X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/fbbd45ff5ade30d38ca60ea5aeccc305501c9174..8c2a478b1f6f8c3fb43317c1e6729b23a3b972b7:/doc/doc-txt/NewStuff diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b9ed8a00d..e21446533 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -3,9 +3,235 @@ New Features in Exim This file contains descriptions of new features that have been added to Exim. Before a formal release, there may be quite a lot of detail so that people can -test from the snapshots or the CVS before the documentation is updated. Once +test from the snapshots or the Git before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.94 +------------ + + 1. EXPERIMENTAL_SRS_NATIVE optional build feature. See the experimental.spec + file. + + 2. Channel-binding for authenticators is now supported under OpenSSL. + Previously it was GnuTLS-only. + + 3. A msg:defer event. + + 4. Client-side support in the gsasl authenticator. Tested against the + plaintext driver for PLAIN; only against itself for SCRAM-SHA-1 and + SCRAM-SHA-1-PLUS methods. + + 5. Server-side support in the gsasl authenticator for encrypted passwords, as + an alternate for the existing plaintext. + + 6. Variable $local_part_verified, set by the router check_local_part condition + with untainted data. + + 7. Named-list definitions can now be prefixed "hide" so that "-bP" commands do + not output the content. Previously this could only be done on options. + + +Version 4.93 +------------ + + 1. An "external" authenticator, per RFC 4422 Appendix A. + + 2. A JSON lookup type, and JSON variants of the forall/any expansion conditions. + + 3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names + for ciphersuites. + + 4. Log_selectors "msg_id" (on by default) and "msg_id_created". + + 5. A case_insensitive option for verify=not_blind. + + 6. EXPERIMENTAL_TLS_RESUME optional build feature. See the experimental.spec + file. + + 7. A main option exim_version to override the version Exim + reports in verious places ($exim_version, $version_number). + + 8. Expansion operator ${sha2_N:} for N=256, 384, 512. + + 9. Router variables, $r_... settable from router options and usable in routers + and transports. + +10. The spf lookup now supports IPv6. + +11. Main options for DKIM verify to filter hash and key types. + +12. With TLS1.3, support for full-chain OCSP stapling. + +13. Dual-certificate stacks on servers now support OCSP stapling, under OpenSSL. + +14: An smtp:ehlo transport event, for observability of the remote offered features. + +15: Support under OpenSSL for writing NSS-style key files for packet-capture + decode. The environment variable SSLKEYLOGFILE is used; if an absolute path + it must indicate a file under the spool directory; if relative the the spool + directory is prepended. Works on the server side only. Support under + GnuTLS was already there, being done purely by the library (server side + only, and exim must be run as root). + +16: Command-line option to move messages from one named queue to another. + +17. Variables $tls_in_ver, $tls_out_ver. + + +Version 4.92 +-------------- + + 1. ${l_header:} and ${l_h:} expansion items, giving a colon-sep + list when there are multiple headers having a given name. This matters + when individual headers are wrapped onto multiple lines; with previous + facilities hard to parse. + + 2. The ${readsocket } expansion item now takes a "tls" option, doing the + obvious thing. + + 3. EXPERIMENTAL_REQUIRETLS and EXPERIMENTAL_PIPE_CONNECT optional build + features. See the experimental.spec file. + + 4. If built with SUPPORT_I18N a "utf8_downconvert" option on the smtp transport. + + 5. A "pipelining" log_selector. + + 6. Builtin macros for supported log_selector and openssl_options values. + + 7. JSON variants of the ${extract } expansion item. + + 8. A "noutf8" debug option, for disabling the UTF-8 characters in debug output. + + 9. TCP Fast Open support on MacOS. + +Version 4.91 +-------------- + + 1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS + version 3.5.6 or later. + + 2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and + OpenSSL versions are moved to mainline support from Experimental. + New SMTP transport option "dane_require_tls_ciphers". + + 3. Feature macros for the compiled-in set of malware scanner interfaces. + + 4. SPF support is promoted from Experimental to mainline status. The template + src/EDITME makefile does not enable its inclusion. + + 5. Logging control for DKIM verification. The existing DKIM log line is + controlled by a "dkim_verbose" selector which is _not_ enabled by default. + A new tag "DKIM=" is added to <= lines by default, controlled by + a "dkim" log_selector. + + 6. Receive duration on <= lines, under a new log_selector "receive_time". + + 7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on + routing rules in the manualroute router. + + 8. Expansion item ${sha3:} / ${sha3_:} now also supported + under OpenSSL version 1.1.1 or later. + + 9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under + GnuTLS 3.6.0 or OpenSSL 1.1.1 or later. + +10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library + version dependent. + +11. "exim -bP macro " returns caller-usable status. + +12. Expansion item ${authresults {}} for creating an + Authentication-Results: header. + +13. EXPERIMENTAL_ARC. See the experimental.spec file. + See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC. + +14: A dane:fail event, intended to facilitate reporting. + +15. "Lightweight" support for Redis Cluster. Requires redis_servers list to + contain all the servers in the cluster, all of which must be reachable from + the running exim instance. If the cluster has master/slave replication, the + list must contain all the master and slave servers. + +16. Add an option to the Avast scanner interface: "pass_unscanned". This + allows to treat unscanned files as clean. Files may be unscanned for + several reasons: decompression bombs, broken archives. + + +Version 4.90 +------------ + + 1. PKG_CONFIG_PATH can now be set in Local/Makefile; + wildcards will be expanded, values are collapsed. + + 2. The ${readsocket } expansion now takes an option to not shutdown the + connection after sending the query string. The default remains to do so. + + 3. An smtp transport option "hosts_noproxy_tls" to control whether multiple + deliveries on a single TCP connection can maintain a TLS connection + open. By default disabled for all hosts, doing so saves the cost of + making new TLS sessions, at the cost of having to proxy the data via + another process. Logging is also affected. + + 4. A malware connection type for the FPSCAND protocol. + + 5. An option for recipient verify callouts to hold the connection open for + further recipients and for delivery. + + 6. The reproducible build $SOURCE_DATE_EPOCH environment variable is now + supported. + + 7. Optionally, an alternate format for spool data-files which matches the + wire format - meaning more efficient reception and transmission (at the + cost of difficulty with standard Unix tools). Only used for messages + received using the ESMTP CHUNKING option, and when a new main-section + option "spool_wireformat" (false by default) is set. + + 8. New main configuration option "commandline_checks_require_admin" to + restrict who can use various introspection options. + + 9. New option modifier "no_check" for quota and quota_filecount + appendfile transport. + +10. Variable $smtp_command_history returning a comma-sep list of recent + SMTP commands. + +11. Millisecond timetamps in logs, on log_selector "millisec". Also affects + log elements QT, DT and D, and timstamps in debug output. + +12. TCP Fast Open logging. As a server, logs when the SMTP banner was sent + while still in SYN_RECV state; as a client logs when the connection + is opened with a TFO cookie. + +13. DKIM support for multiple signing, by domain and/or key-selector. + DKIM support for multiple hashes, and for alternate-identity tags. + Builtin macro with default list of signed headers. + Better syntax for specifying oversigning. + The DKIM ACL can override verification status, and status is visible in + the data ACL. + +14. Exipick understands -C|--config for an alternative Exim + configuration file. + +15. TCP Fast Open used, with data-on-SYN, for client SMTP via SOCKS5 proxy, + for ${readsocket } expansions, and for ClamAV. + +16. The "-be" expansion test mode now supports macros. Macros are expanded + in test lines, and new macros can be defined. + +17. Support for server-side dual-certificate-stacks (eg. RSA + ECDSA). + + +Version 4.89 +------------ + + 1. Allow relative config file names for ".include" + + 2. A main-section config option "debug_store" to control the checks on + variable locations during store-reset. Normally false but can be enabled + when a memory corruption issue is suspected on a production system. + + Version 4.88 ------------ @@ -21,7 +247,7 @@ Version 4.88 N can be 224, 256 (default), 384, 512. With GnuTLS 3.5.0 or later, only. - 5. Facility for named queues: A commandline argument can specify + 5. Facility for named queues: A command-line argument can specify the queue name for a queue operation, and an ACL modifier can set the queue to be used for a message. A $queue_name variable gives visibility. @@ -38,8 +264,32 @@ Version 4.88 9. Expansion operator escape8bit, like escape but not touching newline etc.. 10. Feature macros, generated from compile options. All start with "_HAVE_" - and go on with some roughly recognisable name. Use the "-bP macros" - command-line option to see what is present. + and go on with some roughly recognisable name. Driver macros, for + router, transport and authentication drivers; names starting with "_DRIVER_". + Option macros, for each configuration-file option; all start with "_OPT_". + Use the "-bP macros" command-line option to see what is present. + +11. Integer values for options can take a "G" multiplier. + +12. defer=pass option for the ACL control cutthrough_delivery, to reflect 4xx + returns from the target back to the initiator, rather than spooling the + message. + +13. New built-in constants available for tls_dhparam and default changed. + +14. If built with EXPERIMENTAL_QUEUEFILE, a queuefile transport, for writing + out copies of the message