$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.170 2005/06/23 10:02:13 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- Exim version 4.52 ----------------- TF/01 Added support for Client SMTP Authorization. See NewStuff for details. PH/01 When a transport filter timed out in a pipe delivery, and the pipe command itself ended in error, the underlying message about the transport filter timeout was being overwritten with the pipe command error. Now the underlying error message should be appended to the second error message. TK/01 Fix poll() being unavailable on Mac OSX 10.2. PH/02 Reduce the amount of output that "make" produces by default. Full output can still be requested. PH/03 The warning log line about a condition test deferring for a "warn" verb was being output only once per connection, rather than after each occurrence (because it was using the same function as for successful "warn" verbs). This seems wrong, so I have changed it. TF/02 Two buglets in acl.c which caused Exim to read a few bytes of memory that it should not have, which might have caused a crash in the right circumstances, but probably never did. PH/04 Installed a modified version of Tony Finch's patch to make submission mode fix the return path as well as the Sender: header line, and to add a /name= option so that you can make the user's friendly name appear in the header line. TF/03 Added the control = fakedefer ACL modifier. TF/04 Added the ratelimit ACL condition. See NewStuff for details. Thanks to Mark Lowes for thorough testing. TK/02 Rewrote SPF support to work with libspf2 versions >1.2.0. TK/03 Merged latest SRS patch from Miles Wilton. PH/05 There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts with the definition in sysexits.h (which is #included earlier). Fortunately, Exim does not actually use EX_OK. The code used to try to preserve the sysexits.h value, by assumimg that macro definitions were scanned for macro replacements. I have been disabused of this notion, so now the code just undefines EX_OK before #including unistd.h. PH/06 There is a timeout for writing blocks of data, set by, e.g. data_timeout in the smtp transport. When a block could not be written in a single write() function, the timeout was being re-applied to each part-write. This seems wrong - if the receiver was accepting one byte at a time it would take for ever. The timeout is now adjusted when this happens. It doesn't have to be particularly precise. TK/04 Added simple SPF lookup method in EXPERIMENTAL_SPF. See NewStuff for details. Thanks to Chris Webb for the patch! PH/07 Added "fullpostmaster" verify option, which does a check to without a domain if the check to fails. SC/01 Eximstats: added -xls and the ability to specify output files (patch written by Frank Heydlauf). SC/02 Eximstats: use FileHandles for outputing results. SC/03 Eximstats: allow any combination of xls, txt, and html output. SC/04 Eximstats: fixed display of large numbers with -nvr option SC/05 Eximstats: fixed merging of reports with empty tables. SC/06 Eximstats: added the -include_original_destination flag SC/07 Eximstats: removed tabs and trailing whitespace. TK/05 Malware: Improve on aveserver error handling. Patch from Alex Miller. TK/06 MBOX spool code: Add real "From " MBOX separator line so the .eml file is really in mbox format (even though most programs do not really care). Patch from Alex Miller. TK/07 MBOX spool code: Add X-Envelope-From: and X-Envelope-To: headers. The latter is generated from $received_to and is only set if the message has one envelope recipient. SA can use these headers, obviously out-of-the-box. Patch from Alex Miller. PH/08 The ${def test on a variable was returning false if the variable's value was "0", contrary to what the specification has always said! The result should be true unless the variable is empty. PH/09 The syntax error of a character other than { following "${if def:variable_name" (after optional whitespace) was not being diagnosed. An expansion such as ${if def:sender_ident:{xxx}{yyy}} in which an accidental colon was present, for example, could give incorrect results. PH/10 Tidied the code in a number of places where the st_size field of a stat() result is used (not including appendfile, where other changes are about to be made). PH/11 Upgraded appendfile so that quotas larger than 2G are now supported. This involved changing a lot of size variables from int to off_t. It should work with maildirs and everything. TK/08 Apply fix provided by Michael Haardt to prevent deadlock in case of spamd dying while we are connected to it. TF/05 Fixed a ${extract error message typo reported by Jeremy Harris PH/12 Applied Alex Kiernan's patch for the API change for the error callback function for BDB 4.3. PH/13 Changed auto_thaw such that it does not apply to bounce messages. PH/14 Imported PCRE 6.0; this was more than just a trivial operation because the sources for PCRE