X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/1f5b4c3d3200be53a3a6f2bf6791b70fc543b32f..2d2b05f476c12d85519b3bf8997585c8631004da:/doc/doc-txt/ChangeLog?ds=sidebyside diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 349296817..99e28d07a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,8 +1,1765 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.57 2004/12/22 12:05:45 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.425 2006/11/06 15:50:12 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- +Exim version 4.64 +----------------- +TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a + leftover -K file (the existence of which was triggered by #402). + While we were at it, introduced process PID as part of the -K + filename. This should rule out race conditions when creating + these files. + +TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing + processing considerably. Previous code took too long for large mails, + triggering a timeout which in turn triggers #401. + +TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used + in the DK code in transports.c. sendfile() is not really portable, + hence the _LINUX specificness. + +TF/01 In the add_headers option to the mail command in an Exim filter, + there was a bug that Exim would claim a syntax error in any + header after the first one which had an odd number of characters + in the field name. + +PH/01 If a server that rejects MAIL FROM:<> was the target of a sender + callout verification, Exim cached a "reject" for the entire domain. This + is correct for most verifications, but it is not correct for a recipient + verification with use_sender or use_postmaster set, because in that case + the callout does not use MAIL FROM:<>. Exim now distinguishes the special + case of MAIL FROM:<> rejection from other early rejections (e.g. + rejection of HELO). When verifying a recipient using a non-null MAIL + address, the cache is ignored if it shows MAIL FROM:<> rejection. + Whatever the result of the callout, the value of the domain cache is + left unchanged (for any other kind of callout, getting as far as trying + RCPT means that the domain itself is ok). + +PH/02 Tidied a number of unused variable and signed/unsigned warnings that + gcc 4.1.1 threw up. + +PH/03 On Solaris, an unexpectedly close socket (dropped connection) can + manifest itself as EPIPE rather than ECONNECT. When tidying away a + session, the daemon ignores ECONNECT errors and logs others; it now + ignores EPIPE as well. + +PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c + (quoted-printable decoding). + +PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and + later the small subsequent patch to fix an introduced bug. + +PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer. + +PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}. + +PH/08 An error is now given if message_size_limit is specified negative. + +PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables + to be given (somewhat) arbitrary names. + +JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced + in 4.64-PH/09. + +JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions, + miscellaneous code fixes + +PH/10 Added the log_reject_target ACL modifier to specify where to log + rejections. + +PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ + hostname. This is wrong, because it relates to the incoming message (and + probably the interface on which it is arriving) and not to the outgoing + callout (which could be using a different interface). This has been + changed to use the value of the helo_data option from the smtp transport + instead - this is what is used when a message is actually being sent. If + there is no remote transport (possible with a router that sets up host + addresses), $smtp_active_hostname is used. + +PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various + tweaks were necessary in order to get it to work (see also 21 below): + (a) The code assumed that strncpy() returns a negative number on buffer + overflow, which isn't the case. Replaced with Exim's string_format() + function. + (b) There were several signed/unsigned issues. I just did the minimum + hacking in of casts. There is scope for a larger refactoring. + (c) The code used strcasecmp() which is not a standard C function. + Replaced with Exim's strcmpic() function. + (d) The code set only $1; it now sets $auth1 as well. + (e) A simple test gave the error "authentication client didn't specify + service in request". It would seem that Dovecot has changed its + interface. Fortunately there's a specification; I followed it and + changed what the client sends and it appears to be working now. + +PH/13 Added $message_headers_raw to provide the headers without RFC 2047 + decoding. + +PH/14 Corrected misleading output from -bv when -v was also used. Suppose the + address A is aliased to B and C, where B exists and C does not. Without + -v the output is "A verified" because verification stops after a + successful redirection if more than one address is generated. However, + with -v the child addresses are also verified. Exim was outputting "A + failed to verify" and then showing the successful verification for C, + with its parentage. It now outputs "B failed to verify", showing B's + parentage before showing the successful verification of C. + +PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to + look up a TXT record in a specific list after matching in a combined + list. + +PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and + RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when + they consult the DNS. I had assumed they would set it the way they + wanted; and indeed my experiments on Linux seem to show that in some + cases they do (I could influence IPv6 lookups but not IPv4 lookups). + To be on the safe side, however, I have now made the interface to + host_find_byname() similar to host_find_bydns(), with an argument + containing the DNS resolver options. The host_find_byname() function now + sets these options at its start, just as host_find_bydns() does. The smtp + transport options dns_qualify_single and dns_search_parents are passed to + host_find_byname() when gethostbyname=TRUE in this transport. Other uses + of host_find_byname() use the default settings of RES_DEFNAMES + (qualify_single) but not RES_DNSRCH (search_parents). + +PH/17 Applied (a modified version of) Nico Erfurth's patch to make + spool_read_header() do less string testing, by means of a preliminary + switch on the second character of optional "-foo" lines. (This is + overdue, caused by the large number of possibilities that now exist. + Originally there were few.) While I was there, I also converted the + str(n)cmp tests so they don't re-test the leading "-" and the first + character, in the hope this might squeeze out yet more improvement. + +PH/18 Two problems with "group" syntax in header lines when verifying: (1) The + flag allowing group syntax was set by the header_syntax check but not + turned off, possible causing trouble later; (2) The flag was not being + set at all for the header_verify test, causing "group"-style headers to + be rejected. I have now set it in this case, and also caused header_ + verify to ignore an empty address taken from a group. While doing this, I + came across some other cases where the code for allowing group syntax + while scanning a header line wasn't quite right (mostly, not resetting + the flag correctly in the right place). These bugs could have caused + trouble for malformed header lines. I hope it is now all correct. + +PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called + with the "reply" argument non-NULL. The code, however (which originally + came from elsewhere) had *some* tests for NULL when it wrote to *reply, + but it didn't always do it. This confused somebody who was copying the + code for some other use. I have removed all the tests. + +PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a + feature that was used to support insecure browsers during the U.S. crypto + embargo. It requires special client support, and Exim is probably the + only MTA that supported it -- and would never use it because real RSA is + always available. This code has been removed, because it had the bad + effect of slowing Exim down by computing (never used) parameters for the + RSA_EXPORT functionality. + +PH/21 On the advice of Timo Sirainen, added a check to the dovecot + authenticator to fail if there's a tab character in the incoming data + (there should never be unless someone is messing about, as it's supposed + to be base64-encoded). Also added, on Timo's advice, the "secured" option + if the connection is using TLS or if the remote IP is the same as the + local IP, and the "valid-client-cert option" if a client certificate has + been verified. + +PH/22 As suggested by Dennis Davis, added a server_condition option to *all* + authenticators. This can be used for authorization after authentication + succeeds. (In the case of plaintext, it servers for both authentication + and authorization.) + +PH/23 Testing for tls_required and lost_connection in a retry rule didn't work + if any retry times were supplied. + +PH/24 Exim crashed if verify=helo was activated during an incoming -bs + connection, where there is no client IP address to check. In this + situation, the verify now always succeeds. + +PH/25 Applied John Jetmore's -Mset patch. + +PH/26 Added -bem to be like -Mset, but loading a message from a file. + +PH/27 In a string expansion for a processed (not raw) header when multiple + headers of the same name were present, leading whitespace was being + removed from all of them, but trailing whitespace was being removed only + from the last one. Now trailing whitespace is removed from each header + before concatenation. Completely empty headers in a concatenation (as + before) are ignored. + +PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John + Jetmore). It would have mis-read ACL variables from pre-4.61 spool files. + +PH/29 [Removed. This was a change that I later backed out, and forgot to + correct the ChangeLog entry (that I had efficiently created) before + committing the later change.] + +PH/30 Exim was sometimes attempting to deliver messages that had suffered + address errors (4xx response to RCPT) over the same connection as other + messages routed to the same hosts. Such deliveries are always "forced", + so retry times are not inspected. This resulted in far too many retries + for the affected addresses. The effect occurred only when there were more + hosts than the hosts_max_try setting in the smtp transport when it had + the 4xx errors. Those hosts that it had tried were not added to the list + of hosts for which the message was waiting, so if all were tried, there + was no problem. Two fixes have been applied: + + (i) If there are any address or message errors in an SMTP delivery, none + of the hosts (tried or untried) are now added to the list of hosts + for which the message is waiting, so the message should not be a + candidate for sending over the same connection that was used for a + successful delivery of some other message. This seems entirely + reasonable: after all the message is NOT "waiting for some host". + This is so "obvious" that I'm not sure why it wasn't done + previously. Hope I haven't missed anything, but it can't do any + harm, as the worst effect is to miss an optimization. + + (ii) If, despite (i), such a delivery is accidentally attempted, the + routing retry time is respected, so at least it doesn't keep + hammering the server. + +PH/31 Installed Andrew Findlay's patch to close the writing end of the socket + in ${readsocket because some servers need this prod. + +PH/32 Added some extra debug output when updating a wait-xxx database. + +PH/33 The hint "could be header name not terminated by colon", which has been + given for certain expansion errors for a long time, was not being given + for the ${if def:h_colon_omitted{... case. + +PH/34 The spec says: "With one important exception, whenever a domain list is + being scanned, $domain contains the subject domain." There was at least + one case where this was not true. + +PH/35 The