spool files for use by 3rd-party scanners. + +15. A new option on the smtp transport, hosts_try_fastopen. If the system + supports it (on Linux it must be enabled in the kernel by the sysadmin) + try to use RFC 7413 "TCP Fast Open". No data is sent on the SYN segment + but it permits a peer that also supports the facility to send its SMTP + banner immediately after the SYN,ACK segment rather then waiting for + another ACK - so saving up to one roundtrip time. Because it requires + previous communication with the peer (we save a cookie from it) this + will only become active on frequently-contacted destinations. + +16. A new syslog_pid option to suppress PID duplication in syslog lines. Version 4.87 @@ -68,7 +318,7 @@ Version 4.87 synonym of the latter). Add support in base64 for certificates. 8. New main configuration option "bounce_return_linesize_limit" to - avoid oversize bodies in bounces. The dafault value matches RFC + avoid oversize bodies in bounces. The default value matches RFC limits. 9. New $initial_cwd expansion variable. @@ -88,7 +338,7 @@ Version 4.86 5. Assorted options on malware= and spam= scanners. - 6. A commandline option to write a comment into the logfile. + 6. A command-line option to write a comment into the logfile. 7. If built with EXPERIMENTAL_SOCKS feature enabled, the smtp transport can be configured to make connections via socks5 proxies. @@ -116,7 +366,7 @@ Version 4.85 ------------ 1. If built with EXPERIMENTAL_DANE feature enabled, Exim will follow the - DANE smtp draft to assess a secure chain of trust of the certificate + DANE SMTP draft to assess a secure chain of trust of the certificate used to establish the TLS connection based on a TLSA record in the domain of the sender. @@ -183,7 +433,7 @@ Version 4.83 12. OCSP stapling is now supported by default. 13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output - Delivery Status Notification messages in MIME format, and negociate + Delivery Status Notification messages in MIME format, and negotiate DSN features per RFC 3461. @@ -238,20 +488,20 @@ Version 4.82 ignored. 7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery" - ACL modifier; works for single-recipient mails which are recieved on and + ACL modifier; works for single-recipient mails which are received on and deliverable via SMTP. Using the connection made for a recipient verify, if requested before the verify, or a new one made for the purpose while the inbound connection is still active. The bulk of the mail item is copied direct from the inbound socket to the outbound (as well as the spool file). When the source notifies the end of data, the data acceptance by the destination - is negociated before the acceptance is sent to the source. If the destination + is negotiated before the acceptance is sent to the source. If the destination does not accept the mail item, for example due to content-scanning, the item is not accepted from the source and therefore there is no need to generate a bounce mail. This is of benefit when providing a secondary-MX service. The downside is that delays are under the control of the ultimate destination system not your own. - The Recieved-by: header on items delivered by cutthrough is generated + The Received-by: header on items delivered by cutthrough is generated early in reception rather than at the end; this will affect any timestamp included. The log line showing delivery is recorded before that showing reception; it uses a new ">>" tag instead of "=>". @@ -312,7 +562,7 @@ Version 4.82 16. New authenticated_sender logging option, adding to log field "A". 17. New expansion variables $router_name and $transport_name. Useful - particularly for debug_print as -bt commandline option does not + particularly for debug_print as -bt command-line option does not require privilege whereas -d does. 18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a @@ -330,13 +580,14 @@ Version 4.82 It adds new expansion variables $dmarc_ar_header, $dmarc_status, $dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier dmarc_status. It adds new control flags dmarc_disable_verify and - dmarc_enable_forensic. + dmarc_enable_forensic. The default for the dmarc_tld_file option is + "/etc/exim/opendmarc.tlds" and can be changed via EDITME. 22. Add expansion variable $authenticated_fail_id, which is the username provided to the authentication method which failed. It is available for use in subsequent ACL processing (typically quit or notquit ACLs). -23. New ACL modifer "udpsend" can construct a UDP packet to send to a given +23. New ACL modifier "udpsend" can construct a UDP packet to send to a given UDP host and port. 24. New ${hexquote:..string..} expansion operator converts non-printable @@ -771,7 +1022,7 @@ Version 4.68 longest line that was received as part of the message, not counting the line termination character(s). - 7. Host lists can now include +ignore_defer and +include_defer, analagous to + 7. Host lists can now include +ignore_defer and +include_defer, analogous to +ignore_unknown and +include_unknown. These options should be used with care, probably only in non-critical host lists such as whitelists.