have been re-arranged and more files are now involved. PH/15 The code I had for printing potentially long long variables in PH/11 above was not the best (it lost precision). The length of off_t variables is now inspected at build time, and an appropriate printing format (%ld or %lld) is chosen and #defined by OFF_T_FMT. We also define LONGLONG_T to be "long long int" or "long int". This is needed for the internal formatting function string_vformat(). PH/16 Applied Matthew Newton's patch to exicyclog: "If log_file_path is set in the configuration file to be ":syslog", then the script "guesses" where the logs files are, rather than using the compiled in default. In our case the guess is not the same as the compiled default, so the script suddenly stopped working when I started to use syslog. The patch checks to see if log_file_path is "". If so, it attempts to read it from exim with no configuration file to get the compiled in version, before it falls back to the previous guessing code." TK/09 Added "prvs" and "prvscheck" expansion items. These help a lot with implementing BATV in an Exim configuration. See NewStuff for the gory details. PH/17 Applied Michael Haardt's patch for HP-UX, affecting only the os.h and Makefile that are specific to HP-UX. PH/18 If the "use_postmaster" option was set for a recipient callout together with the "random" option, the postmaster address was used as the MAIL FROM address for the random test, but not for the subsequent recipient test. It is now used for both. PH/19 Applied Michael Haardt's patch to update Sieve to RFC3028bis. "The patch removes a few documentation additions to RFC 3028, because the latest draft now contains them. It adds the new en;ascii-case comparator and a new error check for 8bit text in MIME parts. Comparator and require names are now matched exactly. I enabled the subaddress extension, but it is not well tested yet (read: it works for me)." PH/20 Added macros for time_t as for off_t (see PH/15 above) and used them to rework some of the code of TK/09 above to avoid the hardwired use of "%lld" and "long long". Replaced the call to snprintf() with a call to string_vformat(). PH/21 Added another message to those in 4.51/PH/42, namely "All relevant MX records point to non-existent hosts". PH/22 Fixed some oversights/typos causing bugs when Exim is compiled with experimental DomainKeys support: (1) The filter variables $n0-$n9 and $sn0-$sn9 were broken. (2) On an error such as an illegally used "control", the wrong name for the control was given. These problems did NOT occur unless DomainKeys support was compiled. PH/23 Added daemon_startup_retries and daemon_startup_sleep. PH/24 Added ${if match_ip condition. PH/25 Put debug statements on either side of calls to EXIM_DBOPEN() for hints databases so that it will be absolutely obvious if a crash occurs in the DB library. This is a regular occurrence (often caused by mis-matched db.h files). PH/26 Insert a lot of missing (void) casts for functions such as chown(), chmod(), fcntl(), and sscanf(). These were picked up on a user's system that detects such things. There doesn't seem to be a gcc warning option for this - only an attribute that has to be put on the function's prototype. I'm sure I haven't caught all of these, but it's a start. PH/27 If a dnslookup or manualroute router is set with verify=only, it need not specify a transport. However, if an address that was verified by such a router was the subject of a callout, Exim crashed because it tried to read the rcpt_include_affixes from the non-existent transport. Now it just assumes that the setting of that option is false. This bug was introduced by 4.51/PH/31. Exim version 4.51 ----------------- TK/01 Added Yahoo DomainKeys support via libdomainkeys. See doc/experimental-spec.txt for details. (http://domainkeys.sf.net) TK/02 Fix ACL "control" statement not being available in MIME ACL. TK/03 Fix ACL "regex" condition not being available in MIME ACL. PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used to test Sieve filters that use "vacation". PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch that changes the way the GnuTLS parameters are stored in the cache file. The new format can be generated externally. For backward compatibility, if the data in the cache doesn't make sense, Exim assumes it has read an old-format file, and it generates new data and writes a new file. This means that you can't go back to an older release without removing the file. PH/03 A redirect router that has both "unseen" and "one_time" set does not work if there are any delivery delays because "one_time" forces the parent to be marked "delivered", so its unseen clone is never tried again. For this reason, Exim now forbids the simultaneous setting of these two options. PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are redirected to themselves ("homonym" addresses). Read the long ChangeLog entry if you