1This document describes *changes* to previous versions, that might 2affect Exim's operation, with an unchanged configuration file. For new 3options, and new features, see the NewStuff file next to this ChangeLog. 4 5JH/05 Bug 2819: speed up command-line messages being read in. Previously a 6 time check was being done for every character; replace that with one 7 per buffer. 8 9JH/10 Convert all uses of select() to poll(). FreeBSD 12.2 was found to be 10 handing out large-numbered file descriptors, violating the usual Unix 11 assumption (and required by Posix) that the lowest possible number will be 12 allocated by the kernel when a new one is needed. In the daemon, and any 13 child procesees, values higher than 1024 (being bigger than FD_SETSIZE) 14 are not useable for FD_SET() [and hence select()] and overwrite the stack. 15 Assorted crashes happen. 16 17JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux, 18 though only once PCRE2 was introduced: the memory accounting used under 19 debug offset allocations by an int, giving a hard trap in early startup. 20 Change to using a size_t. Debug and fix by John Paul Adrian Glaubitz. 21 22 23Exim version 4.95 24----------------- 25 26JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail- 27 related applications. Previously an "H" was used where available info 28 says that "M" should be, so change to match. 29 30JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used 31 as arguments, so an implementation trying to copy these into a local 32 buffer was taking a taint-enforcement trap. Fix by using dynamically 33 created buffers. Similar fix for radius expansion condition. 34 35JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is 36 reasonable, eg. to count headers. Fix by using dynamically created 37 buffers rather than a local. Do similar fixes for ACL actions "dcc", 38 "log_reject_target", "malware" and "spam"; the arguments are expanded 39 so could be handling tainted values. 40 41JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had 42 broken the (no-op) support for this sendmail command. Restore it 43 to doing nothing, silently, and returning good status. 44 45JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" 46 record path was given (or the default used) without a leading directory 47 path, an error occurred on trying to open it. Use the transport's working 48 directory. 49 50JH/06 Bug 2594: Change the name used for certificate name checks in the smtp 51 transport. Previously it was the name on the DNS A-record; use instead 52 the head of the CNAME chain leading there (if there is one). This seems 53 to align better with RFC 6125. 54 55JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for 56 smtp_accept_max_per_host allocated resources which were not released 57 when the limit was exceeded. This eventually crashed the daemon. Fix 58 by adding a release action in that path. 59 60JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are 61 expanded; previously using tainted values was rejected. Fix by using 62 dynamically-created buffers. 63 64JH/09 Relax restrictions on ACL verify condition needing access to message 65 headers. Previously they were only permitted in data and non-smtp ACLs; 66 permit also mime, dkim, prdr quit and notquit. Applies to header-syntax, 67 not_blind, header_sender and header_names_ascii verification. 68 69JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once. 70 Previously a macro used one argument twice; when called with the 71 argument as an expression having side-effects, incorrect operation 72 resulted. Use an inlineable function. 73 74JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already 75 held open for a verify callout. Previously this wan not accounted for 76 and a corrupt onward SMTP conversation resulted. 77 78JH/12 Bug 2607: Fix the ${srs_encode } expansion to handle quoted local_parts. 79 Previously they were embedded naively in the constructed address; when 80 needed, strip the quoting and quote the entire local_part. 81 Also make the inbound_srs expansion condition handle quoting. 82 83JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was 84 excluded, not matching the documentation. 85 86JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename 87 was given for the sqlite_dbfile a trap resulted. 88 89JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the 90 "name" argument resulted in a trap. There is no reason to disallow such; 91 this was a coding error. 92 93JH/16 Bug 2615: Fix pause during message reception, on systems that have been 94 suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time 95 spent suspended, ignoring the POSIX definition. Previously we assumed 96 it did and a constant offset from real time could be used as a correction. 97 Change to using the same clock source for the start-of-message and the 98 post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it 99 exists, just to get a clock slightly more aligned to reality. 100 101JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the 102 RFC says it is optional some validators care. The missing char was not 103 intended but triggered by a line-wrap alignment. Discovery and fix by 104 Guillaume Outters, hacked on by JH. 105 106JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the 107 name being quoted was tainted a trap would be taken. Fix by using 108 dynamically created buffers. The routine could have been called by a 109 rewrite with the "h" flag, by using the "-F" command-line option, or 110 by using a "name=" option on a control=submission ACL modifier. 111 112JH/19 SPF: change the Authentication-Results expansion component to give 113 smtp.helo when the sender domain is empty. Previously it gave 114 "smtp.mailfrom=<>" 115 116JH/20 Bug 2631: ACL dnslist conditions now ignore and log any lookups returns 117 not in 127.0.0.0/8 to help in spotting list domains taken over by a 118 domain-parking registrar. 119 120JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. 121 Previously when a whitespace character was specified it was not inserted 122 after removing the newline. 123 124JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be 125 the domain part of the recipient address. This overrides any tls_sni 126 option set, which was previously used. 127 128JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI 129 in quotes. 130 131JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for 132 is_tainted() had an off-by-one error in the overenthusiastic direction. 133 Find and fix by Gavan. Although NetBSD is not a supported platform for 134 4.94 this bug could affect other platforms. 135 136PP/01 Fix default prime selection to be consistent. 137 One path used ike23 still, instead of exim.dev.20160529.3; now both 138 execution flows will use the same DH primes (currently 139 exim.dev.20160529.3). 140 141JH/25 OpenSSL: Fix back-compatibility behaviour surrounding tls_certificates 142 option in smtp transport, to match the documentation. Previously 143 verification was not being done in some cases where it should have been. 144 145JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more 146 than one server was defined and depending on the platform memory layout 147 details, an internal consistency trap could be hit while walking the list 148 of servers. 149 150JH/27 Bug 2648: fix the passing of an authenticator public-name through spool 151 files. The value is used by the authresults expansion item. Previously 152 if this was used in a router or transport, a crash could result. 153 154JH/28 Fix spurious logging of select error. Some platforms, notably FreeBSD, 155 have a sufficient incidence of EINTR returns from select that an 156 interaction with other operations done by the main daemon loop exposed 157 a bug in the error-handling. This was benign apart from the log 158 messages. 159 160JH/29 Bug 2675: add outgoing-interface I= element to deferred "==" log lines, 161 for consistency with delivered "=>" and failed "**" lines. While we're 162 there, handle PRX and TFO. 163 164JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was 165 applied. This resulted, if any header-line rewrite rules were configured, 166 in a panic-log triggerable by sending a message with a long address in 167 a header. Fix by increasing the arbitrary limit to larger than a single 168 (dewrapped) 5322 header line maximum size. 169 170JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option 171 is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with 172 RFC 6648 which deprecates X- options in protocols as a general practice. 173 Changeover between the implementations is handled by the mechanisms 174 already coded. 175 176JH/32 Bug 2599: fix delay of delivery to a local address where there is also 177 a remote which uses callout/hold. Previously the local was queued. 178 179JH/33 Fix a taint trap in the ${listextract } expansion when the source data 180 was tainted. 181 182JH/34 Fix the placement of a multiple-message delivery marker in the delivery 183 log line. The asterisk is now consistently appended to the remote IP 184 (and port, if given), and will also be provided on defer and fail log 185 lines. Previously it could be placed on the local IP if that was being 186 logged, and was only provided on delivery lines. 187 188JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files. 189 190JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext 191 authenticator client_send option. Previously the next char, after a pair 192 was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became 193 ^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the 194 documentation. There is still no way to get a leading ^ immediately 195 after a NUL (ie. for the password of a PLAIN method authenticator. 196 197JH/37 Enforce the expected size, for fixed-size records read from hints-DB 198 files. For bad sizes read, delete the record and whine to paniclog. 199 200JH/38 When logging an AUTH failure, as server, do not include sensitive 201 information. Previously, the credentials would be included if given 202 as part of the AUTH command line and an ACL denied authentication. 203 204JH/39 Bug 2691: fix $local_part_data. When the matching list element 205 referred to a file, bad data was returned. This likely also affected 206 $domain_part_data. 207 208JH/40 The gsasl authenticator now supports caching of the salted password 209 generated by the client-side implementation. This required the addition 210 of a new variable: $auth4. 211 212JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was 213 left undeleted; the attempt to re-create it then failed - resulting in 214 the usual "SIGHUP tp have daemon reload configuration" to not work. 215 This affected any platform not supporting "abstract" Unix-domain 216 sockets (i.e. not Linux). 217 218JH/42 Bug 2693: Harden against a peer which reneges on a 452 "too many 219 recipients" response to RCPT in a later response, with a 250. The 220 previous coding assumed this would not happen, and under PIPELINING 221 would result in both lost and duplicate recipients for a message. 222 223JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers. 224 Previously the weighting was incorrectly applied. Similar fix for socks 225 proxies. Found and fixed by Heiko Schlichting. 226 227JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did 228 not handle sub-lists included using the +namedlist syntax. While 229 investigating, the same found for dns_trust_aa, dns_again_means_nonexist, 230 dnssec_require_domains, dnssec_request_domains, srv_fail_domains, 231 mx_fail_domains. 232 233JH/45 Use a (new) separate store pool-pair for DKIM verify working data. 234 Previously the permanent pool was used, so the sore could not be freed. 235 This meant a connection with many messages would use continually-growing 236 memory. 237 238JH/46 Use an exponentially-increasing block size when malloc'ing store. Do it 239 per-pool so as not to waste too much space. Previously a constant size 240 was used which resulted in O(n^2) behaviour; now we get O(n log n) making 241 DOS attacks harder. The cost is wasted memory use in the larger blocks. 242 243JH/47 Use explicit alloc/free for DNS lookup workspace. This permits using the 244 same space repeatedly, and a smaller process footprint. 245 246JH/48 Use a less bogus-looking filename for a temporary used for DH-parameters 247 for GnuTLS. Previously the name started "%s" which, while not a bug, 248 looked as if if might be one. 249 250JH/49 Bug 2710: when using SOCKS for additional messages after the first (a 251 "continued connection") make the $proxy_* variables available. Previously 252 the information was not passed across the exec() call for subsequent 253 transport executions. This also mean that the log lines for the 254 messages can show the proxy information. 255 256JH/50 Bug 2672: QT elements in log lines, unless disabled, now exclude the 257 receive time. With modern systems the difference is significant. 258 The historical behaviour can be restored by disabling (a new) log_selector 259 "queue_time_exclusive". 260 261JH/51 Taint-check ACL line. Previously, only filenames (for out-of-line ACL 262 content) were specifically tested for. Now, also cover expansions 263 resulting in ACL names and inline ACL content. 264 265JH/52 Fix ${ip6norm:} operator. Previously, any trailing line text was dropped, 266 making it unusable in complex expressions. 267 268JH/53 Bug 2743: fix immediate-delivery via named queue. Previously this would 269 fail with a taint-check on the spoolfile name, and leave the message 270 queued. 271 272HS/01 Enforce absolute PID file path name. 273 274HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process. 275 276PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL. 277 278PP/02 Bug 2643: Correct TLS DH constants. 279 A missing NUL termination in our code-generation tool had led to some 280 incorrect Diffie-Hellman constants in the Exim source. 281 Reported by kylon94, code-gen tool fix by Simon Arlott. 282 283PP/03 Impose security length checks on various command-line options. 284 Fixes CVE-2020-SPRSS reported by Qualys. 285 286PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX 287 better. Reported by Qualys. 288 289PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker 290 providing a particularly obnoxious sender full name. 291 Reported by Qualys. 292 293PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() 294 295PP/07 Refuse to allocate too little memory, block negative/zero allocations. 296 Security guard. 297 298PP/08 Change default for recipients_max from unlimited to 50,000. 299 300PP/09 Fix security issue with too many recipients on a message (to remove a 301 known security problem if someone does set recipients_max to unlimited, 302 or if local additions add to the recipient list). 303 Fixes CVE-2020-RCPTL reported by Qualys. 304 305PP/10 Fix security issue in SMTP verb option parsing 306 Fixes CVE-2020-EXOPT reported by Qualys. 307 308PP/11 Fix security issue in BDAT state confusion. 309 Ensure we reset known-good where we know we need to not be reading BDAT 310 data, as a general case fix, and move the places where we switch to BDAT 311 mode until after various protocol state checks. 312 Fixes CVE-2020-BDATA reported by Qualys. 313 314HS/03 Die on "/../" in msglog file names 315 316QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of 317 the Exim runtime user are allowed to create files. 318 319QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim 320 runtime user. 321 322QS/03 When reading the output from interpreted forward files we do not 323 pass the pipe between the parent and the interpreting process to 324 executed child processes (if any). 325 326QS/04 Always die if requested from internal logging, even is logging is 327 disabled. 328 329JH/54 DMARC: recent versions of the OpenDMARC library appear to have broken 330 the API; compilation noo longer completes with DMARC support included. 331 This affects 1.4.1-1 on Fedora 33 (1.3.2-3 is functional); and has 332 been reported on other platforms. 333 334JH/55 TLS: as server, reject connections with ALPN indicating non-smtp use. 335 336JH/56 Make the majority of info read from config files readonly, for defence-in- 337 depth against exploits. Suggestion by Qualys. 338 Not supported on Solaris 10. 339 340JH/57 Fix control=fakreject for a custom message containing tainted data. 341 Previously this resulted in a log complaint, due to a re-expansion present 342 since fakereject was originally introduced. 343 344JH/58 GnuTLS: Fix certextract expansion. If a second modifier after a tag 345 modifier was given, a loop resulted. 346 347JH/59 DKIM: Fix small-message verification under TLS with chunking. If a 348 pipelined SMTP command followed the BDAT LAST then it would be 349 incorrectly treated as part of the message body, causing a verification 350 fail. 351 352JH/60 Bug 2805: Fix logging of domain-literals in Message_ID: headers. They 353 require looser validation rules than those for 821-level addresses, 354 which only permit IP addresses. 355 356 357Exim version 4.94 358----------------- 359 360JH/01 Avoid costly startup code when not strictly needed. This reduces time 361 for some exim process initialisations. It does mean that the logging 362 of TLS configuration problems is only done for the daemon startup. 363 364JH/02 Early-pipelining support code is now included unless disabled in Makefile. 365 366JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to 367 RFC 8301. They can still be enabled, using the dkim_verify_hashes main 368 option. 369 370JH/04 Support CHUNKING from an smtp transport using a transport_filter, when 371 DKIM signing is being done. Previously a transport_filter would always 372 disable CHUNKING, falling back to traditional DATA. 373 374JH/05 Regard command-line recipients as tainted. 375 376JH/06 Bug 340: Remove the daemon pid file on exit, when due to SIGTERM. 377 378JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the 379 PAM library frees one of the arguments given to it, despite the 380 documentation. Therefore a plain malloc must be used. 381 382JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously 383 on-stack buffers were used, resulting in a taint trap when DSN information 384 copied from a received message was written into the buffer. 385 386JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix 387 the ordering of its ARC headers. This caused a crash. 388 389JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when 390 a new record was being constructed with information from the peer, a trap 391 was taken. 392 393JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive 394 installation would get error messages from DMARC verify, when it hit the 395 nonexistent file indicated by the default. Distros wanting DMARC enabled 396 should both provide the file and set the option. 397 Also enforce no DMARC verification for command-line sourced messages. 398 399JH/12 Fix an uninitialised flag in early-pipelining. Previously connections 400 could, depending on the platform, hang at the STARTTLS response. 401 402JH/13 Bug 2498: Reset a counter used for ARC verify before handling another 403 message on a connection. Previously if one message had ARC headers and 404 the following one did not, a crash could result when adding an 405 Authentication-Results: header. 406 407JH/14 Bug 2500: Rewind some of the common-coding in string handling between the 408 Exim main code and Exim-related utities. The introduction of taint 409 tracking also did many adjustments to string handling. Since then, eximon 410 frequently terminated with an assert failure. 411 412JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and 413 check for 452 responses. This slightly helps the inefficieny of doing 414 a large alias-expansion into a recipient-limited target. The max_rcpt 415 transport option still applies (and at the current default, will override 416 the new feature). The check is done for either cause of synch, and forces 417 a fast-retry of all 452'd recipients using a new MAIL FROM on the same 418 connection. The new facility is not tunable at this time. 419 420JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to 421 library live data was being used, so the results became garbage. Make 422 copies while it is still usable. 423 424JH/17 Logging: when the deliver_time selector ise set, include the DT= field 425 on delivery deferred (==) and failed (**) lines (if a delivery was 426 attemtped). Previously it was only on completion (=>) lines. 427 428JH/18 Authentication: the gsasl driver not provides the $authN variables in time 429 for the expansion of the server_scram_iter and server_scram_salt options. 430 431WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library 432 are now specifically given a NO_DATA response without hitting the system 433 resolver. The library goes on to do the now-standard TXT lookup. 434 Use of dnsdb lookups is not affected. 435 436JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure, 437 only retrieve the errormessage once. Previously two calls to dlerror() 438 were used, and the second one (for mainlog/paniclog) retrieved null 439 information. 440 441JH/20 Taint checking: disallow use of tainted data for 442 - the appendfile transport file and directory options 443 - the pipe transport command 444 - the autoreply transport file, log and once options 445 - file names used by the redirect router (including filter files) 446 - named-queue names 447 - paths used by single-key lookups 448 Previously this was permitted. 449 450JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it 451 adjusted the size of a major service buffer; this failed because the 452 buffer was in use at the time. Change to a compile-time increase in the 453 buffer size, when this authenticator is compiled into exim. 454 455JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The 456 previous fast-mode was untenable in the face of glibs using mmap to 457 support larger malloc requests. 458 459PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c. 460 New values supported, if defined on system where compiled: 461 allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat, 462 no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding 463 464JH/23 Performance improvement in the initial phase of a two-pass queue run. By 465 running a limited number of proceses in parallel, a benefit is gained. The 466 amount varies with the platform hardware and load. The use of the option 467 queue_run_in_order means we cannot do this, as ordering becomes 468 indeterminate. 469 470JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix 471 had introduced a string-copy (for ensuring NUL-termination) which was not 472 appropriate for that case, which can include embedded NUL bytes in the 473 block of data. Investigation showed the copy to actually be needless, the 474 data being length-specified. 475 476JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was 477 done during a receiving connection, and both used TLS, global info was 478 used rather than per-connection info for tracking the state of data 479 queued for transmission. This could result in a connection hang. 480 481JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections. 482 Previously, when delivering serveral messages down a single connection 483 only the first would provide a SIZE. This was due to the size information 484 not being properly tracked. 485 486JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as 487 TAI (at 37 seconds currently), pretend to be in UTC for time-related 488 expansion and logging. Previously, spurious values such as a future 489 minute could be seen. 490 491JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations 492 it could crash from a null-deref. This could also affect the 493 ${addresses: } operator and ${readsock } item. 494 495JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime 496 message following a mime one, the variable was not reset. 497 498JH/30 When an pipelined-connect fails at the first response, assume incorrect 499 cached capability (perhaps the peer reneged?) and immediately retry in 500 non-pipelined mode. 501 502JH/31 Fix spurious detection of timeout while writing to transport filter. 503 504JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously 505 an attempt to copy the string was made before checking it. 506 507JH/33 Fix the dsearch lookup to return an untainted result. Previously the 508 taint of the lookup key was maintained; we now regard the presence in the 509 filesystem as sufficient validation. 510 511JH/34 Fix the readsocket expansion to not segfault when an empty "options" 512 argument is supplied. 513 514JH/35 The dsearch lookup now requires that the directory is an absolute path. 515 Previously this was not checked, and nonempty relative paths made an 516 access under Exim's current working directory. 517 518JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case. 519 Previously no event was raised. 520 521JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE 522 parameter supplied by the sender MAIL FROM command. Previously it was 523 ignored, and only the check_spool_space option value for the required 524 leeway checked. 525 526JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present 527 the size of the signing public-key. Previously it was instead giving 528 the size of the signature hash. 529 530JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now 531 the default. See the (new) dkim_verify_min_keysizes option. 532 533JH/40 Fix a memory-handling bug: when a connection carried multiple messages 534 and an ACL use a lookup for checking either the local_part or domain, 535 stale data could be accessed. Ensure that variable references are 536 dropped between messages. 537 538JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied 539 by the client was not checked as pointing within response data before 540 being used. A malicious client could thus cause an out-of-bounds read and 541 possibly gain authentication. Fix by adding the check. 542 543JH/42 Internationalisation: change the default for downconversion in the smtp 544 transport to be "if needed". Previously it was "as previously set" for 545 the message, which usually meant "if needed" for message-submission but 546 "no" for everything else. However, MTAs have been seen using SMTPUTF8 547 even when the envelope addresses did not need it, resulting in forwarding 548 failures to non-supporting MTAs. A downconvert in such cases will be 549 a no-op on the addresses, merely dropping the use of SMTPUTF8 by the 550 transport. The change does mean that addresses needing conversion will 551 be converted when previously a delivery failure would occur. 552 553JH/43 Fix possible long line in DSN. Previously when a very long SMTP error 554 response was received it would be used unchecked in a fail-DSN, violating 555 standards on line-length limits. Truncate if needed. 556 557HS/01 Remove parameters of the link to www.open-spf.org. The linked form 558 doesn't work. (Additionally add a new main config option to configure the 559 spf_smtp_comment) 560 561 562Exim version 4.93 563----------------- 564 565JH/01 OpenSSL: With debug enabled output keying information sufficient, server 566 side, to decode a TLS 1.3 packet capture. 567 568JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets. 569 Previously the default library behaviour applied, sending two, each in 570 its own TCP segment. 571 572JH/03 Debug output for ACL now gives the config file name and line number for 573 each verb. 574 575JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. 576 577JH/05 DKIM: ensure that dkim_domain elements are lowercased before use. 578 579JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible 580 buffer overrun for (non-chunking) other transports. 581 582JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under 583 TLS1.3, means that a server rejecting a client certificate is not visible 584 to the client until the first read of encrypted data (typically the 585 response to EHLO). Add detection for that case and treat it as a failed 586 TLS connection attempt, so that the normal retry-in-clear can work (if 587 suitably configured). 588 589JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part 590 and/or domain. Found and fixed by Jason Betts. 591 592JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid 593 configuration). If a CNAME target was not a wellformed name pattern, a 594 crash could result. 595 596JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when 597 the OS reports them interleaved with other addresses. 598 599JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was 600 used both for input and for a verify callout, both encrypted, SMTP 601 responses being sent by the server could be lost. This resulted in 602 dropped connections and sometimes bounces generated by a peer sending 603 to this system. 604 605JH/11 Harden plaintext authenticator against a badly misconfigured client-send 606 string. Previously it was possible to cause undefined behaviour in a 607 library routine (usually a crash). Found by "zerons". 608 609JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no 610 output. 611 612JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old 613 API was removed, so update to use the newer ones. 614 615JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without 616 any timeout set, is taking a long time. Previously we would hang on to a 617 rotated logfile "forever" if the input was arriving with long gaps 618 (a previous attempt to fix addressed lack, for a long time, of initial 619 input). 620 621HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a 622 shared (NFS) environment. The length of the tempfile name is now 623 4 + 16 ("hdr.$message_exim_id") which might break on file 624 systems which restrict the file name length to lower values. 625 (It was "hdr.$pid".) 626 627HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a 628 shared (NFS) environment. 629 630HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it 631 did for all versions <4.90). Notably -M, -m, --invert, -I may be 632 affected. 