operators ${ipv6norm:} and ${ipv6denorm:}. + The latter expands to a 8-element colon-sep set of hex digits including + leading zeroes. A trailing ipv4-style dotted-decimal set is converted + to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6. + The former operator strips leading zeroes and collapses the longest + set of 0-groups to a double-colon. + + 5. New "-bP config" support, to dump the effective configuration. + + 6. New $dkim_key_length variable. + + 7. New base64d and base64 expansion items (the existing str2b64 being a + synonym of the latter). Add support in base64 for certificates. + + 8. New main configuration option "bounce_return_linesize_limit" to + avoid oversize bodies in bounces. The default value matches RFC + limits. + + 9. New $initial_cwd expansion variable. + + +Version 4.86 +------------ + + 1. Support for using the system standard CA bundle. + + 2. New expansion items $config_file, $config_dir, containing the file + and directory name of the main configuration file. Also $exim_version. + + 3. New "malware=" support for Avast. + + 4. New "spam=" variant option for Rspamd. + + 5. Assorted options on malware= and spam= scanners. + + 6. A command-line option to write a comment into the logfile. + + 7. If built with EXPERIMENTAL_SOCKS feature enabled, the smtp transport can + be configured to make connections via socks5 proxies. + + 8. If built with EXPERIMENTAL_INTERNATIONAL, support is included for + the transmission of UTF-8 envelope addresses. + + 9. If built with EXPERIMENTAL_INTERNATIONAL, an expansion item for a commonly + used encoding of Maildir folder names. + +10. A logging option for slow DNS lookups. + +11. New ${env {}} expansion. + +12. A non-SMTP authenticator using information from TLS client certificates. + +13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS. + Patch originally by Wolfgang Breyha. + +14. Main option "dns_trust_aa" for trusting your local nameserver at the + same level as DNSSEC. + +Version 4.85 +------------ + + 1. If built with EXPERIMENTAL_DANE feature enabled, Exim will follow the + DANE SMTP draft to assess a secure chain of trust of the certificate + used to establish the TLS connection based on a TLSA record in the + domain of the sender. + + 2. The EXPERIMENTAL_TPDA feature has been renamed to EXPERIMENTAL_EVENT + and several new events have been created. The reason is because it has + been expanded beyond just firing events during the transport phase. Any + existing TPDA transport options will have to be rewritten to use a new + $event_name expansion variable in a condition. Refer to the + experimental-spec.txt for details and examples. + + 3. The EXPERIMENTAL_CERTNAMES features is an enhancement to verify that + server certs used for TLS match the result of the MX lookup. It does + not use the same mechanism as DANE. + + +Version 4.84 +------------ + + +Version 4.83 +------------ + + 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be + configured to expect an initial header from a proxy that will make the + actual external source IP:host be used in exim instead of the IP of the + proxy that is connecting to it. + + 2. New verify option header_names_ascii, which will check to make sure + there are no non-ASCII characters in header names. Exim itself handles + those non-ASCII characters, but downstream apps may not, so Exim can + detect and reject if those characters are present. + + 3. New expansion operator ${utf8clean:string} to replace malformed UTF8 + codepoints with valid ones. + + 4. New malware type "sock". Talks over a Unix or TCP socket, sending one + command line and matching a regex against the return data for trigger + and a second regex to extract malware_name. The mail spoolfile name can + be included in the command line. + + 5. The smtp transport now supports options "tls_verify_hosts" and + "tls_try_verify_hosts". If either is set the certificate verification + is split from the encryption operation. The default remains that a failed + verification cancels the encryption. + + 6. New SERVERS override of default ldap server list. In the ACLs, an ldap + lookup can now set a list of servers to use that is different from the + default list. + + 7. New command-line option -C for exiqgrep to specify alternate exim.conf + file when searching the queue. + + 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. + + 9. Support for DNSSEC on outbound connections. + +10. New variables "tls_(in,out)_(our,peer)cert" and expansion item + "certextract" to extract fields from them. Hash operators md5 and sha1 + work over them for generating fingerprints, and a new sha256 operator + for them added. + +11. PRDR is now supported dy default. + +12. OCSP stapling is now supported by default. + +13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output + Delivery Status Notification messages in MIME format, and negotiate + DSN features per RFC 3461. + + Version 4.82 ------------ @@ -32,10 +547,11 @@ Version 4.82 Unless you really know what you are doing, leave it alone. 4. If not built with DISABLE_DNSSEC, Exim now has the main option - dns_use_dnssec; if set to 1 then Exim will initialise the resolver library + dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library to send the DO flag to your recursive resolver. If you have a recursive resolver, which can set the Authenticated Data (AD) flag in results, Exim - can now detect this. + can now detect this. Exim does not perform validation itself, instead + relying upon a trusted path to the resolver. Current status: work-in-progress; $sender_host_dnssec variable added. @@ -56,20 +572,20 @@ Version 4.82 ignored. 