X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/29f89cad0cf7be1977f6ed36d27ac9b651aec9e2..b10e4ec2bc7b74e062939d573cf9e93a9a939890:/doc/doc-txt/NewStuff diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b70fa5e68..7f54b8f6c 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,5 +1,3 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.141 2007/02/14 14:59:01 ph10 Exp $ - New Features in Exim -------------------- @@ -8,362 +6,734 @@ Before a formal release, there may be quite a lot of detail so that people can test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. -Version 4.67 +Version 4.82 ------------ - 1. There is a new log selector called smtp_no_mail, which is not included in - the default setting. When it is set, a line is written to the main log - whenever an accepted SMTP connection terminates without having issued a - MAIL command. This includes both the case when the connection is dropped, - and the case when QUIT is used. Note that it does not include cases where - the connection is rejected right at the start (by an ACL, or because there - are too many connections, or whatever). These cases already have their own - log lines. - - The log line that is written contains the identity of the client in the - usual way, followed by D= and a time, which records the duration of the - connection. If the connection was authenticated, this fact is logged - exactly as it is for an incoming message, with an A= item. If the - connection was encrypted, CV=, DN=, and X= items may appear as they do for - an incoming message, controlled by the same logging options. - - Finally, if any SMTP commands were issued during the connection, a C= item - is added to the line, listing the commands that were used. For example, - - C=EHLO,QUIT - - shows that the client issued QUIT straight after EHLO. If there were fewer - than 20 commands, they are all listed. If there were more than 20 commands, - the last 20 are listed, preceded by "...". However, with the default - setting of 10 for smtp_accep_max_nonmail, the connection will in any case - be aborted before 20 non-mail commands are processed. + 1. New command-line option -bI:sieve will list all supported sieve extensions + of this Exim build on standard output, one per line. + ManageSieve (RFC 5804) providers managing scripts for use by Exim should + query this to establish the correct list to include in the protocol's + SIEVE capability line. + + 2. If the -n option is combined with the -bP option, then the name of an + emitted option is not output, only the value (if visible to you). + For instance, "exim -n -bP pid_file_path" should just emit a pathname + followed by a newline, and no other text. + + 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now + has a "tls_dh_min_bits" option, to set the minimum acceptable number of + bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites) + acceptable for security. (Option accepted but ignored if using OpenSSL). + Defaults to 1024, the old value. May be lowered only to 512, or raised as + far as you like. Raising this may hinder TLS interoperability with other + sites and is not currently recommended. Lowering this will permit you to + establish a TLS session which is not as secure as you might like. + + Unless you really know what you are doing, leave it alone. + + 4. If not built with DISABLE_DNSSEC, Exim now has the main option + dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library + to send the DO flag to your recursive resolver. If you have a recursive + resolver, which can set the Authenticated Data (AD) flag in results, Exim + can now detect this. Exim does not perform validation itself, instead + relying upon a trusted path to the resolver. + + Current status: work-in-progress; $sender_host_dnssec variable added. + + 5. DSCP support for outbound connections: on a transport using the smtp driver, + set "dscp = ef", for instance, to cause the connections to have the relevant + DSCP (IPv4 TOS or IPv6 TCLASS) value in the header. + + Similarly for inbound connections, there is a new control modifier, dscp, + so "warn control = dscp/ef" in the connect ACL, or after authentication. + + Supported values depend upon system libraries. "exim -bI:dscp" to list the + ones Exim knows of. You can also set a raw number 0..0x3F. + + 6. The -G command-line flag is no longer ignored; it is now equivalent to an + ACL setting "control = suppress_local_fixups". The -L command-line flag + is now accepted and forces use of syslog, with the provided tag as the + process name. A few other flags used by Sendmail are now accepted and + ignored. + + 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" + ACL modifier; works for single-recipient mails which are recieved on and + deliverable via SMTP. Using the connection made for a recipient verify, + if requested before the verify, or a new one made for the purpose while + the inbound connection is still active. The bulk of the mail item is copied + direct from the inbound socket to the outbound (as well as the spool file). + When the source notifies the end of data, the data acceptance by the destination + is negociated before the acceptance is sent to the source. If the destination + does not accept the mail item, for example due to content-scanning, the item + is not accepted from the source and therefore there is no need to generate + a bounce mail. This is of benefit when providing a secondary-MX service. + The downside is that delays are under the control of the ultimate destination + system not your own. + + The Recieved-by: header on items delivered by cutthrough is generated + early in reception rather than at the end; this will affect any timestamp + included. The log line showing delivery is recorded before that showing + reception; it uses a new ">>" tag instead of "=>". + + To support the feature, verify-callout connections can now use ESMTP and TLS. + The usual smtp transport options are honoured, plus a (new, default everything) + hosts_verify_avoid_tls. + + New variable families named tls_in_cipher, tls_out_cipher etc. are introduced + for specific access to the information for each connection. The old names + are present for now but deprecated. + + Not yet supported: IGNOREQUOTA, SIZE, PIPELINING. + + 8. New expansion operators ${listnamed:name} to get the content of a named list + and ${listcount:string} to count the items in a list. + + 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + +10. The "acl = name" condition on an ACL now supports optional arguments. + New expansion item "${acl {name}{arg}...