633 634JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors 635 on some platforms for bit 31. 636 637JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks 638 to changes apparently associated with TLS1.3 handling some of the APIs 639 previously used were either nonfunctional or inappropriate. Strings 640 like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 641 and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace 642 the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 . 643 This affects log line X= elements, the $tls_{in,out}_cipher variables, 644 and the use of specific cipher names in the encrypted= ACL condition. 645 646JH/17 OpenSSL: the default openssl_options now disables ssl_v3. 647 648JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the 649 verification result was not updated unless hosts_require_ocsp applied. 650 651JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option 652 queue_list_requires_admin set to false, non-admin users were denied the 653 facility. 654 655JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in 656 directory-of-certs mode. Previously they were advertised despite the 657 documentation. 658 659JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. 660 A single TCP connection by a client will now hold a TLS connection open 661 for multiple message deliveries, by default. Previously the default was to 662 not do so. 663 664JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by 665 default. If built with the facility, DANE will be used. The facility 666 SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME". 667 668JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define 669 is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL 670 must be defined and you must still, unless you define DISABLE_TLS, manage 671 the the include-dir and library-file requirements that go with that 672 choice. Non-TLS builds are still supported. 673 674JH/24 Fix duplicated logging of peer name/address, on a transport connection- 675 reject under TFO. 676 677JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by 678 default. If the platform supports and has the facility enabled, it will 679 be requested on all coneections. 680 681JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now 682 controlled by the build-time option SUPPORT_PIPE_CONNECT. 683 684PP/01 Unbreak heimdal_gssapi, broken in 4.92. 685 686JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for 687 success-DSN messages. Previously the From: header was always the default 688 one for these; the option was ignored. 689 690JH/28 Fix the timeout on smtp response to apply to the whole response. 691 Previously it was reset for every read, so a teergrubing peer sending 692 single bytes within the time limit could extend the connection for a 693 long time. Credit to Qualsys Security Advisory Team for the discovery. 694 695JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing 696 delivery address, which leaked information of the results of local 697 forwarding. Change to the original envelope recipient address, per 698 standards. 699 700JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is 701 requested. Previously not bounce was generated and a log entry of 702 error ignored was made. 703 704JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917) 705 706JH/32 Introduce a general tainting mechanism for values read from the input 707 channel, and values derived from them. Refuse to expand any tainted 708 values, to catch one form of exploit. 709 710JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result 711 was unused and the unexpanded text used for the test. Found and 712 fixed by Ruben Jenster. 713 714JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open, 715 an attempt to use a TLS library read routine dereffed a nul pointer, 716 causing a segfault. 717 718JH/35 Bug 2409: filter out-of-spec chars from callout response before using 719 them in our smtp response. 720 721JH/36 Have the general router option retry_use_local_part default to true when 722 any of the restrictive preconditions are set (to anything). Previously it 723 was only for check_local user. The change removes one item of manual 724 configuration which is required for proper retries when a remote router 725 handles a subset of addresses for a domain. 726 727JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file 728 link count into consideration. 729 730HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line 731 caused the extension of big_buffer, the following lines were ignored. 732 733JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in 734 accordance with RFC 2308. Previously there was no expiry, so a longlived 735 receive process (eg. due to ACL delays) versus a short SOA value could 736 surprise. 737 738HS/05 Handle trailing backslash gracefully. (CVE-2019-15846) 739 740JH/39 Promote DMARC support to mainline. 741 742JH/40 Bug 2452: Add a References: header to DSNs. 743 744JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman 745 parameters. The relevant library call is documented as "Deprecated: This 746 function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since 747 3.6.0, DH parameters are negotiated following RFC7919." 748 749HS/06 Change the default of dnssec_request_domains to "*" 750 751JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we 752 carried on and emitted a BDAT command, even when PIPELINING was not 753 active. 754 755JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted 756 buffer was used for the filename, resulting in a trap when tainted 757 arguments (eg. $domain) were used. 758 759JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below; 760 recommended to avoid a possible server-load attack. The feature can be 761 re-enabled via the openssl_options main cofiguration option. 762 763JH/45 local_scan API: documented the current smtp_printf() call. This changed 764 for version 4.90 - adding a "more data" boolean to the arguments. 765 Bumped the ABI version number also, this having been missed previously; 766 release versions 4.90 to 4.92.3 inclusive were effectively broken in 767 respect of usage of smtp_printf() by either local_scan code or libraries 768 accessed via the ${dlfunc } expansion item. Both will need coding 769 adjustment for any calls to smtp_printf() to match the new function 770 signature; a FALSE value for the new argument is always safe. 771 772JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating 773 the file-offset (which the Linux syscall does, and exim expects); this 774 resulted in an indefinite loop. 775 776JH/47 ARC: fix crash in signing, triggered when a configuration error failed 777 to do ARC verification. The Authentication-Results: header line added 778 by the configuration then had no ARC item. 779 780 781Exim version 4.92 782----------------- 783 784JH/01 Remove code calling the customisable local_scan function, unless a new 785 definition "HAVE_LOCAL_SCAN=yes" is present in the Local/Makefile. 786 787JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in 788 non-signal-safe functions being used. 789 790JH/03 Bug 2269: When presented with a received message having a stupidly large 791 number of DKIM-Signature headers, disable DKIM verification to avoid 792 a resource-consumption attack. The limit is set at twenty. 793 794JH/04 Add variables $arc_domains, $arc_oldest_pass for ARC verify. Fix the 795 report of oldest_pass in ${authres } in consequence, and separate out 796 some descriptions of reasons for verification fail. 797 798JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage 799 files in the spool were present and unlocked. A queue-runner could spot 800 them, resulting in a duplicate delivery. Fix that by doing the unlock 801 after the unlink. Investigation by Tim Stewart. Take the opportunity to 802 add more error-checking on spoolfile handling while that code is being 803 messed with. 804 805PP/01 Refuse to open a spool data file (*-D) if it's a symlink. 806 No known attacks, no CVE, this is defensive hardening. 807 808JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and 809 a queue-runner could start a delivery while other operations were ongoing. 810 Cutthrough delivery was a common victim, resulting in duplicate delivery. 811 Found and investigated by Tim Stewart. Fix by using the open message data 812 file handle rather than opening another, and not locally closing it (which 813 releases a lock) for that case, while creating the temporary .eml format 814 file for the MIME ACL. Also applies to "regex" and "spam" ACL conditions. 815 816JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting 817 $sender_verify_failure/$recipient_verify_failure to "random". 818 819JH/08 When generating a selfsigned cert, use serial number 1 since zero is not 820 legitimate. 821 822JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd. 823 Previously this would segfault. 824 825JH/10 Fix ARC signing for case when DKIM signing failed. Previously this would 826 segfault. 827 828JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd 829 like zero, since the resolver should be doing this for us, But we need one 830 as a CNAME but no MX presence gets the CNAME returned; we need to check 831 that doesn't point to an MX to declare it "no MX returned" rather than 832 "error, loop". A new main option is added so the older capability of 833 following some limited number of chain links is maintained. 834 835JH/12 Add client-ip info to non-pass iprev ${authres } lines. 836 837JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol 838 methods. These should support TLS 1.3; they arrived with TLS 1.3 and the 839 now-deprecated earlier definitions used only specified the range up to TLS 840 1.2 (in the older-version library docs). 841 842JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots. 843 844JH/15 Rework TLS client-side context management. Stop using a global, and 845 explicitly pass a context around. This enables future use of TLS for 846 connections to service-daemons (eg. malware scanning) while a client smtp 847 connection is using TLS; with cutthrough connections this is quite likely. 848 849JH/16 Fix ARC verification to do AS checks in reverse order. 850 851JH/17 Support a "tls" option on the ${readsocket } expansion item. 852 853JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages 854 using the SMTPUTF8 option on their MAIL FROM commands, in one connection. 855 Previously the "utf8" would be re-prepended for every additional message. 856 857JH/19 Reject MAIL FROM commands with SMTPUTF8 when the facility was not advertised. 858 Previously thery were accepted, resulting in issues when attempting to 859 forward messages to a non-supporting MTA. 860 861PP/02 Let -n work with printing macros too, not just options. 862 863JH/20 Bug 2296: Fix cutthrough for >1 address redirection. Previously only 864 one parent address was copied, and bogus data was used at delivery-logging 865 time. Either a crash (after delivery) or bogus log data could result. 866 Discovery and analysis by Tim Stewart. 867 868PP/03 Make ${utf8clean:} expansion operator detect incomplete final character. 869 Previously if the string ended mid-character, we did not insert the 870 promised '?' replacement. 871 872PP/04 Documentation: current string operators work on bytes, not codepoints. 873 874JH/21 Change as many as possible of the global flags into one-bit bitfields; these 875 should pack well giving a smaller memory footprint so better caching and 876 therefore performance. Group the declarations where this can't be done so 877 that the byte-sized flag variables are not interspersed among pointer 878 variables, giving a better chance of good packing by the compiler. 879 880JH/22 Bug 1896: Fix the envelope from for DMARC forensic reports to be possibly 881 non-null, to avoid issues with sites running BATV. Previously reports were 882 sent with an empty envelope sender so looked like bounces. 883 884JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working. 885 The ignore_error flag wasn't being returned from the filter subprocess so 886 was not set for later routers. Investigation and fix by Matthias Kurz. 887 888JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient, 889 and a msg:complete for the whole, when a message is manually removed using 890 -Mrm. Developement by Matthias Kurz, hacked on by JH. 891 892JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using 893 a "Gnu special" function, asprintf() in the DB utility binary builds; I 894 hope that is portable enough. 895 896JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also 897 requiring a known-CA anchor certificate; make it now rely entirely on the 898 TLSA as an anchor. Checking the name on the leaf cert against the name 899 on the A-record for the host is still done for TA (but not for EE mode). 900 901JH/27 Fix logging of proxy address. Previously, a pointless "PRX=[]:0" would be 902 included in delivery lines for non-proxied connections, when compiled with 903 SUPPORT_SOCKS and running with proxy logging enabled. 904 905JH/28 Bug 2314: Fire msg:fail:delivery event even when error is being ignored. 906 Developement by Matthias Kurz, tweaked by JH. While in that bit of code, 907 move the existing event to fire before the normal logging of message 908 failure so that custom logging is bracketed by normal logging. 909 910JH/29 Bug 2322: A "fail" command in a non-system filter (file) now fires the 911 msg:fail:internal event. Developement by Matthias Kurz. 912 913JH/30 Bug 2329: Increase buffer size used for dns lookup from 2k, which was 914 far too small for todays use of crypto signatures stored there. Go all 915 the way to the max DNS message size of 64kB, even though this might be 916 overmuch for IOT constrained device use. 917 918JH/31 Fix a bad use of a copy function, which could be used to pointlessly 919 copy a string over itself. The library routine is documented as not 920 supporting overlapping copies, and on MacOS it actually raised a SIGABRT. 921 922JH/32 For main options check_spool_space and check_inode_space, where the 923 platform supports 64b integers, support more than the previous 2^31 kB 924 (i.e. more than 2 TB). Accept E, P and T multipliers in addition to 925 the previous G, M, k. 926 927JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the 928 $authenticated_fail_id variable on authentication failure. Previously 929 it was unset. 930 931JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0 932 OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for 933 more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to 934 GNUTLS_SEC_PARAM_MEDIUM. 935 936JH/35 OpenSSL: fail the handshake when SNI processing hits a problem, server 937 side. Previously we would continue as if no SNI had been received. 938 939JH/36 Harden the handling of string-lists. When a list consisted of a sole 940 "<" character, which should be a list-separator specification, we walked 941 off past the nul-terimation. 942 943JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external 944 causes) even when the retry time is not yet met. Previously they were 945 not, meaning that when (say) an account was over-quota and temp-rejecting, 946 and multiple senders' messages were queued, only one sender would get 947 notified on each configured delay_warning cycle. 948 949JH/38 Bug 2351: Log failures to extract envelope addresses from message headers. 950 951JH/39 OpenSSL: clear the error stack after an SSL_accept(). With anon-auth 952 cipher-suites, an error can be left on the stack even for a succeeding 953 accept; this results in impossible error messages when a later operation 954 actually does fail. 955 956AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they 957 return error codes indicating retry. Under TLS1.3 this becomes required. 958 959JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT. Previously 960 it only wrote the new authenticators, resulting in a lack of tracking of 961 peer changes of ESMTP extensions until the next cache flush. 962 963JH/41 Fix the loop reading a message header line to check for integer overflow, 964 and more-often against header_maxsize. Previously a crafted message could 965 induce a crash of the recive process; now the message is cleanly rejected. 966 967JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had 968 been totally disabled for all of 4.91. Discovery and fix by "Mad Alex". 969 970 971Exim version 4.91 972----------------- 973 974GF/01 DEFER rather than ERROR on redis cluster MOVED response. 975 When redis_servers is set to a list of > 1 element, and the Redis servers 976 in that list are in cluster configuration, convert the REDIS_REPLY_ERROR 977 case of MOVED into a DEFER case instead, thus moving the query onto the 978 next server in the list. For a cluster of N elements, all N servers must 979 be defined in redis_servers. 980 981GF/02 Catch and remove uninitialized value warning in exiqsumm 982 Check for existence of @ARGV before looking at $ARGV[0] 983 984JH/01 Replace the store_release() internal interface with store_newblock(), 985 which internalises the check required to safely use the old one, plus 986 the allocate and data copy operations duplicated in both (!) of the 987 extant use locations. 988 989JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL 990 modifier. This matches the restriction on the commandline. 991 992JH/03 Fix pgsql lookup for multiple result-tuples with a single column. 993 Previously only the last row was returned. 994 995JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously 996 we assumed that tags in the header were well-formed, and parsed the 997 element content after inspecting only the first char of the tag. 998 Assumptions at that stage could crash the receive process on malformed 999 input. 1000 1001JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL. 1002 While running the DKIM ACL we operate on the Permanent memory pool so that 1003 variables created with "set" persist to the DATA ACL. Also (at any time) 1004 DNS lookups that fail create cache records using the Permanent pool. But 1005 expansions release any allocations made on the current pool - so a dnsdb 1006 lookup expansion done in the DKIM ACL releases the memory used for the 1007 DNS negative-cache, and bad things result. Solution is to switch to the 1008 Main pool for expansions. 1009 While we're in that code, add checks on the DNS cache during store_reset, 1010 active in the testsuite. 1011 Problem spotted, and debugging aided, by Wolfgang Breyha. 1012 1013JH/06 Fix issue with continued-connections when the DNS shifts unreliably. 1014 When none of the hosts presented to a transport match an already-open 1015 connection, close it and proceed with the list. Previously we would 1016 queue the message. Spotted by Lena with Yahoo, probably involving 1017 round-robin DNS. 1018 1019JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. 1020 Previously a spurious "250 OK id=" response was appended to the proper 1021 failure response. 1022 1023JH/08 The "support for" informational output now, which built with Content 1024 Scanning support, has a line for the malware scanner interfaces compiled 1025 in. Interface can be individually included or not at build time. 1026 1027JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included 1028 by the template makefile "src/EDITME". The "STREAM" support for an older 1029 ClamAV interface method is removed. 1030 1031JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of 1032 rows affected is given instead). 1033 1034JH/11 The runtime Berkeley DB library version is now additionally output by 1035 "exim -d -bV". Previously only the compile-time version was shown. 1036 1037JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating 1038 SMTP connection. Previously, when one had more recipients than the 1039 first, an abortive onward connection was made. Move to full support for 1040 multiple onward connections in sequence, handling cutthrough connection 1041 for all multi-message initiating connections. 1042 1043JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by 1044 routers. Previously, a multi-recipient message would fail to match the 1045 onward-connection opened for the first recipient, and cause its closure. 1046 1047JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as 1048 a timeout on read on a GnuTLS initiating connection, resulting in the 1049 initiating connection being dropped. This mattered most when the callout 1050 was marked defer_ok. Fix to keep the two timeout-detection methods 1051 separate. 1052 1053JH/15 Relax results from ACL control request to enable cutthrough, in 1054 unsupported situations, from error to silently (except under debug) 1055 ignoring. This covers use with PRDR, frozen messages, queue-only and 1056 fake-reject. 1057 1058HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) 1059 1060JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc 1061 metadata, resulting in a crash in free(). 1062 1063PP/01 Fix broken Heimdal GSSAPI authenticator integration. 1064 Broken in f2ed27cf5, missing an equals sign for specified-initialisers. 1065 Broken also in d185889f4, with init system revamp. 1066 1067JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner. 1068 Previously we abruptly closed the connection after reading a malware- 1069 found indication; now we go on to read the "scan ok" response line, 1070 and send a quit. 1071 1072JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail 1073 ACL. Previously, a crash would result. 1074 1075JH/19 Speed up macro lookups during configuration file read, by skipping non- 1076 macro text after a replacement (previously it was only once per line) and 1077 by skipping builtin macros when searching for an uppercase lead character. 1078 1079JH/20 DANE support moved from Experimental to mainline. The Makefile control 1080 for the build is renamed. 1081 1082JH/21 Fix memory leak during multi-message connections using STARTTLS. A buffer 1083 was allocated for every new TLS startup, meaning one per message. Fix 1084 by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS). 1085 1086JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC 1087 reported the original. Fix to report (as far as possible) the ACL 1088 result replacing the original. 1089 1090JH/23 Fix memory leak during multi-message connections using STARTTLS under 1091 OpenSSL. Certificate information is loaded for every new TLS startup, 1092 and the resources needed to be freed. 1093 1094JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames. 1095 1096JH/25 Fix utf8_downconvert propagation through a redirect router. Previously it 1097 was not propagated. 1098 1099JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall 1100 DATA response info to the (existing) per-recipient response info for 1101 the "C=" log element. It can have useful tracking info from the 1102 destination system. Patch from Simon Arlott. 1103 1104JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero- 1105 length value. Previously this would segfault. 1106 1107HS/02 Support Avast multiline protoocol, this allows passing flags to 1108 newer versions of the scanner. 1109 1110JH/28 Ensure that variables possibly set during message acceptance are marked 1111 dead before release of memory in the daemon loop. This stops complaints 1112 about them when the debug_store option is enabled. Discovered specifically 1113 for sender_rate_period, but applies to a whole set of variables. 1114 Do the same for the queue-runner and queue-list loops, for variables set 1115 from spool message files. Do the same for the SMTP per-message loop, for 1116 certain variables indirectly set in ACL operations. 1117 1118JH/29 Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such 1119 as a multi-recipient message from a mailinglist manager). The coding had 1120 an arbitrary cutoff number of characters while checking for more input; 1121 enforced by writing a NUL into the buffer. This corrupted long / fast 1122 input. The problem was exposed more widely when more pipelineing of SMTP 1123 responses was introduced, and one Exim system was feeding another. 1124 The symptom is log complaints of SMTP syntax error (NUL chars) on the 1125 receiving system, and refused recipients seen by the sending system 1126 (propating to people being dropped from mailing lists). 1127 Discovered and pinpointed by David Carter. 1128 1129JH/30 The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being 1130 replaced by the ${authresults } expansion. 1131 1132JH/31 Bug 2257: Fix pipe transport to not use a socket-only syscall. 1133 1134HS/03 Set a handler for SIGTERM and call exit(3) if running as PID 1. This 1135 allows proper process termination in container environments. 1136 1137JH/32 Bug 2258: Fix spool_wireformat in combination with LMTP transport. 1138 Previously the "final dot" had a newline after it; ensure it is CR,LF. 1139 1140JH/33 SPF: remove support for the "spf" ACL condition outcome values "err_temp" 1141 and "err_perm", deprecated since 4.83 when the RFC-defined words 1142 "temperror" and "permerror" were introduced. 1143 1144JH/34 Re-introduce enforcement of no cutthrough delivery on transports having 1145 transport-filters or DKIM-signing. The restriction was lost in the 1146 consolidation of verify-callout and delivery SMTP handling. 1147 Extend the restriction to also cover ARC-signing. 1148 1149JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses) 1150 in defer=pass mode supply a 450 to the initiator. Previously the message 1151 would be spooled. 1152 1153PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, 1154 tls_require_ciphers is used as before. 1155 1156HS/03 Malware Avast: Better match the Avast multiline protocol. Add 1157 "pass_unscanned". Only tmpfails from the scanner are written to 1158 the paniclog, as they may require admin intervention (permission 1159 denied, license issues). Other scanner errors (like decompression 1160 bombs) do not cause a paniclog entry. 1161 1162JH/36 Fix reinitialisation of DKIM logging variable between messages. 1163 Previously it was possible to log spurious information in receive log 1164 lines. 1165 1166JH/37 Bug 2255: Revert the disable of the OpenSSL session caching. This 1167 triggered odd behaviour from Outlook Express clients. 1168 1169PP/03 Add util/renew-opendmarc-tlds.sh script for safe renewal of public 1170 suffix list. 1171 1172JH/38 DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, 1173 since the IETF WG has not yet settled on that versus the original 1174 "bare" representation. 1175 1176JH/39 Fix syslog logging for syslog_timestamp=no and log_selector +millisec. 1177 Previously the millisecond value corrupted the output. 1178 Fix also for syslog_pid=no and log_selector +pid, for which the pid 1179 corrupted the output. 1180 1181 1182Exim version 4.90 1183----------------- 1184 1185JH/01 Rework error string handling in TLS interface so that the caller in 1186 more cases is responsible for logging. This permits library-sourced 1187 string to be attached to addresses during delivery, and collapses 1188 pairs of long lines into single ones. 1189 1190PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly 1191 during configuration. Wildcards are allowed and expanded. 1192 1193JH/02 Rework error string handling in DKIM to pass more info back to callers. 1194 This permits better logging. 1195 1196JH/03 Rework the transport continued-connection mechanism: when TLS is active, 1197 do not close it down and have the child transport start it up again on 1198 the passed-on TCP connection. Instead, proxy the child (and any 1199 subsequent ones) for TLS via a unix-domain socket channel. Logging is 1200 affected: the continued delivery log lines do not have any DNSSEC, TLS 1201 Certificate or OCSP information. TLS cipher information is still logged. 1202 1203JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of 1204 identical IP addresses on different listening ports. Will also affect 1205 "exiwhat" output. 1206 1207PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers; 1208 add noisy ifdef guards to special-case this sillyness. 1209 Patch from Bernd Kuhls. 1210 1211JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger 1212 than 255 are no longer allowed. 1213 1214JH/06 Default openssl_options to include +no_ticket, to reduce load on peers. 1215 Disable the session-cache too, which might reduce our load. Since we 1216 currrectly use a new context for every connection, both as server and 1217 client, there is no benefit for these. 1218 GnuTLS appears to not support tickets server-side by default (we don't 1219 call gnutls_session_ticket_enable_server()) but client side is enabled 1220 by default on recent versions (3.1.3 +) unless the PFS priority string 1221 is used (3.2.4 +). 1222 1223PP/03 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at 1224 <https://reproducible-builds.org/specs/source-date-epoch/>. 1225 1226JH/07 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously 1227 the check for any unsuccessful recipients did not notice the limit, and 1228 erroneously found still-pending ones. 1229 1230JH/08 Pipeline CHUNKING command and data together, on kernels that support 1231 MSG_MORE. Only in-clear (not on TLS connections). 1232 1233JH/09 Avoid using a temporary file during transport using dkim. Unless a 1234 transport-filter is involved we can buffer the headers in memory for 1235 creating the signature, and read the spool data file once for the 1236 signature and again for transmission. 1237 1238JH/10 Enable use of sendfile in Linux builds as default. It was disabled in 1239 4.77 as the kernel support then wasn't solid, having issues in 64bit 1240 mode. Now, it's been long enough. Add support for FreeBSD also. 1241 1242JH/11 Bug 2104: Fix continued use of a transport connection with TLS. In the 1243 case where the routing stage had gathered several addresses to send to 1244 a host before calling the transport for the first, we previously failed 1245 to close down TLS in the old transport process before passing the TCP 1246 connection to the new process. The new one sent a STARTTLS command 1247 which naturally failed, giving a failed delivery and bloating the retry 1248 database. Investigation and fix prototype from Wolfgang Breyha. 