X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/cb7410236c1301a26b91d8290de8599cf0faf049..1e06383a8b5eaaf67910c94c737e8d9b5d16a00a:/doc/doc-txt/ChangeLog diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index acac82061..6d9b28383 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,7 +1,2419 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.250 2005/10/13 13:21:00 ph10 Exp $ +Change log file for Exim from version 4.21 +------------------------------------------- + + +Exim version 4.83 +----------------- + +TF/01 Correctly close the server side of TLS when forking for delivery. + + When a message was received over SMTP with TLS, Exim failed to clear up + the incoming connection properly after forking off the child process to + deliver the message. In some situations the subsequent outgoing + delivery connection happened to have the same fd number as the incoming + connection previously had. Exim would try to use TLS and fail, logging + a "Bad file descriptor" error. + +TF/02 Portability fix for building lookup modules on Solaris when the xpg4 + utilities have not been installed. + +JH/01 Fix memory-handling in use of acl as a conditional; avoid free of + temporary space as the ACL may create new global variables. + +TL/01 LDAP support uses per connection or global context settings, depending + upon the detected version of the libraries at build time. + +TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection + to extract and use the src ip:port in logging and expansions as if it + were a direct connection from the outside internet. + +JH/02 Add ${listextract {number}{list}{success}{fail}}. + +TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents. + Properly escape header and check for NULL return. + +PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok + not dns_use_dnssec. + +JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp. + +TL/04 Add verify = header_names_ascii check to reject email with non-ASCII + characters in header names, implemented as a verify condition. + Contributed by Michael Fischer v. Mollard. + +TL/05 Rename SPF condition results err_perm and err_temp to standardized + results permerror and temperror. Is a backward incompatibility if + the ACL tests for either of these two results. Patch contributed by + user bes-internal on the mailing list. + +JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau. + +JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log + selectors, in both main and reject logs. + +JH/06 Log outbound-TLS and port details, subject to log selectors, for a + failed delivery. + +JH/07 Add malware type "sock" for talking to simple daemon. + +JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport. + +JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in + routers/transports under cutthrough routing. + +JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative + numbers. Touch up "bool" conditional to keep the same definition. + +JH/11 Add dnsdb tlsa lookup. From Todd Lyons. + + +Exim version 4.82 +----------------- + +PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities. + +PP/02 Make -n do something, by making it not do something. + When combined with -bP, the name of an option is not output. + +PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured + by GnuTLS. + +PP/04 First step towards DNSSEC, provide $sender_host_dnssec for + $sender_host_name and config options to manage this, and basic check + routines. + +PP/05 DSCP support for outbound connections and control modifier for inbound. + +PP/06 Cyrus SASL: set local and remote IP;port properties for driver. + (Only plugin which currently uses this is kerberos4, which nobody should + be using, but we should make it available and other future plugins might + conceivably use it, even though it would break NAT; stuff *should* be + using channel bindings instead). + +PP/07 Handle "exim -L " to indicate to use syslog with tag as the process + name; added for Sendmail compatibility; requires admin caller. + Handle -G as equivalent to "control = suppress_local_fixups" (we used to + just ignore it); requires trusted caller. + Also parse but ignore: -Ac -Am -X + Bugzilla 1117. + +TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing. + +TL/02 Add +smtp_confirmation as a default logging option. + +TL/03 Bugzilla 198 - Implement remove_header ACL modifier. + Patch by Magnus Holmgren from 2007-02-20. + +TL/04 Bugzilla 1281 - Spec typo. + Bugzilla 1283 - Spec typo. + Bugzilla 1290 - Spec grammar fixes. + +TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation. + +TL/06 Add Experimental DMARC support using libopendmarc libraries. + +TL/07 Fix an out of order global option causing a segfault. Reported to dev + mailing list by by Dmitry Isaikin. + +JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support. + +JH/02 Support "G" suffix to numbers in ${if comparisons. + +PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL. + +NM/01 Bugzilla 1197 - Spec typo + Bugzilla 1196 - Spec examples corrections + +JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} + +PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called + gnutls_enable_pkcs11, but renamed to more accurately indicate its + function. + +PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC. + Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler. + +JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition + "acl {{name}{arg}...}", and optional args on acl condition + "acl = name arg..." + +JH/05 Permit multiple router/transport headers_add/remove lines. + +JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination. + +JH/07 Avoid using a waiting database for a single-message-only transport. + Performance patch from Paul Fisher. Bugzilla 1262. + +JH/08 Strip leading/trailing newlines from add_header ACL modifier data. + Bugzilla 884. + +JH/09 Add $headers_added variable, with content from use of ACL modifier + add_header (but not yet added to the message). Bugzilla 199. + +JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line. + Pulled from Bugzilla 817 by Wolfgang Breyha. + +PP/11 SECURITY: protect DKIM DNS decoding from remote exploit. + CVE-2012-5671 + (nb: this is the same fix as in Exim 4.80.1) + +JH/11 Add A= logging on delivery lines, and a client_set_id option on + authenticators. + +JH/12 Add optional authenticated_sender logging to A= and a log_selector + for control. + +PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29. + +PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not + advertise SMTP AUTH mechanism to us, instead of a generic + protocol violation error. Also, make Exim more robust to bad + data from the Dovecot auth socket. + +TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients. + + When a queue runner is handling a message, Exim first routes the + recipient addresses, during which it prunes them based on the retry + hints database. After that it attempts to deliver the message to + any remaining recipients. It then updates the hints database using + the retry rules. + + So if a recipient address works intermittently, it can get repeatedly + deferred at routing time. The retry hints record remains fresh so the + address never reaches the final cutoff time. + + This is a fairly common occurrence when a user is bumping up against + their storage quota. Exim had some logic in its local delivery code + to deal with this. However it did not apply to per-recipient defers + in remote deliveries, e.g. over LMTP to a separate IMAP message store. + + This change adds a proper retry rule check during routing so that the + final cutoff time is checked against the message's age. We only do + this check if there is an address retry record and there is not a + domain retry record; this implies that previous attempts to handle + the address had the retry_use_local_parts option turned on. We use + this as an approximation for the destination being like a local + delivery, as in LMTP. + + I suspect this new check makes the old local delivery cutoff check + redundant, but I have not verified this so I left the code in place. + +TF/02 Correct gecos expansion when From: is a prefix of the username. + + Test 0254 submits a message to Exim with the header + + Resent-From: f + + When I ran the test suite under the user fanf2, Exim expanded + the header to contain my full name, whereas it should have added + a Resent-Sender: header. It erroneously treats any prefix of the + username as equal to the username. + + This change corrects that bug. + +GF/01 DCC debug and logging tidyup + Error conditions log to paniclog rather than rejectlog. + Debug lines prefixed by "DCC: " to remove any ambiguity. + +TF/03 Avoid unnecessary rebuilds of lookup-related code. + +PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server. + Bug spotted by Jeremy Harris; was flawed since initial commit. + Would have resulted in OCSP responses post-SNI triggering an Exim + NULL dereference and crash. + +JH/13 Add $router_name and $transport_name variables. Bugzilla 308. + +PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd. + Bug