X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/f33253cce3438c5b28a3b1fa7de162d16aa3e9f5..ad4c5ff9c1656eb9691fb1687ce7e0c59291ebda:/doc/doc-txt/NewStuff diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 9d7ac9d13..76947300e 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,5 +1,3 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.161 2009/11/16 19:06:35 nm4 Exp $ - New Features in Exim -------------------- @@ -8,16 +6,566 @@ Before a formal release, there may be quite a lot of detail so that people can test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.85 +------------ + + 1. If built with EXPERIMENTAL_DANE feature enabled, Exim will follow the + DANE smtp draft to assess a secure chain of trust of the certificate + used to establish the TLS connection based on a TLSA record in the + domain of the sender. + + 2. The EXPERIMENTAL_TPDA feature has been renamed to EXPERIMENTAL_EVENT + and several new events have been created. The reason is because it has + been expanded beyond just firing events during the transport phase. Any + existing TPDA transport options will have to be rewritten to use a new + $event_name expansion variable in a condition. Refer to the + experimental-spec.txt for details and examples. + + 3. The EXPERIMENTAL_CERTNAMES features is an enhancement to verify that + server certs used for TLS match the result of the MX lookup. It does + not use the same mechanism as DANE. + + +Version 4.84 +------------ + + +Version 4.83 +------------ + + 1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be + configured to expect an initial header from a proxy that will make the + actual external source IP:host be used in exim instead of the IP of the + proxy that is connecting to it. + + 2. New verify option header_names_ascii, which will check to make sure + there are no non-ASCII characters in header names. Exim itself handles + those non-ASCII characters, but downstream apps may not, so Exim can + detect and reject if those characters are present. + + 3. New expansion operator ${utf8clean:string} to replace malformed UTF8 + codepoints with valid ones. + + 4. New malware type "sock". Talks over a Unix or TCP socket, sending one + command line and matching a regex against the return data for trigger + and a second regex to extract malware_name. The mail spoolfile name can + be included in the command line. + + 5. The smtp transport now supports options "tls_verify_hosts" and + "tls_try_verify_hosts". If either is set the certificate verification + is split from the encryption operation. The default remains that a failed + verification cancels the encryption. + + 6. New SERVERS override of default ldap server list. In the ACLs, an ldap + lookup can now set a list of servers to use that is different from the + default list. + + 7. New command-line option -C for exiqgrep to specify alternate exim.conf + file when searching the queue. + + 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. + + 9. Support for DNSSEC on outbound connections. + +10. New variables "tls_(in,out)_(our,peer)cert" and expansion item + "certextract" to extract fields from them. Hash operators md5 and sha1 + work over them for generating fingerprints, and a new sha256 operator + for them added. + +11. PRDR is now supported dy default. + +12. OCSP stapling is now supported by default. + +13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output + Delivery Status Notification messages in MIME format, and negociate + DSN features per RFC 3461. + + +Version 4.82 +------------ + + 1. New command-line option -bI:sieve will list all supported sieve extensions + of this Exim build on standard output, one per line. + ManageSieve (RFC 5804) providers managing scripts for use by Exim should + query this to establish the correct list to include in the protocol's + SIEVE capability line. + + 2. If the -n option is combined with the -bP option, then the name of an + emitted option is not output, only the value (if visible to you). + For instance, "exim -n -bP pid_file_path" should just emit a pathname + followed by a newline, and no other text. + + 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now + has a "tls_dh_min_bits" option, to set the minimum acceptable number of + bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites) + acceptable for security. (Option accepted but ignored if using OpenSSL). + Defaults to 1024, the old value. May be lowered only to 512, or raised as + far as you like. Raising this may hinder TLS interoperability with other + sites and is not currently recommended. Lowering this will permit you to + establish a TLS session which is not as secure as you might like. + + Unless you really know what you are doing, leave it alone. + + 4. If not built with DISABLE_DNSSEC, Exim now has the main option + dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library + to send the DO flag to your recursive resolver. If you have a recursive + resolver, which can set the Authenticated Data (AD) flag in results, Exim + can now detect this. Exim does not perform validation itself, instead + relying upon a trusted path to the resolver. + + Current status: work-in-progress; $sender_host_dnssec variable added. + + 5. DSCP support for outbound connections: on a transport using the smtp driver, + set "dscp = ef", for instance, to cause the connections to have the relevant + DSCP (IPv4 TOS or IPv6 TCLASS) value in the header. + + Similarly for inbound connections, there is a new control modifier, dscp, + so "warn control = dscp/ef" in the connect ACL, or after authentication. + + Supported values depend upon system libraries. "exim -bI:dscp" to list the + ones Exim knows of. You can also set a raw number 0..0x3F. + + 6. The -G command-line flag is no longer ignored; it is now equivalent to an + ACL setting "control = suppress_local_fixups". The -L command-line flag + is now accepted and forces use of syslog, with the provided tag as the + process name. A few other flags used by Sendmail are now accepted and + ignored. + + 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" + ACL modifier; works for single-recipient mails which are recieved on and + deliverable via SMTP. Using the connection made for a recipient verify, + if requested before the verify, or a new one made for the purpose while + the inbound connection is still active. The bulk of the mail item is copied + direct from the inbound socket to the outbound (as well as the spool file). + When the source notifies the end of data, the data acceptance by the destination + is negociated before the acceptance is sent to the source. If the destination + does not accept the mail item, for example due to content-scanning, the item + is not accepted from the source and therefore there is no need to generate + a bounce mail. This is of benefit when providing a secondary-MX service. + The downside is that delays are under the control of the ultimate destination + system not your own. + + The Recieved-by: header on items delivered by cutthrough is generated + early in reception rather than at the end; this will affect any timestamp + included. The log line showing delivery is recorded before that showing + reception; it uses a new ">>" tag instead of "=>". + + To support the feature, verify-callout connections can now use ESMTP and TLS. + The usual smtp transport options are honoured, plus a (new, default everything) + hosts_verify_avoid_tls. + + New variable families named tls_in_cipher, tls_out_cipher etc. are introduced + for specific access to the information for each connection. The old names + are present for now but deprecated. + + Not yet supported: IGNOREQUOTA, SIZE, PIPELINING. + + 8. New expansion operators ${listnamed:name} to get the content of a named list + and ${listcount:string} to count the items in a list. + + 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + + Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability, + so have also added a build option which can be used to build Exim with GnuTLS + but without trying to use any kind of PKCS11 support. Uncomment this in the + Local/Makefile: + + AVOID_GNUTLS_PKCS11=yes + +10. The "acl = name" condition on an ACL now supports optional arguments. + New expansion item "${acl {name}{arg}...}" and expansion condition + "acl {{name}{arg}...}" are added. In all cases up to nine arguments + can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL. + Variable $acl_narg contains the number of arguments. If the ACL sets + a "message =" value this becomes the result of the expansion item, + or the value of $value for the expansion condition. If the ACL returns + accept the expansion condition is true; if reject, false. A defer + return results in a forced fail. + +11. Routers and transports can now have multiple headers_add and headers_remove + option lines. The concatenated list is used. + +12. New ACL modifier "remove_header" can remove headers before message gets + handled by routers/transports. + +13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured), + "aaaa" and "a" lookups is done and the full set of results returned. + +14. New expansion variable $headers_added with content from ACL add_header + modifier (but not yet added to messsage). + +15. New 8bitmime status logging option for received messages. Log field "M8S". + +16. New authenticated_sender logging option, adding to log field "A". + +17. New expansion variables $router_name and $transport_name. Useful + particularly for debug_print as -bt commandline option does not + require privilege whereas -d does. + +18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a + proposed extension to SMTP from Eric Hall. + +19. The pipe transport has gained the force_command option, to allow + decorating commands from user .forward pipe aliases with prefix + wrappers, for instance. + +20. Callout connections can now AUTH; the same controls as normal delivery + connections apply. + +21. Support for DMARC, using opendmarc libs, can be enabled. It adds new + options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file. + It adds new expansion variables $dmarc_ar_header, $dmarc_status, + $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier + dmarc_status. It adds new control flags dmarc_disable_verify and + dmarc_enable_forensic. + +22. Add expansion variable $authenticated_fail_id, which is the username + provided to the authentication method which failed. It is available + for use in subsequent ACL processing (typically quit or notquit ACLs). + +23. New ACL modifer "udpsend" can construct a UDP packet to send to a given + UDP host and port. + +24. New ${hexquote:..string..