1249 1250JH/12 Fix check on SMTP command input synchronisation. Previously there were 1251 false-negatives in the check that the sender had not preempted a response 1252 or prompt from Exim (running as a server), due to that code's lack of 1253 awareness of the SMTP input buffering. 1254 1255PP/04 Add commandline_checks_require_admin option. 1256 Exim drops privileges sanely, various checks such as -be aren't a 1257 security problem, as long as you trust local users with access to their 1258 own account. When invoked by services which pass untrusted data to 1259 Exim, this might be an issue. Set this option in main configuration 1260 AND make fixes to the calling application, such as using `--` to stop 1261 processing options. 1262 1263JH/13 Do pipelining under TLS. Previously, although safe, no advantage was 1264 taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server) 1265 responses to those, into a single TLS record each way (this usually means 1266 a single packet). As a side issue, smtp_enforce_sync now works on TLS 1267 connections. 1268 1269PP/05 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This 1270 affects you only if you're dancing at the edge of the param size limits. 1271 If you are, and this message makes sense to you, then: raise the 1272 configured limit or use OpenSSL 1.1. Nothing we can do for older 1273 versions. 1274 1275JH/14 For the "sock" variant of the malware scanner interface, accept an empty 1276 cmdline element to get the documented default one. Previously it was 1277 inaccessible. 1278 1279JH/15 Fix a crash in the smtp transport caused when two hosts in succession 1280 are unsuable for non-message-specific reasons - eg. connection timeout, 1281 banner-time rejection. 1282 1283JH/16 Fix logging of delivery remote port, when specified by router, under 1284 callout/hold. 1285 1286PP/06 Repair manualroute's ability to take options in any order, even if one 1287 is the name of a transport. 1288 Fixes bug 2140. 1289 1290HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369) 1291 1292JH/17 Change the list-building routines interface to use the expanding-string 1293 triplet model, for better allocation and copying behaviour. 1294 1295JH/18 Prebuild the data-structure for "builtin" macros, for faster startup. 1296 Previously it was constructed the first time a possibly-matching string 1297 was met in the configuration file input during startup; now it is done 1298 during compilation. 1299 1300JH/19 Bug 2141: Use the full-complex API for Berkeley DB rather than the legacy- 1301 compatible one, to avoid the (poorly documented) possibility of a config 1302 file in the working directory redirecting the DB files, possibly correpting 1303 some existing file. CVE-2017-10140 assigned for BDB. 1304 1305JH/20 Bug 2147: Do not defer for a verify-with-callout-and-random which is not 1306 cache-hot. Previously, although the result was properly cached, the 1307 initial verify call returned a defer. 1308 1309JH/21 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but 1310 the main verify for receipient in uncached-mode. 1311 1312JH/22 Retire historical build files to an "unsupported" subdir. These are 1313 defined as "ones for which we have no current evidence of testing". 1314 1315JH/23 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field, 1316 if present. Previously it was ignored. 1317 1318JH/24 Start using specified-initialisers in C structure init coding. This is 1319 a C99 feature (it's 2017, so now considered safe). 1320 1321JH/25 Use one-bit bitfields for flags in the "addr" data structure. Previously 1322 if was a fixed-sized field and bitmask ops via macros; it is now more 1323 extensible. 1324 1325PP/07 GitHub PR 56: Apply MariaDB build fix. 1326 Patch provided by Jaroslav Škarvada. 1327 1328PP/08 Bug 2161: Fix regression in sieve quoted-printable handling introduced 1329 during Coverity cleanups [4.87 JH/47] 1330 Diagnosis and fix provided by Michael Fischer v. Mollard. 1331 1332JH/26 Fix DKIM bug: when the pseudoheader generated for signing was exactly 1333 the right size to place the terminating semicolon on its own folded 1334 line, the header hash was calculated to an incorrect value thanks to 1335 the (relaxed) space the fold became. 1336 1337HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked 1338 and confused the parent. 1339 1340JH/27 Fix SOCKS bug: an unitialized pointer was deref'd by the transport process 1341 which could crash as a result. This could lead to undeliverable messages. 1342 1343JH/28 Logging: "next input sent too soon" now shows where input was truncated 1344 for log purposes. 1345 1346JH/29 Fix queue_run_in_order to ignore the PID portion of the message ID. This 1347 matters on fast-turnover and PID-randomising systems, which were getting 1348 out-of-order delivery. 1349 1350JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for 1351 a possibly-overlapping copy. The symptom was that "Remote host closed 1352 connection in response to HELO" was logged instead of the actual 4xx 1353 error for the HELO. 1354 1355JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error. 1356 Previously only that bufferd was discarded, resulting in SYMTP command 1357 desynchronisation. 1358 1359JH/32 DKIM: when a message has multiple signatures matching an identity given 1360 in dkim_verify_signers, run the dkim acl once for each. Previously only 1361 one run was done. Bug 2189. 1362 1363JH/33 Downgrade an unfound-list name (usually a typo in the config file) from 1364 "panic the current process" to "deliberately defer". The panic log is 1365 still written with the problem list name; the mail and reject logs now 1366 get a temp-reject line for the message that was being handled, saying 1367 something like "domains check lookup or other defer". The SMTP 451 1368 message is still "Temporary local problem". 1369 1370JH/34 Bug 2199: Fix a use-after-free while reading smtp input for header lines. 1371 A crafted sequence of BDAT commands could result in in-use memory beeing 1372 freed. CVE-2017-16943. 1373 1374HS/03 Bug 2201: Fix checking for leading-dot on a line during headers reading 1375 from SMTP input. Previously it was always done; now only done for DATA 1376 and not BDAT commands. CVE-2017-16944. 1377 1378JH/35 Bug 2201: Flush received data in BDAT mode after detecting an error fatal 1379 to the message (such as an overlong header line). Previously this was 1380 not done and we did not exit BDAT mode. Followon from the previous item 1381 though a different problem. 1382 1383 1384Exim version 4.89 1385----------------- 1386 1387JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules 1388 than -2003 did; needs libidn2 in addition to libidn. 1389 1390JH/02 The path option on a pipe transport is now expanded before use. 1391 1392PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections. 1393 Patch provided by "Björn", documentation fix added too. 1394 1395JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was 1396 missing a wire-to-host endian conversion. 1397 1398JH/04 Bug 2004: fix CHUNKING in non-PIPELINEING mode. Chunk data following 1399 close after a BDAT command line could be taken as a following command, 1400 giving a synch failure. Fix by only checking for synch immediately 1401 before acknowledging the chunk. 1402 1403PP/02 GitHub PR 52: many spelling fixes, which include fixing parsing of 1404 no_require_dnssec option and creation of _HAVE_TRANSPORT_APPEND_MAILDIR 1405 macro. Patches provided by Josh Soref. 1406 1407JH/05 Have the EHLO response advertise VRFY, if there is a vrfy ACL defined. 1408 Previously we did not; the RFC seems ambiguous and VRFY is not listed 1409 by IANA as a service extension. However, John Klensin suggests that we 1410 should. 1411 1412JH/06 Bug 2017: Fix DKIM verification in -bh test mode. The data feed into 1413 the dkim code may be unix-mode line endings rather than smtp wire-format 1414 CRLF, so prepend a CR to any bare LF. 1415 1416JH/07 Rationalise the coding for callout smtp conversations and transport ones. 1417 As a side-benfit, callouts can now use PIPELINING hence fewer round-trips. 1418 1419JH/08 Bug 2016: Fix DKIM verification vs. CHUNKING. Any BDAT commands after 1420 the first were themselves being wrongly included in the feed into dkim 1421 processing; with most chunk sizes in use this resulted in an incorrect 1422 body hash calculated value. 1423 1424JH/09 Bug 2014: permit inclusion of a DKIM-Signature header in a received 1425 DKIM signature block, for verification. Although advised against by 1426 standards it is specifically not ruled illegal. 1427 1428JH/10 Bug 2025: Fix reception of (quoted) local-parts with embedded spaces. 1429 1430JH/11 Bug 2029: Fix crash in DKIM verification when a message signature block is 1431 missing a body hash (the bh= tag). 1432 1433JH/12 Bug 2018: Re-order Proxy Protocol startup versus TLS-on-connect startup. 1434 It seems that HAProxy sends the Proxy Protocol information in clear and 1435 only then does a TLS startup, so do the same. 1436 1437JH/13 Bug 2027: Avoid attempting to use TCP Fast Open for non-transport client 1438 TCP connections (such as for Spamd) unless the daemon successfully set 1439 Fast Open mode on its listening sockets. This fixes breakage seen on 1440 too-old kernels or those not configured for Fast Open, at the cost of 1441 requiring both directions being enabled for TFO, and TFO never being used 1442 by non-daemon-related Exim processes. 1443 1444JH/14 Bug 2000: Reject messages recieved with CHUNKING but with malformed line 1445 endings, at least on the first header line. Try to canonify any that get 1446 past that check, despite the cost. 1447 1448JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are 1449 now limited to an arbitrary five deep, while parsing addresses with the 1450 strip_excess_angle_brackets option enabled. 1451 1452PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and 1453 instead leave the unprompted TLS handshake in socket buffer for the 1454 TLS library to consume. 1455 1456PP/04 Bug 2018: Also handle Proxy Protocol v2 safely. 1457 1458PP/05 FreeBSD compat: handle that Ports no longer create /usr/bin/perl 1459 1460JH/16 Drop variables when they go out of scope. Memory management drops a whole 1461 region in one operation, for speed, and this leaves assigned pointers 1462 dangling. Add checks run only under the testsuite which checks all 1463 variables at a store-reset and panics on a dangling pointer; add code 1464 explicitly nulling out all the variables discovered. Fixes one known 1465 bug: a transport crash, where a dangling pointer for $sending_ip_address 1466 originally assigned in a verify callout, is re-used. 1467 1468PP/06 Drop '.' from @INC in various Perl scripts. 1469 1470PP/07 Switch FreeBSD iconv to always use the base-system libc functions. 1471 1472PP/08 Reduce a number of compilation warnings under clang; building with 1473 CC=clang CFLAGS+=-Wno-dangling-else -Wno-logical-op-parentheses 1474 should be warning-free. 1475 1476JH/17 Fix inbound CHUNKING when DKIM disabled at runtime. 1477 1478HS/01 Fix portability problems introduced by PP/08 for platforms where 1479 realloc(NULL) is not equivalent to malloc() [SunOS et al]. 1480 1481HS/02 Bug 1974: Fix missing line terminator on the last received BDAT 1482 chunk. This allows us to accept broken chunked messages. We need a more 1483 general solution here. 1484 1485PP/09 Wrote util/chunking_fixqueue_finalnewlines.pl to help recover 1486 already-broken messages in the queue. 1487 1488JH/18 Bug 2061: Fix ${extract } corrupting an enclosing ${reduce } $value. 1489 1490JH/19 Fix reference counting bug in routing-generated-address tracking. 1491 1492 1493Exim version 4.88 1494----------------- 1495 1496JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination 1497 supports it and a size is available (ie. the sending peer gave us one). 1498 1499JH/02 The obsolete acl condition "demime" is removed (finally, after ten 1500 years of being deprecated). The replacements are the ACLs 1501 acl_smtp_mime and acl_not_smtp_mime. 1502 1503JH/03 Upgrade security requirements imposed for hosts_try_dane: previously 1504 a downgraded non-dane trust-anchor for the TLS connection (CA-style) 1505 or even an in-clear connection were permitted. Now, if the host lookup 1506 was dnssec and dane was requested then the host is only used if the 1507 TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority 1508 MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) 1509 if one fails this test. 1510 This means that a poorly-configured remote DNS will make it incommunicado; 1511 but it protects against a DNS-interception attack on it. 1512 1513JH/04 Bug 1810: make continued-use of an open smtp transport connection 1514 non-noisy when a race steals the message being considered. 1515 1516JH/05 If main configuration option tls_certificate is unset, generate a 1517 self-signed certificate for inbound TLS connections. 1518 1519JH/06 Bug 165: hide more cases of password exposure - this time in expansions 1520 in rewrites and routers. 1521 1522JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 1523 and logged a warning sing 4.83; now they are a configuration file error. 1524 1525JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name 1526 (lacking @domain). Apply the same qualification processing as RCPT. 1527 1528JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. 1529 1530JH/10 Support ${sha256:} applied to a string (as well as the previous 1531 certificate). 1532 1533JH/11 Cutthrough: avoid using the callout hints db on a verify callout when 1534 a cutthrough deliver is pending, as we always want to make a connection. 1535 This also avoids re-routing the message when later placing the cutthrough 1536 connection after a verify cache hit. 1537 Do not update it with the verify result either. 1538 1539JH/12 Cutthrough: disable when verify option success_on_redirect is used, and 1540 when routing results in more than one destination address. 1541 1542JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim 1543 signing (which inhibits the cutthrough capability). Previously only 1544 the presence of an option was tested; now an expansion evaluating as 1545 empty is permissible (obviously it should depend only on data available 1546 when the cutthrough connection is made). 1547 1548JH/14 Fix logging of errors under PIPELINING. Previously the log line giving 1549 the relevant preceding SMTP command did not note the pipelining mode. 1550 1551JH/15 Fix counting of empty lines in $body_linecount and $message_linecount. 1552 Previously they were not counted. 1553 1554JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same 1555 as one having no matching records. Previously we deferred the message 1556 that needed the lookup. 1557 1558JH/17 Fakereject: previously logged as a normal message arrival "<="; now 1559 distinguished as "(=". 1560 1561JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work 1562 for missing MX records. Previously it only worked for missing A records. 1563 1564JH/19 Bug 1850: support Radius libraries that return REJECT_RC. 1565 1566JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops 1567 after the data-go-ahead and data-ack. Patch from Jason Betts. 1568 1569JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results, 1570 even for a "none" policy. Patch from Tony Meyer. 1571 1572JH/22 Fix continued use of a connection for further deliveries. If a port was 1573 specified by a router, it must also match for the delivery to be 1574 compatible. 1575 1576JH/23 Bug 1874: fix continued use of a connection for further deliveries. 1577 When one of the recipients of a message was unsuitable for the connection 1578 (has no matching addresses), we lost track of needing to mark it 1579 deferred. As a result mail would be lost. 1580 1581JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO. 1582 1583JH/25 Decoding ACL controls is now done using a binary search; the source code 1584 takes up less space and should be simpler to maintain. Merge the ACL 1585 condition decode tables also, with similar effect. 1586 1587JH/26 Fix problem with one_time used on a redirect router which returned the 1588 parent address unchanged. A retry would see the parent address marked as 1589 delivered, so not attempt the (identical) child. As a result mail would 1590 be lost. 1591 1592JH/27 Fix a possible security hole, wherein a process operating with the Exim 1593 UID can gain a root shell. Credit to http://www.halfdog.net/ for 1594 discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim 1595 itself :( 1596 1597JH/28 Enable {spool,log} filesystem space and inode checks as default. 1598 Main config options check_{log,spool}_{inodes,space} are now 1599 100 inodes, 10MB unless set otherwise in the configuration. 1600 1601JH/29 Fix the connection_reject log selector to apply to the connect ACL. 1602 Previously it only applied to the main-section connection policy 1603 options. 1604 1605JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. 1606 1607PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created 1608 by me. Added RFC7919 DH primes as an alternative. 1609 1610PP/02 Unbreak build via pkg-config with new hash support when crypto headers 1611 are not in the system include path. 1612 1613JH/31 Fix longstanding bug with aborted TLS server connection handling. Under 1614 GnuTLS, when a session startup failed (eg because the client disconnected) 1615 Exim did stdio operations after fclose. This was exposed by a recent 1616 change which nulled out the file handle after the fclose. 1617 1618JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is 1619 signed directly by the cert-signing cert, rather than an intermediate 1620 OCSP-signing cert. This is the model used by LetsEncrypt. 1621 1622JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT. 1623 1624HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on 1625 an incoming connection. 1626 1627HS/02 Bug 1802: Do not half-close the connection after sending a request 1628 to rspamd. 1629 1630HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 1631 fallback to "prime256v1". 1632 1633JH/34 SECURITY: Use proper copy of DATA command in error message. 1634 Could leak key material. Remotely exploitable. CVE-2016-9963. 1635 1636 1637Exim version 4.87 1638----------------- 1639 1640JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16 1641 and 3.4.4 - once the server is enabled to respond to an OCSP request 1642 it does even when not requested, resulting in a stapling non-aware 1643 client dropping the TLS connection. 1644 1645TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to 1646 support variable-length bit vectors. No functional change. 1647 1648TF/02 Improve the consistency of logging incoming and outgoing interfaces. 1649 The I= interface field on outgoing lines is now after the H= remote 1650 host field, same as incoming lines. There is a separate 1651 outgoing_interface log selector which allows you to disable the 1652 outgoing I= field. 1653 1654JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write. 1655 If not running log_selector +smtp_connection the mainlog would be held 1656 open indefinitely after a "too many connections" event, including to a 1657 deleted file after a log rotate. Leave the per net connection logging 1658 leaving it open for efficiency as that will be quickly detected by the 1659 check on the next write. 1660 1661HS/01 Bug 1671: Fix post transport crash. 1662 Processing the wait-<transport> messages could crash the delivery 1663 process if the message IDs didn't exist for some reason. When 1664 using 'split_spool_directory=yes' the construction of the spool 1665 file name failed already, exposing the same netto behaviour. 1666 1667JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex & 1668 mime_regex ACL conditions. 1669 1670JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information 1671 to DSN fail messages (bounces): remote IP, remote greeting, remote response 1672 to HELO, local diagnostic string. 1673 1674JH/05 Downgrade message for a TLS-certificate-based authentication fail from 1675 log line to debug. Even when configured with a tls authenticator many 1676 client connections are expected to not authenticate in this way, so 1677 an authenticate fail is not an error. 1678 1679HS/02 Add the Exim version string to the process info. This way exiwhat 1680 gives some more detail about the running daemon. 1681 1682JH/06 Bug 1395: time-limit caching of DNS lookups, to the TTL value. This may 1683 matter for fast-change records such as DNSBLs. 1684 1685JH/07 Bug 1678: Always record an interface option value, if set, as part of a 1686 retry record, even if constant. There may be multiple transports with 1687 different interface settings and the retry behaviour needs to be kept 1688 distinct. 1689 1690JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments. 1691 1692JH/09 Bug 1700: ignore space & tab embedded in base64 during decode. 1693 1694JH/10 Bug 840: fix log_defer_output option of pipe transport 1695 1696JH/11 Bug 830: use same host for all RCPTS of a message, even under 1697 hosts_randomize. This matters a lot when combined with mua_wrapper. 1698 1699JH/12 Bug 1706: percent and underbar characters are no longer escaped by the 1700 ${quote_pgsql:<string>} operator. 1701 1702JH/13 Bug 1708: avoid misaligned access in cached lookup. 1703 1704JH/14 Change header file name for freeradius-client. Relevant if compiling 1705 with Radius support; from the Gentoo tree and checked under Fedora. 1706 1707JH/15 Bug 1712: Introduce $prdr_requested flag variable 1708 1709JH/16 Bug 1714: Permit an empty string as expansion result for transport 1710 option transport_filter, meaning no filtering. 1711 1712JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts. 1713 1714JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now 1715 defaults to "*" (all hosts). The variable is now available when not built 1716 with TLS, default unset, mainly to enable keeping the testsuite sane. 1717 If a server certificate is not supplied (via tls_certificate) an error is 1718 logged, and clients will find TLS connections fail on startup. Presumably 1719 they will retry in-clear. 1720 Packagers of Exim are strongly encouraged to create a server certificate 1721 at installation time. 1722 1723HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency 1724 with the $config_file variable. 1725 1726JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both 1727 in transport context, after the attempt, and per-recipient. The latter type 1728 is per host attempted. The event data is the error message, and the errno 1729 information encodes the lookup type (A vs. MX) used for the (first) host, 1730 and the trailing two digits of the smtp 4xx response. 1731 1732GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt 1733 to write to mainlog (or rejectlog, paniclog) in the window between file 1734 creation and permissions/ownership being changed. Particularly affects 1735 installations where exicyclog is run as root, rather than exim user; 1736 result is that the running daemon panics and dies. 1737 1738JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names. 1739 1740JH/21 Bug 1720: Add support for priority groups and weighted-random proxy 1741 selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options 1742 "pri" and "weight". Note that the previous implicit priority given by the 1743 list order is no longer honoured. 1744 1745JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalization 1746 for DKIM processing. 1747 1748JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build 1749 by defining SUPPORT_SOCKS. 1750 1751JH/26 Move PROXY support from Experimental to mainline, enabled for a build 1752 by defining SUPPORT_PROXY. Note that the proxy_required_hosts option 1753 is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}. 1754 variables are renamed to proxy_{local,external}_{address,port}. 1755 1756JH/27 Move Internationalisation support from Experimental to mainline, enabled 1757 for a build by defining SUPPORT_I18N 1758 1759JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts 1760 of the query string, and make ${quote_redis:} do that quoting. 1761 1762JH/29 Move Events support from Experimental to mainline, enabled by default 1763 and removable for a build by defining DISABLE_EVENT. 1764 1765JH/30 Updated DANE implementation code to current from Viktor Dukhovni. 1766 1767JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly 1768 cached by the daemon. 1769 1770JH/32 Move Redis support from Experimental to mainline, enabled for a build 1771 by defining LOOKUP_REDIS. The libhiredis library is required. 1772 1773JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit 1774 keys are given for lookup. 1775 1776JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM 1777 support, by using OpenSSL or GnuTLS library ones. This means DKIM is 1778 only supported when built with TLS support. The PolarSSL SHA routines 1779 are still used when the TLS library is too old for convenient support. 1780 1781JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option 1782 openssl_options), for security. OpenSSL forces this from version 1.1.0 1783 server-side so match that on older versions. 1784 1785JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh 1786 allocation for $value could be released as the expansion processing 1787 concluded, but leaving the global pointer active for it. 1788 1789JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response, 1790 and to use the domains and local_parts ACL conditions. 1791 1792JH/38 Fix cutthrough bug with body lines having a single dot. The dot was 1793 incorrectly not doubled on cutthrough transmission, hence seen as a 1794 body-termination at the receiving system - resulting in truncated mails. 1795 Commonly the sender saw a TCP-level error, and retransmitted the message 1796 via the normal store-and-forward channel. This could result in duplicates 1797 received - but deduplicating mailstores were liable to retain only the 1798 initial truncated version. 1799 1800JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64. 1801 1802JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS. 1803 1804JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While 1805 we're in there, support oversigning also; bug 1309. 1806 1807JH/42 Bug 1796: Fix error logged on a malware scanner connection failure. 1808 1809HS/04 Add support for keep_environment and add_environment options. 1810 1811JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain; 1812 either intentional arithmetic overflow during PRNG, or testing config- 1813 induced overflows. 1814 1815JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough 1816 delivery resulted in actual delivery. Cancel cutthrough before DATA 1817 stage. 1818 1819JH/45 Fix cutthrough, when connection not opened by verify and target hard- 1820 rejects a recipient: pass the reject to the originator. 1821 1822JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs. 1823 Many were false-positives and ignorable, but it's worth fixing the 1824 former class. 1825 1826JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also 1827 for the new environment-manipulation done at startup. Move the routines 1828 from being local to tls.c to being global via the os.c file. 1829 1830JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing 1831 an extract embedded as result-arg for a map, the first arg for extract 1832 is unavailable so we cannot tell if this is a numbered or keyed 1833 extraction. Accept either. 1834 1835 1836Exim version 4.86 1837----------------- 1838 1839JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now 1840 expanded. 1841 1842JH/02 The smtp transport option "multi_domain" is now expanded. 1843 1844JH/03 The smtp transport now requests PRDR by default, if the server offers 1845 it. 1846 1847JH/04 Certificate name checking on server certificates, when exim is a client, 1848 is now done by default. The transport option tls_verify_cert_hostnames 1849 can be used to disable this per-host. The build option 1850 EXPERIMENTAL_CERTNAMES is withdrawn. 1851 1852JH/05 The value of the tls_verify_certificates smtp transport and main options 1853 default to the word "system" to access the system default CA bundle. 1854 For GnuTLS, only version 3.0.20 or later. 1855 1856JH/06 Verification of the server certificate for a TLS connection is now tried 1857 (but not required) by default. The verification status is now logged by 1858 default, for both outbound TLS and client-certificate supplying inbound 1859 TLS connections 1860 1861JH/07 Changed the default rfc1413 lookup settings to disable calls. Few 1862 sites use this now. 1863 1864JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery 1865 Status Notification (bounce) messages are now MIME format per RFC 3464. 1866 Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised 1867 under the control of the dsn_advertise_hosts option, and routers may 1868 have a dsn_lasthop option. 1869 1870JH/09 A timeout of 2 minutes is now applied to all malware scanner types by 1871 default, modifiable by a malware= option. The list separator for 1872 the options can now be changed in the usual way. Bug 68. 1873 1874JH/10 The smtp_receive_timeout main option is now expanded before use. 1875 1876JH/11 The incoming_interface log option now also enables logging of the 1877 local interface on delivery outgoing connections. 1878 1879JH/12 The cutthrough-routing facility now supports multi-recipient mails, 1880 if the interface and destination host and port all match. 1881 1882JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a 1883 /defer_ok option. 1884 1885JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd. 1886 Patch from Andrew Lewis. 1887 1888JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition) 1889 now supports optional time-restrictions, weighting, and priority 1890 modifiers per server. Patch originally by <rommer@active.by>. 