detection, analysis and fix by Samuel Thibault. + Bugzilla 1331, Debian bug #698092. + +SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]' + +JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt). + Server implementation by Todd Lyons, client by JH. + Only enabled when compiled with EXPERIMENTAL_PRDR. A new + config variable "prdr_enable" controls whether the server + advertises the facility. If the client requests PRDR a new + acl_data_smtp_prdr ACL is called once for each recipient, after + the body content is received and before the acl_smtp_data ACL. + The client is controlled by bolth of: a hosts_try_prdr option + on the smtp transport, and the server advertisement. + Default client logging of deliveries and rejections involving + PRDR are flagged with the string "PRDR". + +PP/16 Fix problems caused by timeouts during quit ACLs trying to double + fclose(). Diagnosis by Todd Lyons. + +PP/17 Update configure.default to handle IPv6 localhost better. + Patch by Alain Williams (plus minor tweaks). + Bugzilla 880. + +PP/18 OpenSSL made graceful with empty tls_verify_certificates setting. + This is now consistent with GnuTLS, and is now documented: the + previous undocumented portable approach to treating the option as + unset was to force an expansion failure. That still works, and + an empty string is now equivalent. + +PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it + clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag, + not performing validation itself. + +PP/20 Added force_command boolean option to pipe transport. + Patch from Nick Koston, of cPanel Inc. + +JH/15 AUTH support on callouts (and hence cutthrough-deliveries). + Bugzilla 321, 823. + +TF/04 Added udpsend ACL modifer and hexquote expansion operator + +PP/21 Fix eximon continuous updating with timestamped log-files. + Broken in a format-string cleanup in 4.80, missed when I repaired the + other false fix of the same issue. + Report and fix from Heiko Schlichting. + Bugzilla 1363. + +PP/22 Guard LDAP TLS usage against Solaris LDAP variant. + Report from Prashanth Katuri. + +PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options. + It's SecureTransport, so affects any MacOS clients which use the + system-integrated TLS libraries, including email clients. + +PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if + using a MIME ACL for non-SMTP local injection. + Report and assistance in diagnosis by Warren Baker. + +TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver. + +JH/16 Fix comparisons for 64b. Bugzilla 1385. + +TL/09 Add expansion variable $authenticated_fail_id to keep track of + last id that failed so it may be referenced in subsequent ACL's. + +TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by + Alexander Miroch. + +TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls + ldap library initialization, allowing self-signed CA's to be + used. Also properly sets require_cert option later in code by + using NULL (global ldap config) instead of ldap handle (per + session). Bug diagnosis and testing by alxgomz. + +TL/12 Enhanced documentation in the ratelimit.pl script provided in + the src/util/ subdirectory. + +TL/13 Bug 1301 - Imported transport SQL logging patch from Axel Rau + renamed to Transport Post Delivery Action by Jeremy Harris, as + EXPERIMENTAL_TPDA. + +TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled + when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable + redis_servers = needs to be configured which will be used by the redis + lookup. Patch from Warren Baker, of The Packet Hub. + +TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall. + +TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a + hostname or reverse DNS when processing a host list. Used suggestions + from multiple comments on this bug. + +TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey. + +TL/18 Had previously added a -CONTINUE option to runtest in the test suite. + Missed a few lines, added it to make the runtest require no keyboard + interaction. + +TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite + contains upper case chars. Make router use caseful_local_part. + +TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS + support when GnuTLS has been built with p11-kit. + + +Exim version 4.80.1 +------------------- + +PP/01 SECURITY: protect DKIM DNS decoding from remote exploit. + CVE-2012-5671 + This, or similar/improved, will also be change PP/11 of 4.82. + + +Exim version 4.80 +----------------- + +PP/01 Handle short writes when writing local log-files. + In practice, only affects FreeBSD (8 onwards). + Bugzilla 1053, with thanks to Dmitry Isaikin. + +NM/01 Bugzilla 949 - Documentation tweak + +NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps + improved. + +NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs. + +PP/02 Implemented gsasl authenticator. + +PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option. + +PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use + `pkg-config foo` for cflags/libs. + +PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent + with rest of GSASL and with heimdal_gssapi. + +PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use + `pkg-config foo` for cflags/libs for the TLS implementation. + +PP/07 New expansion variable $tls_bits; Cyrus SASL server connection + properties get this fed in as external SSF. A number of robustness + and debugging improvements to the cyrus_sasl authenticator. + +PP/08 cyrus_sasl server now expands the server_realm option. + +PP/09 Bugzilla 1214 - Log authentication information in reject log. + Patch by Jeremy Harris. + +PP/10 Added dbmjz lookup type. + +PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid. + +PP/12 MAIL args handles TAB as well as SP, for better interop with + non-compliant senders. + Analysis and variant patch by Todd Lyons. + +NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated + Bug report from Lars Müller (via SUSE), + Patch from Dirk Mueller + +PP/13 tls_peerdn now print-escaped for spool files. + Observed some $tls_peerdn in wild which contained \n, which resulted + in spool file corruption. + +PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options" + values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read + or write after TLS renegotiation, which otherwise led to messages + "Got SSL error 2". + +TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted + as a tracking header (ie: a signed header comes before the signature). + Patch from Wolfgang Breyha. + +JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a + comma-sep list; embedded commas doubled. + +JH/02 Refactored ACL "verify =" logic to table-driven dispatch. + +PP/15 LDAP: Check for errors of TLS initialisation, to give correct + diagnostics. + Report and patch from Dmitry Banschikov. + +PP/16 Removed "dont_insert_empty_fragments" fron "openssl_options". + Removed SSL_clear() after SSL_new() which led to protocol negotiation + failures. We appear to now support TLS1.1+ with Exim. + +PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate + lets Exim select keys and certificates based upon TLS SNI from client. + Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly + before an outbound SMTP session. New log_selector, +tls_sni. + +PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid + NULL dereference. Report and patch from Alun Jones. + +PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage + on less well tested platforms). Obviates NetBSD pkgsrc patch-ac. + Not seeing resolver debug output on NetBSD, but suspect this is a + resolver implementation change. + +PP/20 Revert part of NM/04, it broke log_path containing %D expansions. + Left warnings. Added "eximon gdb" invocation mode. + +PP/21 Defaulting "accept_8bitmime" to true, not false. + +PP/22 Added -bw for inetd wait mode support. + +PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to + locate the relevant includes and libraries. Made this the default. + +PP/24 Fixed headers_only on smtp transports (was not sending trailing dot). + Bugzilla 1246, report and most of solution from Tomasz Kusy. + +JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m"). + This may cause build issues on older platforms. + +PP/25 Revamped GnuTLS support, passing tls_require_ciphers to + gnutls_priority_init, ignoring Exim options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols (no longer supported). + Added SNI support via GnuTLS too. + Made ${randint:..