that might affect a running system.
+Exim version 4.88
+-----------------
+
+ * The "demime" ACL condition, deprecated for the past 10 years, has
+ now been removed.
+
+ * Old GnuTLS configuration options "gnutls_require_kx", "gnutls_require_mac",
+ and "gnutls_require_protocols" have now been removed. (Inoperative from
+ 4.80, per below; logging warnings since 4.83, again per below).
+
+
+Exim version 4.83
+-----------------
+
+ * SPF condition results renamed "permerror" and "temperror". The old
+ names are still accepted for back-compatability, for this release.
+
+ * TLS details are now logged on rejects, subject to log selectors.
+
+ * Items in headers_remove lists must now have any embedded list-separators
+ doubled.
+
+ * Attempted use of the deprecated options "gnutls_require_kx" et. al.
+ now result in logged warning.
+
+
+Exim version 4.82
+-----------------
+
+ * New option gnutls_allow_auto_pkcs11 defaults false; if you have GnuTLS 2.12.0
+ or later and do want PKCS11 modules to be autoloaded, then set this option.
+
+ * A per-transport wait-<name> database is no longer updated if the transport
+ sets "connection_max_messages" to 1, as it can not be used and causes
+ unnecessary serialisation and load. External tools tracking the state of
+ Exim by the hints databases may need modification to take this into account.
+
+ * The av_scanner option can now accept multiple clamd TCP targets, all other
+ setting limitations remain.
+
+
Exim version 4.80
-----------------
the message. No tool has been provided as we believe this is a rare
occurence.
+ * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support
+ SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no
+ actual usage. You can re-enable with the "openssl_options" Exim option,
+ in the main configuration section. Note that supporting SSLv2 exposes
+ you to ciphersuite downgrade attacks.
+
* With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built
against 1.0.1a then you will get a warning message and the
"openssl_options" value will not parse "no_tlsv1_1": the value changes
"openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression".
COMPATIBILITY WARNING: The default value of "openssl_options" is no longer
- "+dont_insert_empty_fragments". We default to unset. That old default was
- grandfathered in from before openssl_options became a configuration option.
+ "+dont_insert_empty_fragments". We default to "+no_sslv2".
+ That old default was grandfathered in from before openssl_options became a
+ configuration option.
Empty fragments are inserted by default through TLS1.0, to partially defend
against certain attacks; TLS1.1+ change the protocol so that this is not
needed. The DIEF SSL option was required for some old releases of mail
is instead given to gnutls_priority_init(3), which expects a priority string;
this behaviour is much closer to the OpenSSL behaviour. See:
- http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
+ http://www.gnutls.org/manual/html_node/Priority-Strings.html
for fuller documentation of the strings parsed. The three gnutls_require_*
options are still parsed by Exim and, for this release, silently ignored.