1891 1892JH/16 The spamd_address main option now supports a mixed list of local 1893 and remote servers. Remote servers can be IPv6 addresses, and 1894 specify a port-range. 1895 1896JH/17 Bug 68: The spamd_address main option now supports an optional 1897 timeout value per server. 1898 1899JH/18 Bug 1581: Router and transport options headers_add/remove can 1900 now have the list separator specified. 1901 1902JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry 1903 option values. 1904 1905JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails 1906 under OpenSSL. 1907 1908JH/21 Support for the A6 type of dns record is withdrawn. 1909 1910JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters 1911 rather than the verbs used. 1912 1913JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size 1914 from 255 to 1024 chars. 1915 1916JH/24 Verification callouts now attempt to use TLS by default. 1917 1918HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) 1919 are generic router options now. The defaults didn't change. 1920 1921JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. 1922 Original patch from Alexander Shikoff, worked over by JH. 1923 1924HS/02 Bug 1575: exigrep falls back to autodetection of compressed 1925 files if ZCAT_COMMAND is not executable. 1926 1927JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups. 1928 1929JH/27 Bug 286: Support SOA lookup in dnsdb lookups. 1930 1931JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN. 1932 Normally benign, it bites when the pair was led to by a CNAME; 1933 modern usage is to not canonicalize the domain to a CNAME target 1934 (and we were inconsistent anyway for A-only vs AAAA+A). 1935 1936JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards. 1937 1938JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse, 1939 when evaluating $sender_host_dnssec. 1940 1941JH/31 Check the HELO verification lookup for DNSSEC, adding new 1942 $sender_helo_dnssec variable. 1943 1944JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve. 1945 1946JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log. 1947 1948JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues. 1949 1950JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was 1951 documented as working, but never had. Support all but $spam_report. 1952 1953JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command 1954 added for tls authenticator. 1955 1956HS/03 Add perl_taintmode main config option 1957 1958 1959Exim version 4.85 1960----------------- 1961 1962TL/01 When running the test suite, the README says that variables such as 1963 no_msglog_check are global and can be placed anywhere in a specific 1964 test's script, however it was observed that placement needed to be near 1965 the beginning for it to behave that way. Changed the runtest perl 1966 script to read through the entire script once to detect and set these 1967 variables, reset to the beginning of the script, and then run through 1968 the script parsing/test process like normal. 1969 1970TL/02 The BSD's have an arc4random API. One of the functions to induce 1971 adding randomness was arc4random_stir(), but it has been removed in 1972 OpenBSD 5.5. Detect this OpenBSD version and skip calling this 1973 function when detected. 1974 1975JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now 1976 cause callback expansion. 1977 1978TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that 1979 syntax errors in an expansion can be treated as a string instead of 1980 logging or causing an error, due to the internal use of bool_lax 1981 instead of bool when processing it. 1982 1983JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for 1984 server certificates when making smtp deliveries. 1985 1986JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups. 1987 1988JH/04 Add ${sort {list}{condition}{extractor}} expansion item. 1989 1990TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep. 1991 1992TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups. 1993 Merged patch from Sebastian Wiedenroth. 1994 1995JH/05 Fix results-pipe from transport process. Several recipients, combined 1996 with certificate use, exposed issues where response data items split 1997 over buffer boundaries were not parsed properly. This eventually 1998 resulted in duplicates being sent. This issue only became common enough 1999 to notice due to the introduction of connection certificate information, 2000 the item size being so much larger. Found and fixed by Wolfgang Breyha. 2001 2002JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed 2003 size buffer was used, resulting in syntax errors when an expansion 2004 exceeded it. 2005 2006JH/07 Add support for directories of certificates when compiled with a GnuTLS 2007 version 3.3.6 or later. 2008 2009JH/08 Rename the TPDA experimental facility to Event Actions. The #ifdef 2010 is EXPERIMENTAL_EVENT, the main-configuration and transport options 2011 both become "event_action", the variables become $event_name, $event_data 2012 and $event_defer_errno. There is a new variable $verify_mode, usable in 2013 routers, transports and related events. The tls:cert event is now also 2014 raised for inbound connections, if the main configuration event_action 2015 option is defined. 2016 2017TL/06 In test suite, disable OCSP for old versions of openssl which contained 2018 early OCSP support, but no stapling (appears to be less than 1.0.0). 2019 2020JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on 2021 server certificate names available under the smtp transport option 2022 "tls_verify_cert_hostname" now do not permit multi-component wildcard 2023 matches. 2024 2025JH/10 Time-related extraction expansions from certificates now use the main 2026 option "timezone" setting for output formatting, and are consistent 2027 between OpenSSL and GnuTLS compilations. Bug 1541. 2028 2029JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047- 2030 encoded parameter in the incoming message. Bug 1558. 2031 2032JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now 2033 include certificate info, eximon was claiming there were spoolfile 2034 syntax errors. 2035 2036JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return. 2037 2038JH/14 Log delivery-related information more consistently, using the sequence 2039 "H=<name> [<ip>]" wherever possible. 2040 2041TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which 2042 are problematic for Debian distribution, omit them from the release 2043 tarball. 2044 2045JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature. 2046 2047JH/16 Fix string representation of time values on 64bit time_t architectures. 2048 Bug 1561. 2049 2050JH/17 Fix a null-indirection in certextract expansions when a nondefault 2051 output list separator was used. 2052 2053 2054Exim version 4.84 2055----------------- 2056TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static 2057 checkers that were complaining about end of non-void function with no 2058 return. 2059 2060JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers. 2061 This was a regression introduced in 4.83 by another bugfix. 2062 2063JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled. 2064 2065TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when 2066 EXPERIMENTAL_DSN is enabled. Fix from Wolfgang Breyha. 2067 2068 2069Exim version 4.83 2070----------------- 2071 2072TF/01 Correctly close the server side of TLS when forking for delivery. 2073 2074 When a message was received over SMTP with TLS, Exim failed to clear up 2075 the incoming connection properly after forking off the child process to 2076 deliver the message. In some situations the subsequent outgoing 2077 delivery connection happened to have the same fd number as the incoming 2078 connection previously had. Exim would try to use TLS and fail, logging 2079 a "Bad file descriptor" error. 2080 2081TF/02 Portability fix for building lookup modules on Solaris when the xpg4 2082 utilities have not been installed. 2083 2084JH/01 Fix memory-handling in use of acl as a conditional; avoid free of 2085 temporary space as the ACL may create new global variables. 2086 2087TL/01 LDAP support uses per connection or global context settings, depending 2088 upon the detected version of the libraries at build time. 2089 2090TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection 2091 to extract and use the src ip:port in logging and expansions as if it 2092 were a direct connection from the outside internet. PPv2 support was 2093 updated based on HAProxy spec change in May 2014. 2094 2095JH/02 Add ${listextract {number}{list}{success}{fail}}. 2096 2097TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents. 2098 Properly escape header and check for NULL return. 2099 2100PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok 2101 not dns_use_dnssec. 2102 2103JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp. 2104 2105TL/04 Add verify = header_names_ascii check to reject email with non-ASCII 2106 characters in header names, implemented as a verify condition. 2107 Contributed by Michael Fischer v. Mollard. 2108 2109TL/05 Rename SPF condition results err_perm and err_temp to standardized 2110 results permerror and temperror. Previous values are deprecated but 2111 still accepted. In a future release, err_perm and err_temp will be 2112 completely removed, which will be a backward incompatibility if the 2113 ACL tests for either of these two old results. Patch contributed by 2114 user bes-internal on the mailing list. 2115 2116JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau. 2117 2118JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log 2119 selectors, in both main and reject logs. 2120 2121JH/06 Log outbound-TLS and port details, subject to log selectors, for a 2122 failed delivery. 2123 2124JH/07 Add malware type "sock" for talking to simple daemon. 2125 2126JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport. 2127 2128JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in 2129 routers/transports under cutthrough routing. 2130 2131JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative 2132 numbers. Touch up "bool" conditional to keep the same definition. 2133 2134TL/06 Remove duplicated language in spec file from 4.82 TL/16. 2135 2136JH/11 Add dnsdb tlsa lookup. From Todd Lyons. 2137 2138JH/12 Expand items in router/transport headers_add or headers_remove lists 2139 individually rather than the list as a whole. Bug 1452. 2140 2141 Required for reasonable handling of multiple headers_ options when 2142 they may be empty; requires that headers_remove items with embedded 2143 colons must have them doubled (or the list-separator changed). 2144 2145TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly 2146 view the policy declared in the DMARC record. Currently, $dmarc_status 2147 is a combined value of both the record presence and the result of the 2148 analysis. 2149 2150JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455. 2151 2152JH/14 New options dnssec_request_domains, dnssec_require_domains on the 2153 dnslookup router and the smtp transport (applying to the forward 2154 lookup). 2155 2156TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list 2157 of ldap servers used for a specific lookup. Patch provided by Heiko 2158 Schlichting. 2159 2160JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups. 2161 New variable $lookup_dnssec_authenticated for observability. 2162 2163TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use. 2164 Patch submitted by Lars Timman. 2165 2166JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459. 2167 2168TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim. 2169 Requires trusted mode and valid format message id, aborts otherwise. 2170 Patch contributed by Heiko Schlichting. 2171 2172JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item 2173 certextract with support for various fields. Bug 1358. 2174 2175JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling 2176 is requested by default, modifiable by smtp transport option 2177 hosts_request_ocsp. 2178 2179JH/22 Expansion operators ${md5:string} and ${sha1:string} can now 2180 operate on certificate variables to give certificate fingerprints 2181 Also new ${sha256:cert_variable}. 2182 2183JH/23 The PRDR feature is moved from being Experimental into the mainline. 2184 2185TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from 2186 Christian Aistleitner. 2187 2188JH/24 The OCSP stapling feature is moved from Experimental into the mainline. 2189 2190TL/12 Bug 1444: Fix improper \r\n sequence handling when writing spool 2191 file. Patch from Wolfgang Breyha. 2192 2193JH/25 Expand the coverage of the delivery $host and $host_address to 2194 client authenticators run in verify callout. Bug 1476. 2195 2196JH/26 Port service names are now accepted for tls_on_connect_ports, to 2197 align with daemon_smtp_ports. Bug 72. 2198 2199TF/03 Fix udpsend. The ip_connectedsocket() function's socket type 2200 support and error reporting did not work properly. 2201 2202TL/13 Bug 1495: Exiqgrep check if -C config file specified on cli exists 2203 and is readable. Patch from Andrew Colin Kissa. 2204 2205TL/14 Enhance documentation of ${run expansion and how it parses the 2206 commandline after expansion, particularly in the case when an 2207 unquoted variable expansion results in an empty value. 2208 2209JH/27 The TLS SNI feature was broken in 4.82. Fix it. 2210 2211PP/02 Fix internal collision of T_APL on systems which support RFC3123 2212 by renaming away from it. Addresses GH issue 15, reported by 2213 Jasper Wallace. 2214 2215JH/28 Fix parsing of MIME headers for parameters with quoted semicolons. 2216 2217TL/15 SECURITY: prevent double expansion in math comparison functions 2218 (can expand unsanitized data). Not remotely exploitable. 2219 CVE-2014-2972 2220 2221 2222Exim version 4.82 2223----------------- 2224 2225PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities. 2226 2227PP/02 Make -n do something, by making it not do something. 2228 When combined with -bP, the name of an option is not output. 2229 2230PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured 2231 by GnuTLS. 2232 2233PP/04 First step towards DNSSEC, provide $sender_host_dnssec for 2234 $sender_host_name and config options to manage this, and basic check 2235 routines. 2236 2237PP/05 DSCP support for outbound connections and control modifier for inbound. 2238 2239PP/06 Cyrus SASL: set local and remote IP;port properties for driver. 2240 (Only plugin which currently uses this is kerberos4, which nobody should 2241 be using, but we should make it available and other future plugins might 2242 conceivably use it, even though it would break NAT; stuff *should* be 2243 using channel bindings instead). 2244 2245PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process 2246 name; added for Sendmail compatibility; requires admin caller. 2247 Handle -G as equivalent to "control = suppress_local_fixups" (we used to 2248 just ignore it); requires trusted caller. 2249 Also parse but ignore: -Ac -Am -X<logfile> 2250 Bugzilla 1117. 2251 2252TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing. 2253 2254TL/02 Add +smtp_confirmation as a default logging option. 2255 2256TL/03 Bugzilla 198 - Implement remove_header ACL modifier. 2257 Patch by Magnus Holmgren from 2007-02-20. 2258 2259TL/04 Bugzilla 1281 - Spec typo. 2260 Bugzilla 1283 - Spec typo. 2261 Bugzilla 1290 - Spec grammar fixes. 2262 2263TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation. 2264 2265TL/06 Add Experimental DMARC support using libopendmarc libraries. 2266 2267TL/07 Fix an out of order global option causing a segfault. Reported to dev 2268 mailing list by by Dmitry Isaikin. 2269 2270JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support. 2271 2272JH/02 Support "G" suffix to numbers in ${if comparisons. 2273 2274PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL. 2275 2276NM/01 Bugzilla 1197 - Spec typo 2277 Bugzilla 1196 - Spec examples corrections 2278 2279JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} 2280 2281PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called 2282 gnutls_enable_pkcs11, but renamed to more accurately indicate its 2283 function. 2284 2285PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC. 2286 Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler. 2287 2288JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition 2289 "acl {{name}{arg}...}", and optional args on acl condition 2290 "acl = name arg..." 2291 2292JH/05 Permit multiple router/transport headers_add/remove lines. 2293 2294JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination. 2295 2296JH/07 Avoid using a waiting database for a single-message-only transport. 2297 Performance patch from Paul Fisher. Bugzilla 1262. 2298 2299JH/08 Strip leading/trailing newlines from add_header ACL modifier data. 2300 Bugzilla 884. 2301 2302JH/09 Add $headers_added variable, with content from use of ACL modifier 2303 add_header (but not yet added to the message). Bugzilla 199. 2304 2305JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line. 2306 Pulled from Bugzilla 817 by Wolfgang Breyha. 2307 2308PP/11 SECURITY: protect DKIM DNS decoding from remote exploit. 2309 CVE-2012-5671 2310 (nb: this is the same fix as in Exim 4.80.1) 2311 2312JH/11 Add A= logging on delivery lines, and a client_set_id option on 2313 authenticators. 2314 2315JH/12 Add optional authenticated_sender logging to A= and a log_selector 2316 for control. 2317 2318PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29. 2319 2320PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not 2321 advertise SMTP AUTH mechanism to us, instead of a generic 2322 protocol violation error. Also, make Exim more robust to bad 2323 data from the Dovecot auth socket. 2324 2325TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients. 2326 2327 When a queue runner is handling a message, Exim first routes the 2328 recipient addresses, during which it prunes them based on the retry 2329 hints database. After that it attempts to deliver the message to 2330 any remaining recipients. It then updates the hints database using 2331 the retry rules. 2332 2333 So if a recipient address works intermittently, it can get repeatedly 2334 deferred at routing time. The retry hints record remains fresh so the 2335 address never reaches the final cutoff time. 2336 2337 This is a fairly common occurrence when a user is bumping up against 2338 their storage quota. Exim had some logic in its local delivery code 2339 to deal with this. However it did not apply to per-recipient defers 2340 in remote deliveries, e.g. over LMTP to a separate IMAP message store. 2341 2342 This change adds a proper retry rule check during routing so that the 2343 final cutoff time is checked against the message's age. We only do 2344 this check if there is an address retry record and there is not a 2345 domain retry record; this implies that previous attempts to handle 2346 the address had the retry_use_local_parts option turned on. We use 2347 this as an approximation for the destination being like a local 2348 delivery, as in LMTP. 2349 2350 I suspect this new check makes the old local delivery cutoff check 2351 redundant, but I have not verified this so I left the code in place. 2352 2353TF/02 Correct gecos expansion when From: is a prefix of the username. 2354 2355 Test 0254 submits a message to Exim with the header 2356 2357 Resent-From: f 2358 2359 When I ran the test suite under the user fanf2, Exim expanded 2360 the header to contain my full name, whereas it should have added 2361 a Resent-Sender: header. It erroneously treats any prefix of the 2362 username as equal to the username. 2363 2364 This change corrects that bug. 2365 2366GF/01 DCC debug and logging tidyup 2367 Error conditions log to paniclog rather than rejectlog. 2368 Debug lines prefixed by "DCC: " to remove any ambiguity. 2369 2370TF/03 Avoid unnecessary rebuilds of lookup-related code. 2371 2372PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server. 2373 Bug spotted by Jeremy Harris; was flawed since initial commit. 2374 Would have resulted in OCSP responses post-SNI triggering an Exim 2375 NULL dereference and crash. 2376 2377JH/13 Add $router_name and $transport_name variables. Bugzilla 308. 2378 2379PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd. 2380 Bug detection, analysis and fix by Samuel Thibault. 2381 Bugzilla 1331, Debian bug #698092. 2382 2383SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]' 2384 2385JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt). 2386 Server implementation by Todd Lyons, client by JH. 2387 Only enabled when compiled with EXPERIMENTAL_PRDR. A new 2388 config variable "prdr_enable" controls whether the server 2389 advertises the facility. If the client requests PRDR a new 2390 acl_data_smtp_prdr ACL is called once for each recipient, after 2391 the body content is received and before the acl_smtp_data ACL. 2392 The client is controlled by both of: a hosts_try_prdr option 2393 on the smtp transport, and the server advertisement. 2394 Default client logging of deliveries and rejections involving 2395 PRDR are flagged with the string "PRDR". 2396 2397PP/16 Fix problems caused by timeouts during quit ACLs trying to double 2398 fclose(). Diagnosis by Todd Lyons. 2399 2400PP/17 Update configure.default to handle IPv6 localhost better. 2401 Patch by Alain Williams (plus minor tweaks). 2402 Bugzilla 880. 2403 2404PP/18 OpenSSL made graceful with empty tls_verify_certificates setting. 2405 This is now consistent with GnuTLS, and is now documented: the 2406 previous undocumented portable approach to treating the option as 2407 unset was to force an expansion failure. That still works, and 2408 an empty string is now equivalent. 2409 2410PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it 2411 clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag, 2412 not performing validation itself. 2413 2414PP/20 Added force_command boolean option to pipe transport. 2415 Patch from Nick Koston, of cPanel Inc. 2416 2417JH/15 AUTH support on callouts (and hence cutthrough-deliveries). 2418 Bugzilla 321, 823. 2419 2420TF/04 Added udpsend ACL modifier and hexquote expansion operator 2421 2422PP/21 Fix eximon continuous updating with timestamped log-files. 2423 Broken in a format-string cleanup in 4.80, missed when I repaired the 2424 other false fix of the same issue. 2425 Report and fix from Heiko Schlichting. 2426 Bugzilla 1363. 2427 2428PP/22 Guard LDAP TLS usage against Solaris LDAP variant. 2429 Report from Prashanth Katuri. 2430 2431PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options. 2432 It's SecureTransport, so affects any MacOS clients which use the 2433 system-integrated TLS libraries, including email clients. 2434 2435PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if 2436 using a MIME ACL for non-SMTP local injection. 2437 Report and assistance in diagnosis by Warren Baker. 2438 2439TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver. 2440 2441JH/16 Fix comparisons for 64b. Bugzilla 1385. 2442 2443TL/09 Add expansion variable $authenticated_fail_id to keep track of 2444 last id that failed so it may be referenced in subsequent ACL's. 2445 2446TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by 2447 Alexander Miroch. 2448 2449TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls 2450 ldap library initialization, allowing self-signed CA's to be 2451 used. Also properly sets require_cert option later in code by 2452 using NULL (global ldap config) instead of ldap handle (per 2453 session). Bug diagnosis and testing by alxgomz. 2454 2455TL/12 Enhanced documentation in the ratelimit.pl script provided in 2456 the src/util/ subdirectory. 2457 2458TL/13 Bug 1031 - Imported transport SQL logging patch from Axel Rau 2459 renamed to Transport Post Delivery Action by Jeremy Harris, as 2460 EXPERIMENTAL_TPDA. 2461 2462TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled 2463 when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable 2464 redis_servers = needs to be configured which will be used by the redis 2465 lookup. Patch from Warren Baker, of The Packet Hub. 2466 2467TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall. 2468 2469TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a 2470 hostname or reverse DNS when processing a host list. Used suggestions 2471 from multiple comments on this bug. 2472 2473TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey. 2474 2475TL/18 Had previously added a -CONTINUE option to runtest in the test suite. 2476 Missed a few lines, added it to make the runtest require no keyboard 2477 interaction. 2478 2479TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite 2480 contains upper case chars. Make router use caseful_local_part. 2481 2482TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS 2483 support when GnuTLS has been built with p11-kit. 2484 2485 2486Exim version 4.80.1 2487------------------- 2488 2489PP/01 SECURITY: protect DKIM DNS decoding from remote exploit. 2490 CVE-2012-5671 2491 This, or similar/improved, will also be change PP/11 of 4.82. 2492 2493 2494Exim version 4.80 2495----------------- 2496 2497PP/01 Handle short writes when writing local log-files. 2498 In practice, only affects FreeBSD (8 onwards). 2499 Bugzilla 1053, with thanks to Dmitry Isaikin. 2500 2501NM/01 Bugzilla 949 - Documentation tweak 2502 2503NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps 2504 improved. 2505 2506NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs. 2507 2508PP/02 Implemented gsasl authenticator. 2509 2510PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option. 2511 2512PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use 2513 `pkg-config foo` for cflags/libs. 2514 2515PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent 2516 with rest of GSASL and with heimdal_gssapi. 2517 2518PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use 2519 `pkg-config foo` for cflags/libs for the TLS implementation. 2520 2521PP/07 New expansion variable $tls_bits; Cyrus SASL server connection 2522 properties get this fed in as external SSF. A number of robustness 2523 and debugging improvements to the cyrus_sasl authenticator. 2524 2525PP/08 cyrus_sasl server now expands the server_realm option. 2526 2527PP/09 Bugzilla 1214 - Log authentication information in reject log. 2528 Patch by Jeremy Harris. 2529 2530PP/10 Added dbmjz lookup type. 2531 2532PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid. 2533 2534PP/12 MAIL args handles TAB as well as SP, for better interop with 2535 non-compliant senders. 2536 Analysis and variant patch by Todd Lyons. 2537 2538NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated 2539 Bug report from Lars Müller <lars@samba.org> (via SUSE), 2540 Patch from Dirk Mueller <dmueller@suse.com> 2541 2542PP/13 tls_peerdn now print-escaped for spool files. 2543 Observed some $tls_peerdn in wild which contained \n, which resulted 2544 in spool file corruption. 2545 2546PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options" 2547 values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read 2548 or write after TLS renegotiation, which otherwise led to messages 2549 "Got SSL error 2". 2550 2551TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted 2552 as a tracking header (ie: a signed header comes before the signature). 2553 Patch from Wolfgang Breyha. 2554 2555JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a 2556 comma-sep list; embedded commas doubled. 2557 2558JH/02 Refactored ACL "verify =" logic to table-driven dispatch. 2559 2560PP/15 LDAP: Check for errors of TLS initialisation, to give correct 2561 diagnostics. 2562 Report and patch from Dmitry Banschikov. 2563 2564PP/16 Removed "dont_insert_empty_fragments" from "openssl_options". 2565 Removed SSL_clear() after SSL_new() which led to protocol negotiation 2566 failures. We appear to now support TLS1.1+ with Exim. 2567 2568PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate 2569 lets Exim select keys and certificates based upon TLS SNI from client. 2570 Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly 2571 before an outbound SMTP session. New log_selector, +tls_sni. 2572 2573PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid 2574 NULL dereference. Report and patch from Alun Jones. 2575 2576PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage 2577 on less well tested platforms). Obviates NetBSD pkgsrc patch-ac. 2578 Not seeing resolver debug output on NetBSD, but suspect this is a 2579 resolver implementation change. 2580 2581PP/20 Revert part of NM/04, it broke log_path containing %D expansions. 2582 Left warnings. Added "eximon gdb" invocation mode. 2583 2584PP/21 Defaulting "accept_8bitmime" to true, not false. 2585 2586PP/22 Added -bw for inetd wait mode support. 2587 2588PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to 2589 locate the relevant includes and libraries. Made this the default. 2590 2591PP/24 Fixed headers_only on smtp transports (was not sending trailing dot). 2592 Bugzilla 1246, report and most of solution from Tomasz Kusy. 2593 2594JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m"). 2595 This may cause build issues on older platforms. 2596 2597PP/25 Revamped GnuTLS support, passing tls_require_ciphers to 2598 gnutls_priority_init, ignoring Exim options gnutls_require_kx, 2599 gnutls_require_mac & gnutls_require_protocols (no longer supported). 2600 Added SNI support via GnuTLS too. 2601 Made ${randint:..} supplier available, if using not-too-old GnuTLS. 2602 2603PP/26 Added EXPERIMENTAL_OCSP for OpenSSL. 2604 2605PP/27 Applied dnsdb SPF support patch from Janne Snabb. 2606 Applied second patch from Janne, implementing suggestion to default 2607 multiple-strings-in-record handling to match SPF spec. 2608 2609JH/04 Added expansion variable $tod_epoch_l for a higher-precision time. 2610 2611PP/28 Fix DCC dcc_header content corruption (stack memory referenced, 2612 read-only, out of scope). 