want to know the details. The fix, however, neglected to consider the case when local delivery batching is involved. The test for "previously delivered" was not happening when checking to see if an address could be batched with a previous (undelivered) one; under certain circumstances this could lead to multiple deliveries to the same address. PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T in its include files, and this causes problems building Exim. PH/06 A number of "verify =" ACL conditions have no options (e.g. verify = header_syntax) but Exim was just ignoring anything given after a slash. In particular, this caused confusion with an attempt to use "verify = reverse_host_lookup/defer_ok". An error is now given when options are supplied for verify items that do not have them. (Maybe reverse_host_ lookup should have a defer_ok option, but that's a different point.) PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as defined by RFC 821) to 2048, because there were problems with some AUTH commands, and RFC 1869 says the size should be increased for extended SMTP commands that take arguments. PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony Finch). PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an "unknown" error; now it says that the functionality isn't in the binary. PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in an address' error message when a string expansion fails (syntax or whatever). Otherwise the password may appear in the log. Following change PH/42 below, there is no longer a chance of it appearing in a bounce message. PH/11 Installed exipick version 20050225.0 from John Jetmore. PH/12 If the last host in a fallback_hosts list was multihomed, only the first of its addresses was ever tried. (Bugzilla bug #2.) PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed the result incorrectly in the debug output. (It correctly added a newline to what was transported.) TF/01 Added $received_time. PH/14 Modified the default configuration to add an acl_smtp_data ACL, with commented out examples of how to interface to a virus scanner and to SpamAssassin. Also added commented examples of av_scanner and spamd_address settings. PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions and controls are allowed in which ACLs. There were a couple of minor errors. Some of the entries in the conditions table (which is a table of where they are NOT allowed) were getting very unwieldy; rewrote them as a negation of where the condition IS allowed. PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer. PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the header file does not have a version number, so I've had to invent a new value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new API. The code is untested by me (my Linux distribution still has 0.3.2 of radiusclient), but it was contributed by a Radius user. PH/18 Installed Lars Mainka's patch for the support of CRL collections in files or directories, for OpenSSL. PH/19 When an Exim process that is running as root has to create an Exim log file, it does so in a subprocess that runs as exim:exim so as to get the ownership right at creation (otherwise, other Exim processes might see the file with the wrong ownership). There was no test for failure of this fork() call, which would lead to the process getting stuck as it waited for a non-existent subprocess. Forks do occasionally fail when resources run out. I reviewed all the other calls to fork(); they all seem to check for failure. PH/20 When checking for unexpected SMTP input at connect time (before writing the banner), Exim was not dealing correctly with a non-positive return from the read() function. If the client had disconnected by this time, the result was a log entry for a synchronization error with an empty string after "input=" when read() returned zero. If read() returned -1 (an event I could not check), uninitialized data bytes were printed. There were reports of junk text (parts of files, etc) appearing after "input=". PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages. PH/22 Added support for macro redefinition, and (re)definition in between driver and ACL definitions. PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then forgetting to use the resulting value; it was using the unexpanded value. PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it hadn't been configured. The fix is from Juergen Kreileder, who understands it better than I do: "Here's what I see happening with three configured cyrus_sasl authenticators configured (plain, login, cram-md5): On startup auth_cyrus_sasl_init() gets called for each of these. This means three calls to sasl_listmech() without a specified mech_list. => SASL tests which mechs of all available mechs actually work => three warnings about OTP not working => the returned list contains: plain, login, cram-md5, digest-md5, ... With the