error "getsockname() failed: connection reset by peer" was being + written to the panic log as well as the main log, but it isn't really + panic-worthy as it just means the connection died rather early on. I have + removed the panic log writing for the ECONNRESET error when getsockname() + fails. + +PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue + runs only) independently of the message's sender address. This meant + that, if the 4xx error was in fact related to the sender, a different + message to the same recipient with a different sender could confuse + things. In particualar, this can happen when sending to a greylisting + server, but other circumstances could also provoke similar problems. + I have changed the default so that the retry time for these errors is now + based a combination of the sender and recipient addresses. This change + can be overridden by setting address_retry_include_sender=false in the + smtp transport. + + +Exim version 4.63 +----------------- + +SC/01 Use a glob alias rather than an array ref in eximstats generated + parser. This improves both readability and performance. + +SC/02 Collect SpamAssassin and rejection statistics in eximstats. + Don't display local sender or destination tables in eximstats unless + there is data to show. + Added average volumes into the eximstats top table text output. + +SC/03 Collect data on the number of addresses (recipients) as well + as the number of messages in eximstats. + +TF/01 Correct an error in the documentation for the redirect router. Exim + does (usually) call initgroups() when daemonizing. + +TF/02 Call initgroups() when dropping privilege in exim.c, so that Exim runs + with consistent privilege compared to when running as a daemon. + +TF/03 Note in the spec that $authenticated_id is not set for local + submissions from trusted users. + +TF/04 The ratelimit per_rcpt option now works correctly in acl_not_smtp. + Thanks to Dean Brooks for the patch. + +TF/05 Make it easier to get SMTP authentication and TLS/SSL support working + by adding some example configuration directives to the default + configuration file. A little bit of work is required to uncomment the + directives and define how usernames and passwords are checked, but + there is now a framework to start from. + +PH/01 Added #define LDAP_DEPRECATED 1 to ldap.c because some of the "old" + functions that Exim currently uses aren't defined in ldap.h for OpenLDAP + without this. I don't know how relevant this is to other LDAP libraries. + +PH/02 Add the verb name to the "unknown ACL verb" error. + +PH/03 Magnus Holmgren's patch for filter_prepend_home. + +PH/03 Fixed Bugzilla #101: macro definition between ACLs doesn't work. + +PH/04 Applied Magnus Holmgren's patch to fix Bugzilla #98: transport's home + directory not expanded when it should be if an expanded home directory + was set for the address (which is overridden by the transport). + +PH/05 Applied Alex Kiernan's patch to fix Bugzilla #99: a problem with + libradius. + +PH/06 Added acl_not_smtp_start, based on Johannes Berg's patch, and set the + bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL, + because it is too late at that time, and has no effect. + +PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a + security issue with \' (bugzilla #107). I could not use the + PQescapeStringConn() function, because it needs a PGconn value as one of + its arguments. + +PH/08 When testing addresses using -bt, indicate those final addresses that + are duplicates that would not cause an additional delivery. At least one + person was confused, thinking that -bt output corresponded to deliveries. + (Suppressing duplicates isn't a good idea as you lose the information + about possibly different redirections that led to the duplicates.) + +PH/09 Applied patch from Erik to use select() instead of poll() in spam.c on + systems where poll() doesn't work, in particular OS X. + +PH/10 Added more information to debugging output for retry time not reached. + +PH/11 Applied patch from Arkadiusz Miskiewicz to apply a timeout to read + operations in malware.c. + +PH/12 Applied patch from Magnus Holmgren to include the "h" tag in Domain Keys + signatures. + +PH/13 If write_rejectlog was set false when logging was sent to syslog with + syslog_duplication set false, log lines that would normally be written + both the the main log and to the reject log were not written to syslog at + all. + +PH/14 In the default configuration, change the use of "message" in ACL warn + statements to "add_header". + +PH/15 Diagnose a filter syntax error for "seen", "unseen", or "noerror" if not + not followed by a command (e.g. "seen endif"). + +PH/16 Recognize SMTP codes at the start of "message" in ACLs and after :fail: + and :defer: in a redirect router. Add forbid_smtp_code to suppress the + latter. + +PH/17 Added extra conditions to the default value of delay_warning_condition + so that it is now: + + ${if or { \ + { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} } \ + { match{$h_precedence:}{(?i)bulk|list|junk} } \ + { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} } \ + }{no}{yes}} + + The Auto-Submitted: and various List- headers are standardised, whereas I + don't think Precedence: ever was. + +PH/18 Refactored debugging code in route_finduser() to show more information, + in particular, the error code if getpwnam() issues one. + +PH/19 Added PQsetClientEncoding(conn, "SQL_ASCII") to the pgsql code module. + This is apparently needed in addition to the PH/07 change above to avoid + any possible encoding problems. + +PH/20 Perl can change the locale. Exim was resetting it after a ${perl call, + but not after initializing Perl. + +PH/21 Added a call to PQsetNoticeProcessor() to catch pgsql "notices" and + output them only if debugging. By default they are written stderr, + apparently, which is not desirable. + +PH/22 Added Alain Williams' LDAP patch to support setting REFERRALS=off on + queries. + +JJ/01 exipick: added --reverse (and -R synonym), --random, --size, --sort and + --not options + +JJ/02 exipick: rewrote --help documentation to hopefully make more clear. + +PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is + authenticated or an ident call has been made. Suppress the default + values for $authenticated_id and $authenticated_sender (but permit -oMai + and -oMas) when testing with -bh. + +PH/24 Re-jigged the order of the tests in the default configuration so that the + tests for valid domains and recipients precede the DNS black list and CSA + tests, on the grounds that those ones are more expensive. + +PH/25 Exim was not testing for a space following SMTP commands such as EHLO + that require one. Thus, EHLORHUBARB was interpreted as a valid command. + This bug exists in every version of Exim that I still have, right back to + 0.12. + +PH/26 (n)wildlsearch lookups are documented as being done case-insensitively. + However, an attempt to turn on case-sensitivity in a regex key by + including (?-i) didn't work because the subject string was already + lowercased, and the effects were non-intuitive. It turns out that a + one-line patch can be used to allow (?-i) to work as expected. + + +Exim version 4.62 +----------------- + +TF/01 Fix the add_header change below (4.61 PH/55) which had a bug that (amongst + other effects) broke the use of negated acl sub-conditions. + +PH/01 ${readsocket now supports Internet domain sockets (modified John Jetmore + patch). + +PH/02 When tcp-wrappers is called from Exim, it returns only "deny" or "allow". + "Deny" causes Exim to reject the incoming connection with a 554 error. + Unfortunately, if there is a major crisis, such as a disk failure, + tcp-wrappers gives "deny", whereas what one would like would be some + kind of temporary error. A kludge has been added to help with this. + Before calling hosts_ctl(), errno is set zero. If the result is "deny", a + 554 error is used if errno is still zero or contains ENOENT (which occurs + if either of the /etc/hosts.{allow,deny} files is missing). Otherwise, a + 451 error is used. + +PH/03 Add -lutil to the default FreeBSD LIBS setting. + +PH/04 Change PH/19 for 4.61 was too wide. It should not be applied to host + errors. Otherwise a message that provokes a temporary error (when other + messages do not) can cause a whole host to time out. + +PH/05 Batch deliveries by appendfile and pipe transports did not work when the + addresses were routed directly to files or pipes from a redirect router. + File deliveries just didn't batch; pipe deliveries might have suffered + odd errors. + +PH/06 A failure to get a lock for a hints database would erroneously always say + "Failed to get write lock", even when it was really a read lock. + +PH/07 The appendfile transport was creating MBX lock files with a fixed mode + of 0600. This has been changed to use the value of the lockfile_mode + option (which defaults to 0600). + +PH/08 Applied small patch from the Sieve maintainer. + +PH/09 If maildir_quota_directory_regex was set to exclude (say) the .Trash + folder from quota calculations, a direct delivery into this folder messed + up the contents of the maildirsize file. This was because the regex was + used only to exclude .Trash (or whatever) when the size of the mailbox + was calculated. There was no check that a delivery was happening into an + excluded directory. This bug has been fixed by ignoring all quota + processing for deliveries into excluded directories. + +PH/10 Added the maildirfolder_create_regex option to appendfile. + + +Exim version 4.61 +----------------- + +PH/01 The code for finding all the local interface addresses on a FreeBSD + system running IPv6 was broken. This may well have applied to all BSD + systems, as well as to others that have similar system calls. The broken + code found IPv4 interfaces correctly, but gave incorrect values for the + IPv6 interfaces. In particular, ::1 was not found. The effect in Exim was + that it would not match correctly against @[] and not recognize the IPv6 + addresses as local. + +PH/02 The ipliteral router was not recognizing addresses of the form user@ + [ipv6:....] because it didn't know about the "ipv6:" prefix. + +PH/03 Added disable_ipv6. + +PH/04 Changed $reply_address to use the raw form of the headers instead of the + decoded form, because it is most often used to construct To: headers + lines in autoreplies, and the decoded form may well be syntactically + invalid. However, $reply_address has leading white space removed, and all + newlines turned into spaces so that the autoreply transport does not + grumble. + +PH/05 If group was specified without a user on a router, and no group or user + was specified on a transport, the group from the router was ignored. + +PH/06 Increased the number of ACL variables to 20 of each type, and arranged + for visible compile-time settings that can be used to change these + numbers, for those that want even more. Backwards compatibility with old + spool files has been maintained. However, going back to a previous Exim + release will lost any variables that are in spool files. + +PH/07 Two small changes when running in the test harness: increase delay when + passing a TCP/IP connection to a new process, in case the original + process has to generate a bounce, and remove special handling of + 127.0.0.2 (sic), which is no longer necessary. + +PH/08 Changed debug output of dbfn_open() flags from numbers to names, so as to + be the same on different OS. + +PH/09 Moved a debug statement in filter processing to avoid a race problem when + testing. + +JJ/01 exipick: fixed bug where -b (brief) output option showed "Vars:" + whether --show-vars was specified or not + +JJ/02 exipick: Added support for new ACL variable spool format introduced + in 4.61-PH/06 + +PH/10 Fixed another bug related to PH/04 above: if an incoming message had a + syntactically invalid From: or Reply-to: line, and a filter used this to + generate an autoreply, and therefore failed to obtain an address for the + autoreply, Exim could try to deliver to a non-existent relative file + name, causing unrelated and misleading errors. What now happens is that + it logs this as a hard delivery error, but does not attempt