2613 Patch from Wolfgang Breyha, report from Stuart Northfield. 2614 2615PP/29 Fix three issues highlighted by clang analyser static analysis. 2616 Only crash-plausible issue would require the Cambridge-specific 2617 iplookup router and a misconfiguration. 2618 Report from Marcin Mirosław. 2619 2620PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy. 2621 2622PP/31 %D in printf continues to cause issues (-Wformat=security), so for 2623 now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS. 2624 As part of this, removing so much warning spew let me fix some minor 2625 real issues in debug logging. 2626 2627PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing 2628 assignment on my part. Fixed. 2629 2630PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit 2631 of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by 2632 Janne Snabb (who went above and beyond: thank you). 2633 2634PP/34 Validate tls_require_ciphers on startup, since debugging an invalid 2635 string otherwise requires a connection and a bunch more work and it's 2636 relatively easy to get wrong. Should also expose TLS library linkage 2637 problems. 2638 2639PP/35 Pull in <features.h> on Linux, for some portability edge-cases of 2640 64-bit ${eval} (JH/03). 2641 2642PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of 2643 GNU libc to support some of the 64-bit stuff, should not lead to 2644 conflicts. Defined before os.h is pulled in, so if a given platform 2645 needs to override this, it can. 2646 2647PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought 2648 protection layer was required, which is not implemented. 2649 Bugzilla 1254, patch from Wolfgang Breyha. 2650 2651PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built 2652 into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make 2653 tls_dhparam take prime identifiers. Also unbreak combination of 2654 OpenSSL+DH_params+TLSSNI. 2655 2656PP/39 Disable SSLv2 by default in OpenSSL support. 2657 2658 2659Exim version 4.77 2660----------------- 2661 2662PP/01 Solaris build fix for Oracle's LDAP libraries. 2663 Bugzilla 1109, patch from Stephen Usher. 2664 2665TF/01 HP/UX build fix: avoid arithmetic on a void pointer. 2666 2667TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o 2668 whitespace trailer 2669 2670TF/02 Fix a couple more cases where we did not log the error message 2671 when unlink() failed. See also change 4.74-TF/03. 2672 2673TF/03 Make the exiwhat support code safe for signals. Previously Exim might 2674 lock up or crash if it happened to be inside a call to libc when it 2675 got a SIGUSR1 from exiwhat. 2676 2677 The SIGUSR1 handler appends the current process status to the process 2678 log which is later printed by exiwhat. It used to use the general 2679 purpose logging code to do this, but several functions it calls are 2680 not safe for signals. 2681 2682 The new output code in the SIGUSR1 handler is specific to the process 2683 log, and simple enough that it's easy to inspect for signal safety. 2684 Removing some special cases also simplifies the general logging code. 2685 Removing the spurious timestamps from the process log simplifies 2686 exiwhat. 2687 2688TF/04 Improved ratelimit ACL condition. 2689 2690 The /noupdate option has been deprecated in favour of /readonly which 2691 has clearer semantics. The /leaky, /strict, and /readonly update modes 2692 are mutually exclusive. The update mode is no longer included in the 2693 database key; it just determines when the database is updated. (This 2694 means that when you upgrade Exim will forget old rate measurements.) 2695 2696 Exim now checks that the per_* options are used with an update mode that 2697 makes sense for the current ACL. For example, when Exim is processing a 2698 message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify 2699 per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you 2700 must specify per_mail/readonly. If you omit the update mode it defaults to 2701 /leaky where that makes sense (as before) or /readonly where required. 2702 2703 The /noupdate option is now undocumented but still supported for 2704 backwards compatibility. It is equivalent to /readonly except that in 2705 ACLs where /readonly is required you may specify /leaky/noupdate or 2706 /strict/noupdate which are treated the same as /readonly. 2707 2708 A useful new feature is the /count= option. This is a generalization 2709 of the per_byte option, so that you can measure the throughput of other 2710 aggregate values. For example, the per_byte option is now equivalent 2711 to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }. 2712 2713 The per_rcpt option has been generalized using the /count= mechanism 2714 (though it's more complicated than the per_byte equivalence). When it is 2715 used in acl_smtp_rcpt, the per_rcpt option adds recipients to the 2716 measured rate one at a time; if it is used later (e.g. in acl_smtp_data) 2717 or in a non-SMTP ACL it adds all the recipients in one go. (The latter 2718 /count=$recipients_count behaviour used to work only in non-SMTP ACLs.) 2719 Note that using per_rcpt with a non-readonly update mode in more than 2720 one ACL will cause the recipients to be double-counted. (The per_mail 2721 and per_byte options don't have this problem.) 2722 2723 The handling of very low rates has changed slightly. If the computed rate 2724 is less than the event's count (usually one) then this event is the first 2725 after a long gap. In this case the rate is set to the same as this event's 2726 count, so that the first message of a spam run is counted properly. 2727 2728 The major new feature is a mechanism for counting the rate of unique 2729 events. The new per_addr option counts the number of different 2730 recipients that someone has sent messages to in the last time period. It 2731 behaves like per_rcpt if all the recipient addresses are different, but 2732 duplicate recipient addresses do not increase the measured rate. Like 2733 the /count= option this is a general mechanism, so the per_addr option 2734 is equivalent to per_rcpt/unique=$local_part@$domain. You can, for 2735 example, measure the rate that a client uses different sender addresses 2736 with the options per_mail/unique=$sender_address. There are further 2737 details in the main documentation. 2738 2739TF/05 Removed obsolete $Cambridge$ CVS revision strings. 2740 2741TF/06 Removed a few PCRE remnants. 2742 2743TF/07 Automatically extract Exim's version number from tags in the git 2744 repository when doing development or release builds. 2745 2746PP/02 Raise smtp_cmd_buffer_size to 16kB. 2747 Bugzilla 879. Patch from Paul Fisher. 2748 2749PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport. 2750 Heavily based on revision 40f9a89a from Simon Arlott's tree. 2751 Bugzilla 97. 2752 2753PP/04 Use .dylib instead of .so for dynamic library loading on MacOS. 2754 2755PP/05 Variable $av_failed, true if the AV scanner deferred. 2756 Bugzilla 1078. Patch from John Horne. 2757 2758PP/06 Stop make process more reliably on build failure. 2759 Bugzilla 1087. Patch from Heiko Schlittermann. 2760 2761PP/07 Make maildir_use_size_file an _expandable_ boolean. 2762 Bugzilla 1089. Patch from Heiko Schlittermann. 2763 2764PP/08 Handle ${run} returning more data than OS pipe buffer size. 2765 Bugzilla 1131. Patch from Holger Weiß. 2766 2767PP/09 Handle IPv6 addresses with SPF. 2768 Bugzilla 860. Patch from Wolfgang Breyha. 2769 2770PP/10 GnuTLS: support TLS 1.2 & 1.1. 2771 Bugzilla 1156. 2772 Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler]. 2773 Bugzilla 1095. 2774 2775PP/11 match_* no longer expand right-hand-side by default. 2776 New compile-time build option, EXPAND_LISTMATCH_RHS. 2777 New expansion conditions, "inlist", "inlisti". 2778 2779PP/12 fix uninitialised greeting string from PP/03 (smtps client support). 2780 2781PP/13 shell and compiler warnings fixes for RC1-RC4 changes. 2782 2783PP/14 fix log_write() format string regression from TF/03. 2784 Bugzilla 1152. Patch from Dmitry Isaikin. 2785 2786 2787Exim version 4.76 2788----------------- 2789 2790PP/01 The new ldap_require_cert option would segfault if used. Fixed. 2791 2792PP/02 Harmonised TLS library version reporting; only show if debugging. 2793 Layout now matches that introduced for other libraries in 4.74 PP/03. 2794 2795PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1 2796 2797PP/04 New "dns_use_edns0" global option. 2798 2799PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid. 2800 Bugzilla 1098. 2801 2802PP/06 Extra paranoia around buffer usage at the STARTTLS transition. 2803 nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316 2804 2805TK/01 Updated PolarSSL code to 0.14.2. 2806 Bugzilla 1097. Patch from Andreas Metzler. 2807 2808PP/07 Catch divide-by-zero in ${eval:...}. 2809 Fixes bugzilla 1102. 2810 2811PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed. 2812 Bugzilla 1104. 2813 2814TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a 2815 format-string attack -- SECURITY: remote arbitrary code execution. 2816 2817TK/03 SECURITY - DKIM signature header parsing was double-expanded, second 2818 time unintentionally subject to list matching rules, letting the header 2819 cause arbitrary Exim lookups (of items which can occur in lists, *not* 2820 arbitrary string expansion). This allowed for information disclosure. 2821 2822PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to 2823 INT_MIN/-1 -- value coerced to INT_MAX. 2824 2825 2826Exim version 4.75 2827----------------- 2828 2829NM/01 Workaround for PCRE version dependency in version reporting 2830 Bugzilla 1073 2831 2832TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0. 2833 This fixes portability to compilers other than gcc, notably 2834 Solaris CC and HP-UX CC. Fixes Bugzilla 1050. 2835 2836TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup 2837 makefiles for portability to HP-UX and POSIX correctness. 2838 2839PP/01 Permit LOOKUP_foo enabling on the make command-line. 2840 Also via indented variable definition in the Makefile. 2841 (Debugging by Oliver Heesakkers). 2842 2843PP/02 Restore caching of spamd results with expanded spamd_address. 2844 Patch from author of expandable spamd_address patch, Wolfgang Breyha. 2845 2846PP/03 Build issue: lookups-Makefile now exports LC_ALL=C 2847 Improves build reliability. Fix from: Frank Elsner 2848 2849NM/02 Fix wide character breakage in the rfc2047 coding 2850 Fixes bug 1064. Patch from Andrey N. Oktyabrski 2851 2852NM/03 Allow underscore in dnslist lookups 2853 Fixes bug 1026. Patch from Graeme Fowler 2854 2855PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps). 2856 Code patches from Adam Ciarcinski of NetBSD. 2857 2858NM/04 Fixed exiqgrep to cope with mailq missing size issue 2859 Fixes bug 943. 2860 2861PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which 2862 is logged, to avoid truncation. Patch from John Horne. 2863 2864PP/06 Bugzilla 1042: implement freeze_signal on pipe transports. 2865 Patch from Jakob Hirsch. 2866 2867PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal 2868 SQL string expansion failure details. 2869 Patch from Andrey Oktyabrski. 2870 2871PP/08 Bugzilla 486: implement %M datestamping in log filenames. 2872 Patch from Simon Arlott. 2873 2874PP/09 New lookups functionality failed to compile on old gcc which rejects 2875 extern declarations in function scope. 2876 Patch from Oliver Fleischmann 2877 2878PP/10 Use sig_atomic_t for flags set from signal handlers. 2879 Check getgroups() return and improve debugging. 2880 Fixed developed for diagnosis in bug 927 (which turned out to be 2881 a kernel bug). 2882 2883PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag. 2884 Patch from Mark Zealey. 2885 2886PP/12 Bugzilla 1056: Improved spamd server selection. 2887 Patch from Mark Zealey. 2888 2889PP/13 Bugzilla 1086: Deal with maildir quota file races. 2890 Based on patch from Heiko Schlittermann. 2891 2892PP/14 Bugzilla 1019: DKIM multiple signature generation fix. 2893 Patch from Uwe Doering, sign-off by Michael Haardt. 2894 2895NM/05 Fix to spam.c to accommodate older gcc versions which dislike 2896 variable declaration deep within a block. Bug and patch from 2897 Dennis Davis. 2898 2899PP/15 lookups-Makefile IRIX compatibility coercion. 2900 2901PP/16 Make DISABLE_DKIM build knob functional. 2902 2903NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler 2904 Patch by Simon Arlott 2905 2906TF/03 Fix valgrind.h portability to C89 compilers that do not support 2907 variable argument macros. Our copy now differs from upstream. 2908 2909 2910Exim version 4.74 2911----------------- 2912 2913TF/01 Failure to get a lock on a hints database can have serious 2914 consequences so log it to the panic log. 2915 2916TF/02 Log LMTP confirmation messages in the same way as SMTP, 2917 controlled using the smtp_confirmation log selector. 2918 2919TF/03 Include the error message when we fail to unlink a spool file. 2920 2921DW/01 Bugzilla 139: Support dynamically loaded lookups as modules. 2922 With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux 2923 for maintaining out-of-tree patches for some time. 2924 2925PP/01 Bugzilla 139: Documentation and portability issues. 2926 Avoid GNU Makefile-isms, let Exim continue to build on BSD. 2927 Handle per-OS dynamic-module compilation flags. 2928 2929PP/02 Let /dev/null have normal permissions. 2930 The 4.73 fixes were a little too stringent and complained about the 2931 permissions on /dev/null. Exempt it from some checks. 2932 Reported by Andreas M. Kirchwitz. 2933 2934PP/03 Report version information for many libraries, including 2935 Exim version information for dynamically loaded libraries. Created 2936 version.h, now support a version extension string for distributors 2937 who patch heavily. Dynamic module ABI change. 2938 2939PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a 2940 privilege escalation vulnerability whereby the Exim run-time user 2941 can cause root to append content of the attacker's choosing to 2942 arbitrary files. 2943 2944PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code. 2945 (Wolfgang Breyha) 2946 2947PP/06 Bugzilla 1071: fix delivery logging with untrusted macros. 2948 If dropping privileges for untrusted macros, we disabled normal logging 2949 on the basis that it would fail; for the Exim run-time user, this is not 2950 the case, and it resulted in successful deliveries going unlogged. 2951 Fixed. Reported by Andreas Metzler. 2952 2953 2954Exim version 4.73 2955----------------- 2956 2957PP/01 Date: & Message-Id: revert to normally being appended to a message, 2958 only prepend for the Resent-* case. Fixes regression introduced in 2959 Exim 4.70 by NM/22 for Bugzilla 607. 2960 2961PP/02 Include check_rfc2047_length in configure.default because we're seeing 2962 increasing numbers of administrators be bitten by this. 2963 2964JJ/01 Added DISABLE_DKIM and comment to src/EDITME 2965 2966PP/03 Bugzilla 994: added openssl_options main configuration option. 2967 2968PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads. 2969 2970PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports. 2971 2972PP/06 Adjust NTLM authentication to handle SASL Initial Response. 2973 2974PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but 2975 without a peer certificate, leading to a segfault because of an 2976 assumption that peers always have certificates. Be a little more 2977 paranoid. Problem reported by Martin Tscholak. 2978 2979PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content 2980 filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes 2981 NB: ClamAV planning to remove STREAM in "middle of 2010". 2982 CL also introduces -bmalware, various -d+acl logging additions and 2983 more caution in buffer sizes. 2984 2985PP/09 Implemented reverse_ip expansion operator. 2986 2987PP/10 Bugzilla 937: provide a "debug" ACL control. 2988 2989PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne. 2990 2991PP/12 Bugzilla 973: Implement --version. 2992 2993PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0. 2994 2995PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. 2996 2997PP/15 Bugzilla 816: support multiple condition rules on Routers. 2998 2999PP/16 Add bool_lax{} expansion operator and use that for combining multiple 3000 condition rules, instead of bool{}. Make both bool{} and bool_lax{} 3001 ignore trailing whitespace. 3002 3003JJ/02 prevent non-panic DKIM error from being sent to paniclog 3004 3005JJ/03 added tcp_wrappers_daemon_name to allow host entries other than 3006 "exim" to be used 3007 3008PP/17 Fix malware regression for cmdline scanner introduced in PP/08. 3009 Notification from Dr Andrew Aitchison. 3010 3011PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's 3012 ExtendedDetectionInfo response format. 3013 Notification from John Horne. 3014 3015PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards 3016 compatible. 3017 3018PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http: 3019 XSL and documented dependency on system catalogs, with examples of how 3020 it normally works. 3021 3022DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store 3023 access. 3024 3025DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour 3026 of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a 3027 configuration file which is writeable by the Exim user or group. 3028 3029DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability 3030 of configuration files to cover files specified with the -C option if 3031 they are going to be used with root privileges, not just the default 3032 configuration file. 3033 3034DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY 3035 option (effectively making it always true). 3036 3037DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration 3038 files to be used while preserving root privileges. 3039 3040DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure 3041 that rogue child processes cannot use them. 3042 3043PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim 3044 run-time user, instead of root. 3045 3046PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the 3047 Exim run-time user without dropping privileges. 3048 3049DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the 3050 result string, instead of calling string_vformat() twice with the same 3051 arguments. 3052 3053DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not 3054 for other users. Others should always drop root privileges if they use 3055 -C on the command line, even for a whitelisted configure file. 3056 3057DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes. 3058 3059NM/01 Fixed bug #1002 - Message loss when using multiple deliveries 3060 3061 3062Exim version 4.72 3063----------------- 3064 3065JJ/01 installed exipick 20100104.1, adding $max_received_linelength, 3066 $data_path, and $header_path variables; fixed documentation bugs and 3067 typos 3068 3069JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow 3070 exipick to access non-standard spools, including the "frozen" queue 3071 (Finput) 3072 3073NM/01 Bugzilla 965: Support mysql stored procedures. 3074 Patch from Alain Williams 3075 3076NM/02 Bugzilla 961: Spacing fix (syntax error) on Makefile directives for NetBSD 3077 3078NM/03 Bugzilla 955: Documentation fix for max_rcpts. 3079 Patch from Andreas Metzler 3080 3081NM/04 Bugzilla 954: Fix for unknown responses from Dovecot authenticator. 3082 Patch from Kirill Miazine 3083 3084NM/05 Bugzilla 671: Added umask to procmail example. 3085 3086JJ/03 installed exipick 20100323.0, fixing doc bug 3087 3088NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail 3089 directory. Notification and patch from Dan Rosenberg. 3090 3091TK/01 PDKIM: Upgrade PolarSSL files to upstream version 0.12.1. 3092 3093TK/02 Improve log output when DKIM signing operation fails. 3094 3095MH/01 Treat the transport option dkim_domain as a colon separated 3096 list, not as a single string, and sign the message with each element, 3097 omitting multiple occurences of the same signer. 3098 3099NM/07 Null terminate DKIM strings, Null initialise DKIM variable 3100 Bugzilla 985, 986. Patch by Simon Arlott 3101 3102NM/08 Bugzilla 967. dnsdb DNS TXT record bug fix (DKIM-related) 3103 Patch by Simon Arlott 3104 3105PP/01 Bugzilla 989: CVE-2010-2024 - work round race condition on 3106 MBX locking. Notification from Dan Rosenberg. 3107 3108 3109Exim version 4.71 3110----------------- 3111 3112TK/01 Bugzilla 912: Fix DKIM segfault on empty headers/body. 3113 3114NM/01 Bugzilla 913: Documentation fix for gnutls_* options. 3115 3116NM/02 Bugzilla 722: Documentation for randint. Better randomness defaults. 3117 3118NM/03 Bugzilla 847: Enable DNSDB lookup by default. 3119 3120NM/04 Bugzilla 915: Flag broken perl installation during build. 3121 3122 3123Exim version 4.70 3124----------------- 3125 3126TK/01 Added patch by Johannes Berg that expands the main option 3127 "spamd_address" if it starts with a dollar sign. 3128 3129TK/02 Write list of recipients to X-Envelope-Sender header when building 3130 the mbox-format spool file for content scanning (suggested by Jakob 3131 Hirsch). 3132 3133TK/03 Added patch by Wolfgang Breyha that adds experimental DCC 3134 (http://www.dcc-servers.net/) support via dccifd. Activated by 3135 setting EXPERIMENTAL_DCC=yes in Local/Makefile. 3136 3137TK/04 Bugzilla 673: Add f-protd malware scanner support. Patch submitted 3138 by Mark Daniel Reidel <mr@df.eu>. 3139 3140NM/01 Bugzilla 657: Embedded PCRE removed from the exim source tree. 3141 When building exim an external PCRE library is now needed - 3142 PCRE is a system library on the majority of modern systems. 3143 See entry on PCRE_LIBS in EDITME file. 3144 3145NM/02 Bugzilla 646: Removed unwanted C/R in Dovecot authenticator 3146 conversation. Added nologin parameter to request. 3147 Patch contributed by Kirill Miazine. 3148 3149TF/01 Do not log submission mode rewrites if they do not change the address. 3150 3151TF/02 Bugzilla 662: Fix stack corruption before exec() in daemon.c. 3152 3153NM/03 Bugzilla 602: exicyclog now handles panic log, and creates empty 3154 log files in place. Contributed by Roberto Lima. 3155 3156NM/04 Bugzilla 667: Close socket used by dovecot authenticator. 3157 3158TF/03 Bugzilla 615: When checking the local_parts router precondition 3159 after a local_part_suffix or local_part_prefix option, Exim now 3160 does not use the address's named list lookup cache, since this 3161 contains cached lookups for the whole local part. 3162 3163NM/05 Bugzilla 521: Integrated SPF Best Guess support contributed by 3164 Robert Millan. Documentation is in experimental-spec.txt. 3165 3166TF/04 Bugzilla 668: Fix parallel build (make -j). 3167 3168NM/05.2 Bugzilla 437: Prevent Maildir aux files being created with mode 000. 3169 3170NM/05.3 Bugzilla 598: Improvement to Dovecot authenticator handling. 3171 Patch provided by Jan Srzednicki. 3172 3173TF/05 Leading white space used to be stripped from $spam_report which 3174 wrecked the formatting. Now it is preserved. 3175 3176TF/06 Save $spam_score, $spam_bar, and $spam_report in spool files, so 3177 that they are available at delivery time. 3178 3179TF/07 Fix the way ${extract is skipped in the untaken branch of a conditional. 3180 3181TF/08 TLS error reporting now respects the incoming_interface and 3182 incoming_port log selectors. 3183 3184TF/09 Produce a more useful error message if an SMTP transport's hosts 3185 setting expands to an empty string. 3186 3187NM/06 Bugzilla 744: EXPN did not work under TLS. 3188 Patch provided by Phil Pennock. 3189 3190NM/07 Bugzilla 769: Extraneous comma in usage fprintf 3191 Patch provided by Richard Godbee. 3192 3193NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be 3194 acl_smtp_notquit, added index entry. 3195 3196NM/09 Bugzilla 787: Potential buffer overflow in string_format. 3197 Patch provided by Eugene Bujak. 3198 3199NM/10 Bugzilla 770: Problem on some platforms modifying the len parameter to 3200 accept(). Patch provided by Maxim Dounin. 3201 3202NM/11 Bugzilla 749: Preserve old behaviour of blanks comparing equal to zero. 3203 Patch provided by Phil Pennock. 3204 3205NM/12 Bugzilla 497: Correct behaviour of exiwhat when no config exists. 3206 3207NM/13 Bugzilla 590: Correct handling of Resent-Date headers. 3208 Patch provided by Brad "anomie" Jorsch. 3209 3210NM/14 Bugzilla 622: Added timeout setting to transport filter. 3211 Patch provided by Dean Brooks. 3212 3213TK/05 Add native DKIM support (does not depend on external libraries). 3214 3215NM/15 Bugzilla 854: Removed code that symlinks to pcre as its no longer useful. 3216 Patch provided by Graeme Fowler. 3217 3218NM/16 Bugzilla 851: Documentation example syntax fix. 3219 3220NM/17 Changed NOTICE file to remove references to embedded PCRE. 3221 3222NM/18 Bugzilla 894: Fix issue with very long lines including comments in 3223 lsearch. 3224 3225NM/19 Bugzilla 745: TLS version reporting. 3226 Patch provided by Phil Pennock. 3227 3228NM/20 Bugzilla 167: bool: condition support. 3229 Patch provided by Phil Pennock. 3230 3231NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken 3232 clients. Patch provided by Phil Pennock. 3233 3234NM/22 Bugzilla 607: prepend (not append) Resent-Message-ID and Resent-Date. 3235 Patch provided by Brad "anomie" Jorsch. 3236 3237NM/23 Bugzilla 687: Fix misparses in eximstats. 3238 Patch provided by Heiko Schlittermann. 3239 3240NM/24 Bugzilla 688: Fix exiwhat to handle log_selector = +pid. 3241 Patch provided by Heiko Schlittermann. 3242 3243NM/25 Bugzilla 727: Use transport mode as default mode for maildirsize file. 3244 plus update to original patch. 3245 3246NM/26 Bugzilla 799: Documentation correction for ratelimit. 3247 3248NM/27 Bugzilla 802: Improvements to local interface IP addr detection. 3249 Patch provided by David Brownlee. 3250 3251NM/28 Bugzilla 807: Improvements to LMTP delivery logging. 3252 3253NM/29 Bugzilla 862, 866, 875: Documentation bugfixes. 3254 3255NM/30 Bugzilla 888: TLS documentation bugfixes. 3256 3257NM/31 Bugzilla 896: Dovecot buffer overrun fix. 3258 3259NM/32 Bugzilla 889: Change all instances of "expr" in shell scripts to "expr --" 3260 Unlike the original bugzilla I have changed all shell scripts in src tree. 3261 3262NM/33 Bugzilla 898: Transport filter timeout fix. 3263 Patch by Todd Rinaldo. 3264 3265NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches. 3266 Patch by Serge Demonchaux. 3267 3268NM/35 Bugzilla 39: Base64 decode bug fixes. 3269 Patch by Jakob Hirsch. 3270 3271NM/36 Bugzilla 909: Correct connect() call in dcc code. 3272 3273NM/37 Bugzilla 910: Correct issue with relaxed/simple handling. 3274 3275NM/38 Bugzilla 908: Removed NetBSD3 support as no longer needed. 3276 3277NM/39 Bugzilla 911: Fixed MakeLinks build script. 3278 3279 3280Exim version 4.69 3281----------------- 3282 3283TK/01 Add preliminary DKIM support. Currently requires a forked version of 3284 ALT-N's libdkim that I have put here: 3285 http://duncanthrax.net/exim-experimental/ 3286 3287 Note to Michael Haardt: I had to rename some vars in sieve.c. They 3288 were called 'true' and it seems that C99 defines that as a reserved 3289 keyword to be used with 'bool' variable types. That means you could 3290 not include C99-style headers which use bools without triggering 3291 build errors in sieve.c. 3292 3293NM/01 Bugzilla 592: --help option is handled incorrectly if exim is invoked 3294 as mailq or other aliases. Changed the --help handling significantly 3295 to do whats expected. exim_usage() emits usage/help information. 3296 3297SC/01 Added the -bylocaldomain option to eximstats. 3298 3299NM/02 Bugzilla 619: Defended against bad data coming back from gethostbyaddr. 3300 3301NM/03 Bugzilla 613: Documentation fix for acl_not_smtp. 3302 3303NM/04 Bugzilla 628: PCRE update to 7.4 (work done by John Hall). 3304 3305 3306Exim version 4.68 3307----------------- 3308 3309PH/01 Another patch from the Sieve maintainer. 3310 3311PH/02 When an IPv6 address is converted to a string for single-key lookup 3312 in an address list (e.g. for an item such as "net24-dbm;/net/works"), 3313 dots are used instead of colons so that keys in lsearch files need not 3314 contain colons. This was done some time before quoting was made available 3315 in lsearch files. However, iplsearch files do require colons in IPv6 keys 3316 (notated using the quote facility) so as to distinguish them from IPv4 3317 keys. This meant that lookups for IP addresses in host lists did not work 3318 for iplsearch lookups. 3319 3320 This has been fixed by arranging for IPv6 addresses to be expressed with 3321 colons if the lookup type is iplsearch. This is not incompatible, because 3322 previously such lookups could never work. 3323 3324 The situation is now rather anomalous, since one *can* have colons in 3325 ordinary lsearch keys. However, making the change in all cases is 3326 incompatible and would probably break a number of configurations. 3327 3328TK/01 Change PRVS address formatting scheme to reflect latests BATV draft 3329 version. 3330 3331MH/01 The "spam" ACL condition code contained a sscanf() call with a %s 3332 conversion specification without a maximum field width, thereby enabling 3333 a rogue spamd server to cause a buffer overflow. While nobody in their 3334 right mind would setup Exim to query an untrusted spamd server, an 3335 attacker that gains access to a server running spamd could potentially 3336 exploit this vulnerability to run arbitrary code as the Exim user. 3337 3338TK/02 Bugzilla 502: Apply patch to make the SPF-Received: header use 3339 $primary_hostname instead of what libspf2 thinks the hosts name is. 3340 3341MH/02 The dsearch lookup now uses lstat(2) instead of stat(2) to look for 3342 a directory entry by the name of the lookup key. Previously, if a 3343 symlink pointed to a non-existing file or a file in a directory that 3344 Exim lacked permissions to read, a lookup for a key matching that 3345 symlink would fail. Now it is enough that a matching directory entry 3346 exists, symlink or not. (Bugzilla 503.) 