} supplier available, if using not-too-old GnuTLS. + +PP/26 Added EXPERIMENTAL_OCSP for OpenSSL. + +PP/27 Applied dnsdb SPF support patch from Janne Snabb. + Applied second patch from Janne, implementing suggestion to default + multiple-strings-in-record handling to match SPF spec. + +JH/04 Added expansion variable $tod_epoch_l for a higher-precision time. + +PP/28 Fix DCC dcc_header content corruption (stack memory referenced, + read-only, out of scope). + Patch from Wolfgang Breyha, report from Stuart Northfield. + +PP/29 Fix three issues highlighted by clang analyser static analysis. + Only crash-plausible issue would require the Cambridge-specific + iplookup router and a misconfiguration. + Report from Marcin Mirosław. + +PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy. + +PP/31 %D in printf continues to cause issues (-Wformat=security), so for + now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS. + As part of this, removing so much warning spew let me fix some minor + real issues in debug logging. + +PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing + assignment on my part. Fixed. + +PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit + of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by + Janne Snabb (who went above and beyond: thank you). + +PP/34 Validate tls_require_ciphers on startup, since debugging an invalid + string otherwise requires a connection and a bunch more work and it's + relatively easy to get wrong. Should also expose TLS library linkage + problems. + +PP/35 Pull in on Linux, for some portability edge-cases of + 64-bit ${eval} (JH/03). + +PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of + GNU libc to support some of the 64-bit stuff, should not lead to + conflicts. Defined before os.h is pulled in, so if a given platform + needs to override this, it can. + +PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought + protection layer was required, which is not implemented. + Bugzilla 1254, patch from Wolfgang Breyha. + +PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built + into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make + tls_dhparam take prime identifiers. Also unbreak combination of + OpenSSL+DH_params+TLSSNI. + +PP/39 Disable SSLv2 by default in OpenSSL support. + + +Exim version 4.77 +----------------- + +PP/01 Solaris build fix for Oracle's LDAP libraries. + Bugzilla 1109, patch from Stephen Usher. + +TF/01 HP/UX build fix: avoid arithmetic on a void pointer. + +TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o + whitespace trailer + +TF/02 Fix a couple more cases where we did not log the error message + when unlink() failed. See also change 4.74-TF/03. + +TF/03 Make the exiwhat support code safe for signals. Previously Exim might + lock up or crash if it happened to be inside a call to libc when it + got a SIGUSR1 from exiwhat. + + The SIGUSR1 handler appends the current process status to the process + log which is later printed by exiwhat. It used to use the general + purpose logging code to do this, but several functions it calls are + not safe for signals. + + The new output code in the SIGUSR1 handler is specific to the process + log, and simple enough that it's easy to inspect for signal safety. + Removing some special cases also simplifies the general logging code. + Removing the spurious timestamps from the process log simplifies + exiwhat. + +TF/04 Improved ratelimit ACL condition. + + The /noupdate option has been deprecated in favour of /readonly which + has clearer semantics. The /leaky, /strict, and /readonly update modes + are mutually exclusive. The update mode is no longer included in the + database key; it just determines when the database is updated. (This + means that when you upgrde Exim will forget old rate measurements.) + + Exim now checks that the per_* options are used with an update mode that + makes sense for the current ACL. For example, when Exim is processing a + message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify + per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you + must specify per_mail/readonly. If you omit the update mode it defaults to + /leaky where that makes sense (as before) or /readonly where required. + + The /noupdate option is now undocumented but still supported for + backwards compatibility. It is equivalent to /readonly except that in + ACLs where /readonly is required you may specify /leaky/noupdate or + /strict/noupdate which are treated the same as /readonly. + + A useful new feature is the /count= option. This is a generalization + of the per_byte option, so that you can measure the throughput of other + aggregate values. For example, the per_byte option is now equivalent + to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }. + + The per_rcpt option has been generalized using the /count= mechanism + (though it's more complicated than the per_byte equivalence). When it is + used in acl_smtp_rcpt, the per_rcpt option adds recipients to the + measured rate one at a time; if it is used later (e.g. in acl_smtp_data) + or in a non-SMTP ACL it adds all the recipients in one go. (The latter + /count=$recipients_count behaviour used to work only in non-SMTP ACLs.) + Note that using per_rcpt with a non-readonly update mode in more than + one ACL will cause the recipients to be double-counted. (The per_mail + and per_byte options don't have this problem.) + + The handling of very low rates has changed slightly. If the computed rate + is less than the event's count (usually one) then this event is the first + after a long gap. In this case the rate is set to the same as this event's + count, so that the first message of a spam run is counted properly. + + The major new feature is a mechanism for counting the rate of unique + events. The new per_addr option counts the number of different + recipients that someone has sent messages to in the last time period. It + behaves like per_rcpt if all the recipient addresses are different, but + duplicate recipient addresses do not increase the measured rate. Like + the /count= option this is a general mechanism, so the per_addr option + is equivalent to per_rcpt/unique=$local_part@$domain. You can, for + example, measure the rate that a client uses different sender addresses + with the options per_mail/unique=$sender_address. There are further + details in the main documentation. + +TF/05 Removed obsolete $Cambridge$ CVS revision strings. + +TF/06 Removed a few PCRE remnants. + +TF/07 Automatically extract Exim's version number from tags in the git + repository when doing development or release builds. + +PP/02 Raise smtp_cmd_buffer_size to 16kB. + Bugzilla 879. Patch from Paul Fisher. + +PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport. + Heavily based on revision 40f9a89a from Simon Arlott's tree. + Bugzilla 97. + +PP/04 Use .dylib instead of .so for dynamic library loading on MacOS. + +PP/05 Variable $av_failed, true if the AV scanner deferred. + Bugzilla 1078. Patch from John Horne. + +PP/06 Stop make process more reliably on build failure. + Bugzilla 1087. Patch from Heiko Schlittermann. + +PP/07 Make maildir_use_size_file an _expandable_ boolean. + Bugzilla 1089. Patch from Heiko Schlittermann. + +PP/08 Handle ${run} returning more data than OS pipe buffer size. + Bugzilla 1131. Patch from Holger Weiß. + +PP/09 Handle IPv6 addresses with SPF. + Bugzilla 860. Patch from Wolfgang Breyha. + +PP/10 GnuTLS: support TLS 1.2 & 1.1. + Bugzilla 1156. + Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler]. + Bugzilla 1095. + +PP/11 match_* no longer expand right-hand-side by default. + New compile-time build option, EXPAND_LISTMATCH_RHS. + New expansion conditions, "inlist", "inlisti". + +PP/12 fix uninitialised greeting string from PP/03 (smtps client support). + +PP/13 shell and compiler warnings fixes for RC1-RC4 changes. + +PP/14 fix log_write() format string regression from TF/03. + Bugzilla 1152. Patch from Dmitry Isaikin. + + +Exim version 4.76 +----------------- + +PP/01 The new ldap_require_cert option would segfault if used. Fixed. + +PP/02 Harmonised TLS library version reporting; only show if debugging. + Layout now matches that introduced for other libraries in 4.74 PP/03. + +PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1 + +PP/04 New "dns_use_edns0" global option. + +PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid. + Bugzilla 1098. + +PP/06 Extra paranoia around buffer usage at the STARTTLS transition. + nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316 + +TK/01 Updated PolarSSL code to 0.14.2. + Bugzilla 1097. Patch from Andreas Metzler. + +PP/07 Catch divide-by-zero in ${eval:...