to create a + bounce message. + +PH/11 The exinext utility has a -C option for testing purposes, but although + the given file was scanned by exinext itself; it wasn't being passed on + when Exim was called. + +PH/12 In the smtp transport, treat an explicit ECONNRESET error the same as + an end-of-file indication when reading a command response. + +PH/13 Domain literals for IPv6 were not recognized unless IPv6 support was + compiled. In many other places in Exim, IPv6 addresses are always + recognized, so I have changed this. It also means that IPv4 domain + literals of the form [IPV4:n.n.n.n] are now always recognized. + +PH/14 When a uid/gid is specified for the queryprogram router, it cannot be + used if the router is not running as root, for example, when verifying at + ACL time, or when using -bh. The debugging output from this situation was + non-existent - all you got was a failure to exec. I have made two + changes: + + (a) Failures to set uid/gid, the current directory, or a process leader + in a subprocess such as that created by queryprogram now generate + suitable debugging ouput when -d is set. + + (b) The queryprogram router detects when it is not running as root, + outputs suitable debugging information if -d is set, and then runs + the subprocess without attempting to change uid/gid. + +PH/15 Minor change to Makefile for building test_host (undocumented testing + feature). + +PH/16 As discussed on the list in Nov/Dec: Exim no longer looks at the + additional section of a DNS packet that returns MX or SRV records. + Instead, it always explicitly searches for A/AAAA records. This avoids + major problems that occur when a DNS server includes only records of one + type (A or AAAA) in an MX/SRV packet. A byproduct of this change has + fixed another bug: if SRV records were looked up and the corresponding + address records were *not* found in the additional section, the port + values from the SRV records were lost. + +PH/17 If a delivery to a pipe, file, or autoreply was deferred, Exim was not + using the correct key (the original address) when searching the retry + rules in order to find which one to use for generating the retry hint. + +PH/18 If quota_warn_message contains a From: header, Exim now refrains from + adding the default one. Similarly, if it contains a Reply-To: header, the + errors_reply_to option, if set, is not used. + +PH/19 When calculating a retry time, Exim used to measure the "time since + failure" by looking at the "first failed" field in the retry record. Now + it does not use this if it is later than than the arrival time of the + message. Instead it uses the arrival time. This makes for better + behaviour in cases where some deliveries succeed, thus re-setting the + "first failed" field. An example is a quota failure for a huge message + when small messages continue to be delivered. Without this change, the + "time since failure" will always be short, possible causing more frequent + delivery attempts for the huge message than are intended. + [Note: This change was subsequently modified - see PH/04 for 4.62.] + +PH/20 Added $auth1, $auth2, $auth3 to contain authentication data (as well as + $1, $2, $3) because the numerical variables can be reset during some + expansion items (e.g. "match"), thereby losing the authentication data. + +PH/21 Make -bV show the size of off_t variables so that the test suite can + decide whether to run tests for quotas > 2G. + +PH/22 Test the values given for quota, quota_filecount, quota_warn_threshold, + mailbox_size, and mailbox_filecount in the appendfile transport. If a + filecount value is greater than 2G or if a quota value is greater than 2G + on a system where the size of off_t is not greater than 4, a panic error + is given. + +PH/23 When a malformed item such as 1.2.3/24 appears in a host list, it can + never match. The debug and -bh output now contains an explicit error + message indicating a malformed IPv4 address or mask. + +PH/24 An host item such as 1.2.3.4/abc was being treated as the IP address + 1.2.3.4 without a mask. Now it is not recognized as an IP address, and + PH/23 above applies. + +PH/25 Do not write to syslog when running in the test harness. The only + occasion when this arises is a failure to open the main or panic logs + (for which there is an explicit test). + +PH/26 Added the /no_tell option to "control=freeze". + +PH/27 If a host name lookup failed very early in a connection, for example, if + the IP address matched host_lookup and the reverse lookup yielded a name + that did not have a forward lookup, an error message of the form "no IP + address found for host xxx.xxx.xxx (during SMTP connection from NULL)" + could be logged. Now it outputs the IP address instead of "NULL". + +PH/28 An enabling patch from MH: add new function child_open_exim2() which + allows the sender and the authenticated sender to be set when + submitting a message from within Exim. Since child_open_exim() is + documented for local_scan(), the new function should be too. + +PH/29 In GnuTLS, a forced expansion failure for tls_privatekey was not being + ignored. In both GnuTLS and OpenSSL, an expansion of tls_privatekey that + results in an empty string is now treated as unset. + +PH/30 Fix eximon buffer overflow bug (Bugzilla #73). + +PH/31 Added sender_verify_fail logging option. + +PH/32 In November 2003, the code in Exim that added an empty Bcc: header when + needed by RFC 822 but not by RFC 2822 was commented out. I have now + tidied the source and removed it altogether. + +PH/33 When a queue run was abandoned because the load average was too high, a + log line was always written; now it is written only if the queue_run log + selector is set. In addition, the log line for abandonment now contains + information about the queue run such as the pid. This is always present + in "start" and "stop" lines but was omitted from the "abandon" line. + +PH/34 Omit spaces between a header name and the colon in the error message that + is given when verify = headers_syntax fails (if there are lots of them, + the message gets confusing). + +PH/35 Change the default for dns_check_names_pattern to allow slashes within + names, as there are now some PTR records that contain slashes. This check + is only to protect against broken name servers that fall over on strange + characters, so the fact that it applies to all lookups doesn't matter. + +PH/36 Now that the new test suite is complete, we can remove some of the + special code in Exim that was needed for the old test suite. For example, + sorting DNS records because real resolvers return them in an arbitrary + order. The new test suite's fake resolver always returns records in the + same order. + +PH/37 When running in the test harness, use -odi for submitted messages (e.g. + bounces) except when queue_only is set, to avoid logging races between + the different processes. + +PH/38 Panic-die if .include specifies a non-absolute path. + +PH/39 A tweak to the "H" retry rule from its user. + +JJ/03 exipick: Removed parentheses from 'next' and 'last' calls that specified + a label. They prevented compilation on older perls. + +JJ/04 exipick: Refactored code to prevent implicit split to @_ which caused + a warning to be raised on newish perls. + +JJ/05 exipick: Fixed bug where -bpc always showed a count of all messages + on queue. Changes to match documented behaviour of showing count of + messages matching specified criteria. + +PH/40 Changed the default ident timeout from 30s to 5s. + +PH/41 Added support for the use of login_cap features, on those BSD systems + that have them, for controlling the resources used by pipe deliveries. + +PH/42 The content-scanning code uses fopen() to create files in which to put + message data. Previously it was not paying any attention to the mode of + the files. Exim runs with umask(0) because the rest of the code creates + files with open(), and sets the required mode explicitly. Thus, these + files were ending up world-writeable. This was not a big issue, because, + being within the spool directory, they were not world-accessible. I have + created a function called modefopen, which takes an additional mode + argument. It sets umask(777), creates the file, chmods it to the required + mode, then resets the umask. All the relevant calls to fopen() in the + content scanning code have been changed to use this function. + +PH/43 If retry_interval_max is set greater than 24 hours, it is quietly reset + to 24 hours. This avoids potential overflow problems when processing G + and H retry rules. I suspect nobody ever tinkers with this value. + +PH/44 Added STRIP_COMMAND=/usr/bin/strip to the FreeBSD Makefile. + +PH/45 When the plaintext authenticator is running as a client, the server's + challenges are checked to ensure they are valid base64 strings. By + default, the authentication attempt is cancelled if an invalid string is + received. Setting client_ignore_invalid_base64 true ignores these errors. + The decoded challenge strings are now placed in $auth1, $auth2, etc. as + they are received. Thus, the responses can be made to depend on the + challenges. If an invalid string is ignored, an empty string is placed in + the variable. + +PH/46 Messages that are created by the autoreply transport now contains a + References: header, in accordance with RFCs 2822 and 3834. + +PH/47 Added authenticated_sender_force to the smtp transport. + +PH/48 The ${prvs expansion was broken on systems where time_t was long long. + +PH/49 Installed latest patch from the Sieve maintainer. + +PH/50 When an Exim quota was set without a file count quota, and mailbox_size + was also set, the appendfile transport was unnecessarily scanning a + directory of message files (e.g. for maildir delivery) to find the count + of files (along with the size), even though it did not need this + information. It now does the scan only if it needs to find either the + size of the count of files. + +PH/51 Added ${time_eval: to convert Exim time strings into seconds. + +PH/52 Two bugs concerned with error handling when the smtp transport is + used in LMTP mode: + + (i) Exim was not creating retry information for temporary errors given + for individual recipients after the DATA command when the smtp transport + was used in LMTP mode. This meant that they could be retried too + frequently, and not timed out correctly. + + (ii) Exim was setting the flag that allows error details to be returned + for LMTP errors on RCPT commands, but not for LMTP errors for individual + recipients that were returned after the DATA command. + +PH/53 This is related to PH/52, but is more general: for any failing address, + when detailed error information was permitted to be returned to the + sender, but the error was temporary, then after the final timeout, only + "retry timeout exceeded" was returned. Now it returns the full error as + well as "retry timeout exceeded". + +PH/54 Added control=allow_auth_unadvertised, as it seems there are clients that + do this, and (what is worse) MTAs that accept it. + +PH/55 Added the add_header modified to ACLs. The use of "message" with "warn" + will now be deprecated. + +PH/56 New os.c-cygwin from the Cygwin maintainer. + +JJ/06 exipick: added --unsorted option to allow unsorted output in all output + formats (previously only available in exim formats via -bpr, -bpru, + and -bpra. Now also available in native and exiqgrep formats) + +JJ/07 exipick: added --freeze and --thaw options to allow faster interaction + with very large, slow to parse queues + +JJ/08 exipick: added ! as generic prefix to negate any criteria format + +JJ/09 exipick: miscellaneous performance enhancements (~24% improvements) + +PH/57 Tidies in SMTP dialogue display in debug output: (i) It was not showing + responses to authentication challenges, though it was showing the + challenges; (ii) I've removed the CR characters from the debug output for + SMTP output lines. + +PH/58 Allow for the insertion of a newline as well as a space when a string + is turned into more than one encoded-word during RFC 2047 encoding. The + Sieve code now uses this. + +PH/59 Added the following errors that can be detected in retry rules: mail_4xx, + data_4xx, lost_connection, tls_required. + +PH/60 