X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/2a4be8f93bd41c49707fe5e6ce2d782b709b551c..5b68f6e43d7d8d07cbb8825c9520c20eaeac64b6:/doc/doc-txt/NewStuff diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index d0997d1f0..795944868 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.48 2005/05/31 10:58:18 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.57 2005/08/01 13:20:28 ph10 Exp $ New Features in Exim -------------------- @@ -8,6 +8,45 @@ but have not yet made it into the main manual (which is most conveniently updated when there is a relatively large batch of changes). The doc/ChangeLog file contains a listing of all changes, including bug fixes. +Exim version 4.53 +----------------- + +TK/01 Added the "success_on_redirect" address verification option. When an + address generates new addresses during routing, Exim will abort + verification with "success" when more than one address has been + generated, but continue to verify a single new address. The latter + does not happen when the new "success_on_redirect" option is set, like + + require verify = recipient/success_on_redirect/callout=10s + + In that case, verification will succeed when a router generates a new + address. + +PH/01 Support for SQLite database lookups has been added. This is another + query-style lookup, but it is slightly different from the others because + a file name is required in addition to the SQL query. This is because an + SQLite database is a single file and there is no daemon as in other SQL + databases. The interface to Exim requires the name of the file, as an + absolute path, to be given at the start of the query. It is separated + from the query by white space. This means that the path name cannot + contain white space. Here is a lookup expansion example: + + ${lookup sqlite {/some/thing/sqlitedb \ + select name from aliases where id='ph10';}} + + In a list, the syntax is similar. For example: + + domainlist relay_domains = sqlite;/some/thing/sqlitedb \ + select * from relays where ip='$sender_host_address'; + + The only character affected by the ${quote_sqlite: operator is a single + quote, which it doubles. + + Note that you must set LOOKUP_SQLITE=yes in Local/Makefile in order to + obtain SQLite support, and you will also need to add -lsqlite3 to the + EXTRALIBS setting. And of course, you have to install SQLite on your + host first. + Exim version 4.52 ----------------- @@ -150,6 +189,12 @@ TF/04 There is a new ratelimit ACL condition which can be used to measure example, you can limit the sending rate of each authenticated user, independent of the computer they are sending from, by setting the key to $authenticated_id. The default key is $sender_host_address. + Internally, Exim includes the smoothing constant p and the options in + the lookup key because they alter the meaning of the stored data. + This is not true for the limit m, so you can alter the configured + maximum rate and Exim will still remember clients' past behaviour, + but if you alter the other ratelimit parameters Exim will effectively + forget their past behaviour. Each ratelimit condition can have up to two options. The first option specifies what Exim measures the rate of, and the second specifies how @@ -235,6 +280,14 @@ TF/04 There is a new ratelimit ACL condition which can be used to measure cdb {DB/ratelimits.cdb} \ {$value} {RATELIMIT} } + Warning: if you have a busy server with a lot of ratelimit tests, + especially with the per_rcpt option, you may suffer from a performance + bottleneck caused by locking on the ratelimit hints database. Apart from + making your ACLs less complicated, you can reduce the problem by using a + RAM disk for Exim's hints directory, /var/spool/exim/db/. However this + means that Exim will lose its hints data after a reboot (including retry + hints, the callout cache, and ratelimit data). + TK/01 Added an 'spf' lookup type that will return an SPF result for a given email address (the key) and an IP address (the database): @@ -252,6 +305,145 @@ PH/02 There's a new verify callout option, "fullpostmaster", which first acts fails, it tries just , without a domain, in accordance with the specification in RFC 2821. +PH/03 The action of the auto_thaw option has been changed. It no longer applies + to frozen bounce messages. + +TK/02 There are two new expansion items to help with the implementation of + the BATV "prvs" scheme in an Exim configuration: + + + ${prvs {
}{}{[KEYNUM]}} + + The "prvs" expansion item takes three arguments: A qualified RFC2821 + email address, a key and an (optional) key number. All arguments are + expanded before being used, so it is easily possible to lookup a key + and key number using the address as the lookup key. The key number is + optional and defaults to "0". The item will expand to a "prvs"-signed + email address, to be typically used with the "return_path" option on + a smtp transport. The decision if BATV should be used with a given + sender/recipient pair should be done on router level, to avoid having + to set "max_rcpt = 1" on the transport. + + + ${prvscheck {