}. + Fixes bugzilla 1102. + +PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed. + Bugzilla 1104. + +TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a + format-string attack -- SECURITY: remote arbitrary code execution. + +TK/03 SECURITY - DKIM signature header parsing was double-expanded, second + time unintentionally subject to list matching rules, letting the header + cause arbitrary Exim lookups (of items which can occur in lists, *not* + arbitrary string expansion). This allowed for information disclosure. + +PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to + INT_MIN/-1 -- value coerced to INT_MAX. + + +Exim version 4.75 +----------------- + +NM/01 Workround for PCRE version dependency in version reporting + Bugzilla 1073 + +TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0. + This fixes portability to compilers other than gcc, notably + Solaris CC and HP-UX CC. Fixes Bugzilla 1050. + +TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup + makefiles for portability to HP-UX and POSIX correctness. + +PP/01 Permit LOOKUP_foo enabling on the make command-line. + Also via indented variable definition in the Makefile. + (Debugging by Oliver Heesakkers). + +PP/02 Restore caching of spamd results with expanded spamd_address. + Patch from author of expandable spamd_address patch, Wolfgang Breyha. + +PP/03 Build issue: lookups-Makefile now exports LC_ALL=C + Improves build reliability. Fix from: Frank Elsner + +NM/02 Fix wide character breakage in the rfc2047 coding + Fixes bug 1064. Patch from Andrey N. Oktyabrski + +NM/03 Allow underscore in dnslist lookups + Fixes bug 1026. Patch from Graeme Fowler + +PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps). + Code patches from Adam Ciarcinski of NetBSD. + +NM/04 Fixed exiqgrep to cope with mailq missing size issue + Fixes bug 943. + +PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which + is logged, to avoid truncation. Patch from John Horne. + +PP/06 Bugzilla 1042: implement freeze_signal on pipe transports. + Patch from Jakob Hirsch. + +PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal + SQL string expansion failure details. + Patch from Andrey Oktyabrski. + +PP/08 Bugzilla 486: implement %M datestamping in log filenames. + Patch from Simon Arlott. + +PP/09 New lookups functionality failed to compile on old gcc which rejects + extern declarations in function scope. + Patch from Oliver Fleischmann + +PP/10 Use sig_atomic_t for flags set from signal handlers. + Check getgroups() return and improve debugging. + Fixed developed for diagnosis in bug 927 (which turned out to be + a kernel bug). + +PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag. + Patch from Mark Zealey. + +PP/12 Bugzilla 1056: Improved spamd server selection. + Patch from Mark Zealey. + +PP/13 Bugzilla 1086: Deal with maildir quota file races. + Based on patch from Heiko Schlittermann. + +PP/14 Bugzilla 1019: DKIM multiple signature generation fix. + Patch from Uwe Doering, sign-off by Michael Haardt. + +NM/05 Fix to spam.c to accommodate older gcc versions which dislike + variable declaration deep within a block. Bug and patch from + Dennis Davis. + +PP/15 lookups-Makefile IRIX compatibilty coercion. + +PP/16 Make DISABLE_DKIM build knob functional. + +NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler + Patch by Simon Arlott + +TF/03 Fix valgrind.h portability to C89 compilers that do not support + variable argument macros. Our copy now differs from upstream. + + +Exim version 4.74 +----------------- + +TF/01 Failure to get a lock on a hints database can have serious + consequences so log it to the panic log. + +TF/02 Log LMTP confirmation messages in the same way as SMTP, + controlled using the smtp_confirmation log selector. + +TF/03 Include the error message when we fail to unlink a spool file. + +DW/01 Bugzilla 139: Support dynamically loaded lookups as modules. + With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux + for maintaining out-of-tree patches for some time. + +PP/01 Bugzilla 139: Documentation and portability issues. + Avoid GNU Makefile-isms, let Exim continue to build on BSD. + Handle per-OS dynamic-module compilation flags. + +PP/02 Let /dev/null have normal permissions. + The 4.73 fixes were a little too stringent and complained about the + permissions on /dev/null. Exempt it from some checks. + Reported by Andreas M. Kirchwitz. + +PP/03 Report version information for many libraries, including + Exim version information for dynamically loaded libraries. Created + version.h, now support a version extension string for distributors + who patch heavily. Dynamic module ABI change. + +PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a + privilege escalation vulnerability whereby the Exim run-time user + can cause root to append content of the attacker's choosing to + arbitrary files. + +PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code. + (Wolfgang Breyha) + +PP/06 Bugzilla 1071: fix delivery logging with untrusted macros. + If dropping privileges for untrusted macros, we disabled normal logging + on the basis that it would fail; for the Exim run-time user, this is not + the case, and it resulted in successful deliveries going unlogged. + Fixed. Reported by Andreas Metzler. + + +Exim version 4.73 +----------------- + +PP/01 Date: & Message-Id: revert to normally being appended to a message, + only prepend for the Resent-* case. Fixes regression introduced in + Exim 4.70 by NM/22 for Bugzilla 607. + +PP/02 Include check_rfc2047_length in configure.default because we're seeing + increasing numbers of administrators be bitten by this. + +JJ/01 Added DISABLE_DKIM and comment to src/EDITME + +PP/03 Bugzilla 994: added openssl_options main configuration option. + +PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads. + +PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports. + +PP/06 Adjust NTLM authentication to handle SASL Initial Response. + +PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but + without a peer certificate, leading to a segfault because of an + assumption that peers always have certificates. Be a little more + paranoid. Problem reported by Martin Tscholak. + +PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content + filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes + NB: ClamAV planning to remove STREAM in "middle of 2010". + CL also introduces -bmalware, various -d+acl logging additions and + more caution in buffer sizes. + +PP/09 Implemented reverse_ip expansion operator. + +PP/10 Bugzilla 937: provide a "debug" ACL control. + +PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne. + +PP/12 Bugzilla 973: Implement --version. + +PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0. + +PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. + +PP/15 Bugzilla 816: support multiple condition rules on Routers. + +PP/16 Add bool_lax{} expansion operator and use that for combining multiple + condition rules, instead of bool{}. Make both bool{} and bool_lax{} + ignore trailing whitespace. + +JJ/02 prevent non-panic DKIM error from being sent to paniclog + +JJ/03 added tcp_wrappers_daemon_name to allow host entries other than + "exim" to be used + +PP/17 Fix malware regression for cmdline scanner introduced in PP/08. + Notification from Dr Andrew Aitchison. + +PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's + ExtendedDetectionInfo response format. + Notification from John Horne. + +PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards + compatible. + +PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http: + XSL and documented dependency on system catalogs, with examples of how + it normally works. + +DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store + access. + +DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour + of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a + configuration file which is writeable by the Exim user or group. + +DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability + of configuration files to cover files specified with the -C option if + they are going to be used with root privileges, not just the default + configuration file. + +DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY + option (effectively making it always true). + +DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration + files to be used while preserving root privileges. + +DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure + that rogue child processes cannot use them. + +PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim + run-time user, instead of root. + +PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the + Exim run-time user without dropping privileges. + +DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the + result string, instead of calling string_vformat() twice with the same + arguments. + +DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not + for other users. Others should always drop root privileges if they use + -C on the command line, even for a whitelisted configure file. + +DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes. + +NM/01 Fixed bug #1002 - Message loss when using multiple deliveries + + +Exim version 4.72 +----------------- + +JJ/01 installed exipick 20100104.1, adding $max_received_linelength, + $data_path, and $header_path variables; fixed documentation bugs and + typos + +JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow + exipick to access non-standard spools, including the "frozen" queue + (Finput) + +NM/01 Bugzilla 965: Support mysql stored procedures. + Patch from Alain Williams + +NM/02 Bugzilla 961: Spacing fix (syntax error) on Makefile directives for NetBSD + +NM/03 Bugzilla 955: Documentation fix for max_rcpts. + Patch from Andreas Metzler + +NM/04 Bugzilla 954: Fix for unknown responses from Dovecot authenticator. + Patch from Kirill Miazine + +NM/05 Bugzilla 671: Added umask to procmail example. + +JJ/03 installed exipick 20100323.0, fixing doc bug + +NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail + directory. Notification