} expansion operator converts non-printable + characters in the string to \xNN form. + +25. Experimental TPDA (Transport Post Delivery Action) function added. + Patch provided by Axel Rau. + +26. Experimental Redis lookup added. Patch provided by Warren Baker. + + +Version 4.80 +------------ + + 1. New authenticator driver, "gsasl". Server-only (at present). + This is a SASL interface, licensed under GPL, which can be found at + http://www.gnu.org/software/gsasl/. + This system does not provide sources of data for authentication, so + careful use needs to be made of the conditions in Exim. + + 2. New authenticator driver, "heimdal_gssapi". Server-only. + A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME + is no longer honoured for setuid programs by Heimdal. Use the + "server_keytab" option to point to the keytab. + + 3. The "pkg-config" system can now be used when building Exim to reference + cflags and library information for lookups and authenticators, rather + than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and + "LOOKUP_LIBS" directly. Similarly for handling the TLS library support + without adjusting "TLS_INCLUDE" and "TLS_LIBS". + + In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to + find the headers and libraries for PCRE. + + 4. New expansion variable $tls_bits. + + 5. New lookup type, "dbmjz". Key is an Exim list, the elements of which will + be joined together with ASCII NUL characters to construct the key to pass + into the DBM library. Can be used with gsasl to access sasldb2 files as + used by Cyrus SASL. + + 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1. + + Avoid release 1.0.1a if you can. Note that the default value of + "openssl_options" is no longer "+dont_insert_empty_fragments", as that + increased susceptibility to attack. This may still have interoperability + implications for very old clients (see version 4.31 change 37) but + administrators can choose to make the trade-off themselves and restore + compatibility at the cost of session security. + + 7. Use of the new expansion variable $tls_sni in the main configuration option + tls_certificate will cause Exim to re-expand the option, if the client + sends the TLS Server Name Indication extension, to permit choosing a + different certificate; tls_privatekey will also be re-expanded. You must + still set these options to expand to valid files when $tls_sni is not set. + + The SMTP Transport has gained the option tls_sni, which will set a hostname + for outbound TLS sessions, and set $tls_sni too. + + A new log_selector, +tls_sni, has been added, to log received SNI values + for Exim as a server. + + 8. The existing "accept_8bitmime" option now defaults to true. This means + that Exim is deliberately not strictly RFC compliant. We're following + Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default. + Those who disagree, or know that they are talking to mail servers that, + even today, are not 8-bit clean, need to turn off this option. + + 9. Exim can now be started with -bw (with an optional timeout, given as + -bw). With this, stdin at startup is a socket that is + already listening for connections. This has a more modern name of + "socket activation", but forcing the activated socket to fd 0. We're + interested in adding more support for modern variants. + +10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix + for numbers indicates multiplication by 1024^3. + +11. The GnuTLS support has been revamped; the three options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols are no longer supported. + tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority + string, documentation for which is at: + http://www.gnutls.org/manual/html_node/Priority-Strings.html + + SNI support has been added to Exim's GnuTLS integration too. + + For sufficiently recent GnuTLS libraries, ${randint:..} will now use + gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness. + +12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file + is now available. If the contents of the file are valid, then Exim will + send that back in response to a TLS status request; this is OCSP Stapling. + Exim will not maintain the contents of the file in any way: administrators + are responsible for ensuring that it is up-to-date. + + See "experimental-spec.txt" for more details. + +13. ${lookup dnsdb{ }} supports now SPF record types. They are handled + identically to TXT record lookups. + +14. New expansion variable $tod_epoch_l for higher-precision time. + +15. New global option tls_dh_max_bits, defaulting to current value of NSS + hard-coded limit of DH ephemeral bits, to fix interop problems caused by + GnuTLS 2.12 library recommending a bit count higher than NSS supports. + +16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier. + Option can now be a path or an identifier for a standard prime. + If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23". + Set to "historic" to get the old GnuTLS behaviour of auto-generated DH + primes. + +17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS). + Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL + install was not built with OPENSSL_NO_SSL2 ("no-ssl2"). + + +Version 4.77 +------------ + + 1. New options for the ratelimit ACL condition: /count= and /unique=. + The /noupdate option has been replaced by a /readonly option. + + 2. The SMTP transport's protocol option may now be set to "smtps", to + use SSL-on-connect outbound. + + 3. New variable $av_failed, set true if the AV scanner deferred; ie, when + there is a problem talking to the AV scanner, or the AV scanner running. + + 4. New expansion conditions, "inlist" and "inlisti", which take simple lists + and check if the search item is a member of the list. This does not + support named lists, but does subject the list part to string expansion. + + 5. Unless the new EXPAND_LISTMATCH_RHS build option is set when Exim was + built, Exim no longer performs string expansion on the second string of + the match_* expansion conditions: "match_address", "match_domain", + "match_ip" & "match_local_part". Named lists can still be used. + + +Version 4.76 +------------ + + 1. The global option "dns_use_edns0" may be set to coerce EDNS0 usage on + or off in the resolver library. + + +Version 4.75 +------------ + + 1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there + is now LDAP/TLS support, given sufficiently modern OpenLDAP client + libraries. The following global options have been added in support of + this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key, + ldap_cipher_suite, ldap_require_cert, ldap_start_tls. + + 2. The pipe transport now takes a boolean option, "freeze_signal", default + false. When true, if the external delivery command exits on a signal then + Exim will freeze the message in the queue, instead of generating a bounce. + + 3. Log filenames may now use %M as an escape, instead of %D (still available). + The %M pattern expands to yyyymm, providing month-level resolution. + + 4. The $message_linecount variable is now updated for the maildir_tag option, + in the same way as $message_size, to reflect the real number of lines, + including any header additions or removals from transport. + + 5. When contacting a pool of SpamAssassin servers configured in spamd_address, + Exim now selects entries randomly, to better scale in a cluster setup. + + +Version 4.74 +------------ + + 1. SECURITY FIX: privilege escalation flaw fixed. On Linux (and only Linux) + the flaw permitted the Exim run-time user to cause root to append to + arbitrary files of the attacker's choosing, with the content based + on content supplied by the attacker. + + 2. Exim now supports loading some lookup types at run-time, using your + platform's dlopen() functionality. This has limited platform support + and the intention is not to support every variant, it's limited to + dlopen(). This permits the main Exim binary to not be linked against + all the libraries needed for all the lookup types. + + +Version 4.73 +------------ + + NOTE: this version is not guaranteed backwards-compatible, please read the + items below carefully + + 1. A new main configuration option, "openssl_options", is available if Exim + is built with SSL support provided by OpenSSL. The option allows + administrators to specify OpenSSL options to be used on connections; + typically this is to set bug compatibility features which the OpenSSL + developers have not enabled by default. There may be security + consequences for certain options, so these should not be changed + frivolously. + + 2. A new pipe transport option, "permit_coredumps", may help with problem + diagnosis in some scenarios. Note that Exim is typically installed as + a setuid binary, which on most OSes will inhibit coredumps by default, + so that safety mechanism would have to be overridden for this option to + be able to take effect. + + 3. ClamAV 0.95 is now required for ClamAV support in Exim, unless + Local/Makefile sets: WITH_OLD_CLAMAV_STREAM=yes + Note that this switches Exim to use a new API ("INSTREAM") and a future + release of ClamAV will remove support for the old API ("STREAM"). + + The av_scanner option, when set to "clamd", now takes an optional third + part, "local", which causes Exim to pass a filename to ClamAV instead of + the file content. This is the same behaviour as when clamd is pointed at + a Unix-domain socket. For example: + + av_scanner = clamd:192.0.2.3 1234:local + + ClamAV's ExtendedDetectionInfo response format is now handled. + + 4. There is now a -bmalware option, restricted to admin users. This option + takes one parameter, a filename, and scans that file with Exim's + malware-scanning framework. This is intended purely as a debugging aid + to ensure that Exim's scanning is working, not to replace other tools. + Note that the ACL framework is not invoked, so if av_scanner references + ACL variables without a fallback then this will fail. + + 5. There is a new expansion operator, "reverse_ip", which will reverse IP + addresses; IPv4 into dotted quad, IPv6 into dotted nibble. Examples: + + ${reverse_ip:192.0.2.4} + -> 4.2.0.192 + ${reverse_ip:2001:0db8:c42:9:1:abcd:192.0.2.3} + -> 3.0.2.0.0.0.0.c.d.c.b.a.1.0.0.0.9.0.0.0.2.4.c.0.8.b.d.0.1.0.0.2 + + 6. There is a new ACL control called "debug", to enable debug logging. + This allows selective logging of certain incoming transactions within + production environments, with some care. It takes two options, "tag" + and "opts"; "tag" is included in the filename of the log and "opts" + is used as per the -d command-line option. Examples, which + don't all make sense in all contexts: + + control = debug + control = debug/tag=.