years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.
+JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
+ a downgraded non-dane trust-anchor for the TLS connection (CA-style)
+ or even an in-clear connection were permitted. Now, if the host lookup
+ was dnssec and dane was requested then the host is only used if the
+ TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
+ MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
+ if one fails this test.
+ This means that a poorly-configured remote DNS will make it incommunicado;
+ but it protects against a DNS-interception attack on it.
+
+JH/04 Bug 1810: make continued-use of an open smtp transport connection
+ non-noisy when a race steals the message being considered.
+
+JH/05 If main configuration option tls_certificate is unset, generate a
+ selfsigned certificate for inbound TLS connections.
+
+JH/06 Bug 165: hide more cases of password exposure - this time in expansions
+ in rewrites and routers.
+
Exim version 4.87
-----------------
JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command
added for tls authenticator.
+HS/03 Add perl_taintmode main config option
+
Exim version 4.85
-----------------