When a VRFY deferred or FAILED, the log message rather than the user + message was being sent as an SMTP response. + +PH/61 Add -l and -k options to exicyclog. + +PH/62 When verifying, if an address was redirected to one new address, so that + verification continued, and the new address failed or deferred after + having set something in $address_data, the value of $address_data was not + passed back to the ACL. This was different to the case when no + redirection occurred. The value is now passed back in both cases. + +PH/63 Changed the macro HAVE_LOGIN_CAP (see PH/41 for this release above) to + HAVE_SETCLASSRESOURCES because there are different APIs in use that all + use login_cap.h, so on its own it isn't the distinguishing feature. The + new name refers directly to the setclassresources() function. + +PH/65 Added configuration files for NetBSD3. + +PH/66 Updated OS/Makefile-HP-UX for gcc 4.1.0 with HP-UX 11. + +PH/67 Fixed minor infelicity in the sorting of addresses to ensure that IPv6 + is preferred over IPv4. + +PH/68 The bounce_return_message and bounce_return_body options were not being + honoured for bounces generated during the reception of non-SMTP messages. + In particular, this applied to messages rejected by the ACL. This bug has + been fixed. However, if bounce_return_message is true and bounce_return_ + body is false, the headers that are returned for a non-SMTP message + include only those that have been read before the error was detected. + (In the case of an ACL rejection, they have all been read.) + +PH/69 The HTML version of the specification is now built in a directory called + spec_html instead of spec.html, because the latter looks like a path with + a MIME-type, and this confuses some software. + +PH/70 Catch two compiler warnings in sieve.c. + +PH/71 Fixed an obscure and subtle bug (thanks Alexander & Matthias). The + function verify_get_ident() calls ip_connect() to connect a socket, but + if the "connect()" function timed out, ip_connect() used to close the + socket. However, verify_get_ident() also closes the socket later, and in + between Exim writes to the log, which may get opened at this point. When + the socket was closed in ip_connect(), the log could get the same file + descriptor number as the socket. This naturally causes chaos. The fix is + not to close the socket in ip_connect(); the socket should be closed by + the function that creates it. There was only one place in the code where + this was missing, in the iplookup router, which I don't think anybody now + uses, but I've fixed it anyway. + +PH/72 Make dns_again_means_nonexist apply to lookups using gethostbyname() as + well as to direct DNS lookups. Otherwise the handling of names in host + lists is inconsistent and therefore confusing. + + +Exim version 4.60 +----------------- + +PH/01 Two changes to the default runtime configuration: + + (1) Move the checks for relay_from_hosts and authenticated clients from + after to before the (commented out) DNS black list checks. + + (2) Add control=submission to the relay_from_hosts and authenticated + clients checks, on the grounds that messages accepted by these + statements are most likely to be submissions. + +PH/02 Several tidies to the handling of ${prvs and ${prvscheck: + + (1) Generate an error if the third argument for the ${prvs expansion is + not a single digit. + + (2) Treat a missing third argument of ${prvscheck as if it were an empty + string. + + (3) Reset the variables that are obtained from the first argument of + ${prvscheck and used in the second argument before leaving the code, + because their memory is reclaimed, so using them afterwards may do + silly things. + + (4) Tidy up the code for expanding the arguments of ${prvscheck one by + one (it's much easier than Tom thought :-). + + (5) Because of (4), we can now allow for the use of $prvscheck_result + inside the third argument. + +PH/03 For some reason, the default setting of PATH when running a command from + a pipe transport was just "/usr/bin". I have changed it to + "/bin:/usr/bin". + +PH/04 SUPPORT_TRANSLATE_IP_ADDRESS and MOVE_FROZEN_MESSAGES did not cause + anything to be listed in the output from -bV. + +PH/05 When a filter generated an autoreply, the entire To: header line was + quoted in the delivery log line, like this: + + => >A.N.Other ... + + This has been changed so that it extracts the operative address. There + may be more than one such address. If so, they are comma-separated, like + this: + + => >ano@some.domain,ona@other.domain ... + +PH/06 When a client host used a correct literal IP address in a HELO or EHLO + command, (for example, EHLO [1.2.3.4]) and the client's IP address was + not being looked up in the rDNS to get a host name, Exim was showing the + IP address twice in Received: lines, even though the IP addresses were + identical. For example: + + Received: from [1.2.3.4] (helo=[1.2.3.4]) + + However, if the real host name was known, it was omitting the HELO data + if it matched the actual IP address. This has been tidied up so that it + doesn't show the same IP address twice. + +PH/07 When both +timestamp and +memory debugging was on, the value given by + $tod_xxx expansions could be wrong, because the tod_stamp() function was + called by the debug printing, thereby overwriting the timestamp buffer. + Debugging no longer uses the tod_stamp() function when +timestamp is set. + +PH/08 When the original message was included in an autoreply transport, it + always said "this is a copy of the message, including all the headers", + even if body_only or headers_only was set. It now gives an appropriate + message. + +PH/09 Applied a patch from the Sieve maintainer which: + + o fixes some comments + o adds the (disabled) notify extension core + o adds some debug output for the result of if/elsif tests + o points to the current vacation draft in the documentation + and documents the missing references header update + + and most important: + + o fixes a bug in processing the envelope test (when testing + multiple envelope elements, the last element determinted the + result) + +PH/10 Exim was violating RFC 3834 ("Recommendations for Automatic Responses to + Electronic Mail") by including: + + Auto-submitted: auto-generated + + in the messages that it generates (bounce messages and others, such as + warnings). In the case of bounce messages for non-SMTP mesages, there was + also a typo: it was using "Auto_submitted" (underscore instead of + hyphen). Since every message generated by Exim is necessarily in response + to another message, thes have all been changed to: + + Auto-Submitted: auto-replied + + in accordance with these statements in the RFC: + + The auto-replied keyword: + + - SHOULD be used on messages sent in direct response to another + message by an automatic process, + + - MUST NOT be used on manually-generated messages, + + - MAY be used on Delivery Status Notifications (DSNs) and Message + Disposition Notifications (MDNs), + + - MUST NOT be used on messages generated by automatic or periodic + processes, except for messages which are automatic responses to + other messages. + +PH/11 Added "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}" + to the default Received: header definition. + +PH/12 Added log selector acl_warn_skipped (default on). + +PH/13 After a successful wildlsearch lookup, discard the values of numeric + variables because (a) they are in the wrong storage pool and (b) even if + they were copied, it wouldn't work properly because of the caching. + +PH/14 Add check_rfc2047_length to disable enforcement of RFC 2047 length + checking when decoding. Apparently there are clients that generate + overlong encoded strings. Why am I not surprised? + +PH/15 If the first argument of "${if match_address" was not empty, but did not + contain an "@" character, Exim crashed. Now it writes a panic log message + and treats the condition as false. + +PH/16 In autoreply, treat an empty string for "once" the same as unset. + +PH/17 A further patch from the Sieve maintainer: "Introduce the new Sieve + extension "envelope-auth". The code is finished and in agreement with + other implementations, but there is no documentation so far and in fact, + nobody wrote the draft yet. This extension is currently #undef'ed, thus + not changing the active code. + + Print executed "if" and "elsif" statements when debugging is used. This + helps a great deal to understand what a filter does. + + Document more things not specified clearly in RFC3028. I had all this + sorted out, when out of a sudden new issues came to my mind. Oops." + +PH/18 Exim was not recognizing the "net-" search type prefix in match_ip lists + (Bugzilla #53). + +PH/19 Exim expands the IPv6 address given to -bh to its full non-abbreviated + canonical form (as documented). However, after a host name lookup from + the IP address, check_host() was doing a simple string comparison with + addresses acquired from the DNS when checking that the found name did + have the original IP as one of its addresses. Since any found IPv6 + addresses are likely to be in abbreviated form, the comparison could + fail. Luckily, there already exists a function for doing the comparison + by converting both addresses to binary, so now that is used instead of + the text comparison. + +PH/20 There was another similar case to PH/19, when a complete host name was + given in a host list; looking up its IP address could give an abbreviated + form, whereas the current host's name might or might not be abbreviated. + The same fix has been applied. + + +Exim version 4.54 +----------------- + +PH/01 The ${base62: operator adjusted itself to base 36 when BASE_62 was + set to 36 (for Darwin and Cygwin), but the ${base62d: operator did not. + It now does. + +PH/02 Two minor problems detected in Cygwin: the os.{c,h} files had lost */ on + the CVS lines, and there was a missing #if HAVE_IPV6 in host.c. + +PH/03 Typo: missing ".o" in src/pcre/Makefile. + +PH/04 Tighten up "personal" tests: Instead of testing for any "List-" + header line, restrict the check to what is listed in RFCs 2369 and 2929. + Also, for "Auto-Submitted", treat anything other than "no" as + non-personal, in accordance with RFC 3834. (Previously it treated + anything starting "auto-" as non-personal.) + +TF/01 The control=submission/name=... option had a problem with syntax + errors if the name included a slash character. The /name= option + now slurps the rest of the string, so it can include any characters + but it must come last in the list of options (after /sender_retain + or /domain=). + +PH/05 Some modifications to the interface to the fake nameserver for the new + testing suite. + + + +Exim version 4.53 +----------------- + +TK/01 Added the "success_on_redirect" address verification option. See + NewStuff for rationale and an example. + +PH/01 Added support for SQLite, basic code supplied by David Woodhouse. + +PH/02 Patch to exigrep to allow it to work on syslog lines. + +PH/03 When creating an mbox file for a virus/spam scan, use fseek() instead of + fread() to skip over the body file's header line, because in Cygwin the + header line is locked and is inaccessible. + +PH/04 Added $message_exim_id, ultimately to replace $message_id (they will both + co-exist for some time) to make it clear that it is the Exim ID that is + referenced, not the Message-ID: header line. + +PH/05 Replaced all Tom's calls to snprintf() with calls to the internal + string_format() function, because snprintf() does not exist on all + operating systems. + +PH/06 The use of forbid_filter_existstest now also locks out the use of the + ${stat: expansion item. + +PH/07 Changed "SMTP protocol violation: synchronization error" into "SMTP + protocol synchronization error", to keep the pedants happy. + +PH/08 Arrange for USE_INET_NTOA_FIX to be set in config.h for AIX systems as + well as for IRIX systems, when gcc is being used. See the host.c source + file for comments. + +PH/09 Installed latest Cygwin configuration files from the Cygwin maintainer. + +PH/10 Named domain lists were not working if used in a queue_smtp_domains + setting. + +PH/11 Added support for the IGNOREQUOTA extension to