}" and expansion condition + "acl {{name}{arg}...}" are added. In all cases up to nine arguments + can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL. + Variable $acl_narg contains the number of arguments. If the ACL sets + a "message =" value this becomes the result of the expansion item, + or the value of $value for the expansion condition. If the ACL returns + accept the expansion condition is true; if reject, false. A defer + return results in a forced fail. + +11. Routers and transports can now have multiple headers_add and headers_remove + option lines. The concatenated list is used. + +12. New ACL modifier "remove_header" can remove headers before message gets + handled by routers/transports. + +13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured), + "aaaa" and "a" lookups is done and the full set of results returned. + +14. New expansion variable $headers_added with content from ACL add_header + modifier (but not yet added to messsage). + +15. New 8bitmime status logging option for received messages. Log field "M8S". + +16. New authenticated_sender logging option, adding to log field "A". + +17. New expansion variables $router_name and $transport_name. Useful + particularly for debug_print as -bt commandline option does not + require privilege whereas -d does. - 2. When an item in a dnslists list is followed by = and & and a list of IP - addresses, in order to restrict the match to specific results from the DNS - lookup, the behaviour was not clear when the lookup returned more than one - IP address. For example, consider the condition +18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a + proposed extension to SMTP from Eric Hall. + +19. The pipe transport has gained the force_command option, to allow + decorating commands from user .forward pipe aliases with prefix + wrappers, for instance. + +20. Callout connections can now AUTH; the same controls as normal delivery + connections apply. - dnslists = a.b.c=127.0.0.1 +21. Support for DMARC, using opendmarc libs, can be enabled. It adds new + options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file. + It adds new expansion variables $dmarc_ar_header, $dmarc_status, + $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier + dmarc_status. It adds new control flags dmarc_disable_verify and + dmarc_enable_forensic. - What happens if the DNS lookup for the incoming IP address yields both - 127.0.0.1 and 127.0.0.2 by means of two separate DNS records? Is the - condition true because at least one given value was found, or is it false - because at least one of the found values was not listed? And how does this - affect negated conditions? +22. Add expansion variable $authenticated_fail_id, which is the username + provided to the authentication method which failed. It is available + for use in subsequent ACL processing (typically quit or notquit ACLs). + +23. New ACL modifer "udpsend" can construct a UDP packet to send to a given + UDP host and port. + +24. New ${hexquote:..string..} expansion operator converts non-printable + characters in the string to \xNN form. + +25. Experimental TPDA (Transport Post Delivery Action) function added. + Patch provided by Axel Rau. + +26. Experimental Redis lookup added. Patch provided by Warren Baker. - The behaviour of = and & has not been changed; however, the text below - documents it more clearly. In addition, two new additional conditions (== - and =&) have been added, to permit the "other" behaviour to be configured. - A DNS lookup may yield more than one record. Thus, the result of the lookup - for a dnslists check may yield more than one IP address. The question then - arises as to whether all the looked up addresses must be listed, or whether - just one is good enough. Both possibilities are provided for: +Version 4.80 +------------ - . If = or & is used, the condition is true if any one of the looked up - IP addresses matches one of the listed addresses. Consider: + 1. New authenticator driver, "gsasl". Server-only (at present). + This is a SASL interface, licensed under GPL, which can be found at + http://www.gnu.org/software/gsasl/. + This system does not provide sources of data for authentication, so + careful use needs to be made of the conditions in Exim. - dnslists = a.b.c=127.0.0.1 + 2. New authenticator driver, "heimdal_gssapi". Server-only. + A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME + is no longer honoured for setuid programs by Heimdal. Use the + "server_keytab" option to point to the keytab. - If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is - true because 127.0.0.1 matches. + 3. The "pkg-config" system can now be used when building Exim to reference + cflags and library information for lookups and authenticators, rather + than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and + "LOOKUP_LIBS" directly. Similarly for handling the TLS library support + without adjusting "TLS_INCLUDE" and "TLS_LIBS". - . If == or =& is used, the condition is true only if every one of the - looked up IP addresses matches one of the listed addresses. Consider: + In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to + find the headers and libraries for PCRE. - dnslists = a.b.c==127.0.0.1 + 4. New expansion variable $tls_bits. - If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is - false because 127.0.0.2 is not listed. You would need to have + 5. New lookup type, "dbmjz". Key is an Exim list, the elements of which will + be joined together with ASCII NUL characters to construct the key to pass + into the DBM library. Can be used with gsasl to access sasldb2 files as + used by Cyrus SASL. - dnslists = a.b.c==127.0.0.1,127.0.0.2 + 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1. - for the condition to be true. + Avoid release 1.0.1a if you can. Note that the default value of + "openssl_options" is no longer "+dont_insert_empty_fragments", as that + increased susceptibility to attack. This may still have interoperability + implications for very old clients (see version 4.31 change 37) but + administrators can choose to make the trade-off themselves and restore + compatibility at the cost of session security. - When ! is used to negate IP address matching, it inverts the result, giving - the precise opposite of the behaviour above. Thus: + 7. Use of the new expansion variable $tls_sni in the main configuration option + tls_certificate will cause Exim to re-expand the option, if the client + sends the TLS Server Name Indication extension, to permit choosing a + different certificate; tls_privatekey will also be re-expanded. You must + still set these options to expand to valid files when $tls_sni is not set. - . If != or !