}{}{}} + + The "prvscheck" expansion item takes three arguments. Argument 1 is + expanded first. When the expansion does not yield a SYNTACTICALLY + valid "prvs"-scheme address, the whole "prvscheck" item expands to + the empty string. If
is a "prvs"-encoded address after + expansion, two expansion variables are set up: + + $prvscheck_address Contains the "prvs"-decoded version of + the address from argument 1. + + $prvscheck_keynum Contains the key number extracted from + the "prvs"-address in argument 1. + + These two variables can be used in the expansion code of argument 2 + to retrieve the . The VALIDITY of the "prvs"-signed address + is then checked. The result is stored in yet another expansion + variable: + + $prvscheck_result Contains the result of a "prvscheck" + expansion: Unset (the empty string) for + failure, "1" for success. + + The "prvscheck" expansion expands to the empty string if
+ is not a SYNTACTICALLY valid "prvs"-scheme address. Otherwise, + argument 3 defines what "prvscheck" expands to: If argument 3 + is the empty string, "prvscheck" expands to the decoded version + of the address (no matter if it is CRYPTOGRAPHICALLY valid or not). + If argument 3 expands to a non-empty string, "prvscheck" expands + to that string. + + + Usage example + ------------- + + Macro: + + PRVSCHECK_SQL = ${lookup mysql{SELECT secret FROM batv_prvs WHERE \ + sender='${quote_mysql:$prvscheck_address}'}{$value}} + + RCPT ACL: + + # Bounces: drop unsigned addresses for BATV senders + deny message = This address does not send an unsigned reverse path. + senders = : + recipients = +batv_recipients + + # Bounces: In case of prvs-signed address, check signature. + deny message = Invalid reverse path signature. + senders = : + condition = ${prvscheck {$local_part@$domain}{PRVSCHECK_SQL}{1}} + !condition = $prvscheck_result + + Top-Level Router: + + batv_redirect: + driver = redirect + data = ${prvscheck {$local_part@$domain}{PRVSCHECK_SQL}{}} + + Transport (referenced by router that makes decision if + BATV is applicable): + + external_smtp_batv: + driver = smtp + return_path = ${prvs {$return_path} \ + {${lookup mysql{SELECT \ + secret FROM batv_prvs WHERE \ + sender='${quote_mysql:$sender_address}'} \ + {$value}fail}}} + +PH/04 There are two new options that control the retrying done by the daemon + at startup when it cannot immediately bind a socket (typically because + the socket is already in use). The default values reproduce what were + built-in constants previously: daemon_startup_retries defines the number + of retries after the first failure (default 9); daemon_startup_sleep + defines the length of time to wait between retries (default 30s). + +PH/05 There is now a new ${if condition called "match_ip". It is similar to + match_domain, etc. It must be followed by two argument strings. The first + (after expansion) must be an IP address or an empty string. The second + (after expansion) is a restricted host list that can match only an IP + address, not a host name. For example: + + ${if match_ip{$sender_host_address}{1.2.3.4:5.6.7.8}{...}{...}} + + The specific types of host list item that are permitted in the list are + shown below. Consult the manual section on host lists for further + details. + + . An IP address, optionally with a CIDR mask. + + . A single asterisk matches any IP address. + + . An empty item matches only if the IP address is empty. This could be + useful for testing for a locally submitted message or one from specific + hosts in a single test such as + + ${if match_ip{$sender_host_address}{:4.3.2.1:...}{...}{...}} + + where the first item in the list is the empty string. + + . The item @[] matches any of the local host's interface addresses. + + . Lookups are assumed to be "net-" style lookups, even if "net-" is not + specified. Thus, the following are equivalent: + + ${if match_ip{$sender_host_address}{lsearch;/some/file}... + ${if match_ip{$sender_host_address}{net-lsearch;/some/file}... + + You do need to specify the "net-" prefix if you want to specify a + specific address mask, for example, by using "net24-". + +PH/06 The "+all" debug selector used to set the flags for all possible output; + it is something that people tend to use semi-automatically when + generating debug output for me or for the list. However, by including + "+memory", an awful lot of output that is very rarely of interest was + generated. I have changed this so that "+all" no longer includes + "+memory". However, "-all" still turns everything off. + Version 4.51 ------------