LMTP, both to the lmtp + transport and to the smtp transport in LMTP mode. + +TK/02 Remove one case of BASE64 error detection FTTB (undocumented anyway). + +PH/12 There was a missing call to search_tidyup() before the fork() in rda.c to + run a filter in a subprocess. This could lead to confusion in subsequent + lookups in the parent process. There should also be a search_tidyup() at + the end of the subprocess. + +PH/13 Previously, if "verify = helo" was set in an ACL, the condition was true + only if the host matched helo_try_verify_hosts, which caused the + verification to occur when the EHLO/HELO command was issued. The ACL just + tested the remembered result. Now, if a previous verification attempt has + not happened, "verify = helo" does it there and then. + +JJ/01 exipick: added $message_exim_id variable (see 4.53-PH/04) + +TK/03 Fix log output including CR from clamd. + +PH/14 A reference to $reply_address when Reply-to: was empty and From: did not + exist provoked a memory error which could cause a segfault. + +PH/15 Installed PCRE 6.2 + +PH/17 Defined BIND_8_COMPAT in the Darwin os.h file. + +PH/18 Reversed 4.52/PH/17 because the HP-UX user found it wasn't the cause + of the problem. Specifically, suggested +O2 rather than +O1 for the + HP-UX compiler. + +PH/19 Added sqlite_lock_timeout option (David Woodhouse's patch). + +PH/20 If a delivery was routed to a non-standard port by means of an SRV + record, the port was not correctly logged when the outgoing_port log + selector was set (it logged the transort's default port). + +PH/21 Added support for host-specific ports to manualroute, queryprogram, + fallback_hosts, and "hosts" in the smtp transport. + +PH/22 If the log selector "outgoing_port" is set, the port is now also given on + host errors such as "Connection refused". + +PH/23 Applied a patch to fix problems with exim-4.52 while doing radius + authentication with radiusclient 0.4.9: + + - Error returned from rc_read_config was caught wrongly + - Username/password not passed on to radius server due to wrong length. + + The presumption is that some radiusclient API changes for 4.51/PH/17 + were not taken care of correctly. The code is still untested by me (my + Linux distribution still has 0.3.2 of radiusclient), but it was + contributed by a Radius user. + +PH/24 When doing a callout, the value of $domain wasn't set correctly when + expanding the "port" option of the smtp transport. + +TK/04 MIME ACL: Fix buffer underrun that occurs when EOF condition is met + while reading a MIME header. Thanks to Tom Hughes for a patch. + +PH/24 Include config.h inside local_scan.h so that configuration settings are + available. + +PH/25 Make $smtp_command_argument available after all SMTP commands. This means + that in an ACL for RCPT (for example), you can examine exactly what was + received. + +PH/26 Exim was recognizing IPv6 addresses of the form [IPv6:....] in EHLO + commands, but it was not correctly comparing the address with the actual + client host address. Thus, it would show the EHLO address in Received: + header lines when this was not necessary. + +PH/27 Added the % operator to ${eval:}. + +PH/28 Exim tries to create and chdir to its spool directory when it starts; + it should be ignoring failures (because with -C, for example, it has lost + privilege). It wasn't ignoring creation failures other than "already + exists". + +PH/29 Added "crypteq" to the list of supported features that Exim outputs when + -bV or -d is used. + +PH/30 Fixed (presumably very longstanding) bug in exim_dbmbuild: if it failed + because an input line was too long, either on its own, or by virtue of + too many continuations, the temporary file was not being removed, and the + return code was incorrect. + +PH/31 Missing "BOOL" in function definition in filtertest.c. + +PH/32 Applied Sieve patches from the maintainer. + +TK/05 Domainkeys: Accomodate for a minor API change in libdomainkeys 0.67. + +PH/33 Added "verify = not_blind". + +PH/34 There are settings for CHOWN_COMMAND and MV_COMMAND that can be used in + Local/Makefile (with some defaults set). These are used in built scripts + such as exicyclog, but they have never been used in the exim_install + script (though there are many overriding facilities there). I have + arranged that the exim_install script now takes note of these two + settings. + +PH/35 Installed configuration files for Dragonfly. + +PH/36 When a locally submitted message by a trusted user did not contain a + From: header, and the sender address was obtained from -f or from an SMTP + MAIL command, and the trusted user did not use -F to supply a sender + name, $originator_name was incorrectly used when constructing a From: + header. Furthermore, $originator_name was used for submission mode + messages from external hosts without From: headers in a similar way, + which is clearly wrong. + +PH/37 Added control=suppress_local_fixups. + +PH/38 When log_selector = +received_sender was set, and the addition of the + sender made the log line's construction buffer exactly full, or one byte + less than full, an overflow happened when the terminating "\n" was + subsequently added. + +PH/39 Added a new log selector, "unknown_in_list", which provokes a log entry + when the result of a list match is failure because a DNS lookup failed. + +PH/40 RM_COMMAND is now used in the building process. + +PH/41 Added a "distclean" target to the top-level Makefile; it deletes all + the "build-* directories that it finds. + +PH/42 (But a TF fix): In a domain list, Exim incorrectly matched @[] if the IP + address in a domain literal was a prefix of an interface address. + +PH/43 (Again a TF fix): In the dnslookup router, do not apply widen_domains + when verifying a sender address, unless rewrite_headers is false. + +PH/44 Wrote a long comment about why errors_to addresses are verified as + recipients, not senders. + +TF/01 Add missing LIBS=-lm to OS/Makefile-OpenBSD which was overlooked when + the ratelimit ACL was added. + +PH/45 Added $smtp_command for the full command (cf $smtp_command_argument). + +PH/46 Added extra information about PostgreSQL errors to the error string. + +PH/47 Added an interface to a fake DNS resolver for use by the new test suite, + avoiding the need to install special zones in a real server. This is + backwards compatible; if it can't find the fake resolver, it drops back. + Thus, both old and new test suites can be run. + +TF/02 Added util/ratelimit.pl + +TF/03 Minor fix to the ratelimit code to improve its behaviour in case the + clock is set back in time. + +TF/04 Fix the ratelimit support in exim_fixdb. Patch provided by Brian + Candler . + +TF/05 The fix for PH/43 was not completely correct; widen_domains is always + OK for addresses that are the result of redirections. + +PH/48 A number of further additions for the benefit of the new test suite, + including a fake gethostbyname() that interfaces to the fake DNS resolver + (see PH/47 above). + +TF/06 The fix for widen_domains has also been applied to qualify_single and + search_parents which are the other dnslookup options that can cause + header rewrites. + +PH/49 Michael Haardt's randomized retrying, but as a separate retry parameter + type ("H"). + +PH/50 Make never_users, trusted_users, admin_groups, trusted_groups expandable. + +TF/07 Exim produced the error message "an SRV record indicated no SMTP + service" if it encountered an MX record with an empty target hostname. + The message is now "an MX or SRV record indicated no SMTP service". + +TF/08 Change PH/13 introduced the possibility that verify=helo may defer, + if the DNS of the sending site is misconfigured. This is quite a + common situation. This change restores the behaviour of treating a + helo verification defer as a failure. + +PH/51 If self=fail was set on a router, the bounce message did not include the + actual error message. + + +Exim version 4.52 +----------------- + +TF/01 Added support for Client SMTP Authorization. See NewStuff for details. + +PH/01 When a transport filter timed out in a pipe delivery, and the pipe + command itself ended in error, the underlying message about the transport + filter timeout was being overwritten with the pipe command error. Now the + underlying error message should be appended to the second error message. + +TK/01 Fix poll() being unavailable on Mac OSX 10.2. + +PH/02 Reduce the amount of output that "make" produces by default. Full output + can still be requested. + +PH/03 The warning log line about a condition test deferring for a "warn" verb + was being output only once per connection, rather than after each + occurrence (because it was using the same function as for successful + "warn" verbs). This seems wrong, so I have changed it. + +TF/02 Two buglets in acl.c which caused Exim to read a few bytes of memory that + it should not have, which might have caused a crash in the right + circumstances, but probably never did. + +PH/04 Installed a modified version of Tony Finch's patch to make submission + mode fix the return path as well as the Sender: header line, and to + add a /name= option so that you can make the user's friendly name appear + in the header line. + +TF/03 Added the control = fakedefer ACL modifier. + +TF/04 Added the ratelimit ACL condition. See NewStuff for details. Thanks to + Mark Lowes for thorough testing. + +TK/02 Rewrote SPF support to work with libspf2 versions >1.2.0. + +TK/03 Merged latest SRS patch from Miles Wilton. + +PH/05 There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts + with the definition in sysexits.h (which is #included earlier). + Fortunately, Exim does not actually use EX_OK. The code used to try to + preserve the sysexits.h value, by assumimg that macro definitions were + scanned for macro replacements. I have been disabused of this notion, + so now the code just undefines EX_OK before #including unistd.h. + +PH/06 There is a timeout for writing blocks of data, set by, e.g. data_timeout + in the smtp transport. When a block could not be written in a single + write() function, the timeout was being re-applied to each part-write. + This seems wrong - if the receiver was accepting one byte at a time it + would take for ever. The timeout is now adjusted when this happens. It + doesn't have to be particularly precise. + +TK/04 Added simple SPF lookup method in EXPERIMENTAL_SPF. See NewStuff for + details. Thanks to Chris Webb for the patch! + +PH/07 Added "fullpostmaster" verify option, which does a check to + without a domain if the check to fails. + +SC/01 Eximstats: added -xls and the ability to specify output files + (patch written by Frank Heydlauf). + +SC/02 Eximstats: use FileHandles for outputing results. + +SC/03 Eximstats: allow any combination of xls, txt, and html output. + +SC/04 Eximstats: fixed display of large numbers with -nvr option + +SC/05 Eximstats: fixed merging of reports with empty tables. + +SC/06 Eximstats: added the -include_original_destination flag + +SC/07 Eximstats: removed tabs and trailing whitespace. + +TK/05 Malware: Improve on aveserver error handling. Patch from Alex Miller. + +TK/06 MBOX spool code: Add real "From " MBOX separator line + so the .eml file is really in mbox format (even though + most programs do not really care). Patch from Alex Miller. + +TK/07 MBOX spool code: Add X-Envelope-From: and X-Envelope-To: headers. + The latter is generated from $received_to and is only set if the + message has one envelope recipient. SA can use these headers, + obviously out-of-the-box. Patch from Alex Miller. + +PH/08 The ${def test on a variable was returning false if the variable's + value was "0", contrary to what the specification has always said! + The result should be true unless the variable is empty. + +PH/09 The syntax error of a character other than { following "${if + def:variable_name" (after optional whitespace) was not being diagnosed. + An expansion such as ${if def:sender_ident:{xxx}{yyy}} in which an + accidental colon was present, for example, could give incorrect results. + +PH/10 Tidied the code in a number of places where the st_size field of a stat() + result is used (not including appendfile, where other changes are about + to be made). + +PH/11 Upgraded appendfile