$sender_host_address + control = debug/opts=+expand+acl + control = debug/tag=.$message_exim_id/opts=+expand + + 7. It has always been implicit in the design and the documentation that + "the Exim user" is not root. src/EDITME said that using root was + "very strongly discouraged". This is not enough to keep people from + shooting themselves in the foot in days when many don't configure Exim + themselves but via package build managers. The security consequences of + running various bits of network code are severe if there should be bugs in + them. As such, the Exim user may no longer be root. If configured + statically, Exim will refuse to build. If configured as ref:user then Exim + will exit shortly after start-up. If you must shoot yourself in the foot, + then henceforth you will have to maintain your own local patches to strip + the safeties off. + + 8. There is a new expansion condition, bool_lax{}. Where bool{} uses the ACL + condition logic to determine truth/failure and will fail to expand many + strings, bool_lax{} uses the router condition logic, where most strings + do evaluate true. + Note: bool{00} is false, bool_lax{00} is true. + + 9. Routers now support multiple "condition" tests. + +10. There is now a runtime configuration option "tcp_wrappers_daemon_name". + Setting this allows an admin to define which entry in the tcpwrappers + config file will be used to control access to the daemon. This option + is only available when Exim is built with USE_TCP_WRAPPERS. The + default value is set at build time using the TCP_WRAPPERS_DAEMON_NAME + build option. + +11. [POSSIBLE CONFIG BREAKAGE] The default value for system_filter_user is now + the Exim run-time user, instead of root. + +12. [POSSIBLE CONFIG BREAKAGE] ALT_CONFIG_ROOT_ONLY is no longer optional and + is forced on. This is mitigated by the new build option + TRUSTED_CONFIG_LIST which defines a list of configuration files which + are trusted; one per line. If a config file is owned by root and matches + a pathname in the list, then it may be invoked by the Exim build-time + user without Exim relinquishing root privileges. + +13. [POSSIBLE CONFIG BREAKAGE] The Exim user is no longer automatically + trusted to supply -D overrides on the command-line. Going + forward, we recommend using TRUSTED_CONFIG_LIST with shim configs that + include the main config. As a transition mechanism, we are temporarily + providing a work-around: the new build option WHITELIST_D_MACROS provides + a colon-separated list of macro names which may be overridden by the Exim + run-time user. The values of these macros are constrained to the regex + ^[A-Za-z0-9_/.-]*$ (which explicitly does allow for empty values). + + +Version 4.72 +------------ + + 1. TWO SECURITY FIXES: one relating to mail-spools which are globally + writable, the other to locking of MBX folders (not mbox). + + 2. MySQL stored procedures are now supported. + + 3. The dkim_domain transport option is now a list, not a single string, and + messages will be signed for each element in the list (discarding + duplicates). + + 4. The 4.70 release unexpectedly changed the behaviour of dnsdb TXT lookups + in the presence of multiple character strings within the RR. Prior to 4.70, + only the first string would be returned. The dnsdb lookup now, by default, + preserves the pre-4.70 semantics, but also now takes an extended output + separator specification. The separator can be followed by a semicolon, to + concatenate the individual text strings together with no join character, + or by a comma and a second separator character, in which case the text + strings within a TXT record are joined on that second character. + Administrators are reminded that DNS provides no ordering guarantees + between multiple records in an RRset. For example: + + foo.example. IN TXT "a" "b" "c" + foo.example. IN TXT "d" "e" "f" + + ${lookup dnsdb{>/ txt=foo.example}} -> "a/d" + ${lookup dnsdb{>/; txt=foo.example}} -> "def/abc" + ${lookup dnsdb{>/,+ txt=foo.example}} -> "a+b+c/d+e+f" + Version 4.70 / 4.71 ------------------- 1. Native DKIM support without an external library. + (Note that if no action to prevent it is taken, a straight upgrade will + result in DKIM verification of all signed incoming emails. See spec + for details on conditionally disabling) 2. Experimental DCC support via dccifd (contributed by Wolfgang Breyha). 3. There is now a bool{} expansion condition which maps certain strings to - true/false condition values (most likely of use in conjuction with the + true/false condition values (most likely of use in conjunction with the and{} expansion operator). 4. The $spam_score, $spam_bar and $spam_report variables are now available @@ -41,6 +589,12 @@ Version 4.70 / 4.71 9. The transport_filter_timeout option now applies to SMTP transports too. +Version 4.69 +------------ + + 1. Preliminary DKIM support in Experimental. + + Version 4.68 ------------