& is used, the condition is true if none of the looked up IP - addresses matches one of the listed addresses. Consider: + The SMTP Transport has gained the option tls_sni, which will set a hostname + for outbound TLS sessions, and set $tls_sni too. - dnslists = a.b.c!&0.0.0.1 + A new log_selector, +tls_sni, has been added, to log received SNI values + for Exim as a server. - If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is - false because 127.0.0.1 matches. + 8. The existing "accept_8bitmime" option now defaults to true. This means + that Exim is deliberately not strictly RFC compliant. We're following + Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default. + Those who disagree, or know that they are talking to mail servers that, + even today, are not 8-bit clean, need to turn off this option. - . If !== or !=& is used, the condition is true there is at least one looked - up IP address that does not match. Consider: + 9. Exim can now be started with -bw (with an optional timeout, given as + -bw). With this, stdin at startup is a socket that is + already listening for connections. This has a more modern name of + "socket activation", but forcing the activated socket to fd 0. We're + interested in adding more support for modern variants. - dnslists = a.b.c!=&0.0.0.1 +10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix + for numbers indicates multiplication by 1024^3. - If the DNS lookup yields both 127.0.0.1 and 127.0.0.2, the condition is - true, because 127.0.0.2 does not match. You would need to have +11. The GnuTLS support has been revamped; the three options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols are no longer supported. + tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority + string, documentation for which is at: + http://www.gnutls.org/manual/html_node/Priority-Strings.html - dnslists = a.b.c!=&0.0.0.1,0.0.0.2 + SNI support has been added to Exim's GnuTLS integration too. - for the condition to be false. + For sufficiently recent GnuTLS libraries, ${randint:..} will now use + gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness. - When the DNS lookup yields only a single IP address, there is no difference - between = and == and between & and =&. +12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file + is now available. If the contents of the file are valid, then Exim will + send that back in response to a TLS status request; this is OCSP Stapling. + Exim will not maintain the contents of the file in any way: administrators + are responsible for ensuring that it is up-to-date. - 3. Up till now, the only control over which cipher suites GnuTLS uses has been - for the cipher algorithms. New options have been added to allow some of the - other parameters to be varied. Here is complete documentation for the - available features: - - GnuTLS allows the caller to specify separate lists of permitted key - exchange methods, main cipher algorithms, and MAC algorithms. These may be - used in any combination to form a specific cipher suite. This is unlike - OpenSSL, where complete cipher names can be passed to its control function. - GnuTLS also allows a list of acceptable protocols to be supplied. - - For compatibility with OpenSSL, the tls_require_ciphers option can be set - to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this - option controls only the cipher algorithms. Exim searches each item in the - list for the name of an available algorithm. For example, if the list - contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly - the same as if just AES were given. - - There are additional options called gnutls_require_kx, gnutls_require_mac, - and gnutls_require_protocols that can be used to restrict the key exchange - methods, MAC algorithms, and protocols, respectively. These options are - ignored if OpenSSL is in use. - - All four options are available as global options, controlling how Exim - behaves as a server, and also as options of the smtp transport, controlling - how Exim behaves as a client. All the values are string expanded. After - expansion, the values must be colon-separated lists, though the separator - can be changed in the usual way. - - Each of the four lists starts out with a default set of algorithms. If the - first item in one of the "require" options does _not_ start with an - exclamation mark, all the default items are deleted. In this case, only - those that are explicitly specified can be used. If the first item in one - of the "require" items _does_ start with an exclamation mark, the defaults - are left on the list. - - Then, any item that starts with an exclamation mark causes the relevant - entry to be removed from the list, and any item that does not start with an - exclamation mark causes a new entry to be added to the list. Unrecognized - items in the list are ignored. Thus: - - tls_require_ciphers = !ARCFOUR - - allows all the defaults except ARCFOUR, whereas - - tls_require_ciphers = AES : 3DES - - allows only cipher suites that use AES or 3DES. For tls_require_ciphers - the recognized names are AES_256, AES_128, AES (both of the preceding), - 3DES, ARCFOUR_128, ARCFOUR_40, and ARCFOUR (both of the preceding). The - default list does not contain all of these; it just has AES_256, AES_128, - 3DES, and ARCFOUR_128. - - For gnutls_require_kx, the recognized names are DHE_RSA, RSA (which - includes DHE_RSA), DHE_DSS, and DHE (which includes both DHE_RSA and - DHE_DSS). The default list contains RSA, DHE_DSS, DHE_RSA. - - For gnutls_require_mac, the