and patch from Dan Rosenberg. + +TK/01 PDKIM: Upgrade PolarSSL files to upstream version 0.12.1. + +TK/02 Improve log output when DKIM signing operation fails. + +MH/01 Treat the transport option dkim_domain as a colon separated + list, not as a single string, and sign the message with each element, + omitting multiple occurences of the same signer. + +NM/07 Null terminate DKIM strings, Null initialise DKIM variable + Bugzilla 985, 986. Patch by Simon Arlott + +NM/08 Bugzilla 967. dnsdb DNS TXT record bug fix (DKIM-related) + Patch by Simon Arlott + +PP/01 Bugzilla 989: CVE-2010-2024 - work round race condition on + MBX locking. Notification from Dan Rosenberg. + + +Exim version 4.71 +----------------- + +TK/01 Bugzilla 912: Fix DKIM segfault on empty headers/body. + +NM/01 Bugzilla 913: Documentation fix for gnutls_* options. + +NM/02 Bugzilla 722: Documentation for randint. Better randomness defaults. + +NM/03 Bugzilla 847: Enable DNSDB lookup by default. + +NM/04 Bugzilla 915: Flag broken perl installation during build. + + +Exim version 4.70 +----------------- + +TK/01 Added patch by Johannes Berg that expands the main option + "spamd_address" if it starts with a dollar sign. + +TK/02 Write list of recipients to X-Envelope-Sender header when building + the mbox-format spool file for content scanning (suggested by Jakob + Hirsch). + +TK/03 Added patch by Wolfgang Breyha that adds experimental DCC + (http://www.dcc-servers.net/) support via dccifd. Activated by + setting EXPERIMENTAL_DCC=yes in Local/Makefile. + +TK/04 Bugzilla 673: Add f-protd malware scanner support. Patch submitted + by Mark Daniel Reidel . + +NM/01 Bugzilla 657: Embedded PCRE removed from the exim source tree. + When building exim an external PCRE library is now needed - + PCRE is a system library on the majority of modern systems. + See entry on PCRE_LIBS in EDITME file. + +NM/02 Bugzilla 646: Removed unwanted C/R in Dovecot authenticator + conversation. Added nologin parameter to request. + Patch contributed by Kirill Miazine. + +TF/01 Do not log submission mode rewrites if they do not change the address. + +TF/02 Bugzilla 662: Fix stack corruption before exec() in daemon.c. + +NM/03 Bugzilla 602: exicyclog now handles panic log, and creates empty + log files in place. Contributed by Roberto Lima. + +NM/04 Bugzilla 667: Close socket used by dovecot authenticator. + +TF/03 Bugzilla 615: When checking the local_parts router precondition + after a local_part_suffix or local_part_prefix option, Exim now + does not use the address's named list lookup cache, since this + contains cached lookups for the whole local part. + +NM/05 Bugzilla 521: Integrated SPF Best Guess support contributed by + Robert Millan. Documentation is in experimental-spec.txt. + +TF/04 Bugzilla 668: Fix parallel build (make -j). + +NM/05.2 Bugzilla 437: Prevent Maildir aux files being created with mode 000. + +NM/05.3 Bugzilla 598: Improvement to Dovecot authenticator handling. + Patch provided by Jan Srzednicki. + +TF/05 Leading white space used to be stripped from $spam_report which + wrecked the formatting. Now it is preserved. + +TF/06 Save $spam_score, $spam_bar, and $spam_report in spool files, so + that they are available at delivery time. + +TF/07 Fix the way ${extract is skipped in the untaken branch of a conditional. + +TF/08 TLS error reporting now respects the incoming_interface and + incoming_port log selectors. + +TF/09 Produce a more useful error message if an SMTP transport's hosts + setting expands to an empty string. + +NM/06 Bugzilla 744: EXPN did not work under TLS. + Patch provided by Phil Pennock. + +NM/07 Bugzilla 769: Extraneous comma in usage fprintf + Patch provided by Richard Godbee. + +NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be + acl_smtp_notquit, added index entry. + +NM/09 Bugzilla 787: Potential buffer overflow in string_format. + Patch provided by Eugene Bujak. + +NM/10 Bugzilla 770: Problem on some platforms modifying the len parameter to + accept(). Patch provided by Maxim Dounin. + +NM/11 Bugzilla 749: Preserve old behaviour of blanks comparing equal to zero. + Patch provided by Phil Pennock. + +NM/12 Bugzilla 497: Correct behaviour of exiwhat when no config exists. + +NM/13 Bugzilla 590: Correct handling of Resent-Date headers. + Patch provided by Brad "anomie" Jorsch. + +NM/14 Bugzilla 622: Added timeout setting to transport filter. + Patch provided by Dean Brooks. + +TK/05 Add native DKIM support (does not depend on external libraries). + +NM/15 Bugzilla 854: Removed code that symlinks to pcre as its no longer useful. + Patch provided by Graeme Fowler. + +NM/16 Bugzilla 851: Documentation example syntax fix. + +NM/17 Changed NOTICE file to remove references to embedded PCRE. + +NM/18 Bugzilla 894: Fix issue with very long lines including comments in + lsearch. + +NM/19 Bugzilla 745: TLS version reporting. + Patch provided by Phil Pennock. + +NM/20 Bugzilla 167: bool: condition support. + Patch provided by Phil Pennock. + +NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken + clients. Patch provided by Phil Pennock. + +NM/22 Bugzilla 607: prepend (not append) Resent-Message-ID and Resent-Date. + Patch provided by Brad "anomie" Jorsch. + +NM/23 Bugzilla 687: Fix misparses in eximstats. + Patch provided by Heiko Schlittermann. + +NM/24 Bugzilla 688: Fix exiwhat to handle log_selector = +pid. + Patch provided by Heiko Schlittermann. + +NM/25 Bugzilla 727: Use transport mode as default mode for maildirsize file. + plus update to original patch. + +NM/26 Bugzilla 799: Documentation correction for ratelimit. + +NM/27 Bugzilla 802: Improvements to local interface IP addr detection. + Patch provided by David Brownlee. + +NM/28 Bugzilla 807: Improvements to LMTP delivery logging. + +NM/29 Bugzilla 862, 866, 875: Documentation bugfixes. + +NM/30 Bugzilla 888: TLS documentation bugfixes. + +NM/31 Bugzilla 896: Dovecot buffer overrun fix. + +NM/32 Bugzilla 889: Change all instances of "expr" in shell scripts to "expr --" + Unlike the original bugzilla I have changed all shell scripts in src tree. + +NM/33 Bugzilla 898: Transport filter timeout fix. + Patch by Todd Rinaldo. + +NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches. + Patch by Serge Demonchaux. + +NM/35 Bugzilla 39: Base64 decode bug fixes. + Patch by Jakob Hirsch. + +NM/36 Bugzilla 909: Correct connect() call in dcc code. + +NM/37 Bugzilla 910: Correct issue with relaxed/simple handling. + +NM/38 Bugzilla 908: Removed NetBSD3 support as no longer needed. + +NM/39 Bugzilla 911: Fixed MakeLinks build script. + + +Exim version 4.69 +----------------- + +TK/01 Add preliminary DKIM support. Currently requires a forked version of + ALT-N's libdkim that I have put here: + http://duncanthrax.net/exim-experimental/ + + Note to Michael Haardt: I had to rename some vars in sieve.c. They + were called 'true' and it seems that C99 defines that as a reserved + keyword to be used with 'bool' variable types. That means you could + not include C99-style headers which use bools without triggering + build errors in sieve.c. + +NM/01 Bugzilla 592: --help option is handled incorrectly if exim is invoked + as mailq or other aliases. Changed the --help handling significantly + to do whats expected. exim_usage() emits usage/help information. + +SC/01 Added the -bylocaldomain option to eximstats. + +NM/02 Bugzilla 619: Defended against bad data coming back from gethostbyaddr. + +NM/03 Bugzilla 613: Documentation fix for acl_not_smtp. + +NM/04 Bugzilla 628: PCRE update to 7.4 (work done by John Hall). + + +Exim version 4.68 +----------------- + +PH/01 Another patch from the Sieve maintainer. + +PH/02 When an IPv6 address is converted to a string for single-key lookup + in an address list (e.g. for an item such as "net24-dbm;/net/works"), + dots are used instead of colons so that keys in lsearch files need not + contain colons. This was done some time before quoting was made available + in lsearch files. However, iplsearch files do require colons in IPv6 keys + (notated using the quote facility) so as to distinguish them from IPv4 + keys. This meant that lookups for IP addresses in host lists did not work + for iplsearch lookups. + + This has been fixed by arranging for IPv6 addresses to be expressed with + colons if the lookup type is iplsearch. This is not incompatible, because + previously such lookups could never work. + + The situation is now rather anomolous, since one *can* have colons in + ordinary lsearch keys. However, making the change in all cases is + incompatible and would probably break a number of configurations. + +TK/01 Change PRVS address formatting scheme to reflect latests BATV draft + version. + +MH/01 The "spam" ACL condition code contained a sscanf() call with a %s + conversion specification without a maximum field width, thereby enabling + a rogue spamd server to cause a buffer overflow. While nobody in their + right mind would setup Exim to query an untrusted spamd server, an + attacker that gains access to a server running spamd could potentially + exploit this vulnerability