patch, sasl_listmech() also gets called three times. But now SASL's mech_list option is set to the server_mech specified in the the authenticator. Or in other words, the answer from sasl_listmech() gets limited to just the mech you're testing for (which is different for each call.) => the return list contains just 'plain' or 'login', 'cram-md5' or nothing depending on the value of ob->server_mech. I've just tested the patch: Authentication still works fine, unavailable mechs specified in the exim configuration are still caught, and the auth.log warnings about OTP are gone." PH/25 When debugging is enabled, the contents of the command line are added to the debugging output, even when log_selector=+arguments is not specified. PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the answer is "GNU", and only if the return is "GNU/something" is the answer "Linux". PH/27 $acl_verify_message is now set immediately after the failure of a verification in an ACL, and so is available in subsequent modifiers. In particular, the message can be preserved by coding like this: warn !verify = sender set acl_m0 = $acl_verify_message Previously, $acl_verify_message was set only while expanding "message" and "log_message" when a very denied access. PH/28 Modified OS/os.c-Linux with -#ifndef OS_LOAD_AVERAGE +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__) to make Exim compile on kfreebsd-gnu. (I'm totally confused about the nomenclature these days.) PH/29 Installed patch from the Sieve maintainer that adds the options sieve_useraddress and sieve_subaddress to the redirect router. PH/30 In these circumstances: . Two addresses routed to the same list of hosts; . First host does not offer TLS; . First host accepts first address; . First host gives temporary error to second address; . Second host offers TLS and a TLS session is established; . Second host accepts second address. Exim incorrectly logged both deliveries with the TLS parameters (cipher and peerdn, if requested) that were in fact used only for the second address. PH/31 When doing a callout as part of verifying an address, Exim was not paying attention to any local part prefix or suffix that was matched by the router that accepted the address. It now behaves in the same way as it does for delivery: the affixes are removed from the local part unless rcpt_include_affixes is set on the transport. PH/32 Add the sender address, as F=<...>, to the log line when logging a timeout during the DATA phase of an incoming message. PH/33 Sieve envelope tests were broken for match types other than :is. I have applied a patch sanctioned by the Sieve maintainer. PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where the uid or gid is negative. A case of a negative gid caused this to be noticed. The fix allows for either to be negative. PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code clutter, but the tables that are indexed by ACL_WHERE_xxx values had been overlooked. PH/36 The change PH/12 above was broken. Fixed it. PH/37 Exim used to check for duplicate addresses in the middle of routing, on the grounds that routing the same address twice would always produce the same answer. This might have been true once, but it is certainly no longer true now. Routing a child address may depend on the previous routing that produced that child. Some complicated redirection strategies went wrong when messages had multiple recipients, and made Exim's behaviour dependent on the order in which the addresses were given. I have moved the duplicate checking until after the routing is complete. Exim scans the addresses that are assigned to local and remote transports, and removes any duplicates. This means that more work will be done, as duplicates will always all be routed, but duplicates are presumably rare, so I don't expect this is of any significance. For deliveries to pipes, files, and autoreplies, the duplicate checking still happens during the routing process, since they are not going to be routed further. PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner. It corrects a timeout issue with spamd. This is Ian's comment: "The background is that sometimes spamd either never reads data from a connection it has accepted, or it never writes response data. The exiscan spam.