recognized names are SHA (synonym SHA1), and - MD5. The default list contains SHA, MD5. - - For gnutls_require_protocols, the recognized names are TLS1 and SSL3. - The default list contains TLS1, SSL3. - - In a server, the order of items in these lists is unimportant. The server - will advertise the availability of all the relevant cipher suites. However, - in a client, the order in the tls_require_ciphers list specifies a - preference order for the cipher algorithms. The first one in the client's - list that is also advertised by the server is tried first. - - 4. There is a new compile-time option called ENABLE_DISABLE_FSYNC. You must - not set this option unless you really, really, really understand what you - are doing. No pre-compiled distributions of Exim should ever set this - option. When it is set, Exim compiles a runtime option called - disable_fsync. If this is set true, Exim no longer calls fsync() to force - updated files' data to be written to disc. Unexpected events such as - crashes and power outages may cause data to be lost or scrambled. Beware. - - When ENABLE_DISABLE_FSYNC is not set, a reference to disable_fsync in a - runtime configuration generates an "unknown option" error. - - 5. There is a new variable called $smtp_count_at_connection_start. The name - is deliberately long, in order to emphasize what the contents are. This - variable is set greater than zero only in processes spawned by the Exim - daemon for handling incoming SMTP connections. When the daemon accepts a - new connection, it increments this variable. A copy of the variable is - passed to the child process that handles the connection, but its value is - fixed, and never changes. It is only an approximation of how many incoming - connections there actually are, because many other connections may come and - go while a single connection is being processed. When a child process - terminates, the daemon decrements the variable. - - 6. There's a new control called no_pipelining, which does what its name - suggests. It turns off the advertising of the PIPELINING extension to SMTP. - To be useful, this control must be obeyed before Exim sends its response to - an EHLO command. Therefore, it should normally appear in an ACL controlled - by acl_smtp_connect or acl_smtp_helo. + See "experimental-spec.txt" for more details. - 7. There are two new variables called $sending_ip_address and $sending_port. - These are set whenever an SMTP connection to another host has been set up, - and they contain the IP address and port of the local interface that is - being used. They are of interest only on hosts that have more than on IP - address that want to take on different personalities depending on which one - is being used. +13. ${lookup dnsdb{ }} supports now SPF record types. They are handled + identically to TXT record lookups. - 8. The expansion of the helo_data option in the smtp transport now happens - after the connection to the server has been made. This means that it can - use the value of $sending_ip_address (see 7 above) to vary the text of the - message. For example, if you want the string that is used for helo_data to - be obtained by a DNS lookup of the interface address, you could use this: +14. New expansion variable $tod_epoch_l for higher-precision time. - helo_data = ${lookup dnsdb{ptr=$sending_ip_address}{$value}\ - {$primary_hostname}} +15. New global option tls_dh_max_bits, defaulting to current value of NSS + hard-coded limit of DH ephemeral bits, to fix interop problems caused by + GnuTLS 2.12 library recommending a bit count higher than NSS supports. - The use of helo_data applies both to sending messages and when doing - callouts. +16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier. + Option can now be a path or an identifier for a standard prime. + If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23". + Set to "historic" to get the old GnuTLS behaviour of auto-generated DH + primes. - 9. There is a new expansion operator ${rfc2047d: that decodes strings that - are encoded as per RFC 2047. Binary zero bytes are replaced by question - marks. Characters are converted into the character set defined by - headers_charset. Overlong RFC 2047 "words" are not recognized unless - check_rfc2047_length is set false. +17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS). + Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL + install was not built with OPENSSL_NO_SSL2 ("no-ssl2"). -10. There is a new log selector called "pid", which causes the current process - id to be added to every log line, in square brackets, immediately after the - time and date. -11. Exim has been modified so that it flushes SMTP output before implementing - a delay in an ACL. It also flushes the output before performing a callout, - as this can take a substantial time. These behaviours can be disabled by - obeying control = no_delay_flush or control = no_callout_flush, - respectively, at some earlier stage of the connection. The effect of the - new default behaviour is to disable the PIPELINING optimization in these - situations, in order to avoid unexpected timeouts in clients. +Version 4.77 +------------ -12. There are two new expansion conditions that iterate over a list. They are - called forany and forall, and they are used like this: + 1. New options for the ratelimit ACL condition: /count= and /unique=. + The /noupdate option has been replaced by a /readonly option. - ${if forany{}{}{}{}} - ${if forall{}{}{}{}} + 2. The SMTP transport's protocol option may now be set to "smtps", to + use SSL-on-connect outbound. - The first argument is expanded, and the result is treated as a list. By - default, the list separator is a colon, but it can be changed by the normal - method. The second argument is interpreted as a condition that is to be - applied to each item in the list in turn. During the interpretation of the - condition, the current list item is placed in a variable called $item. + 3. New variable $av_failed, set true if the AV scanner deferred; ie, when + there is a problem talking to the AV scanner, or the AV scanner running. - - For forany, interpretation stops if the condition is true for any item, - and the yes-string is then expanded. If the condition is false for all - items