to run arbitrary code as the Exim user. + +TK/02 Bugzilla 502: Apply patch to make the SPF-Received: header use + $primary_hostname instead of what libspf2 thinks the hosts name is. + +MH/02 The dsearch lookup now uses lstat(2) instead of stat(2) to look for + a directory entry by the name of the lookup key. Previously, if a + symlink pointed to a non-existing file or a file in a directory that + Exim lacked permissions to read, a lookup for a key matching that + symlink would fail. Now it is enough that a matching directory entry + exists, symlink or not. (Bugzilla 503.) + +PH/03 The body_linecount and body_zerocount variables are now exported in the + local_scan API. + +PH/04 Added the $dnslist_matched variable. + +PH/05 Unset $tls_cipher and $tls_peerdn before making a connection as a client. + This means they are set thereafter only if the connection becomes + encrypted. + +PH/06 Added the client_condition to authenticators so that some can be skipped + by clients under certain conditions. + +PH/07 The error message for a badly-placed control=no_multiline_responses left + "_responses" off the end of the name. + +PH/08 Added -Mvc to output a copy of a message in RFC 2822 format. + +PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly + (without spaces) instead of just copying the configuration text. + +PH/10 Added the /noupdate option to the ratelimit ACL condition. + +PH/11 Added $max_received_linelength. + +PH/12 Added +ignore_defer and +include_defer to host lists. + +PH/13 Installed PCRE version 7.2. This needed some changes because of the new + way in which PCRE > 7.0 is built. + +PH/14 Implemented queue_only_load_latch. + +PH/15 Removed an incorrect (int) cast when reading the value of SIZE in a + MAIL command. The effect was to mangle the value on 64-bit systems. + +PH/16 Another patch from the Sieve maintainer. + +PH/17 Added the NOTQUIT ACL, based on a patch from Ted Cooper. + +PH/18 If a system quota error occurred while trying to create the file for + a maildir delivery, the message "Mailbox is full" was not appended to the + bounce if the delivery eventually timed out. Change 4.67/27 below applied + only to a quota excession during the actual writing of the file. + +PH/19 It seems that peer DN values may contain newlines (and other non-printing + characters?) which causes problems in log lines. The DN values are now + passed through string_printing() before being added to log lines. + +PH/20 Added the "servers=" facility to MySQL and PostgreSQL lookups. (Oracle + and InterBase are left for another time.) + +PH/21 Added message_body_newlines option. + +PH/22 Guard against possible overflow in moan_check_errorcopy(). + +PH/23 POSIX allows open() to be a macro; guard against that. + +PH/24 If the recipient of an error message contained an @ in the local part + (suitably quoted, of course), incorrect values were put in $domain and + $local_part during the evaluation of errors_copy. + + +Exim version 4.67 +----------------- + +MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address + is unset (happens when testing with -bh and -oMi isn't used). Thanks to + Jan Srzednicki. + +PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not + issue a MAIL command. + +PH/02 In an ACL statement such as + + deny dnslists = X!=127.0.0.2 : X=127.0.0.2 + + if a client was not listed at all, or was listed with a value other than + 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list, + the condition was not true (as it should be), so access was not denied. + The bug was that the ! inversion was incorrectly passed on to the second + item. This has been fixed. + +PH/03 Added additional dnslists conditions == and =& which are different from + = and & when the dns lookup returns more than one IP address. + +PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the + cipher suites used by GnuTLS. These options are ignored by OpenSSL. + +PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_ + FSYNC, which compiles an option called disable_fsync that allows for + bypassing fsync(). The documentation is heavily laced with warnings. + +SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket. + +PH/06 Some tidies to the infrastructure of the Test Suite that is concerned + with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT + to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile, + including adding "make clean"; (3) Added -fPIC when compiling the test + dynamically loaded module, to get rid of a warning. + +MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce + message fails, move_frozen_messages = true and ignore_bounce_errors_after + = 0s. The bug is otherwise harmless. + +PH/07 There was a bug in the dovecot authenticator such that the value of + $auth1 could be overwritten, and so not correctly preserved, after a + successful authentication. This usually meant that the value preserved by + the server_setid option was incorrect. + +PH/08 Added $smtp_count_at_connection_start, deliberately with a long name. + +PH/09 Installed PCRE release 7.0. + +PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being + run for batched SMTP input. It is now run at the start of every message + in the batch. While fixing this I discovered that the process information + (output by running exiwhat) was not always getting set for -bs and -bS + input. This is fixed, and it now also says "batched" for BSMTP. + +PH/11 Added control=no_pipelining. + +PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's + patch, slightly modified), and move the expansion of helo_data till after + the connection is made in the smtp transport (so it can use these + values). + +PH/13 Added ${rfc2047d: to decoded RFC 2047 strings. + +PH/14 Added log_selector = +pid. + +PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set. + +PH/16 Add ${if forany and ${if forall. + +PH/17 Added dsn_from option to vary the From: line in DSNs. + +PH/18 Flush SMTP output before performing a callout, unless control = + no_callout_flush is set. + +PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender + was true (the default) a successful delivery failed to delete the retry + item, thus causing premature timeout of the address. The bug is now + fixed. + +PH/20 Added hosts_avoid_pipelining to the smtp transport. + +PH/21 Long custom messages for fakedefer and fakereject are now split up + into multiline reponses in the same way that messages for "deny" and + other ACL rejections are. + +PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep, + with slight modification. + +PH/23 Applied sieve patches from the maintainer "tracking the latest notify + draft, changing the syntax and factoring some duplicate code". + +PH/24 When the log selector "outgoing_port" was set, the port was shown as -1 + for deliveries of the second and subsequent messages over the same SMTP + connection. + +PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and + ${reduce, with only minor "tidies". + +SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match. + +PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its + expansion side effects. + +PH/27 When a message times out after an over-quota error from an Exim-imposed + quota, the bounce message says "mailbox is full". This message was not + being given when it was a system quota that was exceeded. It now should + be the same. + +MH/03 Made $recipients available in local_scan(). local_scan() already has + better access to the recipient list through recipients_list[], but + $recipients can be useful in postmaster-provided expansion strings. + +PH/28 The $smtp_command and $smtp_command_argument variables were not correct + in the case of a MAIL command with additional options following the + address, for example: MAIL FROM: SIZE=1234. The option settings + were accidentally chopped off. + +PH/29 SMTP synchronization checks are implemented when a command is read - + there is a check that no more input is waiting when there shouldn't be + any. However, for some commands, a delay in an ACL can mean that it is + some time before the response is written. In this time, more input might + arrive, invalidly. So now there are extra checks after an ACL has run for + HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when + pipelining has not been advertised. + +PH/30 MH's patch to allow iscntrl() characters to be list separators. + +PH/31 Unlike :fail:, a custom message specified with :defer: was not being + returned in the SMTP response when smtp_return_error_details was false. + This has been fixed. + +PH/32 Change the Dovecot authenticator to use read() and write() on the socket + instead of the C I/O that was originally supplied, because problems were + reported on Solaris. + +PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in + Exim which did not show up earlier: it was assuming that a call to + SSL_CTX_set_info_callback() might give an error value. In fact, there is + no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback() + was a macro that became an assignment, so it seemed to work. This has + changed to a proper function