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" - ACL modifier; works for single-recipient mails which are recieved on and + ACL modifier; works for single-recipient mails which are received on and deliverable via SMTP. Using the connection made for a recipient verify, if requested before the verify, or a new one made for the purpose while the inbound connection is still active. The bulk of the mail item is copied direct from the inbound socket to the outbound (as well as the spool file). When the source notifies the end of data, the data acceptance by the destination - is negociated before the acceptance is sent to the source. If the destination + is negotiated before the acceptance is sent to the source. If the destination does not accept the mail item, for example due to content-scanning, the item is not accepted from the source and therefore there is no need to generate a bounce mail. This is of benefit when providing a secondary-MX service. The downside is that delays are under the control of the ultimate destination system not your own. - The Recieved-by: header on items delivered by cutthrough is generated + The Received-by: header on items delivered by cutthrough is generated early in reception rather than at the end; this will affect any timestamp included. The log line showing delivery is recorded before that showing reception; it uses a new ">>" tag instead of "=>". @@ -82,12 +598,12 @@ Version 4.82 for specific access to the information for each connection. The old names are present for now but deprecated. - Not yet supported: IGNOREQUOTA, SIZE, PIPELINING, AUTH. + Not yet supported: IGNOREQUOTA, SIZE, PIPELINING. 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. - 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS + 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 modules. For some situations this is desirable, but we expect admin in those situations to know they want the feature. More commonly, it means @@ -96,6 +612,13 @@ Version 4.82 through, thus breakage. So we explicitly inhibit the PKCS11 initialisation unless this new option is set. + Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability, + so have also added a build option which can be used to build Exim with GnuTLS + but without trying to use any kind of PKCS11 support. Uncomment this in the + Local/Makefile: + + AVOID_GNUTLS_PKCS11=yes + 10. The "acl = name" condition on an ACL now supports optional arguments. New expansion item "${acl {name}{arg}...}" and expansion condition "acl {{name}{arg}...}" are added. In all cases up to nine arguments @@ -116,18 +639,48 @@ Version 4.82 "aaaa" and "a" lookups is done and the full set of results returned. 14. New expansion variable $headers_added with content from ACL add_header - modifier (but not yet added to messsage). + modifier (but not yet added to message). 15. New 8bitmime status logging option for received messages. Log field "M8S". - 16. New authenticated_sender logging option, adding to log field "A". 17. New expansion variables $router_name and $transport_name. Useful - particularly for debug_print as -bt commandline option does not - require privilege whereas -d does. As a side-effect the router accepting - for verification is visible in ACLs. + particularly for debug_print as -bt command-line option does not + require privilege whereas -d does. + +18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a + proposed extension to SMTP from Eric Hall. + +19. The pipe transport has gained the force_command option, to allow + decorating commands from user .forward pipe aliases with prefix + wrappers, for instance. + +20. Callout connections can now AUTH; the same controls as normal delivery + connections apply. + +21. Support for DMARC, using opendmarc libs, can be enabled. It adds new + options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file. + It adds new expansion variables $dmarc_ar_header, $dmarc_status, + $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier + dmarc_status. It adds new control flags dmarc_disable_verify and + dmarc_enable_forensic. The default for the dmarc_tld_file option is + "/etc/exim/opendmarc.tlds" and can be changed via EDITME. + +22. Add expansion variable $authenticated_fail_id, which is the username + provided to the authentication method which failed. It is available + for use in subsequent ACL processing (typically quit or notquit ACLs). + +23. New ACL modifier "udpsend" can construct a UDP packet to send to a given + UDP host and port. + +24. New ${hexquote:..string..} expansion operator converts non-printable + characters in the string to \xNN form. + +25. Experimental TPDA (Transport Post Delivery Action) function added. + Patch provided by Axel Rau. +26. Experimental Redis lookup added. Patch provided by Warren Baker. Version 4.80 @@ -200,7 +753,7 @@ Version 4.80 gnutls_require_mac & gnutls_require_protocols are no longer supported. tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority string, documentation for which is at: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html SNI support has been added to Exim's GnuTLS integration too. @@ -553,7 +1106,7 @@ Version 4.68 longest line that was received as part of the message, not counting the line termination character(s). - 7. Host lists can now include +ignore_defer and +include_defer, analagous to + 7. Host lists can now include +ignore_defer and +include_defer, analogous to +ignore_unknown and +include_unknown. These options should be used with care, probably only in non-critical host lists such as whitelists.