in the list, the no-string is expanded. + 4. New expansion conditions, "inlist" and "inlisti", which take simple lists + and check if the search item is a member of the list. This does not + support named lists, but does subject the list part to string expansion. - - For forall, interpration stops if the condition is false for any item, - and the no-string is then expanded. If the condition is true for all - items in the list, the yes-string is expanded. + 5. Unless the new EXPAND_LISTMATCH_RHS build option is set when Exim was + built, Exim no longer performs string expansion on the second string of + the match_* expansion conditions: "match_address", "match_domain", + "match_ip" & "match_local_part". Named lists can still be used. - Note that negation of forany means that the condition must be false for all - items for the overall condition to succeed, and negation of forall means - that the condition must be false for at least one item. - In this example, the list separator is changed to a comma: +Version 4.76 +------------ - ${if forany{<, $recipients}{match{$item}{^user3@}}{yes}{no}} + 1. The global option "dns_use_edns0" may be set to coerce EDNS0 usage on + or off in the resolver library. - Outside a forany/forall condition, the value of $item is an empty string. - Its value is saved and restored while forany/forall is being processed, to - enable these expansion items to be nested. -13. There's a new global option called dsn_from that can be used to vary the - contents of From: lines in bounces and other automatically generated - messages ("delivery status notifications" - hence the name of the option). - The default setting is: +Version 4.75 +------------ - dsn_from = Mail Delivery System + 1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there + is now LDAP/TLS support, given sufficiently modern OpenLDAP client + libraries. The following global options have been added in support of + this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key, + ldap_cipher_suite, ldap_require_cert, ldap_start_tls. - The value is expanded every time it is needed. If the expansion fails, a - panic is logged, and the default setting is used. + 2. The pipe transport now takes a boolean option, "freeze_signal", default + false. When true, if the external delivery command exits on a signal then + Exim will freeze the message in the queue, instead of generating a bounce. -14. The smtp transport has a new option called hosts_avoid_pipelining. It can - be used to suppress the use of PIPELINING to certain hosts, while still - supporting the other SMTP extensions (cf hosts_avoid_tls). + 3. Log filenames may now use %M as an escape, instead of %D (still available). + The %M pattern expands to yyyymm, providing month-level resolution. -15. By default, exigrep does case-insensitive matches. There is now a -I option - that makes it case-sensitive. This may give a performance improvement when - searching large log files. Without -I, the Perl pattern matches use the /i - option; with -I they don't. In both cases it is possible to change the case - sensitivity within the pattern using (?i) or (?-i). + 4. The $message_linecount variable is now updated for the maildir_tag option, + in the same way as $message_size, to reflect the real number of lines, + including any header additions or removals from transport. -14. A number of new features have been added to string expansions to make it - easier to process lists of items, typically addresses. These are as - follows: + 5. When contacting a pool of SpamAssassin servers configured in spamd_address, + Exim now selects entries randomly, to better scale in a cluster setup. + + +Version 4.74 +------------ - * ${addresses:} + 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) + the flaw permitted the Exim run-time user to cause root to append to + arbitrary files of the attacker's choosing, with the content based + on content supplied by the attacker. - The string (after expansion) is interpreted as a list of addresses in RFC - 2822 format, such as can be found in a To: or Cc: header line. The - operative address (local-part@domain) is extracted from each item, and the - result of the expansion is a colon-separated list, with appropriate - doubling of colons should any happen to be present in the email addresses. - Syntactically invalid RFC2822 address items are omitted from the output. + 2. Exim now supports loading some lookup types at run-time, using your + platform's dlopen() functionality. This has limited platform support + and the intention is not to support every variant, it's limited to + dlopen(). This permits the main Exim binary to not be linked against + all the libraries needed for all the lookup types. + + +Version 4.73 +------------ + + NOTE: this version is not guaranteed backwards-compatible, please read the + items below carefully + + 1. A new main configuration option, "openssl_options", is available if Exim + is built with SSL support provided by OpenSSL. The option allows + administrators to specify OpenSSL options to be used on connections; + typically this is to set bug compatibility features which the OpenSSL + developers have not enabled by default. There may be security + consequences for certain options, so these should not be changed + frivolously. + + 2. A new pipe transport option, "permit_coredumps", may help with problem + diagnosis in some scenarios. Note that Exim is typically installed as + a setuid binary, which on most OSes will inhibit coredumps by default, + so that safety mechanism would have to be overridden for this option to + be able to take effect. + + 3. ClamAV 0.95 is now required for ClamAV support in Exim, unless + Local/Makefile sets: WITH_OLD_CLAMAV_STREAM=yes + Note that this switches Exim to use a new API ("INSTREAM") and a future + release of ClamAV will remove support for the old API ("STREAM"). + + The av_scanner option, when set to "clamd", now takes an optional third + part, "local", which causes Exim to pass a filename to ClamAV instead of + the file content. This is the same behaviour as when clamd is pointed at + a Unix-domain socket. For example: + + av_scanner = clamd:192.0.2.3 1234:local + + ClamAV's ExtendedDetectionInfo response format is now handled. + + 4. There is