call with a void return, hence the compile + error. Exim's code has been fixed. + +PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit + cpus. + +PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify". + +PH/36 Applied John Jetmore's patch to add -v functionality to exigrep. + +PH/37 If a message is not accepted after it has had an id assigned (e.g. + because it turns out to be too big or there is a timeout) there is no + "Completed" line in the log. When some messages of this type were + selected by exigrep, they were listed as "not completed". Others were + picked up by some special patterns. I have improved the selection + criteria to be more general. + +PH/38 The host_find_failed option in the manualroute router can now be set + to "ignore", to completely ignore a host whose IP address cannot be + found. If all hosts are ignored, the behaviour is controlled by the new + host_all_ignored option. + +PH/39 In a list of hosts for manualroute, if one item (either because of multi- + homing or because of multiple MX records with /mx) generated more than + one IP address, and the following item turned out to be the local host, + all the secondary addresses of the first item were incorrectly removed + from the list, along with the local host and any following hosts (which + is what is supposed to happen). + +PH/40 When Exim receives a message, it writes the login name, uid, and gid of + whoever called Exim into the -H file. In the case of the daemon it was + behaving confusingly. When first started, it used values for whoever + started the daemon, but after a SIGHUP it used the Exim user (because it + calls itself on a restart). I have changed the code so that it now always + uses the Exim user. + +PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a + message are rejected with the same error (e.g. no authentication or bad + sender address), and a DATA command is nevertheless sent (as can happen + with PIPELINING or a stupid MUA), the error message that was given to the + RCPT commands is included in the rejection of the DATA command. This is + intended to be helpful for MUAs that show only the final error to their + users. + +PH/42 Another patch from the Sieve maintainer. + +SC/02 Eximstats - Differentiate between permanent and temporary rejects. + Eximstats - Fixed some broken HTML links and added missing column headers + (Jez Hancock). + Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email + columns for Rejects, Temp Rejects, Ham, and Spam rows. + +SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables. + +PH/43 Yet another patch from the Sieve maintainer. + +PH/44 I found a way to check for a TCP/IP connection going away before sending + the response to the final '.' that terminates a message, but only in the + case where the client has not sent further data following the '.' + (unfortunately, this is allowed). However, in many cases there won't be + any further data because there won't be any more messages to send. A call + to select() can be used: if it shows that the input is "ready", there is + either input waiting, or the socket has been closed. An attempt to read + the next input character can distinguish the two cases. Previously, Exim + would have sent an OK response which the client would never have see. + This could lead to message repetition. This fix should cure that, at + least in a lot of common cases. + +PH/45 Do not advertise STARTTLS in response to HELP unless it would be + advertised in response to EHLO. + + +Exim version 4.66 +----------------- + +PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one + fixed by 4.65/MH/01 (is this a record?) are fixed: + + (i) An empty string was always treated as zero by the numeric comparison + operators. This behaviour has been restored. + + (ii) It is documented that the numeric comparison operators always treat + their arguments as decimal numbers. This was broken in that numbers + starting with 0 were being interpreted as octal. + + While fixing these problems I realized that there was another issue that + hadn't been noticed. Values of message_size_limit (both the global option + and the transport option) were treated as octal if they started with 0. + The documentation was vague. These values are now always treated as + decimal, and I will make that clear in the documentation. + + +Exim version 4.65 +----------------- + +TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with + Linux large file support (_FILE_OFFSET_BITS=64) on older glibc + versions. (#438) + +MH/01 Don't check that the operands of numeric comparison operators are + integers when their expansion is in "skipping" mode (fixes bug + introduced by 4.64-PH/07). + +PH/01 If a system filter or a router generates more than SHRT_MAX (32767) + child addresses, Exim now panics and dies. Previously, because the count + is held in a short int, deliveries were likely to be lost. As such a + large number of recipients for a single message is ridiculous + (performance will be very, very poor), I have chosen to impose a limit + rather than extend the field. + + +Exim version 4.64 +----------------- + +TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a + leftover -K file (the existence of which was triggered by #402). + While we were at it, introduced process PID as part of the -K + filename. This should rule out race conditions when creating + these files. + +TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing + processing considerably. Previous code took too long for large mails, + triggering a timeout which in turn triggers #401. + +TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used + in the DK code in transports.c. sendfile() is not really portable, + hence the _LINUX specificness. + +TF/01 In the add_headers option to the mail command in an Exim filter, + there was a bug that Exim would claim a syntax error in any + header after the first one which had an odd number of characters + in the field name. + +PH/01 If a server that rejects MAIL FROM:<> was the target of a sender + callout verification, Exim cached a "reject" for the entire domain. This + is correct for most verifications, but it is not correct for a recipient + verification with use_sender or use_postmaster set, because in that case + the callout does not use MAIL FROM:<>. Exim now distinguishes the special + case of MAIL FROM:<> rejection from other early rejections (e.g. + rejection of HELO). When verifying a recipient using a non-null MAIL + address, the cache is ignored if it shows MAIL FROM:<> rejection. + Whatever the result of the callout, the value of the domain cache is + left unchanged (for any other kind of callout, getting as far as trying + RCPT means that the domain itself is ok). + +PH/02 Tidied a number of unused variable and signed/unsigned warnings that + gcc 4.1.1 threw up. + +PH/03 On Solaris, an unexpectedly close socket (dropped connection) can + manifest itself as EPIPE rather than ECONNECT. When tidying away a + session, the daemon ignores ECONNECT errors and logs others; it now + ignores EPIPE as well. + +PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c + (quoted-printable decoding). + +PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and + later the small subsequent patch to fix an introduced bug. + +PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer. + +PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}. + +PH/08 An error is now given if message_size_limit is specified negative. + +PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables + to be given (somewhat) arbitrary names. + +JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced + in 4.64-PH/09. + +JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions, + miscellaneous code fixes + +PH/10 Added the log_reject_target ACL modifier to specify where to log + rejections. + +PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ + hostname. This is wrong, because it relates to the incoming message (and + probably the interface on which it is arriving) and not to the outgoing + callout (which could be using a different interface). This has been + changed to use the value of the helo_data option from the smtp transport + instead - this is what is used when a message is actually being sent. If + there is no remote transport (possible with a router that sets up host + addresses), $smtp_active_hostname is used. + +PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various + tweaks were necessary in order to get it to work (see also 21 below): + (a) The code assumed that strncpy() returns a negative number on buffer + overflow, which isn't the case. Replaced with Exim's string_format() + function. + (b) There were several signed/unsigned issues. I just did the minimum + hacking in of casts. There is scope for a larger refactoring. + (c) The code used strcasecmp() which is not a standard C function. + Replaced with Exim's strcmpic() function. + (d) The code set only $1; it now sets $auth1 as well. + (e) A simple test gave the error "authentication client didn't specify + service in request". It would seem