so that quotas larger than 2G are now supported. + This involved changing a lot of size variables from int to off_t. It + should work with maildirs and everything. + +TK/08 Apply fix provided by Michael Haardt to prevent deadlock in case of + spamd dying while we are connected to it. + +TF/05 Fixed a ${extract error message typo reported by Jeremy Harris + + +PH/12 Applied Alex Kiernan's patch for the API change for the error callback + function for BDB 4.3. + +PH/13 Changed auto_thaw such that it does not apply to bounce messages. + +PH/14 Imported PCRE 6.0; this was more than just a trivial operation because + the sources for PCRE have been re-arranged and more files are now + involved. + +PH/15 The code I had for printing potentially long long variables in PH/11 + above was not the best (it lost precision). The length of off_t variables + is now inspected at build time, and an appropriate printing format (%ld + or %lld) is chosen and #defined by OFF_T_FMT. We also define LONGLONG_T + to be "long long int" or "long int". This is needed for the internal + formatting function string_vformat(). + +PH/16 Applied Matthew Newton's patch to exicyclog: "If log_file_path is set in + the configuration file to be ":syslog", then the script "guesses" where + the logs files are, rather than using the compiled in default. In our + case the guess is not the same as the compiled default, so the script + suddenly stopped working when I started to use syslog. The patch checks + to see if log_file_path is "". If so, it attempts to read it from exim + with no configuration file to get the compiled in version, before it + falls back to the previous guessing code." + +TK/09 Added "prvs" and "prvscheck" expansion items. These help a lot with + implementing BATV in an Exim configuration. See NewStuff for the gory + details. + +PH/17 Applied Michael Haardt's patch for HP-UX, affecting only the os.h and + Makefile that are specific to HP-UX. + +PH/18 If the "use_postmaster" option was set for a recipient callout together + with the "random" option, the postmaster address was used as the MAIL + FROM address for the random test, but not for the subsequent recipient + test. It is now used for both. + +PH/19 Applied Michael Haardt's patch to update Sieve to RFC3028bis. "The + patch removes a few documentation additions to RFC 3028, because the + latest draft now contains them. It adds the new en;ascii-case comparator + and a new error check for 8bit text in MIME parts. Comparator and + require names are now matched exactly. I enabled the subaddress + extension, but it is not well tested yet (read: it works for me)." + +PH/20 Added macros for time_t as for off_t (see PH/15 above) and used them to + rework some of the code of TK/09 above to avoid the hardwired use of + "%lld" and "long long". Replaced the call to snprintf() with a call to + string_vformat(). + +PH/21 Added some other messages to those in 4.51/PH/42, namely "All relevant MX + records point to non-existent hosts", "retry timeout exceeded", and + "retry time not reached for any host after a long failure period". + +PH/22 Fixed some oversights/typos causing bugs when Exim is compiled with + experimental DomainKeys support: + + (1) The filter variables $n0-$n9 and $sn0-$sn9 were broken. + (2) On an error such as an illegally used "control", the wrong name for + the control was given. + + These problems did NOT occur unless DomainKeys support was compiled. + +PH/23 Added daemon_startup_retries and daemon_startup_sleep. + +PH/24 Added ${if match_ip condition. + +PH/25 Put debug statements on either side of calls to EXIM_DBOPEN() for hints + databases so that it will be absolutely obvious if a crash occurs in the + DB library. This is a regular occurrence (often caused by mis-matched + db.h files). + +PH/26 Insert a lot of missing (void) casts for functions such as chown(), + chmod(), fcntl(), sscanf(), and other functions from stdio.h. These were + picked up on a user's system that detects such things. There doesn't seem + to be a gcc warning option for this - only an attribute that has to be + put on the function's prototype. It seems that in Fedora Core 4 they have + set this on a number of new functions. No doubt there will be more in due + course. + +PH/27 If a dnslookup or manualroute router is set with verify=only, it need not + specify a transport. However, if an address that was verified by such a + router was the subject of a callout, Exim crashed because it tried to + read the rcpt_include_affixes from the non-existent transport. Now it + just assumes that the setting of that option is false. This bug was + introduced by 4.51/PH/31. + +PH/28 Changed -d+all to exclude +memory, because that information is very + rarely of interest, but it makes the output a lot bigger. People tend to + do -d+all out of habit. + +PH/29 Removed support for the Linux-libc5 build, as it is obsolete and the + code in os-type was giving problems when libc.so lives in lib64, like on + x86_64 Fedora Core. + +PH/30 Exim's DNS code uses the original T_xxx names for DNS record times. These + aren't the modern standard, and it seems that some systems' include files + don't always have them. Exim was already checking for some of the newer + ones like T_AAAA, and defining it itself. I've added checks for all the + record types that Exim uses. + +PH/31 When using GnuTLS, if the parameters cache file did not exist, Exim was + not automatically generating a new one, as it is supposed to. This + prevented TLS from working. If the file did exist, but contained invalid + data, a new version was generated, as expected. It was only the case of a + non-existent file that was broken. + +TK/10 Domainkeys: Fix a bug in verification that caused a crash in conjunction + with a change in libdomainkeys > 0.64. + +TK/11 Domainkeys: Change the logic how the "testing" policy flag is retrieved + from DNS. If the selector record carries the flag, it now has + precedence over the domain-wide flag. + +TK/12 Cleared some compiler warnings related to SPF, SRS and DK code. + +PH/32 In mua_wrapper mode, if an smtp transport configuration error (such as + the use of a port name that isn't defined in /etc/services) occurred, the + message was deferred as in a normal delivery, and thus remained on the + spool, instead of being failed because of the mua_wrapper setting. This + is now fixed, and I tidied up some of the mua_wrapper messages at the + same time. + +SC/08 Eximstats: whilst parsing the mainlog(s), store information about + the messages in a hash of arrays rather than using individual hashes. + This is a bit cleaner and results in dramatic memory savings, albeit + at a slight CPU cost. + +SC/09 Eximstats: added the -show_rt and the -show_dt flags + as requested by Marc Sherman. + +SC/10 Eximstats: added histograms for user specified patterns as requested + by Marc Sherman. + +SC/11 Eximstats: v1.43 - bugfix for pattern histograms with -h0 specified. + +PH/33 Patch from the Cygwin maintainer to add "b" to all occurences of + fopen() in the content-scanning modules that did not already have it. + + +Exim version 4.51 +----------------- + +TK/01 Added Yahoo DomainKeys support via libdomainkeys. See + doc/experimental-spec.txt for details. (http://domainkeys.sf.net) + +TK/02 Fix ACL "control" statement not being available in MIME ACL. + +TK/03 Fix ACL "regex" condition not being available in MIME ACL. + +PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used + to test Sieve filters that use "vacation". + +PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch + that changes the way the GnuTLS parameters are stored in the cache file. + The new format can be generated externally. For backward compatibility, + if the data in the cache doesn't make sense, Exim assumes it has read an + old-format file, and it generates new data and writes a new file. This + means that you can't go back to an older release without removing the + file. + +PH/03 A redirect router that has both "unseen" and "one_time" set does not + work if there are any delivery delays because "one_time" forces the + parent to be marked "delivered", so its unseen clone is never tried + again. For this reason, Exim now forbids the simultaneous setting of + these two options. + +PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are + redirected to themselves ("homonym" addresses). Read the long ChangeLog + entry if you want to know the details. The fix, however, neglected to + consider the case when local delivery batching is involved. The test for + "previously delivered" was not happening when checking to see if an + address could be batched with a previous (undelivered) one; under + certain circumstances this could lead to multiple deliveries to the same + address. + +PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T + in its include files, and this causes problems building Exim. + +PH/06 A number of "verify =" ACL conditions have no options (e.g. verify = + header_syntax) but Exim was just ignoring anything given after a slash. + In particular, this caused confusion with an attempt to use "verify = + reverse_host_lookup/defer_ok". An error is now given when options are + supplied for verify items that do not have them. (Maybe reverse_host_ + lookup should have a defer_ok option, but that's a different point.) + +PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as + defined by RFC 821) to 2048, because there were problems with some AUTH + commands, and RFC 1869 says the size should be increased for extended + SMTP commands that take arguments. + +PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony + Finch). + +PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an + "unknown" error; now it says that the functionality isn't in the binary. + +PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in + an address' error message when a string expansion fails (syntax or + whatever). Otherwise the password may appear in the log. Following change + PH/42 below, there is no longer a chance of it appearing in a bounce + message. + +PH/11 Installed exipick version 20050225.0 from John Jetmore. + +PH/12 If the last host in a fallback_hosts list was multihomed, only the first + of its addresses was ever tried. (Bugzilla bug #2.) + +PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed + the result incorrectly in the debug output. (It correctly added a newline + to what was transported.) + +TF/01 Added $received_time. + +PH/14 Modified the default configuration to add an acl_smtp_data ACL, with + commented out examples of how to interface to a virus scanner and to + SpamAssassin. Also added commented examples of av_scanner and + spamd_address settings. + +PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions + and controls are allowed in which ACLs. There were a couple of minor + errors. Some of the entries in the conditions table (which is a table of + where they are NOT allowed) were getting very unwieldy; rewrote them as a + negation of where the condition IS allowed. + +PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer. + +PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the + header file does not have a version number, so I've had to invent a new + value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new + API. The code is untested by me (my Linux distribution still has 0.3.2 of + radiusclient), but it was contributed by a Radius user. + +PH/18 Installed Lars Mainka's patch for the support of CRL collections in + files or directories, for OpenSSL. + +PH/19 When an Exim process that is running as root has to create an Exim log + file, it does so in a subprocess that runs as exim:exim so as to get the + ownership right at creation (otherwise, other Exim processes might see + the file with the wrong ownership). There was no test for failure of this + fork() call, which would lead to the process getting stuck as it waited + for a non-existent subprocess. Forks do occasionally fail when resources + run out. I reviewed all the other calls to fork(); they all seem to check + for failure. + +PH/20 When checking for unexpected SMTP input at connect time (before writing + the banner), Exim was not dealing correctly with a non-positive return + from the read() function. If the client had disconnected by this time, + the result was a log entry for a synchronization error with an empty + string after "input=" when read() returned zero. If read() returned -1 + (an event I could not check), uninitialized data bytes were printed. + There were reports of junk text (parts of files, etc) appearing after + "input=". + +PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages. + +PH/22 Added support for macro redefinition, and (re)definition in between + driver and ACL definitions. + +PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then + forgetting to use the resulting value; it was using the unexpanded value. + +PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it + hadn't been configured. The fix is from Juergen Kreileder, who + understands it better than I do: + + "Here's what I see happening with three configured cyrus_sasl + authenticators configured (plain, login, cram-md5): + + On startup auth_cyrus_sasl_init() gets called for each of these. + This means three calls to sasl_listmech() without a specified mech_list. + => SASL tests which mechs of all available mechs actually work + => three warnings about OTP not working + => the returned list contains: plain, login, cram-md5, digest-md5, ... + + With the patch, sasl_listmech() also gets called three times. But now + SASL's mech_list option is set to the server_mech specified in the the + authenticator. Or in other words, the answer from sasl_listmech() + gets limited to just the mech you're testing for (which is different + for each call.) + => the return list contains just 'plain' or 'login', 'cram-md5' or + nothing depending on the value of ob->server_mech. + + I've just tested the patch: Authentication still works fine, + unavailable mechs specified in the exim configuration are still + caught, and the auth.log warnings about OTP are gone." + +PH/25 When debugging is enabled, the contents of the command line are added + to the debugging output, even when log_selector=+arguments is not + specified. + +PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the + answer is "GNU", and only if the return is "GNU/something" is the answer + "Linux". + +PH/27 $acl_verify_message is now set immediately after the failure of a + verification in an ACL, and so is available in subsequent modifiers. In + particular, the message can be preserved by coding like this: + + warn !verify = sender + set acl_m0 = $acl_verify_message + + Previously, $acl_verify_message was set only while expanding "message" + and "log_message" when a very denied access. + +PH/28 Modified OS/os.c-Linux with + + -#ifndef OS_LOAD_AVERAGE + +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__) + + to make Exim compile on kfreebsd-gnu. (I'm totally confused about the + nomenclature these days.) + +PH/29 Installed patch from the Sieve maintainer that adds the options + sieve_useraddress and sieve_subaddress to the redirect router. + +PH/30 In these circumstances: + . Two addresses routed to the same list of hosts; + . First host does not offer TLS; + . First host accepts first address; + . First host gives temporary error to second address; + . Second host offers TLS and a TLS session is established; + . Second host accepts second address. + Exim incorrectly logged both deliveries with the TLS parameters (cipher + and peerdn, if requested) that were in fact used only for the second + address. + +PH/31 When doing a callout as part of verifying an address, Exim was not paying + attention to any local part prefix or suffix that was matched by the + router that accepted the address. It now behaves in the same way as it + does for delivery: the affixes are removed from the local part unless + rcpt_include_affixes is set on the transport. + +PH/32 Add the sender address, as F=<...>, to the log line when logging a + timeout during the DATA phase of an incoming message. + +PH/33 Sieve envelope tests were broken for match types other than :is. I have + applied a patch sanctioned by the Sieve maintainer. + +PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where + the uid or gid is negative. A case of a negative gid caused this to be + noticed. The fix allows for either to be negative. + +PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code + clutter, but the tables that are indexed by ACL_WHERE_xxx values had been + overlooked. + +PH/36 The change PH/12 above was broken. Fixed it. + +PH/37 Exim used to check for duplicate addresses in the middle of routing, on + the grounds that routing the same address twice would always produce the + same answer. This might have been true once, but it is certainly no + longer true now. Routing a child address may depend on the previous + routing that produced that child. Some complicated redirection strategies + went wrong when messages had multiple recipients, and made Exim's + behaviour dependent on the order in which the addresses were given. + + I have moved the duplicate checking until after the routing is complete. + Exim scans the addresses that are assigned to local and remote + transports, and removes any duplicates. This means that more work will be + done, as duplicates will always all be routed, but duplicates are + presumably rare, so I don't expect this is of any significance. + + For deliveries to pipes, files, and autoreplies, the duplicate checking + still happens during the routing process, since they are not going to be + routed further. + +PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner. + It corrects a timeout issue with spamd. This is Ian's comment: "The + background is that sometimes spamd either never reads data from a + connection it has accepted, or it never writes response data. The exiscan + spam.[ch] uses a 3600 second timeout on spamd socket reads, further, it + blindly assumes that writes won't block so it may never time out." + +PH/39 Allow G after quota size as well as K and M. + +PH/40 The value set for $authenticated_id in an authenticator may not contain + binary zeroes or newlines because the value is written to log lines and + to spool files. There was no check on this. Now the value is run through + the string_printing() function so that such characters are converted to + printable escape sequences. + +PH/41 $message_linecount is a new variable that contains the total number of + lines in the message. Compare $body_linecount, which is the count for the + body only. + +PH/42 Exim no longer gives details of delivery errors for specific addresses in + bounce and delay warning messages, except in certain special cases, which + are as follows: + + (a) An SMTP error message from a remote host; + (b) A message specified in a :fail: redirection; + (c) A message specified in a "fail" command in a system filter; + (d) A message specified in a FAIL return from the queryprogram router; + (e) A message specified by the cannot_route_message router option. + + In these cases only, Exim does include the error details in bounce and + warning messages. There are also a few cases where bland messages such + as "unrouteable address" or "local delivery error" are given. + +PH/43 $value is now also set for the "else" part of a ${run expansion. + +PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still + being worked on, but at least Exim now implements the latest version to + play with." + +PH/45 In a pipe transport, although a timeout while waiting for the pipe + process to complete was treated as a delivery failure, a timeout while + writing the message to the pipe was logged, but erroneously treated as a + successful delivery. Such timeouts include transport filter timeouts. For + consistency with the overall process timeout, these timeouts are now + treated as errors, giving rise to delivery failures by default. However, + there is now a new Boolean option for the pipe transport called + timeout_defer, which, if set TRUE, converts the failures into defers for + both kinds of timeout. A transport filter timeout is now identified in + the log output. + +PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On + systems where "make" and "gmake" are different, calling "gmake" at top + level broke things. I've arranged for the value of $(MAKE) to be passed + from the Makefile to this script so that it can call the same version of + "make". + + +A note about Exim versions 4.44 and 4.50 +---------------------------------------- + +Exim 4.50 was meant to be the next release after 4.43. It contains a lot of +changes of various kinds. As a consequence, a big documentation update was +needed. This delayed the release for rather longer than seemed good, especially +in the light of a couple of (minor) security issues. Therefore, the changes +that fixed bugs were backported into 4.43, to create a 4.44 maintenance +release. So 4.44 and 4.50 are in effect two different branches that both start +from 4.43. + +I have left the 4.50 change log unchanged; it contains all the changes since +4.43. The change log for 4.44 is below; many of its items are identical to +those for 4.50. This seems to be the most sensible way to preserve the +historical information. + + Exim version 4.50 ----------------- @@ -234,10 +1991,15 @@ Exim version 4.50 But simultaneously result of request was absolutely normal ldap result, so I produce this patch..." + Later: it seems that not all versions of LDAP support LDAP_RES_SEARCH_ + REFERENCE, so I have modified the code to exclude the patch when that macro + is not defined. + 55. Some experimental protocols are using DNS PTR records for new purposes. The keys for these records are domain names, not reversed IP addresses. The - dnsdb lookup now tests whether it's key is an IP address. If not, it leaves - it alone. Component reversal etc. now happens only for IP addresses. + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. + CAN-2005-0021 56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP. @@ -253,6 +2015,314 @@ Exim version 4.50 (2) The default for smtp_banner uses $smtp_active_hostname instead of $primary_hostname. +60. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb PTR lookup with an IPv6 address that had more than 8 + components; fortuitously, this particular loophole had already been fixed + by change 4.50/55 above. + + If there are any other similar loopholes, the new check in host_aton() + itself should stop them being exploited. The report I received stated that + data on the command line could provoke the exploit when Exim was running as + exim, but did not say which command line option was involved. All I could + find was the use of -be with a bad dnsdb PTR lookup, and in that case it is + running as the user. + CAN-2005-0021 + +61. There was a buffer overflow vulnerability in the SPA authentication code + (which came originally from the Samba project). I have added a test to the + spa_base64_to_bits() function which I hope fixes it. + CAN-2005-0022 + +62. Configuration update for GNU/Hurd and variations. Updated Makefile-GNU and + os.h-GNU, and added configuration files for GNUkFreeBSD and GNUkNetBSD. + +63. The daemon start-up calls getloadavg() while still root for those OS that + need the first call to be done as root, but it missed one case: when + deliver_queue_load_max is set with deliver_drop_privilege. This is + necessary for the benefit of the queue runner, because there is no re-exec + when deliver_drop_privilege is set. + +64. A call to exiwhat cut short delays set up by "delay" modifiers in ACLs. + This has been fixed. + +65. Caching of lookup data for "hosts =" ACL conditions, when a named host list + was in use, was not putting the data itself into the right store pool; + consequently, it could be overwritten for a subsequent message in the same + SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked + the caching.) + +66. Added hosts_max_try_hardlimit to the smtp transport, default 50. + +67. The string_is_ip_address() function returns 0, 4, or 6, for "no an IP + address", "IPv4 address", and "IPv6 address", respectively. Some calls of + the function were treating the return as a boolean value, which happened to + work because 0=false and not-0=true, but is not correct code. + +68. The host_aton() function was not handling