3347 3348PH/03 The body_linecount and body_zerocount variables are now exported in the 3349 local_scan API. 3350 3351PH/04 Added the $dnslist_matched variable. 3352 3353PH/05 Unset $tls_cipher and $tls_peerdn before making a connection as a client. 3354 This means they are set thereafter only if the connection becomes 3355 encrypted. 3356 3357PH/06 Added the client_condition to authenticators so that some can be skipped 3358 by clients under certain conditions. 3359 3360PH/07 The error message for a badly-placed control=no_multiline_responses left 3361 "_responses" off the end of the name. 3362 3363PH/08 Added -Mvc to output a copy of a message in RFC 2822 format. 3364 3365PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly 3366 (without spaces) instead of just copying the configuration text. 3367 3368PH/10 Added the /noupdate option to the ratelimit ACL condition. 3369 3370PH/11 Added $max_received_linelength. 3371 3372PH/12 Added +ignore_defer and +include_defer to host lists. 3373 3374PH/13 Installed PCRE version 7.2. This needed some changes because of the new 3375 way in which PCRE > 7.0 is built. 3376 3377PH/14 Implemented queue_only_load_latch. 3378 3379PH/15 Removed an incorrect (int) cast when reading the value of SIZE in a 3380 MAIL command. The effect was to mangle the value on 64-bit systems. 3381 3382PH/16 Another patch from the Sieve maintainer. 3383 3384PH/17 Added the NOTQUIT ACL, based on a patch from Ted Cooper. 3385 3386PH/18 If a system quota error occurred while trying to create the file for 3387 a maildir delivery, the message "Mailbox is full" was not appended to the 3388 bounce if the delivery eventually timed out. Change 4.67/27 below applied 3389 only to a quota excession during the actual writing of the file. 3390 3391PH/19 It seems that peer DN values may contain newlines (and other non-printing 3392 characters?) which causes problems in log lines. The DN values are now 3393 passed through string_printing() before being added to log lines. 3394 3395PH/20 Added the "servers=" facility to MySQL and PostgreSQL lookups. (Oracle 3396 and InterBase are left for another time.) 3397 3398PH/21 Added message_body_newlines option. 3399 3400PH/22 Guard against possible overflow in moan_check_errorcopy(). 3401 3402PH/23 POSIX allows open() to be a macro; guard against that. 3403 3404PH/24 If the recipient of an error message contained an @ in the local part 3405 (suitably quoted, of course), incorrect values were put in $domain and 3406 $local_part during the evaluation of errors_copy. 3407 3408 3409Exim version 4.67 3410----------------- 3411 3412MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address 3413 is unset (happens when testing with -bh and -oMi isn't used). Thanks to 3414 Jan Srzednicki. 3415 3416PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not 3417 issue a MAIL command. 3418 3419PH/02 In an ACL statement such as 3420 3421 deny dnslists = X!=127.0.0.2 : X=127.0.0.2 3422 3423 if a client was not listed at all, or was listed with a value other than 3424 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list, 3425 the condition was not true (as it should be), so access was not denied. 3426 The bug was that the ! inversion was incorrectly passed on to the second 3427 item. This has been fixed. 3428 3429PH/03 Added additional dnslists conditions == and =& which are different from 3430 = and & when the dns lookup returns more than one IP address. 3431 3432PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the 3433 cipher suites used by GnuTLS. These options are ignored by OpenSSL. 3434 3435PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_ 3436 FSYNC, which compiles an option called disable_fsync that allows for 3437 bypassing fsync(). The documentation is heavily laced with warnings. 3438 3439SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket. 3440 3441PH/06 Some tidies to the infrastructure of the Test Suite that is concerned 3442 with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT 3443 to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile, 3444 including adding "make clean"; (3) Added -fPIC when compiling the test 3445 dynamically loaded module, to get rid of a warning. 3446 3447MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce 3448 message fails, move_frozen_messages = true and ignore_bounce_errors_after 3449 = 0s. The bug is otherwise harmless. 3450 3451PH/07 There was a bug in the dovecot authenticator such that the value of 3452 $auth1 could be overwritten, and so not correctly preserved, after a 3453 successful authentication. This usually meant that the value preserved by 3454 the server_setid option was incorrect. 3455 3456PH/08 Added $smtp_count_at_connection_start, deliberately with a long name. 3457 3458PH/09 Installed PCRE release 7.0. 3459 3460PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being 3461 run for batched SMTP input. It is now run at the start of every message 3462 in the batch. While fixing this I discovered that the process information 3463 (output by running exiwhat) was not always getting set for -bs and -bS 3464 input. This is fixed, and it now also says "batched" for BSMTP. 3465 3466PH/11 Added control=no_pipelining. 3467 3468PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's 3469 patch, slightly modified), and move the expansion of helo_data till after 3470 the connection is made in the smtp transport (so it can use these 3471 values). 3472 3473PH/13 Added ${rfc2047d: to decoded RFC 2047 strings. 3474 3475PH/14 Added log_selector = +pid. 3476 3477PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set. 3478 3479PH/16 Add ${if forany and ${if forall. 3480 3481PH/17 Added dsn_from option to vary the From: line in DSNs. 3482 3483PH/18 Flush SMTP output before performing a callout, unless control = 3484 no_callout_flush is set. 3485 3486PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender 3487 was true (the default) a successful delivery failed to delete the retry 3488 item, thus causing premature timeout of the address. The bug is now 3489 fixed. 3490 3491PH/20 Added hosts_avoid_pipelining to the smtp transport. 3492 3493PH/21 Long custom messages for fakedefer and fakereject are now split up 3494 into multiline responses in the same way that messages for "deny" and 3495 other ACL rejections are. 3496 3497PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep, 3498 with slight modification. 3499 3500PH/23 Applied sieve patches from the maintainer "tracking the latest notify 3501 draft, changing the syntax and factoring some duplicate code". 3502 3503PH/24 When the log selector "outgoing_port" was set, the port was shown as -1 3504 for deliveries of the second and subsequent messages over the same SMTP 3505 connection. 3506 3507PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and 3508 ${reduce, with only minor "tidies". 3509 3510SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match. 3511 3512PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its 3513 expansion side effects. 3514 3515PH/27 When a message times out after an over-quota error from an Exim-imposed 3516 quota, the bounce message says "mailbox is full". This message was not 3517 being given when it was a system quota that was exceeded. It now should 3518 be the same. 3519 3520MH/03 Made $recipients available in local_scan(). local_scan() already has 3521 better access to the recipient list through recipients_list[], but 3522 $recipients can be useful in postmaster-provided expansion strings. 3523 3524PH/28 The $smtp_command and $smtp_command_argument variables were not correct 3525 in the case of a MAIL command with additional options following the 3526 address, for example: MAIL FROM:<foo@bar> SIZE=1234. The option settings 3527 were accidentally chopped off. 3528 3529PH/29 SMTP synchronization checks are implemented when a command is read - 3530 there is a check that no more input is waiting when there shouldn't be 3531 any. However, for some commands, a delay in an ACL can mean that it is 3532 some time before the response is written. In this time, more input might 3533 arrive, invalidly. So now there are extra checks after an ACL has run for 3534 HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when 3535 pipelining has not been advertised. 3536 3537PH/30 MH's patch to allow iscntrl() characters to be list separators. 3538 3539PH/31 Unlike :fail:, a custom message specified with :defer: was not being 3540 returned in the SMTP response when smtp_return_error_details was false. 3541 This has been fixed. 3542 3543PH/32 Change the Dovecot authenticator to use read() and write() on the socket 3544 instead of the C I/O that was originally supplied, because problems were 3545 reported on Solaris. 3546 3547PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in 3548 Exim which did not show up earlier: it was assuming that a call to 3549 SSL_CTX_set_info_callback() might give an error value. In fact, there is 3550 no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback() 3551 was a macro that became an assignment, so it seemed to work. This has 3552 changed to a proper function call with a void return, hence the compile 3553 error. Exim's code has been fixed. 3554 3555PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit 3556 cpus. 3557 3558PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify". 3559 3560PH/36 Applied John Jetmore's patch to add -v functionality to exigrep. 3561 3562PH/37 If a message is not accepted after it has had an id assigned (e.g. 3563 because it turns out to be too big or there is a timeout) there is no 3564 "Completed" line in the log. When some messages of this type were 3565 selected by exigrep, they were listed as "not completed". Others were 3566 picked up by some special patterns. I have improved the selection 3567 criteria to be more general. 3568 3569PH/38 The host_find_failed option in the manualroute router can now be set 3570 to "ignore", to completely ignore a host whose IP address cannot be 3571 found. If all hosts are ignored, the behaviour is controlled by the new 3572 host_all_ignored option. 3573 3574PH/39 In a list of hosts for manualroute, if one item (either because of multi- 3575 homing or because of multiple MX records with /mx) generated more than 3576 one IP address, and the following item turned out to be the local host, 3577 all the secondary addresses of the first item were incorrectly removed 3578 from the list, along with the local host and any following hosts (which 3579 is what is supposed to happen). 3580 3581PH/40 When Exim receives a message, it writes the login name, uid, and gid of 3582 whoever called Exim into the -H file. In the case of the daemon it was 3583 behaving confusingly. When first started, it used values for whoever 3584 started the daemon, but after a SIGHUP it used the Exim user (because it 3585 calls itself on a restart). I have changed the code so that it now always 3586 uses the Exim user. 3587 3588PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a 3589 message are rejected with the same error (e.g. no authentication or bad 3590 sender address), and a DATA command is nevertheless sent (as can happen 3591 with PIPELINING or a stupid MUA), the error message that was given to the 3592 RCPT commands is included in the rejection of the DATA command. This is 3593 intended to be helpful for MUAs that show only the final error to their 3594 users. 3595 3596PH/42 Another patch from the Sieve maintainer. 3597 3598SC/02 Eximstats - Differentiate between permanent and temporary rejects. 3599 Eximstats - Fixed some broken HTML links and added missing column headers 3600 (Jez Hancock). 3601 Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email 3602 columns for Rejects, Temp Rejects, Ham, and Spam rows. 3603 3604SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables. 3605 3606PH/43 Yet another patch from the Sieve maintainer. 3607 3608PH/44 I found a way to check for a TCP/IP connection going away before sending 3609 the response to the final '.' that terminates a message, but only in the 3610 case where the client has not sent further data following the '.' 3611 (unfortunately, this is allowed). However, in many cases there won't be 3612 any further data because there won't be any more messages to send. A call 3613 to select() can be used: if it shows that the input is "ready", there is 3614 either input waiting, or the socket has been closed. An attempt to read 3615 the next input character can distinguish the two cases. Previously, Exim 3616 would have sent an OK response which the client would never have see. 3617 This could lead to message repetition. This fix should cure that, at 3618 least in a lot of common cases. 3619 3620PH/45 Do not advertise STARTTLS in response to HELP unless it would be 3621 advertised in response to EHLO. 3622 3623 3624Exim version 4.66 3625----------------- 3626 3627PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one 3628 fixed by 4.65/MH/01 (is this a record?) are fixed: 3629 3630 (i) An empty string was always treated as zero by the numeric comparison 3631 operators. This behaviour has been restored. 3632 3633 (ii) It is documented that the numeric comparison operators always treat 3634 their arguments as decimal numbers. This was broken in that numbers 3635 starting with 0 were being interpreted as octal. 3636 3637 While fixing these problems I realized that there was another issue that 3638 hadn't been noticed. Values of message_size_limit (both the global option 3639 and the transport option) were treated as octal if they started with 0. 3640 The documentation was vague. These values are now always treated as 3641 decimal, and I will make that clear in the documentation. 3642 3643 3644Exim version 4.65 3645----------------- 3646 3647TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with 3648 Linux large file support (_FILE_OFFSET_BITS=64) on older glibc 3649 versions. (#438) 3650 3651MH/01 Don't check that the operands of numeric comparison operators are 3652 integers when their expansion is in "skipping" mode (fixes bug 3653 introduced by 4.64-PH/07). 3654 3655PH/01 If a system filter or a router generates more than SHRT_MAX (32767) 3656 child addresses, Exim now panics and dies. Previously, because the count 3657 is held in a short int, deliveries were likely to be lost. As such a 3658 large number of recipients for a single message is ridiculous 3659 (performance will be very, very poor), I have chosen to impose a limit 3660 rather than extend the field. 3661 3662 3663Exim version 4.64 3664----------------- 3665 3666TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a 3667 leftover -K file (the existence of which was triggered by #402). 3668 While we were at it, introduced process PID as part of the -K 3669 filename. This should rule out race conditions when creating 3670 these files. 3671 3672TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing 3673 processing considerably. Previous code took too long for large mails, 3674 triggering a timeout which in turn triggers #401. 3675 3676TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used 3677 in the DK code in transports.c. sendfile() is not really portable, 3678 hence the _LINUX specificness. 3679 3680TF/01 In the add_headers option to the mail command in an Exim filter, 3681 there was a bug that Exim would claim a syntax error in any 3682 header after the first one which had an odd number of characters 3683 in the field name. 3684 3685PH/01 If a server that rejects MAIL FROM:<> was the target of a sender 3686 callout verification, Exim cached a "reject" for the entire domain. This 3687 is correct for most verifications, but it is not correct for a recipient 3688 verification with use_sender or use_postmaster set, because in that case 3689 the callout does not use MAIL FROM:<>. Exim now distinguishes the special 3690 case of MAIL FROM:<> rejection from other early rejections (e.g. 3691 rejection of HELO). When verifying a recipient using a non-null MAIL 3692 address, the cache is ignored if it shows MAIL FROM:<> rejection. 3693 Whatever the result of the callout, the value of the domain cache is 3694 left unchanged (for any other kind of callout, getting as far as trying 3695 RCPT means that the domain itself is ok). 3696 3697PH/02 Tidied a number of unused variable and signed/unsigned warnings that 3698 gcc 4.1.1 threw up. 3699 3700PH/03 On Solaris, an unexpectedly close socket (dropped connection) can 3701 manifest itself as EPIPE rather than ECONNECT. When tidying away a 3702 session, the daemon ignores ECONNECT errors and logs others; it now 3703 ignores EPIPE as well. 3704 3705PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c 3706 (quoted-printable decoding). 3707 3708PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and 3709 later the small subsequent patch to fix an introduced bug. 3710 3711PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer. 3712 3713PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}. 3714 3715PH/08 An error is now given if message_size_limit is specified negative. 3716 3717PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables 3718 to be given (somewhat) arbitrary names. 3719 3720JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced 3721 in 4.64-PH/09. 3722 3723JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions, 3724 miscellaneous code fixes 3725 3726PH/10 Added the log_reject_target ACL modifier to specify where to log 3727 rejections. 3728 3729PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ 3730 hostname. This is wrong, because it relates to the incoming message (and 3731 probably the interface on which it is arriving) and not to the outgoing 3732 callout (which could be using a different interface). This has been 3733 changed to use the value of the helo_data option from the smtp transport 3734 instead - this is what is used when a message is actually being sent. If 3735 there is no remote transport (possible with a router that sets up host 3736 addresses), $smtp_active_hostname is used. 3737 3738PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various 3739 tweaks were necessary in order to get it to work (see also 21 below): 3740 (a) The code assumed that strncpy() returns a negative number on buffer 3741 overflow, which isn't the case. Replaced with Exim's string_format() 3742 function. 3743 (b) There were several signed/unsigned issues. I just did the minimum 3744 hacking in of casts. There is scope for a larger refactoring. 3745 (c) The code used strcasecmp() which is not a standard C function. 3746 Replaced with Exim's strcmpic() function. 3747 (d) The code set only $1; it now sets $auth1 as well. 3748 (e) A simple test gave the error "authentication client didn't specify 3749 service in request". It would seem that Dovecot has changed its 3750 interface. Fortunately there's a specification; I followed it and 3751 changed what the client sends and it appears to be working now. 3752 3753PH/13 Added $message_headers_raw to provide the headers without RFC 2047 3754 decoding. 3755 3756PH/14 Corrected misleading output from -bv when -v was also used. Suppose the 3757 address A is aliased to B and C, where B exists and C does not. Without 3758 -v the output is "A verified" because verification stops after a 3759 successful redirection if more than one address is generated. However, 3760 with -v the child addresses are also verified. Exim was outputting "A 3761 failed to verify" and then showing the successful verification for C, 3762 with its parentage. It now outputs "B failed to verify", showing B's 3763 parentage before showing the successful verification of C. 3764 3765PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to 3766 look up a TXT record in a specific list after matching in a combined 3767 list. 3768 3769PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and 3770 RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when 3771 they consult the DNS. I had assumed they would set it the way they 3772 wanted; and indeed my experiments on Linux seem to show that in some 3773 cases they do (I could influence IPv6 lookups but not IPv4 lookups). 3774 To be on the safe side, however, I have now made the interface to 3775 host_find_byname() similar to host_find_bydns(), with an argument 3776 containing the DNS resolver options. The host_find_byname() function now 3777 sets these options at its start, just as host_find_bydns() does. The smtp 3778 transport options dns_qualify_single and dns_search_parents are passed to 3779 host_find_byname() when gethostbyname=TRUE in this transport. Other uses 3780 of host_find_byname() use the default settings of RES_DEFNAMES 3781 (qualify_single) but not RES_DNSRCH (search_parents). 3782 3783PH/17 Applied (a modified version of) Nico Erfurth's patch to make 3784 spool_read_header() do less string testing, by means of a preliminary 3785 switch on the second character of optional "-foo" lines. (This is 3786 overdue, caused by the large number of possibilities that now exist. 3787 Originally there were few.) While I was there, I also converted the 3788 str(n)cmp tests so they don't re-test the leading "-" and the first 3789 character, in the hope this might squeeze out yet more improvement. 3790 3791PH/18 Two problems with "group" syntax in header lines when verifying: (1) The 3792 flag allowing group syntax was set by the header_syntax check but not 3793 turned off, possible causing trouble later; (2) The flag was not being 3794 set at all for the header_verify test, causing "group"-style headers to 3795 be rejected. I have now set it in this case, and also caused header_ 3796 verify to ignore an empty address taken from a group. While doing this, I 3797 came across some other cases where the code for allowing group syntax 3798 while scanning a header line wasn't quite right (mostly, not resetting 3799 the flag correctly in the right place). These bugs could have caused 3800 trouble for malformed header lines. I hope it is now all correct. 3801 3802PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called 3803 with the "reply" argument non-NULL. The code, however (which originally 3804 came from elsewhere) had *some* tests for NULL when it wrote to *reply, 3805 but it didn't always do it. This confused somebody who was copying the 3806 code for some other use. I have removed all the tests. 3807 3808PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a 3809 feature that was used to support insecure browsers during the U.S. crypto 3810 embargo. It requires special client support, and Exim is probably the 3811 only MTA that supported it -- and would never use it because real RSA is 3812 always available. This code has been removed, because it had the bad 3813 effect of slowing Exim down by computing (never used) parameters for the 3814 RSA_EXPORT functionality. 3815 3816PH/21 On the advice of Timo Sirainen, added a check to the dovecot 3817 authenticator to fail if there's a tab character in the incoming data 3818 (there should never be unless someone is messing about, as it's supposed 3819 to be base64-encoded). Also added, on Timo's advice, the "secured" option 3820 if the connection is using TLS or if the remote IP is the same as the 3821 local IP, and the "valid-client-cert option" if a client certificate has 3822 been verified. 3823 3824PH/22 As suggested by Dennis Davis, added a server_condition option to *all* 3825 authenticators. This can be used for authorization after authentication 3826 succeeds. (In the case of plaintext, it servers for both authentication 3827 and authorization.) 3828 3829PH/23 Testing for tls_required and lost_connection in a retry rule didn't work 3830 if any retry times were supplied. 3831 3832PH/24 Exim crashed if verify=helo was activated during an incoming -bs 3833 connection, where there is no client IP address to check. In this 3834 situation, the verify now always succeeds. 3835 3836PH/25 Applied John Jetmore's -Mset patch. 3837 3838PH/26 Added -bem to be like -Mset, but loading a message from a file. 3839 3840PH/27 In a string expansion for a processed (not raw) header when multiple 3841 headers of the same name were present, leading whitespace was being 3842 removed from all of them, but trailing whitespace was being removed only 3843 from the last one. Now trailing whitespace is removed from each header 3844 before concatenation. Completely empty headers in a concatenation (as 3845 before) are ignored. 3846 3847PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John 3848 Jetmore). It would have mis-read ACL variables from pre-4.61 spool files. 3849 3850PH/29 [Removed. This was a change that I later backed out, and forgot to 3851 correct the ChangeLog entry (that I had efficiently created) before 3852 committing the later change.] 3853 3854PH/30 Exim was sometimes attempting to deliver messages that had suffered 3855 address errors (4xx response to RCPT) over the same connection as other 3856 messages routed to the same hosts. Such deliveries are always "forced", 3857 so retry times are not inspected. This resulted in far too many retries 3858 for the affected addresses. The effect occurred only when there were more 3859 hosts than the hosts_max_try setting in the smtp transport when it had 3860 the 4xx errors. Those hosts that it had tried were not added to the list 3861 of hosts for which the message was waiting, so if all were tried, there 3862 was no problem. Two fixes have been applied: 3863 3864 (i) If there are any address or message errors in an SMTP delivery, none 3865 of the hosts (tried or untried) are now added to the list of hosts 3866 for which the message is waiting, so the message should not be a 3867 candidate for sending over the same connection that was used for a 3868 successful delivery of some other message. This seems entirely 3869 reasonable: after all the message is NOT "waiting for some host". 3870 This is so "obvious" that I'm not sure why it wasn't done 3871 previously. Hope I haven't missed anything, but it can't do any 3872 harm, as the worst effect is to miss an optimization. 3873 3874 (ii) If, despite (i), such a delivery is accidentally attempted, the 3875 routing retry time is respected, so at least it doesn't keep 3876 hammering the server. 3877 3878PH/31 Installed Andrew Findlay's patch to close the writing end of the socket 3879 in ${readsocket because some servers need this prod. 3880 3881PH/32 Added some extra debug output when updating a wait-xxx database. 3882 3883PH/33 The hint "could be header name not terminated by colon", which has been 3884 given for certain expansion errors for a long time, was not being given 3885 for the ${if def:h_colon_omitted{... case. 3886 3887PH/34 The spec says: "With one important exception, whenever a domain list is 3888 being scanned, $domain contains the subject domain." There was at least 3889 one case where this was not true. 3890 3891PH/35 The error "getsockname() failed: connection reset by peer" was being 3892 written to the panic log as well as the main log, but it isn't really 3893 panic-worthy as it just means the connection died rather early on. I have 3894 removed the panic log writing for the ECONNRESET error when getsockname() 3895 fails. 3896 3897PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue 3898 runs only) independently of the message's sender address. This meant 3899 that, if the 4xx error was in fact related to the sender, a different 3900 message to the same recipient with a different sender could confuse 3901 things. In particular, this can happen when sending to a greylisting 3902 server, but other circumstances could also provoke similar problems. 3903 I have changed the default so that the retry time for these errors is now 3904 based a combination of the sender and recipient addresses. This change 3905 can be overridden by setting address_retry_include_sender=false in the 3906 smtp transport. 3907 3908PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the 3909 remote server are returned as part of bounce messages. This was not 3910 happening for LMTP over a pipe (the lmtp transport), but now it is the 3911 same for both kinds of LMTP. 3912 3913PH/38 Despite being documented as not happening, Exim was rewriting addresses 3914 in header lines that were in fact CNAMEs. This is no longer the case. 3915 3916PH/39 If -R or -S was given with -q<time>, the effect of -R or -S was ignored, 3917 and queue runs started by the daemon processed all messages. This has 3918 been fixed so that -R and -S can now usefully be given with -q<time>. 3919 3920PH/40 Import PCRE release 6.7 (fixes some bugs). 3921 3922PH/41 Add bitwise logical operations to eval (courtesy Brad Jorsch). 3923 3924PH/42 Give an error if -q is specified more than once. 3925 3926PH/43 Renamed the variables $interface_address and $interface_port as 3927 $received_ip_address and $received_port, to make it clear that these 3928 values apply to message reception, and not to the outgoing interface when 3929 a message is delivered. (The old names remain recognized, of course.) 3930 3931PH/44 There was no timeout on the connect() call when using a Unix domain 3932 socket in the ${readsocket expansion. There now is. 3933 3934PH/45 Applied a modified version of Brad Jorsch's patch to allow "message" to 3935 be meaningful with "accept". 3936 3937SC/01 Eximstats V1.43 3938 Bug fix for V1.42 with -h0 specified. Spotted by Chris Lear. 3939 3940SC/02 Eximstats V1.44 3941 Use a glob alias rather than an array ref in the generated 3942 parser. This improves both readability and performance. 3943 3944SC/03 Eximstats V1.45 (Marco Gaiarin / Steve Campbell) 3945 Collect SpamAssassin and rejection statistics. 3946 Don't display local sender or destination tables unless 3947 there is data to show. 3948 Added average volumes into the top table text output. 3949 3950SC/04 Eximstats V1.46 3951 Collect data on the number of addresses (recipients) 3952 as well as the number of messages. 3953 3954SC/05 Eximstats V1.47 3955 Added 'Message too big' to the list of mail rejection 3956 reasons (thanks to Marco Gaiarin). 3957 3958SC/06 Eximstats V1.48 3959 Mainlog lines which have GMT offsets and are too short to 3960 have a flag are now skipped. 