X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/4f6ae5c314e5c3e462313f3b53c917f36b131bf4..27b9e5f4d269b123e51beee76ab3c7f72521fead:/doc/doc-txt/ChangeLog?ds=sidebyside diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 9f275a9db..454d34311 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,6 +1,63 @@ Change log file for Exim from version 4.21 ------------------------------------------- +Exim version 4.88 +----------------- +JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination + supports it and a size is available (ie. the sending peer gave us one). + +JH/02 The obsolete acl condition "demime" is removed (finally, after ten + years of being deprecated). The replacements are the ACLs + acl_smtp_mime and acl_not_smtp_mime. + +JH/03 Upgrade security requirements imposed for hosts_try_dane: previously + a downgraded non-dane trust-anchor for the TLS connection (CA-style) + or even an in-clear connection were permitted. Now, if the host lookup + was dnssec and dane was requested then the host is only used if the + TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority + MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) + if one fails this test. + This means that a poorly-configured remote DNS will make it incommunicado; + but it protects against a DNS-interception attack on it. + +JH/04 Bug 1810: make continued-use of an open smtp transport connection + non-noisy when a race steals the message being considered. + +JH/05 If main configuration option tls_certificate is unset, generate a + selfsigned certificate for inbound TLS connections. + +JH/06 Bug 165: hide more cases of password exposure - this time in expansions + in rewrites and routers. + +JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 + and logged a warning sing 4.83; now they are a configuration file error. + +JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name + (lacking @domain). Apply the same qualification processing as RCPT. + +JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. + +JH/10 Support ${sha256:} applied to a string (as well as the previous + certificate). + +JH/11 Cutthrough: avoid using the callout hints db on a verify callout when + a cutthrough deliver is pending, as we always want to make a connection. + This also avoids re-routing the message when later placing the cutthrough + connection after a verify cache hit. + Do not update it with the verify result either. + +JH/12 Cutthrough: disable when verify option success_on_redirect is used, and + when routing results in more than one destination address. + +JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim + signing (which inhibits the cutthrough capability). Previously only + the presence of an option was tested; now an expansion evaluating as + empty is permissible (obviously it should depend only on data available + when the cutthrough connection is made). + +JH/14 Fakereject: previously logged as a norml message arrival "<="; now + distinguished as "(=". + Exim version 4.87 ----------------- @@ -142,20 +199,64 @@ JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM support, by using OpenSSL or GnuTLS library ones. This means DKIM is - only supported when built with TLS support. + only supported when built with TLS support. The PolarSSL SHA routines + are still used when the TLS library is too old for convenient support. JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option openssl_options), for security. OpenSSL forces this from version 1.1.0 server-side so match that on older versions. -JH/36 Fix a longstanding bug in memory use by the ${run } expansion: A fresh +JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh allocation for $value could be released as the expansion processing - concluded, but leaving the global pointer active for it. Possibly - involved in Bug 1778. + concluded, but leaving the global pointer active for it. JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response, and to use the domains and local_parts ACL conditions. +JH/38 Fix cutthrough bug with body lines having a single dot. The dot was + incorrectly not doubled on cutthrough transmission, hence seen as a + body-termination at the receiving system - resulting in truncated mails. + Commonly the sender saw a TCP-level error, and retransmitted the message + via the normal store-and-forward channel. This could result in duplicates + received - but deduplicating mailstores were liable to retain only the + initial truncated version. + +JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64. + +JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS. + +JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While + we're in there, support oversigning also; bug 1309. + +JH/42 Bug 1796: Fix error logged on a malware scanner connection failure. + +HS/04 Add support for keep_environment and add_environment options. + +JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain; + either intentional arithmetic overflow during PRNG, or testing config- + induced overflows. + +JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough + delivery resulted in actual delivery. Cancel cutthrough before DATA + stage. + +JH/45 Fix cutthrough, when connection not opened by verify and target hard- + rejects a recipient: pass the reject to the originator. + +JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs. + Many were false-positives and ignorable, but it's worth fixing the + former class. + +JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also + for the new environment-manipulation done at startup. Move the routines + from being local to tls.c to being global via the os.c file. + +JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing + an extract embedded as result-arg for a map, the first arg for extract + is unavailable so we cannot tell if this is a numbered or keyed + extraction. Accept either. + + Exim version 4.86 ----------------- @@ -223,7 +324,7 @@ JH/18 Bug 1581: Router and transport options headers_add/remove can now have the list separator specified. JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry - option values. + option values. JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails under OpenSSL. @@ -238,7 +339,7 @@ JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size JH/24 Verification callouts now attempt to use TLS by default. -HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) are generic router options now. The defaults didn't change. JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. @@ -276,6 +377,8 @@ JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command added for tls authenticator. +HS/03 Add perl_taintmode main config option + Exim version 4.85 ----------------- @@ -856,7 +959,7 @@ PP/12 MAIL args handles TAB as well as SP, for better interop with Analysis and variant patch by Todd Lyons. NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated - Bug report from Lars Müller (via SUSE), + Bug report from Lars Müller (via SUSE), Patch from Dirk Mueller PP/13 tls_peerdn now print-escaped for spool files.