scoped IPv6 addresses (those + with, for example, "%eth0" on the end) correctly. + +69. Fixed some compiler warnings in acl.c for the bitmaps specified with + negated items (that is, ~something) in unsigned ints. Some compilers + apparently mutter when there is no cast. + +70. If an address verification called from an ACL failed, and did not produce a + user-specific message (i.e. there was only a "system" message), nothing was + put in $acl_verify_message. In this situation, it now puts the system + message there. + +71. Change 4.23/11 added synchronization checking at the start of an SMTP + session; change 4.31/43 added the unwanted input to the log line - except + that it did not do this in the start of session case. It now does. + +72. After a timeout in a callout SMTP session, Exim still sent a QUIT command. + This is wrong and can cause the other end to generate a synchronization + error if it is another Exim or anything else that does the synchronization + check. A QUIT command is no longer sent after a timeout. + +73. $host_lookup_deferred has been added, to make it easier to detect DEFERs + during host lookups. + +74. The defer_ok option of callout verification was not working if it was used + when verifying addresses in header lines, that is, for this case: + + verify = header_sender/callout=defer_ok + +75. A backgrounded daemon closed stdin/stdout/stderr on entry; this meant that + those file descriptors could be used for SMTP connections. If anything + wrote to stderr (the example that came up was "warn" in embedded Perl), it + could be sent to the SMTP client, causing chaos. The daemon now opens + stdin, stdout, and stderr to /dev/null when it puts itself into the + background. + +76. Arrange for output from Perl's "warn" command to be written to Exim's main + log by default. The user can override this with suitable Perl magic. + +77. The use of log_message on a "discard" ACL verb, which is supposed to add to + the log message when discard triggers, was not working for the DATA ACL or + for the non-SMTP ACL. + +78. Error message wording change in sieve.c. + +79. If smtp_accept_max_per_host was set, the number of connections could be + restricted to fewer than expected, because the daemon was trying to set up + a new connection before checking whether the processes handling previous + connections had finished. The check for completed processes is now done + earlier. On busy systems, this bug wouldn't be noticed because something + else would have woken the daemon, and it would have reaped the completed + process earlier. + +80. If a message was submitted locally by a user whose login name contained one + or more spaces (ugh!), the spool file that Exim wrote was not re-readable. + It caused a spool format error. I have fixed the spool reading code. A + related problem was that the "from" clause in the Received: line became + illegal because of the space(s). It is now covered by ${quote_local_part. + +81. Included the latest eximstats from Steve (adds average sizes to HTML Top + tables). + +82. Updated OS/Makefile-AIX as per message from Mike Meredith. + +83. Patch from Sieve maintainer to fix unterminated string problem in + "vacation" handling. + +84. Some minor changes to the Linux configuration files to help with other + OS variants using glibc. + +85. One more patch for Sieve to update vacation handling to latest spec. + + +---------------------------------------------------- +See the note above about the 4.44 and 4.50 releases. +---------------------------------------------------- + + +Exim version 4.44 +----------------- + + 1. Change 4.43/35 introduced a bug that caused file counts to be + incorrectly computed when quota_filecount was set in an appendfile + transport + + 2. Closing a stable door: arrange to panic-die if setitimer() ever fails. The + bug fixed in 4.43/37 would have been diagnosed quickly if this had been in + place. + + 3. Give more explanation in the error message when the command for a transport + filter fails to execute. + + 4. There are several places where Exim runs a non-Exim command in a + subprocess. The SIGUSR1 signal should be disabled for these processes. This + was being done only for the command run by the queryprogram router. It is + now done for all such subprocesses. The other cases are: ${run, transport + filters, and the commands run by the lmtp and pipe transports. + + 5. Some older OS have a limit of 256 on the maximum number of file + descriptors. Exim was using setrlimit() to set 1000 as a large value + unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these + systems. I've change it so that if it can't get 1000, it tries for 256. + + 6. "control=submission" was allowed, but had no effect, in a DATA ACL. This + was an oversight, and furthermore, ever since the addition of extra + controls (e.g. 4.43/32), the checks on when to allow different forms of + "control" were broken. There should now be diagnostics for all cases when a + control that does not make sense is encountered. + + 7. $recipients is now available in the predata ACL (oversight). + + 8. Tidy the search cache before the fork to do a delivery from a message + received from the command line. Otherwise the child will trigger a lookup + failure and thereby defer the delivery if it tries to use (for example) a + cached ldap connection that the parent has called unbind on. + + 9. If verify=recipient was followed by verify=sender in a RCPT ACL, the value + of $address_data from the recipient verification was clobbered by the + sender verification. + +10. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 + was its contents. (It was OK if the option was not defined at all.) + +11. A "Completed" log line is now written for messages that are removed from + the spool by the -Mrm option. + +12. $host_address is now set to the target address during the checking of + ignore_target_hosts. + +13. When checking ignore_target_hosts for an ipliteral router, no host name was + being passed; this would have caused $sender_host_name to have been used if + matching the list had actually called for a host name (not very likely, + since this list is usually IP addresses). A host name is now passed as + "[x.x.x.x]". + +14. Changed the calls that set up the SIGCHLD handler in the daemon to use the + code that specifies a non-restarting handler (typically sigaction() in + modern systems) in an attempt to fix a rare and obscure crash bug. + +15. Narrowed the window for a race in the daemon that could cause it to ignore + SIGCHLD signals. This is not a major problem, because they are used only to + wake it up if nothing else does. + +16. A malformed maildirsize file could cause Exim to calculate negative values + for the mailbox size or file count. Odd effects could occur as a result. + The maildirsize information is now recalculated if the size or filecount + end up negative. + +17. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this + support for a long time. Removed HAVE_SYS_VFS_H. + +18. Updated exipick to current release from John Jetmore. + +19. Allow an empty sender to be matched against a lookup in an address list. + Previously the only cases considered were a regular expression, or an + empty pattern. + +20. Exim went into a mad DNS lookup loop when doing a callout where the + host was specified on the transport, if the DNS lookup yielded more than + one IP address. + +21. The RFC2047 encoding function was originally intended for short strings + such as real names; it was not keeping to the 75-character limit for + encoded words that the RFC imposes. It now respects the limit, and + generates multiple encoded words if necessary. To be on the safe side, I + have increased the buffer size for the ${rfc2047: expansion operator from + 1024 to 2048 bytes. + +22. Failure to deliver a bounce message always caused it to be frozen, even if + there was an errors_to setting on the router. The errors_to setting is now + respected. + +23. If an IPv6 address is given for -bh or -bhc, it is now converted to the + canonical form (fully expanded) before being placed in + $sender_host_address. + +24. Updated eximstats to version 1.33 + +25. Include certificate and key file names in error message when GnuTLS fails + to set them up, because the GnuTLS error message doesn't include the name + of the failing file when there is a problem reading it. + +26. Expand error message when OpenSSL has problems setting up cert/key files. + As per change 25. + +27. Reset the locale to "C" after calling embedded Perl, in case it was changed + (this can affect the format of dates). + +28. exim_tidydb, when checking for the continued existence of a message for + which it has found a message-specific retry record, was not finding + messages that were in split spool directories. Consequently, it was + deleting retry records that should have stayed in existence. + +29. eximstats updated to version 1.35 + 1.34 - allow eximstats to parse syslog lines as well as mainlog lines + 1.35 - bugfix such that pie charts by volume are generated correctly + +30. The SPA authentication driver was not abandoning authentication and moving + on to the next authenticator when an expansion was forced to fail, + contradicting the general specification for all authenticators. Instead it + was generating a temporary error. It now behaves as specified. + +31. The default ordering of permitted cipher suites for GnuTLS was pessimal + (the order specifies the preference for clients). The order is now AES256, + AES128, 3DES, ARCFOUR128. + +31. Small patch to Sieve code - explicitly set From: when generating an + autoreply. + +32. Exim crashed if a remote delivery caused a very long error message to be + recorded - for instance if somebody sent an entire SpamAssassin report back + as a large number of 550 error lines. This bug was coincidentally fixed by + increasing the size of one of Exim's internal buffers (big_buffer) that + happened as part of the Exiscan merge. However, to be on the safe side, I + have made the code more robust (and fixed the comments that describe what + is going on). + +33. Some experimental protocols are using DNS PTR records for new purposes. The + keys for these records are domain names, not reversed IP addresses. The + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. + CAN-2005-0021 + +34. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb PTR lookup with an IPv6 address that had more than 8 + components; fortuitously, this particular loophole had already been fixed + by change 4.50/55 or 4.44/33 above. + + If there are any other similar loopholes, the new check in host_aton() + itself should stop them being exploited. The report I received stated that + data on the command line could provoke the exploit when Exim was running as + exim, but did not say which command line option was involved. All I could + find was the use of -be with a bad dnsdb PTR lookup, and in that case it is + running as the user. + CAN-2005-0021 + +35. There was a buffer overflow vulnerability in the SPA authentication code + (which came originally from the Samba project). I have added a test to the + spa_base64_to_bits() function which I hope fixes it. + CAN-2005-0022 + +36. The daemon start-up calls getloadavg() while still root for those OS that + need the first call to be done as root, but it missed one case: when + deliver_queue_load_max is set with deliver_drop_privilege. This is + necessary for the benefit of the queue runner, because there is no re-exec + when deliver_drop_privilege is set. + +37. Caching of lookup data for "hosts =" ACL conditions, when a named host list + was in use, was not putting the data itself into the right store pool; + consequently, it could be overwritten for a subsequent message in the same + SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked + the caching.) + +38. Sometimes the final signoff response after QUIT could fail to get + transmitted in the non-TLS case. Testing !tls_active instead of tls_active + < 0 before doing a fflush(). This bug looks as though it goes back to the + introduction of TLS in release 3.20, but "sometimes" must have been rare + because the tests only now provoked it. + Exim version 4.43 -----------------