now a -bmalware option, restricted to admin users. This option + takes one parameter, a filename, and scans that file with Exim's + malware-scanning framework. This is intended purely as a debugging aid + to ensure that Exim's scanning is working, not to replace other tools. + Note that the ACL framework is not invoked, so if av_scanner references + ACL variables without a fallback then this will fail. + + 5. There is a new expansion operator, "reverse_ip", which will reverse IP + addresses; IPv4 into dotted quad, IPv6 into dotted nibble. Examples: + + ${reverse_ip:192.0.2.4} + -> 4.2.0.192 + ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3} + -> 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2 + + 6. There is a new ACL control called "debug", to enable debug logging. + This allows selective logging of certain incoming transactions within + production environments, with some care. It takes two options, "tag" + and "opts"; "tag" is included in the filename of the log and "opts" + is used as per the -d command-line option. Examples, which + don't all make sense in all contexts: + + control = debug + control = debug/tag=.$sender_host_address + control = debug/opts=+expand+acl + control = debug/tag=.$message_exim_id/opts=+expand + + 7. It has always been implicit in the design and the documentation that + "the Exim user" is not root. src/EDITME said that using root was + "very strongly discouraged". This is not enough to keep people from + shooting themselves in the foot in days when many don't configure Exim + themselves but via package build managers. The security consequences of + running various bits of network code are severe if there should be bugs in + them. As such, the Exim user may no longer be root. If configured + statically, Exim will refuse to build. If configured as ref:user then Exim + will exit shortly after start-up. If you must shoot yourself in the foot, + then henceforth you will have to maintain your own local patches to strip + the safeties off. + + 8. There is a new expansion condition, bool_lax{}. Where bool{} uses the ACL + condition logic to determine truth/failure and will fail to expand many + strings, bool_lax{} uses the router condition logic, where most strings + do evaluate true. + Note: bool{00} is false, bool_lax{00} is true. + + 9. Routers now support multiple "condition" tests. + +10. There is now a runtime configuration option "tcp_wrappers_daemon_name". + Setting this allows an admin to define which entry in the tcpwrappers + config file will be used to control access to the daemon. This option + is only available when Exim is built with USE_TCP_WRAPPERS. The + default value is set at build time using the TCP_WRAPPERS_DAEMON_NAME + build option. + +11. [POSSIBLE CONFIG BREAKAGE] The default value for system_filter_user is now + the Exim run-time user, instead of root. + +12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and + is forced on. This is mitigated by the new build option + TRUSTED_CONFIG_LIST which defines a list of configuration files which + are trusted; one per line. If a config file is owned by root and matches + a pathname in the list, then it may be invoked by the Exim build-time + user without Exim relinquishing root privileges. + +13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically + trusted to supply -D overrides on the command-line. Going + forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that + include the main config. As a transition mechanism, we are temporarily + providing a work-around: the new build option WHITELIST_D_MACROS provides + a colon-separated list of macro names which may be overridden by the Exim + run-time user. The values of these macros are constrained to the regex + ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values). + + +Version 4.72 +------------ + + 1. TWO SECURITY FIXES: one relating to mail-spools which are globally + writable, the other to locking of MBX folders (not mbox). + + 2. MySQL stored procedures are now supported. + + 3. The dkim_domain transport option is now a list, not a single string, and + messages will be signed for each element in the list (discarding + duplicates). + + 4. The 4.70 release unexpectedly changed the behaviour of dnsdb TXT lookups + in the presence of multiple character strings within the RR. Prior to 4.70, + only the first string would be returned. The dnsdb lookup now, by default, + preserves the pre-4.70 semantics, but also now takes an extended output + separator specification. The separator can be followed by a semicolon, to + concatenate the individual text strings together with no join character, + or by a comma and a second separator character, in which case the text + strings within a TXT record are joined on that second character. + Administrators are reminded that DNS provides no ordering guarantees + between multiple records in an RRset. For example: + + foo.example. IN TXT "a" "b" "c" + foo.example. IN TXT "d" "e" "f" + + ${lookup dnsdb{>/ txt=foo.example}} -> "a/d" + ${lookup dnsdb{>/; txt=foo.example}} -> "def/abc" + ${lookup dnsdb{>/,+ txt=foo.example}} -> "a+b+c/d+e+f" + + +Version 4.70 / 4.71 +------------------- + + 1. Native DKIM support without an external library. + (Note that if no action to prevent it is taken, a straight upgrade will + result in DKIM verification of all signed incoming emails. See spec + for details on conditionally disabling) + + 2. Experimental DCC support via dccifd (contributed by Wolfgang Breyha). + + 3. There is now a bool{} expansion condition which maps certain strings to + true/false condition values (most likely of use in conjunction with the + and{} expansion operator). + + 4. The $spam_score, $spam_bar and $spam_report variables are now available + at delivery time. + + 5. exim -bP now supports "macros", "macro_list" or "macro MACRO_NAME" as + options, provided that Exim is invoked by an admin_user. + + 6. There is a new option gnutls_compat_mode, when linked against GnuTLS, + which increases compatibility with older clients at the cost of decreased + security. Don't set this unless you need to support such clients. + + 7. There is a new expansion operator, ${randint:...