3961 3962SC/07 Eximstats V1.49 (Alain Williams) 3963 Added the -emptyok flag. 3964 3965SC/08 Eximstats V1.50 3966 Fixes for obtaining the IP address from reject messages. 3967 3968JJ/03 exipick.20061117.2, made header handling as similar to exim as possible 3969 (added [br]h_ prefixes, implemented RFC2047 decoding. Fixed 3970 whitespace changes from 4.64-PH/27 3971 3972JJ/04 exipick.20061117.2, fixed format and added $message_headers_raw to 3973 match 4.64-PH/13 3974 3975JJ/05 exipick.20061117.2, bug fixes (error out sooner when invalid criteria 3976 are found, allow negative numbers in numeric criteria) 3977 3978JJ/06 exipick.20061117.2, added new $message_body_missing variable 3979 3980JJ/07 exipick.20061117.2, added $received_ip_address and $received_port 3981 to match changes made in 4.64-PH/43 3982 3983PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm. 3984 3985PH/47 Put in an explicit test for a DNS lookup of an address record where the 3986 "domain" is actually an IP address, and force a failure. This locks out 3987 those revolvers/nameservers that support "A-for-A" lookups, in 3988 contravention of the specifications. 3989 3990PH/48 When a host name was looked up from an IP address, and the subsequent 3991 forward lookup of the name timed out, the host name was left in 3992 $sender_host_name, contrary to the specification. 3993 3994PH/49 Although default lookup types such as lsearch* or cdb*@ have always been 3995 restricted to single-key lookups, Exim was not diagnosing an error if 3996 * or *@ was used with a query-style lookup. 3997 3998PH/50 Increased the value of DH_BITS in tls-gnu.c from 768 to 1024. 3999 4000MH/01 local_scan ABI version incremented to 1.1. It should have been updated 4001 long ago, but noone interested enough thought of it. Let's just say that 4002 the "1.1" means that there are some new functions that weren't there at 4003 some point in the past. 4004 4005PH/51 Error processing for expansion failure of helo_data from an smtp 4006 transport during callout processing was broken. 4007 4008PH/52 Applied John Jetmore's patch to allow tls-on-connect and STARTTLS to be 4009 tested/used via the -bh/-bhc/-bs options. 4010 4011PH/53 Added missing "#include <time.h>" to pcre/pcretest.c (this was a PCRE 4012 bug, fixed in subsequent PCRE releases). 4013 4014PH/54 Applied Robert Bannocks' patch to avoid a problem with references that 4015 arises when using the Solaris LDAP libraries (but not with OpenLDAP). 4016 4017PH/55 Check for a ridiculously long file name in exim_dbmbuild. 4018 4019 4020Exim version 4.63 4021----------------- 4022 4023SC/01 Use a glob alias rather than an array ref in eximstats generated 4024 parser. This improves both readability and performance. 4025 4026SC/02 Collect SpamAssassin and rejection statistics in eximstats. 4027 Don't display local sender or destination tables in eximstats unless 4028 there is data to show. 4029 Added average volumes into the eximstats top table text output. 4030 4031SC/03 Collect data on the number of addresses (recipients) as well 4032 as the number of messages in eximstats. 4033 4034TF/01 Correct an error in the documentation for the redirect router. Exim 4035 does (usually) call initgroups() when daemonizing. 4036 4037TF/02 Call initgroups() when dropping privilege in exim.c, so that Exim runs 4038 with consistent privilege compared to when running as a daemon. 4039 4040TF/03 Note in the spec that $authenticated_id is not set for local 4041 submissions from trusted users. 4042 4043TF/04 The ratelimit per_rcpt option now works correctly in acl_not_smtp. 4044 Thanks to Dean Brooks <dean@iglou.com> for the patch. 4045 4046TF/05 Make it easier to get SMTP authentication and TLS/SSL support working 4047 by adding some example configuration directives to the default 4048 configuration file. A little bit of work is required to uncomment the 4049 directives and define how usernames and passwords are checked, but 4050 there is now a framework to start from. 4051 4052PH/01 Added #define LDAP_DEPRECATED 1 to ldap.c because some of the "old" 4053 functions that Exim currently uses aren't defined in ldap.h for OpenLDAP 4054 without this. I don't know how relevant this is to other LDAP libraries. 4055 4056PH/02 Add the verb name to the "unknown ACL verb" error. 4057 4058PH/03 Magnus Holmgren's patch for filter_prepend_home. 4059 4060PH/03 Fixed Bugzilla #101: macro definition between ACLs doesn't work. 4061 4062PH/04 Applied Magnus Holmgren's patch to fix Bugzilla #98: transport's home 4063 directory not expanded when it should be if an expanded home directory 4064 was set for the address (which is overridden by the transport). 4065 4066PH/05 Applied Alex Kiernan's patch to fix Bugzilla #99: a problem with 4067 libradius. 4068 4069PH/06 Added acl_not_smtp_start, based on Johannes Berg's patch, and set the 4070 bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL, 4071 because it is too late at that time, and has no effect. 4072 4073PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a 4074 security issue with \' (bugzilla #107). I could not use the 4075 PQescapeStringConn() function, because it needs a PGconn value as one of 4076 its arguments. 4077 4078PH/08 When testing addresses using -bt, indicate those final addresses that 4079 are duplicates that would not cause an additional delivery. At least one 4080 person was confused, thinking that -bt output corresponded to deliveries. 4081 (Suppressing duplicates isn't a good idea as you lose the information 4082 about possibly different redirections that led to the duplicates.) 4083 4084PH/09 Applied patch from Erik to use select() instead of poll() in spam.c on 4085 systems where poll() doesn't work, in particular OS X. 4086 4087PH/10 Added more information to debugging output for retry time not reached. 4088 4089PH/11 Applied patch from Arkadiusz Miskiewicz to apply a timeout to read 4090 operations in malware.c. 4091 4092PH/12 Applied patch from Magnus Holmgren to include the "h" tag in Domain Keys 4093 signatures. 4094 4095PH/13 If write_rejectlog was set false when logging was sent to syslog with 4096 syslog_duplication set false, log lines that would normally be written 4097 both the the main log and to the reject log were not written to syslog at 4098 all. 4099 4100PH/14 In the default configuration, change the use of "message" in ACL warn 4101 statements to "add_header". 4102 4103PH/15 Diagnose a filter syntax error for "seen", "unseen", or "noerror" if not 4104 not followed by a command (e.g. "seen endif"). 4105 4106PH/16 Recognize SMTP codes at the start of "message" in ACLs and after :fail: 4107 and :defer: in a redirect router. Add forbid_smtp_code to suppress the 4108 latter. 4109 4110PH/17 Added extra conditions to the default value of delay_warning_condition 4111 so that it is now: 4112 4113 ${if or { \ 4114 { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} } \ 4115 { match{$h_precedence:}{(?i)bulk|list|junk} } \ 4116 { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} } \ 4117 }{no}{yes}} 4118 4119 The Auto-Submitted: and various List- headers are standardised, whereas I 4120 don't think Precedence: ever was. 4121 4122PH/18 Refactored debugging code in route_finduser() to show more information, 4123 in particular, the error code if getpwnam() issues one. 4124 4125PH/19 Added PQsetClientEncoding(conn, "SQL_ASCII") to the pgsql code module. 4126 This is apparently needed in addition to the PH/07 change above to avoid 4127 any possible encoding problems. 4128 4129PH/20 Perl can change the locale. Exim was resetting it after a ${perl call, 4130 but not after initializing Perl. 4131 4132PH/21 Added a call to PQsetNoticeProcessor() to catch pgsql "notices" and 4133 output them only if debugging. By default they are written stderr, 4134 apparently, which is not desirable. 4135 4136PH/22 Added Alain Williams' LDAP patch to support setting REFERRALS=off on 4137 queries. 4138 4139JJ/01 exipick: added --reverse (and -R synonym), --random, --size, --sort and 4140 --not options 4141 4142JJ/02 exipick: rewrote --help documentation to hopefully make more clear. 4143 4144PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is 4145 authenticated or an ident call has been made. Suppress the default 4146 values for $authenticated_id and $authenticated_sender (but permit -oMai 4147 and -oMas) when testing with -bh. 4148 4149PH/24 Re-jigged the order of the tests in the default configuration so that the 4150 tests for valid domains and recipients precede the DNS black list and CSA 4151 tests, on the grounds that those ones are more expensive. 4152 4153PH/25 Exim was not testing for a space following SMTP commands such as EHLO 4154 that require one. Thus, EHLORHUBARB was interpreted as a valid command. 4155 This bug exists in every version of Exim that I still have, right back to 4156 0.12. 4157 4158PH/26 (n)wildlsearch lookups are documented as being done case-insensitively. 4159 However, an attempt to turn on case-sensitivity in a regex key by 4160 including (?-i) didn't work because the subject string was already 4161 lowercased, and the effects were non-intuitive. It turns out that a 4162 one-line patch can be used to allow (?-i) to work as expected. 4163 4164 4165Exim version 4.62 4166----------------- 4167 4168TF/01 Fix the add_header change below (4.61 PH/55) which had a bug that (amongst 4169 other effects) broke the use of negated acl sub-conditions. 4170 4171PH/01 ${readsocket now supports Internet domain sockets (modified John Jetmore 4172 patch). 4173 4174PH/02 When tcp-wrappers is called from Exim, it returns only "deny" or "allow". 4175 "Deny" causes Exim to reject the incoming connection with a 554 error. 4176 Unfortunately, if there is a major crisis, such as a disk failure, 4177 tcp-wrappers gives "deny", whereas what one would like would be some 4178 kind of temporary error. A kludge has been added to help with this. 4179 Before calling hosts_ctl(), errno is set zero. If the result is "deny", a 4180 554 error is used if errno is still zero or contains ENOENT (which occurs 4181 if either of the /etc/hosts.{allow,deny} files is missing). Otherwise, a 4182 451 error is used. 4183 4184PH/03 Add -lutil to the default FreeBSD LIBS setting. 4185 4186PH/04 Change PH/19 for 4.61 was too wide. It should not be applied to host 4187 errors. Otherwise a message that provokes a temporary error (when other 4188 messages do not) can cause a whole host to time out. 4189 4190PH/05 Batch deliveries by appendfile and pipe transports did not work when the 4191 addresses were routed directly to files or pipes from a redirect router. 4192 File deliveries just didn't batch; pipe deliveries might have suffered 4193 odd errors. 4194 4195PH/06 A failure to get a lock for a hints database would erroneously always say 4196 "Failed to get write lock", even when it was really a read lock. 4197 4198PH/07 The appendfile transport was creating MBX lock files with a fixed mode 4199 of 0600. This has been changed to use the value of the lockfile_mode 4200 option (which defaults to 0600). 4201 4202PH/08 Applied small patch from the Sieve maintainer. 4203 4204PH/09 If maildir_quota_directory_regex was set to exclude (say) the .Trash 4205 folder from quota calculations, a direct delivery into this folder messed 4206 up the contents of the maildirsize file. This was because the regex was 4207 used only to exclude .Trash (or whatever) when the size of the mailbox 4208 was calculated. There was no check that a delivery was happening into an 4209 excluded directory. This bug has been fixed by ignoring all quota 4210 processing for deliveries into excluded directories. 4211 4212PH/10 Added the maildirfolder_create_regex option to appendfile. 4213 4214 4215Exim version 4.61 4216----------------- 4217 4218PH/01 The code for finding all the local interface addresses on a FreeBSD 4219 system running IPv6 was broken. This may well have applied to all BSD 4220 systems, as well as to others that have similar system calls. The broken 4221 code found IPv4 interfaces correctly, but gave incorrect values for the 4222 IPv6 interfaces. In particular, ::1 was not found. The effect in Exim was 4223 that it would not match correctly against @[] and not recognize the IPv6 4224 addresses as local. 4225 4226PH/02 The ipliteral router was not recognizing addresses of the form user@ 4227 [ipv6:....] because it didn't know about the "ipv6:" prefix. 4228 4229PH/03 Added disable_ipv6. 4230 4231PH/04 Changed $reply_address to use the raw form of the headers instead of the 4232 decoded form, because it is most often used to construct To: headers 4233 lines in autoreplies, and the decoded form may well be syntactically 4234 invalid. However, $reply_address has leading white space removed, and all 4235 newlines turned into spaces so that the autoreply transport does not 4236 grumble. 4237 4238PH/05 If group was specified without a user on a router, and no group or user 4239 was specified on a transport, the group from the router was ignored. 4240 4241PH/06 Increased the number of ACL variables to 20 of each type, and arranged 4242 for visible compile-time settings that can be used to change these 4243 numbers, for those that want even more. Backwards compatibility with old 4244 spool files has been maintained. However, going back to a previous Exim 4245 release will lost any variables that are in spool files. 4246 4247PH/07 Two small changes when running in the test harness: increase delay when 4248 passing a TCP/IP connection to a new process, in case the original 4249 process has to generate a bounce, and remove special handling of 4250 127.0.0.2 (sic), which is no longer necessary. 4251 4252PH/08 Changed debug output of dbfn_open() flags from numbers to names, so as to 4253 be the same on different OS. 4254 4255PH/09 Moved a debug statement in filter processing to avoid a race problem when 4256 testing. 4257 4258JJ/01 exipick: fixed bug where -b (brief) output option showed "Vars:" 4259 whether --show-vars was specified or not 4260 4261JJ/02 exipick: Added support for new ACL variable spool format introduced 4262 in 4.61-PH/06 4263 4264PH/10 Fixed another bug related to PH/04 above: if an incoming message had a 4265 syntactically invalid From: or Reply-to: line, and a filter used this to 4266 generate an autoreply, and therefore failed to obtain an address for the 4267 autoreply, Exim could try to deliver to a non-existent relative file 4268 name, causing unrelated and misleading errors. What now happens is that 4269 it logs this as a hard delivery error, but does not attempt to create a 4270 bounce message. 4271 4272PH/11 The exinext utility has a -C option for testing purposes, but although 4273 the given file was scanned by exinext itself; it wasn't being passed on 4274 when Exim was called. 4275 4276PH/12 In the smtp transport, treat an explicit ECONNRESET error the same as 4277 an end-of-file indication when reading a command response. 4278 4279PH/13 Domain literals for IPv6 were not recognized unless IPv6 support was 4280 compiled. In many other places in Exim, IPv6 addresses are always 4281 recognized, so I have changed this. It also means that IPv4 domain 4282 literals of the form [IPV4:n.n.n.n] are now always recognized. 4283 4284PH/14 When a uid/gid is specified for the queryprogram router, it cannot be 4285 used if the router is not running as root, for example, when verifying at 4286 ACL time, or when using -bh. The debugging output from this situation was 4287 non-existent - all you got was a failure to exec. I have made two 4288 changes: 4289 4290 (a) Failures to set uid/gid, the current directory, or a process leader 4291 in a subprocess such as that created by queryprogram now generate 4292 suitable debugging output when -d is set. 4293 4294 (b) The queryprogram router detects when it is not running as root, 4295 outputs suitable debugging information if -d is set, and then runs 4296 the subprocess without attempting to change uid/gid. 4297 4298PH/15 Minor change to Makefile for building test_host (undocumented testing 4299 feature). 4300 4301PH/16 As discussed on the list in Nov/Dec: Exim no longer looks at the 4302 additional section of a DNS packet that returns MX or SRV records. 4303 Instead, it always explicitly searches for A/AAAA records. This avoids 4304 major problems that occur when a DNS server includes only records of one 4305 type (A or AAAA) in an MX/SRV packet. A byproduct of this change has 4306 fixed another bug: if SRV records were looked up and the corresponding 4307 address records were *not* found in the additional section, the port 4308 values from the SRV records were lost. 4309 4310PH/17 If a delivery to a pipe, file, or autoreply was deferred, Exim was not 4311 using the correct key (the original address) when searching the retry 4312 rules in order to find which one to use for generating the retry hint. 4313 4314PH/18 If quota_warn_message contains a From: header, Exim now refrains from 4315 adding the default one. Similarly, if it contains a Reply-To: header, the 4316 errors_reply_to option, if set, is not used. 4317 4318PH/19 When calculating a retry time, Exim used to measure the "time since 4319 failure" by looking at the "first failed" field in the retry record. Now 4320 it does not use this if it is later than than the arrival time of the 4321 message. Instead it uses the arrival time. This makes for better 4322 behaviour in cases where some deliveries succeed, thus re-setting the 4323 "first failed" field. An example is a quota failure for a huge message 4324 when small messages continue to be delivered. Without this change, the 4325 "time since failure" will always be short, possible causing more frequent 4326 delivery attempts for the huge message than are intended. 4327 [Note: This change was subsequently modified - see PH/04 for 4.62.] 4328 4329PH/20 Added $auth1, $auth2, $auth3 to contain authentication data (as well as 4330 $1, $2, $3) because the numerical variables can be reset during some 4331 expansion items (e.g. "match"), thereby losing the authentication data. 4332 4333PH/21 Make -bV show the size of off_t variables so that the test suite can 4334 decide whether to run tests for quotas > 2G. 4335 4336PH/22 Test the values given for quota, quota_filecount, quota_warn_threshold, 4337 mailbox_size, and mailbox_filecount in the appendfile transport. If a 4338 filecount value is greater than 2G or if a quota value is greater than 2G 4339 on a system where the size of off_t is not greater than 4, a panic error 4340 is given. 4341 4342PH/23 When a malformed item such as 1.2.3/24 appears in a host list, it can 4343 never match. The debug and -bh output now contains an explicit error 4344 message indicating a malformed IPv4 address or mask. 4345 4346PH/24 An host item such as 1.2.3.4/abc was being treated as the IP address 4347 1.2.3.4 without a mask. Now it is not recognized as an IP address, and 4348 PH/23 above applies. 4349 4350PH/25 Do not write to syslog when running in the test harness. The only 4351 occasion when this arises is a failure to open the main or panic logs 4352 (for which there is an explicit test). 4353 4354PH/26 Added the /no_tell option to "control=freeze". 4355 4356PH/27 If a host name lookup failed very early in a connection, for example, if 4357 the IP address matched host_lookup and the reverse lookup yielded a name 4358 that did not have a forward lookup, an error message of the form "no IP 4359 address found for host xxx.xxx.xxx (during SMTP connection from NULL)" 4360 could be logged. Now it outputs the IP address instead of "NULL". 4361 4362PH/28 An enabling patch from MH: add new function child_open_exim2() which 4363 allows the sender and the authenticated sender to be set when 4364 submitting a message from within Exim. Since child_open_exim() is 4365 documented for local_scan(), the new function should be too. 4366 4367PH/29 In GnuTLS, a forced expansion failure for tls_privatekey was not being 4368 ignored. In both GnuTLS and OpenSSL, an expansion of tls_privatekey that 4369 results in an empty string is now treated as unset. 4370 4371PH/30 Fix eximon buffer overflow bug (Bugzilla #73). 4372 4373PH/31 Added sender_verify_fail logging option. 4374 4375PH/32 In November 2003, the code in Exim that added an empty Bcc: header when 4376 needed by RFC 822 but not by RFC 2822 was commented out. I have now 4377 tidied the source and removed it altogether. 4378 4379PH/33 When a queue run was abandoned because the load average was too high, a 4380 log line was always written; now it is written only if the queue_run log 4381 selector is set. In addition, the log line for abandonment now contains 4382 information about the queue run such as the pid. This is always present 4383 in "start" and "stop" lines but was omitted from the "abandon" line. 4384 4385PH/34 Omit spaces between a header name and the colon in the error message that 4386 is given when verify = headers_syntax fails (if there are lots of them, 4387 the message gets confusing). 4388 4389PH/35 Change the default for dns_check_names_pattern to allow slashes within 4390 names, as there are now some PTR records that contain slashes. This check 4391 is only to protect against broken name servers that fall over on strange 4392 characters, so the fact that it applies to all lookups doesn't matter. 4393 4394PH/36 Now that the new test suite is complete, we can remove some of the 4395 special code in Exim that was needed for the old test suite. For example, 4396 sorting DNS records because real resolvers return them in an arbitrary 4397 order. The new test suite's fake resolver always returns records in the 4398 same order. 4399 4400PH/37 When running in the test harness, use -odi for submitted messages (e.g. 4401 bounces) except when queue_only is set, to avoid logging races between 4402 the different processes. 4403 4404PH/38 Panic-die if .include specifies a non-absolute path. 4405 4406PH/39 A tweak to the "H" retry rule from its user. 4407 4408JJ/03 exipick: Removed parentheses from 'next' and 'last' calls that specified 4409 a label. They prevented compilation on older perls. 4410 4411JJ/04 exipick: Refactored code to prevent implicit split to @_ which caused 4412 a warning to be raised on newish perls. 4413 4414JJ/05 exipick: Fixed bug where -bpc always showed a count of all messages 4415 on queue. Changes to match documented behaviour of showing count of 4416 messages matching specified criteria. 4417 4418PH/40 Changed the default ident timeout from 30s to 5s. 4419 4420PH/41 Added support for the use of login_cap features, on those BSD systems 4421 that have them, for controlling the resources used by pipe deliveries. 4422 4423PH/42 The content-scanning code uses fopen() to create files in which to put 4424 message data. Previously it was not paying any attention to the mode of 4425 the files. Exim runs with umask(0) because the rest of the code creates 4426 files with open(), and sets the required mode explicitly. Thus, these 4427 files were ending up world-writeable. This was not a big issue, because, 4428 being within the spool directory, they were not world-accessible. I have 4429 created a function called modefopen, which takes an additional mode 4430 argument. It sets umask(777), creates the file, chmods it to the required 4431 mode, then resets the umask. All the relevant calls to fopen() in the 4432 content scanning code have been changed to use this function. 4433 4434PH/43 If retry_interval_max is set greater than 24 hours, it is quietly reset 4435 to 24 hours. This avoids potential overflow problems when processing G 4436 and H retry rules. I suspect nobody ever tinkers with this value. 4437 4438PH/44 Added STRIP_COMMAND=/usr/bin/strip to the FreeBSD Makefile. 4439 4440PH/45 When the plaintext authenticator is running as a client, the server's 4441 challenges are checked to ensure they are valid base64 strings. By 4442 default, the authentication attempt is cancelled if an invalid string is 4443 received. Setting client_ignore_invalid_base64 true ignores these errors. 4444 The decoded challenge strings are now placed in $auth1, $auth2, etc. as 4445 they are received. Thus, the responses can be made to depend on the 4446 challenges. If an invalid string is ignored, an empty string is placed in 4447 the variable. 4448 4449PH/46 Messages that are created by the autoreply transport now contains a 4450 References: header, in accordance with RFCs 2822 and 3834. 4451 4452PH/47 Added authenticated_sender_force to the smtp transport. 4453 4454PH/48 The ${prvs expansion was broken on systems where time_t was long long. 4455 4456PH/49 Installed latest patch from the Sieve maintainer. 4457 4458PH/50 When an Exim quota was set without a file count quota, and mailbox_size 4459 was also set, the appendfile transport was unnecessarily scanning a 4460 directory of message files (e.g. for maildir delivery) to find the count 4461 of files (along with the size), even though it did not need this 4462 information. It now does the scan only if it needs to find either the 4463 size of the count of files. 4464 4465PH/51 Added ${time_eval: to convert Exim time strings into seconds. 4466 4467PH/52 Two bugs concerned with error handling when the smtp transport is 4468 used in LMTP mode: 4469 4470 (i) Exim was not creating retry information for temporary errors given 4471 for individual recipients after the DATA command when the smtp transport 4472 was used in LMTP mode. This meant that they could be retried too 4473 frequently, and not timed out correctly. 4474 4475 (ii) Exim was setting the flag that allows error details to be returned 4476 for LMTP errors on RCPT commands, but not for LMTP errors for individual 4477 recipients that were returned after the DATA command. 4478 4479PH/53 This is related to PH/52, but is more general: for any failing address, 4480 when detailed error information was permitted to be returned to the 4481 sender, but the error was temporary, then after the final timeout, only 4482 "retry timeout exceeded" was returned. Now it returns the full error as 4483 well as "retry timeout exceeded". 4484 4485PH/54 Added control=allow_auth_unadvertised, as it seems there are clients that 4486 do this, and (what is worse) MTAs that accept it. 4487 4488PH/55 Added the add_header modified to ACLs. The use of "message" with "warn" 4489 will now be deprecated. 4490 4491PH/56 New os.c-cygwin from the Cygwin maintainer. 4492 4493JJ/06 exipick: added --unsorted option to allow unsorted output in all output 4494 formats (previously only available in exim formats via -bpr, -bpru, 4495 and -bpra. Now also available in native and exiqgrep formats) 4496 4497JJ/07 exipick: added --freeze and --thaw options to allow faster interaction 4498 with very large, slow to parse queues 4499 4500JJ/08 exipick: added ! as generic prefix to negate any criteria format 4501 4502JJ/09 exipick: miscellaneous performance enhancements (~24% improvements) 4503 4504PH/57 Tidies in SMTP dialogue display in debug output: (i) It was not showing 4505 responses to authentication challenges, though it was showing the 4506 challenges; (ii) I've removed the CR characters from the debug output for 4507 SMTP output lines. 4508 4509PH/58 Allow for the insertion of a newline as well as a space when a string 4510 is turned into more than one encoded-word during RFC 2047 encoding. The 4511 Sieve code now uses this. 4512 4513PH/59 Added the following errors that can be detected in retry rules: mail_4xx, 4514 data_4xx, lost_connection, tls_required. 4515 4516PH/60 When a VRFY deferred or FAILED, the log message rather than the user 4517 message was being sent as an SMTP response. 4518 4519PH/61 Add -l and -k options to exicyclog. 4520 4521PH/62 When verifying, if an address was redirected to one new address, so that 4522 verification continued, and the new address failed or deferred after 4523 having set something in $address_data, the value of $address_data was not 4524 passed back to the ACL. This was different to the case when no 4525 redirection occurred. The value is now passed back in both cases. 4526 4527PH/63 Changed the macro HAVE_LOGIN_CAP (see PH/41 for this release above) to 4528 HAVE_SETCLASSRESOURCES because there are different APIs in use that all 4529 use login_cap.h, so on its own it isn't the distinguishing feature. The 4530 new name refers directly to the setclassresources() function. 4531 4532PH/65 Added configuration files for NetBSD3. 4533 4534PH/66 Updated OS/Makefile-HP-UX for gcc 4.1.0 with HP-UX 11. 4535 4536PH/67 Fixed minor infelicity in the sorting of addresses to ensure that IPv6 4537 is preferred over IPv4. 4538 4539PH/68 The bounce_return_message and bounce_return_body options were not being 4540 honoured for bounces generated during the reception of non-SMTP messages. 4541 In particular, this applied to messages rejected by the ACL. This bug has 4542 been fixed. However, if bounce_return_message is true and bounce_return_ 4543 body is false, the headers that are returned for a non-SMTP message 4544 include only those that have been read before the error was detected. 4545 (In the case of an ACL rejection, they have all been read.) 4546 4547PH/69 The HTML version of the specification is now built in a directory called 4548 spec_html instead of spec.html, because the latter looks like a path with 4549 a MIME-type, and this confuses some software. 4550 4551PH/70 Catch two compiler warnings in sieve.c. 4552 4553PH/71 Fixed an obscure and subtle bug (thanks Alexander & Matthias). The 4554 function verify_get_ident() calls ip_connect() to connect a socket, but 4555 if the "connect()" function timed out, ip_connect() used to close the 4556 socket. However, verify_get_ident() also closes the socket later, and in 4557 between Exim writes to the log, which may get opened at this point. When 4558 the socket was closed in ip_connect(), the log could get the same file 4559 descriptor number as the socket. This naturally causes chaos. The fix is 4560 not to close the socket in ip_connect(); the socket should be closed by 4561 the function that creates it. There was only one place in the code where 4562 this was missing, in the iplookup router, which I don't think anybody now 4563 uses, but I've fixed it anyway. 