[ch] uses a 3600 second timeout on spamd socket reads, further, it blindly assumes that writes won't block so it may never time out." PH/39 Allow G after quota size as well as K and M. PH/40 The value set for $authenticated_id in an authenticator may not contain binary zeroes or newlines because the value is written to log lines and to spool files. There was no check on this. Now the value is run through the string_printing() function so that such characters are converted to printable escape sequences. PH/41 $message_linecount is a new variable that contains the total number of lines in the message. Compare $body_linecount, which is the count for the body only. PH/42 Exim no longer gives details of delivery errors for specific addresses in bounce and delay warning messages, except in certain special cases, which are as follows: (a) An SMTP error message from a remote host; (b) A message specified in a :fail: redirection; (c) A message specified in a "fail" command in a system filter; (d) A message specified in a FAIL return from the queryprogram router; (e) A message specified by the cannot_route_message router option. In these cases only, Exim does include the error details in bounce and warning messages. There are also a few cases where bland messages such as "unrouteable address" or "local delivery error" are given. PH/43 $value is now also set for the "else" part of a ${run expansion. PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still being worked on, but at least Exim now implements the latest version to play with." PH/45 In a pipe transport, although a timeout while waiting for the pipe process to complete was treated as a delivery failure, a timeout while writing the message to the pipe was logged, but erroneously treated as a successful delivery. Such timeouts include transport filter timeouts. For consistency with the overall process timeout, these timeouts are now treated as errors, giving rise to delivery failures by default. However, there is now a new Boolean option for the pipe transport called timeout_defer, which, if set TRUE, converts the failures into defers for both kinds of timeout. A transport filter timeout is now identified in the log output. PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On systems where "make" and "gmake" are different, calling "gmake" at top level broke things. I've arranged for the value of $(MAKE) to be passed from the Makefile to this script so that it can call the same version of "make". A note about Exim versions 4.44 and 4.50 ---------------------------------------- Exim 4.50 was meant to be the next release after 4.43. It contains a lot of changes of various kinds. As a consequence, a big documentation update was needed. This delayed the release for rather longer than seemed good, especially in the light of a couple of (minor) security issues. Therefore, the changes that fixed bugs were backported into 4.43, to create a 4.44 maintenance release. So 4.44 and 4.50 are in effect two different branches that both start from 4.43. I have left the 4.50 change log unchanged; it contains all the changes since 4.43. The change log for 4.44 is below; many of its items are identical to those for 4.50. This seems to be the most sensible way to preserve the historical information. Exim version 4.50 ----------------- 1. Minor wording change to the doc/README.SIEVE file. 2. Change 4.43/35 introduced a bug: if quota_filecount was set, the computation of the current number of files was incorrect. 3. Closing a stable door: arrange to panic-die if setitimer() ever fails. The bug fixed in 4.43/37 would have been diagnosed quickly if this had been in place. 4. Give more explanation in the error message when the command for a transport filter fails to execute. 5. There are several places where Exim runs a non-Exim command in a subprocess. The SIGUSR1 signal should be disabled for these processes. This was being done only for the command run by the queryprogram router. It is now done for all such subprocesses. The other cases are: ${run, transport filters, and the commands run by the lmtp and pipe transports. 6. Added CONFIGURE_GROUP build-time option. 7. Some older OS have a limit of 256 on the maximum number of file descriptors. Exim was using setrlimit() to set 1000 as a large value unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these systems. I've change it so that if it can't get 1000, it tries for 256. 8. "control=submission" was allowed, but had no effect, in a DATA ACL. This was an oversight, and furthermore, ever since the addition of extra controls (e.g. 4.43/32), the checks on when to allow different forms of "control" were broken. There should now be diagnostics for all cases when a control that does not make sense is encountered. 9. Added the /retain_sender option to "control=submission". 10. $recipients is now available in the predata ACL (oversight). 11. Tidy the search cache before the fork to do a delivery from a message received from the command line. Otherwise the child will trigger a lookup failure and thereby defer the delivery if it tries to use (for example) a cached ldap connection that the parent has called unbind on. 12. If verify=recipient was followed by verify=sender in a RCPT ACL, the value of $address_data from the recipient verification was clobbered by the sender verification. 13. The value of address_data from a sender verification is now available in $sender_address_data in subsequent conditions in the ACL statement. 14. Added forbid_sieve_filter and forbid_exim_filter to the redirect router. 15. Added a new option "connect=