} which will produce a + "random" number less than the supplied integer. This randomness is + not guaranteed to be cryptographically strong, but depending upon how + Exim was built may be better than the most naive schemes. + + 8. Exim now explicitly ensures that SHA256 is available when linked against + OpenSSL. + + 9. The transport_filter_timeout option now applies to SMTP transports too. + + +Version 4.69 +------------ + + 1. Preliminary DKIM support in Experimental. + + +Version 4.68 +------------ - It is possible to specify a character other than colon for the output - separator by starting the string with > followed by the new separator - character. For example: + 1. The body_linecount and body_zerocount C variables are now exported in the + local_scan API. + + 2. When a dnslists lookup succeeds, the key that was looked up is now placed + in $dnslist_matched. When the key is an IP address, it is not reversed in + this variable (though it is, of course, in the actual lookup). In simple + cases, for example: + + deny dnslists = spamhaus.example + + the key is also available in another variable (in this case, + $sender_host_address). In more complicated cases, however, this is not + true. For example, using a data lookup might generate a dnslists lookup + like this: + + deny dnslists = spamhaus.example/<|192.168.1.2|192.168.6.7|... + + If this condition succeeds, the value in $dnslist_matched might be + 192.168.6.7 (for example). + + 3. Authenticators now have a client_condition option. When Exim is running as + a client, it skips an authenticator whose client_condition expansion yields + "0", "no", or "false". This can be used, for example, to skip plain text + authenticators when the connection is not encrypted by a setting such as: + + client_condition = ${if !eq{$tls_cipher}{}} + + Note that the 4.67 documentation states that $tls_cipher contains the + cipher used for incoming messages. In fact, during SMTP delivery, it + contains the cipher used for the delivery. The same is true for + $tls_peerdn. - ${addresses:>& The Boss , sec@base.ment (dogsbody)} + 4. There is now a -Mvc option, which outputs a copy of the + message to the standard output, in RFC 2822 format. The option can be used + only by an admin user. - expands to "ceo@up.stairs&sec@base.ment". Compare ${address (singular), - which extracts the working address from a single RFC2822 address. + 5. There is now a /noupdate option for the ratelimit ACL condition. It + computes the rate and checks the limit as normal, but it does not update + the saved data. This means that, in relevant ACLs, it is possible to lookup + the existence of a specified (or auto-generated) ratelimit key without + incrementing the ratelimit counter for that key. - * ${map{}{}} + In order for this to be useful, another ACL entry must set the rate + for the same key somewhere (otherwise it will always be zero). - After expansion, is interpreted as a list, colon-separated by - default, but the separator can be changed in the usual way. For each item - in this list, its value is place in $item, and then is expanded - and added to the output as an item in a new list. The separator used for - the output list is the same as the one used for the input, but is not - included in the output. For example: + Example: - ${map{a:b:c}{[$item]}} ${map{<- x-y-z}{($item)}} + acl_check_connect: + # Read the rate; if it doesn't exist or is below the maximum + # we update it below + deny ratelimit = 100 / 5m / strict / noupdate + log_message = RATE: $sender_rate / $sender_rate_period \ + (max $sender_rate_limit) - expands to "[a]:[b]:[c] (x)-(y)-(z)". At the end of the expansion, the - value of $item is restored to what it was before. + [... some other logic and tests...] - * ${filter{}{}} + warn ratelimit = 100 / 5m / strict / per_cmd + log_message = RATE UPDATE: $sender_rate / $sender_rate_period \ + (max $sender_rate_limit) + condition = ${if le{$sender_rate}{$sender_rate_limit}} - After expansion, is interpreted as a list, colon-separated by - default, but the separator can be changed in the usual way. For each item - in this list, its value is place in $item, and then the condition is - evaluated. If the condition is true, $item is added to the output as an - item in a new list; if the condition is false, the item is discarded. The - separator used for the output list is the same as the one used for the - input, but is not included in the output. For example: + accept - ${filter{a:b:c}{!eq{$item}{b}} + 6. The variable $max_received_linelength contains the number of bytes in the + longest line that was received as part of the message, not counting the + line termination character(s). - yields "a:c". At the end of the expansion, the value of $item is restored - to what it was before. + 7. Host lists can now include +ignore_defer and +include_defer, analagous to + +ignore_unknown and +include_unknown. These options should be used with + care, probably only in non-critical host lists such as whitelists. - * ${reduce{}{}{}} + 8. There's a new option called queue_only_load_latch, which defaults true. + If set false when queue_only_load is greater than zero, Exim re-evaluates + the load for each incoming message in an SMTP session. Otherwise, once one + message is queued, the remainder are also. + + 9. There is a new ACL, specified by acl_smtp_notquit, which is run in most + cases when an SMTP session ends without sending QUIT. However, when Exim + itself is is bad trouble, such as being unable to write to its log files, + this ACL is not run, because it might try to do things (such as write to + log files) that make the situation even worse. + + Like the QUIT ACL, this new ACL is provided to make it possible to gather + statistics. Whatever it returns (accept or deny) is immaterial. The "delay" + modifier is forbidden in this ACL. + + When the NOTQUIT ACL is running, the variable $smtp_notquit_reason is set + to a string that indicates the reason for the termination of the SMTP + connection. The possible values are: + + acl-drop Another ACL issued a "drop" command + bad-commands Too many unknown or non-mail commands + command-timeout Timeout while reading SMTP commands + connection-lost The SMTP connection has been lost + data-timeout Timeout while reading message data + local-scan-error The local_scan() function crashed + local-scan-timeout