that Dovecot has changed its + interface. Fortunately there's a specification; I followed it and + changed what the client sends and it appears to be working now. + +PH/13 Added $message_headers_raw to provide the headers without RFC 2047 + decoding. + +PH/14 Corrected misleading output from -bv when -v was also used. Suppose the + address A is aliased to B and C, where B exists and C does not. Without + -v the output is "A verified" because verification stops after a + successful redirection if more than one address is generated. However, + with -v the child addresses are also verified. Exim was outputting "A + failed to verify" and then showing the successful verification for C, + with its parentage. It now outputs "B failed to verify", showing B's + parentage before showing the successful verification of C. + +PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to + look up a TXT record in a specific list after matching in a combined + list. + +PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and + RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when + they consult the DNS. I had assumed they would set it the way they + wanted; and indeed my experiments on Linux seem to show that in some + cases they do (I could influence IPv6 lookups but not IPv4 lookups). + To be on the safe side, however, I have now made the interface to + host_find_byname() similar to host_find_bydns(), with an argument + containing the DNS resolver options. The host_find_byname() function now + sets these options at its start, just as host_find_bydns() does. The smtp + transport options dns_qualify_single and dns_search_parents are passed to + host_find_byname() when gethostbyname=TRUE in this transport. Other uses + of host_find_byname() use the default settings of RES_DEFNAMES + (qualify_single) but not RES_DNSRCH (search_parents). + +PH/17 Applied (a modified version of) Nico Erfurth's patch to make + spool_read_header() do less string testing, by means of a preliminary + switch on the second character of optional "-foo" lines. (This is + overdue, caused by the large number of possibilities that now exist. + Originally there were few.) While I was there, I also converted the + str(n)cmp tests so they don't re-test the leading "-" and the first + character, in the hope this might squeeze out yet more improvement. + +PH/18 Two problems with "group" syntax in header lines when verifying: (1) The + flag allowing group syntax was set by the header_syntax check but not + turned off, possible causing trouble later; (2) The flag was not being + set at all for the header_verify test, causing "group"-style headers to + be rejected. I have now set it in this case, and also caused header_ + verify to ignore an empty address taken from a group. While doing this, I + came across some other cases where the code for allowing group syntax + while scanning a header line wasn't quite right (mostly, not resetting + the flag correctly in the right place). These bugs could have caused + trouble for malformed header lines. I hope it is now all correct. + +PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called + with the "reply" argument non-NULL. The code, however (which originally + came from elsewhere) had *some* tests for NULL when it wrote to *reply, + but it didn't always do it. This confused somebody who was copying the + code for some other use. I have removed all the tests. + +PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a + feature that was used to support insecure browsers during the U.S. crypto + embargo. It requires special client support, and Exim is probably the + only MTA that supported it -- and would never use it because real RSA is + always available. This code has been removed, because it had the bad + effect of slowing Exim down by computing (never used) parameters for the + RSA_EXPORT functionality. + +PH/21 On the advice of Timo Sirainen, added a check to the dovecot + authenticator to fail if there's a tab character in the incoming data + (there should never be unless someone is messing about, as it's supposed + to be base64-encoded). Also added, on Timo's advice, the "secured" option + if the connection is using TLS or if the remote IP is the same as the + local IP, and the "valid-client-cert option" if a client certificate has + been verified. + +PH/22 As suggested by Dennis Davis, added a server_condition option to *all* + authenticators. This can be used for authorization after authentication + succeeds. (In the case of plaintext, it servers for both authentication + and authorization.) + +PH/23 Testing for tls_required and lost_connection in a retry rule didn't work + if any retry times were supplied. + +PH/24 Exim crashed if verify=helo was activated during an incoming -bs + connection, where there is no client IP address to check. In this + situation, the verify now always succeeds. + +PH/25 Applied John Jetmore's -Mset patch. + +PH/26 Added -bem to be like -Mset, but loading a message from a file. + +PH/27 In a string expansion for a processed (not raw) header when multiple + headers of the same name were present, leading whitespace was being + removed from all of them, but trailing whitespace was being removed only + from the last one. Now trailing whitespace is removed from each header + before concatenation. Completely empty headers in a concatenation (as + before) are ignored. + +PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John + Jetmore). It would have mis-read ACL variables from pre-4.61 spool files. + +PH/29 [Removed. This was a change that I later backed out, and forgot to + correct the ChangeLog entry (that I had efficiently created) before + committing the later change.] + +PH/30 Exim was sometimes attempting to deliver messages that had suffered + address errors (4xx response to RCPT) over the same connection as other + messages routed to the same hosts. Such deliveries are always "forced", + so retry times are not inspected. This resulted in far too many retries + for the affected addresses. The effect occurred only when there were more + hosts than the hosts_max_try setting in the smtp transport when it had + the 4xx errors. Those hosts that it had tried were not added to the list + of hosts for which the message was waiting, so if all were tried, there + was no problem. Two fixes have been applied: + + (i) If there are any address or message errors in an SMTP delivery, none + of the hosts (tried or untried) are now added to the list of hosts + for which the message is waiting, so the message should not be a + candidate for sending over the same connection that was used for a + successful delivery of some other message. This seems entirely + reasonable: after all the message is NOT "waiting for some host". + This is so "obvious" that I'm not sure why it wasn't done + previously. Hope I haven't missed anything, but it can't do any + harm, as the worst effect is to miss an optimization. + + (ii) If, despite (i), such a delivery is accidentally attempted, the + routing retry time is respected, so at least it doesn't keep + hammering the server. + +PH/31 Installed Andrew Findlay's patch to close the writing end of the socket + in ${readsocket because some servers need this prod. + +PH/32 Added some extra debug output when updating a wait-xxx database. + +PH/33 The hint "could be header name not terminated by colon", which has been + given for certain expansion errors for a long time, was not being given + for the ${if def:h_colon_omitted{... case. + +PH/34 The spec says: "With one important exception, whenever a domain list is + being scanned, $domain contains the subject domain." There was at least + one case where this was not true. + +PH/35 The error "getsockname() failed: connection reset by peer" was being + written to the panic log as well as the main log, but it isn't really + panic-worthy as it just means the connection died rather early on. I have + removed the panic log writing for the ECONNRESET error when getsockname() + fails. + +PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue + runs only) independently of the message's sender address. This meant + that, if the 4xx error was in fact related to the sender, a different + message to the same recipient with a different sender could confuse + things. In particualar, this can happen when sending to a greylisting + server, but other circumstances could also provoke similar problems. + I have changed the default so that the retry time for these errors is now + based a combination of the sender and recipient addresses. This change + can be overridden by setting address_retry_include_sender=false in the + smtp transport. + +PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the + remote server are returned as part of bounce messages. This was not + happening for LMTP over a pipe (the lmtp transport), but now it is the + same for both kinds of LMTP. + +PH/38 Despite being documented as not happening, Exim was rewriting addresses + in header lines that were in fact CNAMEs. This is no longer the case. + +PH/39 If -R or -S was given with -q