The local_scan() function timed out + signal-exit SIGTERM or SIGINT + synchronization-error SMTP synchronization error + tls-failed TLS failed to start + + In most cases when an SMTP connection is closed without having received + QUIT, Exim sends an SMTP response message before actually closing the + connection. With the exception of acl-drop, the default message can be + overridden by the "message" modifier in the NOTQUIT ACL. In the case of a + "drop" verb in another ACL, it is the message from the other ACL that is + used. + +10. For MySQL and PostgreSQL lookups, it is now possible to specify a list of + servers with individual queries. This is done by starting the query with + "servers=x:y:z;", where each item in the list may take one of two forms: + + (1) If it is just a host name, the appropriate global option (mysql_servers + or pgsql_servers) is searched for a host of the same name, and the + remaining parameters (database, user, password) are taken from there. + + (2) If it contains any slashes, it is taken as a complete parameter set. + + The list of servers is used in exactly the same was as the global list. + Once a connection to a server has happened and a query has been + successfully executed, processing of the lookup ceases. + + This feature is intended for use in master/slave situations where updates + are occurring, and one wants to update a master rather than a slave. If the + masters are in the list for reading, you might have: + + mysql_servers = slave1/db/name/pw:slave2/db/name/pw:master/db/name/pw + + In an updating lookup, you could then write + + ${lookup mysql{servers=master; UPDATE ...} + + If, on the other hand, the master is not to be used for reading lookups: + + pgsql_servers = slave1/db/name/pw:slave2/db/name/pw + + you can still update the master by + + ${lookup pgsql{servers=master/db/name/pw; UPDATE ...} + +11. The message_body_newlines option (default FALSE, for backwards + compatibility) can be used to control whether newlines are present in + $message_body and $message_body_end. If it is FALSE, they are replaced by + spaces. + + +Version 4.67 +------------ + + 1. There is a new log selector called smtp_no_mail, which is not included in + the default setting. When it is set, a line is written to the main log + whenever an accepted SMTP connection terminates without having issued a + MAIL command. + + 2. When an item in a dnslists list is followed by = and & and a list of IP + addresses, the behaviour was not clear when the lookup returned more than + one IP address. This has been solved by the addition of == and =& for "all" + rather than the default "any" matching. + + 3. Up till now, the only control over which cipher suites GnuTLS uses has been + for the cipher algorithms. New options have been added to allow some of the + other parameters to be varied. + + 4. There is a new compile-time option called ENABLE_DISABLE_FSYNC. When it is + set, Exim compiles a runtime option called disable_fsync. + + 5. There is a new variable called $smtp_count_at_connection_start. + + 6. There's a new control called no_pipelining. + + 7. There are two new variables called $sending_ip_address and $sending_port. + These are set whenever an SMTP connection to another host has been set up. + + 8. The expansion of the helo_data option in the smtp transport now happens + after the connection to the server has been made. + + 9. There is a new expansion operator ${rfc2047d: that decodes strings that + are encoded as per RFC 2047. + +10. There is a new log selector called "pid", which causes the current process + id to be added to every log line, in square brackets, immediately after the + time and date. + +11. Exim has been modified so that it flushes SMTP output before implementing + a delay in an ACL. It also flushes the output before performing a callout, + as this can take a substantial time. These behaviours can be disabled by + obeying control = no_delay_flush or control = no_callout_flush, + respectively, at some earlier stage of the connection. + +12. There are two new expansion conditions that iterate over a list. They are + called forany and forall. + +13. There's a new global option called dsn_from that can be used to vary the + contents of From: lines in bounces and other automatically generated + messages ("delivery status notifications" - hence the name of the option). + +14. The smtp transport has a new option called hosts_avoid_pipelining. + +15. By default, exigrep does case-insensitive matches. There is now a -I option + that makes it case-sensitive. - The ${reduce expansion operation reduces a list to a single, scalar string. - After expansion, is interpreted as a list, colon-separated by - default, but the separator can be changed in the usual way. Then - is expanded and assigned to the $value variable. After this, each item in - the list is assigned to $item in turn, and is expanded - for each of them. The result of that expansion is assigned to $value before - the next iteration. When the end of the list is reached, the final value of - $value is added to the expansion string. The ${reduce expansion item can be - used in a number of ways. For example, to add up a list of numbers: +16. A number of new features ("addresses", "map", "filter", and "reduce") have + been added to string expansions to make it easier to process lists of + items, typically addresses. - ${reduce {<, 1,2,3}{0}{${eval:$value+$item}}} +17. There's a new ACL modifier called "continue". It does nothing of itself, + and processing of the ACL always continues with the next condition or + modifier. It is provided so that the side effects of expanding its argument + can be used. - The result of that expansion would be "6". The maximum of a list of numbers - can be found: +18. It is now possible to use newline and other control characters (those with + values less than 32, plus DEL) as separators in lists. - ${reduce {3:0:9:4:6}{0}{${if >{$item}{$value}{$item}{$value}}}} +19. The exigrep utility now has a -v option, which inverts the matching + condition. - At the end of a ${reduce expansion, the values of $item and $value is - restored to what they were before. +20. The host_find_failed option in the manualroute router can now be set to + "ignore". Version 4.66