4564 4565PH/72 Make dns_again_means_nonexist apply to lookups using gethostbyname() as 4566 well as to direct DNS lookups. Otherwise the handling of names in host 4567 lists is inconsistent and therefore confusing. 4568 4569 4570Exim version 4.60 4571----------------- 4572 4573PH/01 Two changes to the default runtime configuration: 4574 4575 (1) Move the checks for relay_from_hosts and authenticated clients from 4576 after to before the (commented out) DNS black list checks. 4577 4578 (2) Add control=submission to the relay_from_hosts and authenticated 4579 clients checks, on the grounds that messages accepted by these 4580 statements are most likely to be submissions. 4581 4582PH/02 Several tidies to the handling of ${prvs and ${prvscheck: 4583 4584 (1) Generate an error if the third argument for the ${prvs expansion is 4585 not a single digit. 4586 4587 (2) Treat a missing third argument of ${prvscheck as if it were an empty 4588 string. 4589 4590 (3) Reset the variables that are obtained from the first argument of 4591 ${prvscheck and used in the second argument before leaving the code, 4592 because their memory is reclaimed, so using them afterwards may do 4593 silly things. 4594 4595 (4) Tidy up the code for expanding the arguments of ${prvscheck one by 4596 one (it's much easier than Tom thought :-). 4597 4598 (5) Because of (4), we can now allow for the use of $prvscheck_result 4599 inside the third argument. 4600 4601PH/03 For some reason, the default setting of PATH when running a command from 4602 a pipe transport was just "/usr/bin". I have changed it to 4603 "/bin:/usr/bin". 4604 4605PH/04 SUPPORT_TRANSLATE_IP_ADDRESS and MOVE_FROZEN_MESSAGES did not cause 4606 anything to be listed in the output from -bV. 4607 4608PH/05 When a filter generated an autoreply, the entire To: header line was 4609 quoted in the delivery log line, like this: 4610 4611 => >A.N.Other <ano@some.domain> <original@ddress> ... 4612 4613 This has been changed so that it extracts the operative address. There 4614 may be more than one such address. If so, they are comma-separated, like 4615 this: 4616 4617 => >ano@some.domain,ona@other.domain <original@ddress> ... 4618 4619PH/06 When a client host used a correct literal IP address in a HELO or EHLO 4620 command, (for example, EHLO [1.2.3.4]) and the client's IP address was 4621 not being looked up in the rDNS to get a host name, Exim was showing the 4622 IP address twice in Received: lines, even though the IP addresses were 4623 identical. For example: 4624 4625 Received: from [1.2.3.4] (helo=[1.2.3.4]) 4626 4627 However, if the real host name was known, it was omitting the HELO data 4628 if it matched the actual IP address. This has been tidied up so that it 4629 doesn't show the same IP address twice. 4630 4631PH/07 When both +timestamp and +memory debugging was on, the value given by 4632 $tod_xxx expansions could be wrong, because the tod_stamp() function was 4633 called by the debug printing, thereby overwriting the timestamp buffer. 4634 Debugging no longer uses the tod_stamp() function when +timestamp is set. 4635 4636PH/08 When the original message was included in an autoreply transport, it 4637 always said "this is a copy of the message, including all the headers", 4638 even if body_only or headers_only was set. It now gives an appropriate 4639 message. 4640 4641PH/09 Applied a patch from the Sieve maintainer which: 4642 4643 o fixes some comments 4644 o adds the (disabled) notify extension core 4645 o adds some debug output for the result of if/elsif tests 4646 o points to the current vacation draft in the documentation 4647 and documents the missing references header update 4648 4649 and most important: 4650 4651 o fixes a bug in processing the envelope test (when testing 4652 multiple envelope elements, the last element determined the 4653 result) 4654 4655PH/10 Exim was violating RFC 3834 ("Recommendations for Automatic Responses to 4656 Electronic Mail") by including: 4657 4658 Auto-submitted: auto-generated 4659 4660 in the messages that it generates (bounce messages and others, such as 4661 warnings). In the case of bounce messages for non-SMTP messages, there was 4662 also a typo: it was using "Auto_submitted" (underscore instead of 4663 hyphen). Since every message generated by Exim is necessarily in response 4664 to another message, thes have all been changed to: 4665 4666 Auto-Submitted: auto-replied 4667 4668 in accordance with these statements in the RFC: 4669 4670 The auto-replied keyword: 4671 4672 - SHOULD be used on messages sent in direct response to another 4673 message by an automatic process, 4674 4675 - MUST NOT be used on manually-generated messages, 4676 4677 - MAY be used on Delivery Status Notifications (DSNs) and Message 4678 Disposition Notifications (MDNs), 4679 4680 - MUST NOT be used on messages generated by automatic or periodic 4681 processes, except for messages which are automatic responses to 4682 other messages. 4683 4684PH/11 Added "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}" 4685 to the default Received: header definition. 4686 4687PH/12 Added log selector acl_warn_skipped (default on). 4688 4689PH/13 After a successful wildlsearch lookup, discard the values of numeric 4690 variables because (a) they are in the wrong storage pool and (b) even if 4691 they were copied, it wouldn't work properly because of the caching. 4692 4693PH/14 Add check_rfc2047_length to disable enforcement of RFC 2047 length 4694 checking when decoding. Apparently there are clients that generate 4695 overlong encoded strings. Why am I not surprised? 4696 4697PH/15 If the first argument of "${if match_address" was not empty, but did not 4698 contain an "@" character, Exim crashed. Now it writes a panic log message 4699 and treats the condition as false. 4700 4701PH/16 In autoreply, treat an empty string for "once" the same as unset. 4702 4703PH/17 A further patch from the Sieve maintainer: "Introduce the new Sieve 4704 extension "envelope-auth". The code is finished and in agreement with 4705 other implementations, but there is no documentation so far and in fact, 4706 nobody wrote the draft yet. This extension is currently #undef'ed, thus 4707 not changing the active code. 4708 4709 Print executed "if" and "elsif" statements when debugging is used. This 4710 helps a great deal to understand what a filter does. 4711 4712 Document more things not specified clearly in RFC3028. I had all this 4713 sorted out, when out of a sudden new issues came to my mind. Oops." 4714 4715PH/18 Exim was not recognizing the "net-" search type prefix in match_ip lists 4716 (Bugzilla #53). 4717 4718PH/19 Exim expands the IPv6 address given to -bh to its full non-abbreviated 4719 canonical form (as documented). However, after a host name lookup from 4720 the IP address, check_host() was doing a simple string comparison with 4721 addresses acquired from the DNS when checking that the found name did 4722 have the original IP as one of its addresses. Since any found IPv6 4723 addresses are likely to be in abbreviated form, the comparison could 4724 fail. Luckily, there already exists a function for doing the comparison 4725 by converting both addresses to binary, so now that is used instead of 4726 the text comparison. 4727 4728PH/20 There was another similar case to PH/19, when a complete host name was 4729 given in a host list; looking up its IP address could give an abbreviated 4730 form, whereas the current host's name might or might not be abbreviated. 4731 The same fix has been applied. 4732 4733 4734Exim version 4.54 4735----------------- 4736 4737PH/01 The ${base62: operator adjusted itself to base 36 when BASE_62 was 4738 set to 36 (for Darwin and Cygwin), but the ${base62d: operator did not. 4739 It now does. 4740 4741PH/02 Two minor problems detected in Cygwin: the os.{c,h} files had lost */ on 4742 the CVS lines, and there was a missing #if HAVE_IPV6 in host.c. 4743 4744PH/03 Typo: missing ".o" in src/pcre/Makefile. 4745 4746PH/04 Tighten up "personal" tests: Instead of testing for any "List-" 4747 header line, restrict the check to what is listed in RFCs 2369 and 2929. 4748 Also, for "Auto-Submitted", treat anything other than "no" as 4749 non-personal, in accordance with RFC 3834. (Previously it treated 4750 anything starting "auto-" as non-personal.) 4751 4752TF/01 The control=submission/name=... option had a problem with syntax 4753 errors if the name included a slash character. The /name= option 4754 now slurps the rest of the string, so it can include any characters 4755 but it must come last in the list of options (after /sender_retain 4756 or /domain=). 4757 4758PH/05 Some modifications to the interface to the fake nameserver for the new 4759 testing suite. 4760 4761 4762 4763Exim version 4.53 4764----------------- 4765 4766TK/01 Added the "success_on_redirect" address verification option. See 4767 NewStuff for rationale and an example. 4768 4769PH/01 Added support for SQLite, basic code supplied by David Woodhouse. 4770 4771PH/02 Patch to exigrep to allow it to work on syslog lines. 4772 4773PH/03 When creating an mbox file for a virus/spam scan, use fseek() instead of 4774 fread() to skip over the body file's header line, because in Cygwin the 4775 header line is locked and is inaccessible. 4776 4777PH/04 Added $message_exim_id, ultimately to replace $message_id (they will both 4778 co-exist for some time) to make it clear that it is the Exim ID that is 4779 referenced, not the Message-ID: header line. 4780 4781PH/05 Replaced all Tom's calls to snprintf() with calls to the internal 4782 string_format() function, because snprintf() does not exist on all 4783 operating systems. 4784 4785PH/06 The use of forbid_filter_existstest now also locks out the use of the 4786 ${stat: expansion item. 4787 4788PH/07 Changed "SMTP protocol violation: synchronization error" into "SMTP 4789 protocol synchronization error", to keep the pedants happy. 4790 4791PH/08 Arrange for USE_INET_NTOA_FIX to be set in config.h for AIX systems as 4792 well as for IRIX systems, when gcc is being used. See the host.c source 4793 file for comments. 4794 4795PH/09 Installed latest Cygwin configuration files from the Cygwin maintainer. 4796 4797PH/10 Named domain lists were not working if used in a queue_smtp_domains 4798 setting. 4799 4800PH/11 Added support for the IGNOREQUOTA extension to LMTP, both to the lmtp 4801 transport and to the smtp transport in LMTP mode. 4802 4803TK/02 Remove one case of BASE64 error detection FTTB (undocumented anyway). 4804 4805PH/12 There was a missing call to search_tidyup() before the fork() in rda.c to 4806 run a filter in a subprocess. This could lead to confusion in subsequent 4807 lookups in the parent process. There should also be a search_tidyup() at 4808 the end of the subprocess. 4809 4810PH/13 Previously, if "verify = helo" was set in an ACL, the condition was true 4811 only if the host matched helo_try_verify_hosts, which caused the 4812 verification to occur when the EHLO/HELO command was issued. The ACL just 4813 tested the remembered result. Now, if a previous verification attempt has 4814 not happened, "verify = helo" does it there and then. 4815 4816JJ/01 exipick: added $message_exim_id variable (see 4.53-PH/04) 4817 4818TK/03 Fix log output including CR from clamd. 4819 4820PH/14 A reference to $reply_address when Reply-to: was empty and From: did not 4821 exist provoked a memory error which could cause a segfault. 4822 4823PH/15 Installed PCRE 6.2 4824 4825PH/17 Defined BIND_8_COMPAT in the Darwin os.h file. 4826 4827PH/18 Reversed 4.52/PH/17 because the HP-UX user found it wasn't the cause 4828 of the problem. Specifically, suggested +O2 rather than +O1 for the 4829 HP-UX compiler. 4830 4831PH/19 Added sqlite_lock_timeout option (David Woodhouse's patch). 4832 4833PH/20 If a delivery was routed to a non-standard port by means of an SRV 4834 record, the port was not correctly logged when the outgoing_port log 4835 selector was set (it logged the transort's default port). 4836 4837PH/21 Added support for host-specific ports to manualroute, queryprogram, 4838 fallback_hosts, and "hosts" in the smtp transport. 4839 4840PH/22 If the log selector "outgoing_port" is set, the port is now also given on 4841 host errors such as "Connection refused". 4842 4843PH/23 Applied a patch to fix problems with exim-4.52 while doing radius 4844 authentication with radiusclient 0.4.9: 4845 4846 - Error returned from rc_read_config was caught wrongly 4847 - Username/password not passed on to radius server due to wrong length. 4848 4849 The presumption is that some radiusclient API changes for 4.51/PH/17 4850 were not taken care of correctly. The code is still untested by me (my 4851 Linux distribution still has 0.3.2 of radiusclient), but it was 4852 contributed by a Radius user. 4853 4854PH/24 When doing a callout, the value of $domain wasn't set correctly when 4855 expanding the "port" option of the smtp transport. 4856 4857TK/04 MIME ACL: Fix buffer underrun that occurs when EOF condition is met 4858 while reading a MIME header. Thanks to Tom Hughes for a patch. 4859 4860PH/24 Include config.h inside local_scan.h so that configuration settings are 4861 available. 4862 4863PH/25 Make $smtp_command_argument available after all SMTP commands. This means 4864 that in an ACL for RCPT (for example), you can examine exactly what was 4865 received. 4866 4867PH/26 Exim was recognizing IPv6 addresses of the form [IPv6:....] in EHLO 4868 commands, but it was not correctly comparing the address with the actual 4869 client host address. Thus, it would show the EHLO address in Received: 4870 header lines when this was not necessary. 4871 4872PH/27 Added the % operator to ${eval:}. 4873 4874PH/28 Exim tries to create and chdir to its spool directory when it starts; 4875 it should be ignoring failures (because with -C, for example, it has lost 4876 privilege). It wasn't ignoring creation failures other than "already 4877 exists". 4878 4879PH/29 Added "crypteq" to the list of supported features that Exim outputs when 4880 -bV or -d is used. 4881 4882PH/30 Fixed (presumably very longstanding) bug in exim_dbmbuild: if it failed 4883 because an input line was too long, either on its own, or by virtue of 4884 too many continuations, the temporary file was not being removed, and the 4885 return code was incorrect. 4886 4887PH/31 Missing "BOOL" in function definition in filtertest.c. 4888 4889PH/32 Applied Sieve patches from the maintainer. 4890 4891TK/05 Domainkeys: Accomodate for a minor API change in libdomainkeys 0.67. 4892 4893PH/33 Added "verify = not_blind". 4894 4895PH/34 There are settings for CHOWN_COMMAND and MV_COMMAND that can be used in 4896 Local/Makefile (with some defaults set). These are used in built scripts 4897 such as exicyclog, but they have never been used in the exim_install 4898 script (though there are many overriding facilities there). I have 4899 arranged that the exim_install script now takes note of these two 4900 settings. 4901 4902PH/35 Installed configuration files for Dragonfly. 4903 4904PH/36 When a locally submitted message by a trusted user did not contain a 4905 From: header, and the sender address was obtained from -f or from an SMTP 4906 MAIL command, and the trusted user did not use -F to supply a sender 4907 name, $originator_name was incorrectly used when constructing a From: 4908 header. Furthermore, $originator_name was used for submission mode 4909 messages from external hosts without From: headers in a similar way, 4910 which is clearly wrong. 4911 4912PH/37 Added control=suppress_local_fixups. 4913 4914PH/38 When log_selector = +received_sender was set, and the addition of the 4915 sender made the log line's construction buffer exactly full, or one byte 4916 less than full, an overflow happened when the terminating "\n" was 4917 subsequently added. 4918 4919PH/39 Added a new log selector, "unknown_in_list", which provokes a log entry 4920 when the result of a list match is failure because a DNS lookup failed. 4921 4922PH/40 RM_COMMAND is now used in the building process. 4923 4924PH/41 Added a "distclean" target to the top-level Makefile; it deletes all 4925 the "build-* directories that it finds. 4926 4927PH/42 (But a TF fix): In a domain list, Exim incorrectly matched @[] if the IP 4928 address in a domain literal was a prefix of an interface address. 4929 4930PH/43 (Again a TF fix): In the dnslookup router, do not apply widen_domains 4931 when verifying a sender address, unless rewrite_headers is false. 4932 4933PH/44 Wrote a long comment about why errors_to addresses are verified as 4934 recipients, not senders. 4935 4936TF/01 Add missing LIBS=-lm to OS/Makefile-OpenBSD which was overlooked when 4937 the ratelimit ACL was added. 4938 4939PH/45 Added $smtp_command for the full command (cf $smtp_command_argument). 4940 4941PH/46 Added extra information about PostgreSQL errors to the error string. 4942 4943PH/47 Added an interface to a fake DNS resolver for use by the new test suite, 4944 avoiding the need to install special zones in a real server. This is 4945 backwards compatible; if it can't find the fake resolver, it drops back. 4946 Thus, both old and new test suites can be run. 4947 4948TF/02 Added util/ratelimit.pl 4949 4950TF/03 Minor fix to the ratelimit code to improve its behaviour in case the 4951 clock is set back in time. 4952 4953TF/04 Fix the ratelimit support in exim_fixdb. Patch provided by Brian 4954 Candler <B.Candler@pobox.com>. 4955 4956TF/05 The fix for PH/43 was not completely correct; widen_domains is always 4957 OK for addresses that are the result of redirections. 4958 4959PH/48 A number of further additions for the benefit of the new test suite, 4960 including a fake gethostbyname() that interfaces to the fake DNS resolver 4961 (see PH/47 above). 4962 4963TF/06 The fix for widen_domains has also been applied to qualify_single and 4964 search_parents which are the other dnslookup options that can cause 4965 header rewrites. 4966 4967PH/49 Michael Haardt's randomized retrying, but as a separate retry parameter 4968 type ("H"). 4969 4970PH/50 Make never_users, trusted_users, admin_groups, trusted_groups expandable. 4971 4972TF/07 Exim produced the error message "an SRV record indicated no SMTP 4973 service" if it encountered an MX record with an empty target hostname. 4974 The message is now "an MX or SRV record indicated no SMTP service". 4975 4976TF/08 Change PH/13 introduced the possibility that verify=helo may defer, 4977 if the DNS of the sending site is misconfigured. This is quite a 4978 common situation. This change restores the behaviour of treating a 4979 helo verification defer as a failure. 4980 4981PH/51 If self=fail was set on a router, the bounce message did not include the 4982 actual error message. 4983 4984 4985Exim version 4.52 4986----------------- 4987 4988TF/01 Added support for Client SMTP Authorization. See NewStuff for details. 4989 4990PH/01 When a transport filter timed out in a pipe delivery, and the pipe 4991 command itself ended in error, the underlying message about the transport 4992 filter timeout was being overwritten with the pipe command error. Now the 4993 underlying error message should be appended to the second error message. 4994 4995TK/01 Fix poll() being unavailable on Mac OSX 10.2. 4996 4997PH/02 Reduce the amount of output that "make" produces by default. Full output 4998 can still be requested. 4999 5000PH/03 The warning log line about a condition test deferring for a "warn" verb 5001 was being output only once per connection, rather than after each 5002 occurrence (because it was using the same function as for successful 5003 "warn" verbs). This seems wrong, so I have changed it. 5004 5005TF/02 Two buglets in acl.c which caused Exim to read a few bytes of memory that 5006 it should not have, which might have caused a crash in the right 5007 circumstances, but probably never did. 5008 5009PH/04 Installed a modified version of Tony Finch's patch to make submission 5010 mode fix the return path as well as the Sender: header line, and to 5011 add a /name= option so that you can make the user's friendly name appear 5012 in the header line. 5013 5014TF/03 Added the control = fakedefer ACL modifier. 5015 5016TF/04 Added the ratelimit ACL condition. See NewStuff for details. Thanks to 5017 Mark Lowes for thorough testing. 5018 5019TK/02 Rewrote SPF support to work with libspf2 versions >1.2.0. 5020 5021TK/03 Merged latest SRS patch from Miles Wilton. 5022 5023PH/05 There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts 5024 with the definition in sysexits.h (which is #included earlier). 5025 Fortunately, Exim does not actually use EX_OK. The code used to try to 5026 preserve the sysexits.h value, by assuming that macro definitions were 5027 scanned for macro replacements. I have been disabused of this notion, 5028 so now the code just undefines EX_OK before #including unistd.h. 5029 5030PH/06 There is a timeout for writing blocks of data, set by, e.g. data_timeout 5031 in the smtp transport. When a block could not be written in a single 5032 write() function, the timeout was being re-applied to each part-write. 5033 This seems wrong - if the receiver was accepting one byte at a time it 5034 would take for ever. The timeout is now adjusted when this happens. It 5035 doesn't have to be particularly precise. 5036 5037TK/04 Added simple SPF lookup method in EXPERIMENTAL_SPF. See NewStuff for 5038 details. Thanks to Chris Webb <chris@arachsys.com> for the patch! 5039 5040PH/07 Added "fullpostmaster" verify option, which does a check to <postmaster> 5041 without a domain if the check to <postmaster@domain> fails. 5042 5043SC/01 Eximstats: added -xls and the ability to specify output files 5044 (patch written by Frank Heydlauf). 5045 5046SC/02 Eximstats: use FileHandles for outputting results. 5047 5048SC/03 Eximstats: allow any combination of xls, txt, and html output. 5049 5050SC/04 Eximstats: fixed display of large numbers with -nvr option 5051 5052SC/05 Eximstats: fixed merging of reports with empty tables. 5053 5054SC/06 Eximstats: added the -include_original_destination flag 5055 5056SC/07 Eximstats: removed tabs and trailing whitespace. 5057 5058TK/05 Malware: Improve on aveserver error handling. Patch from Alex Miller. 5059 5060TK/06 MBOX spool code: Add real "From " MBOX separator line 5061 so the .eml file is really in mbox format (even though 5062 most programs do not really care). Patch from Alex Miller. 5063 5064TK/07 MBOX spool code: Add X-Envelope-From: and X-Envelope-To: headers. 5065 The latter is generated from $received_to and is only set if the 5066 message has one envelope recipient. SA can use these headers, 5067 obviously out-of-the-box. Patch from Alex Miller. 5068 5069PH/08 The ${def test on a variable was returning false if the variable's 5070 value was "0", contrary to what the specification has always said! 5071 The result should be true unless the variable is empty. 5072 5073PH/09 The syntax error of a character other than { following "${if 5074 def:variable_name" (after optional whitespace) was not being diagnosed. 5075 An expansion such as ${if def:sender_ident:{xxx}{yyy}} in which an 5076 accidental colon was present, for example, could give incorrect results. 5077 5078PH/10 Tidied the code in a number of places where the st_size field of a stat() 5079 result is used (not including appendfile, where other changes are about 5080 to be made). 5081 5082PH/11 Upgraded appendfile so that quotas larger than 2G are now supported. 5083 This involved changing a lot of size variables from int to off_t. It 5084 should work with maildirs and everything. 5085 5086TK/08 Apply fix provided by Michael Haardt to prevent deadlock in case of 5087 spamd dying while we are connected to it. 5088 5089TF/05 Fixed a ${extract error message typo reported by Jeremy Harris 5090 <jgh@wizmail.org> 5091 5092PH/12 Applied Alex Kiernan's patch for the API change for the error callback 5093 function for BDB 4.3. 5094 5095PH/13 Changed auto_thaw such that it does not apply to bounce messages. 5096 5097PH/14 Imported PCRE 6.0; this was more than just a trivial operation because 5098 the sources for PCRE have been re-arranged and more files are now 5099 involved. 5100 5101PH/15 The code I had for printing potentially long long variables in PH/11 5102 above was not the best (it lost precision). The length of off_t variables 5103 is now inspected at build time, and an appropriate printing format (%ld 5104 or %lld) is chosen and #defined by OFF_T_FMT. We also define LONGLONG_T 5105 to be "long long int" or "long int". This is needed for the internal 5106 formatting function string_vformat(). 5107 5108PH/16 Applied Matthew Newton's patch to exicyclog: "If log_file_path is set in 5109 the configuration file to be ":syslog", then the script "guesses" where 5110 the logs files are, rather than using the compiled in default. In our 5111 case the guess is not the same as the compiled default, so the script 5112 suddenly stopped working when I started to use syslog. The patch checks 5113 to see if log_file_path is "". If so, it attempts to read it from exim 5114 with no configuration file to get the compiled in version, before it 5115 falls back to the previous guessing code." 5116 5117TK/09 Added "prvs" and "prvscheck" expansion items. These help a lot with 5118 implementing BATV in an Exim configuration. See NewStuff for the gory 5119 details. 5120 5121PH/17 Applied Michael Haardt's patch for HP-UX, affecting only the os.h and 5122 Makefile that are specific to HP-UX. 5123 5124PH/18 If the "use_postmaster" option was set for a recipient callout together 5125 with the "random" option, the postmaster address was used as the MAIL 5126 FROM address for the random test, but not for the subsequent recipient 5127 test. It is now used for both. 5128 5129PH/19 Applied Michael Haardt's patch to update Sieve to RFC3028bis. "The 5130 patch removes a few documentation additions to RFC 3028, because the 5131 latest draft now contains them. It adds the new en;ascii-case comparator 5132 and a new error check for 8bit text in MIME parts. Comparator and 5133 require names are now matched exactly. I enabled the subaddress 5134 extension, but it is not well tested yet (read: it works for me)." 5135 5136PH/20 Added macros for time_t as for off_t (see PH/15 above) and used them to 5137 rework some of the code of TK/09 above to avoid the hardwired use of 5138 "%lld" and "long long". Replaced the call to snprintf() with a call to 5139 string_vformat(). 5140 5141PH/21 Added some other messages to those in 4.51/PH/42, namely "All relevant MX 5142 records point to non-existent hosts", "retry timeout exceeded", and 5143 "retry time not reached for any host after a long failure period". 5144 5145PH/22 Fixed some oversights/typos causing bugs when Exim is compiled with 5146 experimental DomainKeys support: 5147 5148 (1) The filter variables $n0-$n9 and $sn0-$sn9 were broken. 5149 (2) On an error such as an illegally used "control", the wrong name for 5150 the control was given. 5151 5152 These problems did NOT occur unless DomainKeys support was compiled. 5153 5154PH/23 Added daemon_startup_retries and daemon_startup_sleep. 5155 5156PH/24 Added ${if match_ip condition. 5157 5158PH/25 Put debug statements on either side of calls to EXIM_DBOPEN() for hints 5159 databases so that it will be absolutely obvious if a crash occurs in the 5160 DB library. This is a regular occurrence (often caused by mis-matched 5161 db.h files). 5162 5163PH/26 Insert a lot of missing (void) casts for functions such as chown(), 5164 chmod(), fcntl(), sscanf(), and other functions from stdio.h. These were 5165 picked up on a user's system that detects such things. There doesn't seem 5166 to be a gcc warning option for this - only an attribute that has to be 5167 put on the function's prototype. It seems that in Fedora Core 4 they have 5168 set this on a number of new functions. No doubt there will be more in due 5169 course. 5170 5171PH/27 If a dnslookup or manualroute router is set with verify=only, it need not 5172 specify a transport. However, if an address that was verified by such a 5173 router was the subject of a callout, Exim crashed because it tried to 5174 read the rcpt_include_affixes from the non-existent transport. Now it 5175 just assumes that the setting of that option is false. This bug was 5176 introduced by 4.51/PH/31. 5177 5178PH/28 Changed -d+all to exclude +memory, because that information is very 5179 rarely of interest, but it makes the output a lot bigger. People tend to 5180 do -d+all out of habit. 5181 5182PH/29 Removed support for the Linux-libc5 build, as it is obsolete and the 5183 code in os-type was giving problems when libc.so lives in lib64, like on 5184 x86_64 Fedora Core. 5185 5186PH/30 Exim's DNS code uses the original T_xxx names for DNS record times. These 5187 aren't the modern standard, and it seems that some systems' include files 5188 don't always have them. Exim was already checking for some of the newer 5189 ones like T_AAAA, and defining it itself. I've added checks for all the 5190 record types that Exim uses. 5191 5192PH/31 When using GnuTLS, if the parameters cache file did not exist, Exim was 5193 not automatically generating a new one, as it is supposed to. This 5194 prevented TLS from working. If the file did exist, but contained invalid 5195 data, a new version was generated, as expected. It was only the case of a 5196 non-existent file that was broken. 5197 5198TK/10 Domainkeys: Fix a bug in verification that caused a crash in conjunction 5199 with a change in libdomainkeys > 0.64. 5200 5201TK/11 Domainkeys: Change the logic how the "testing" policy flag is retrieved 5202 from DNS. If the selector record carries the flag, it now has 5203 precedence over the domain-wide flag. 5204 5205TK/12 Cleared some compiler warnings related to SPF, SRS and DK code. 5206 5207PH/32 In mua_wrapper mode, if an smtp transport configuration error (such as 5208 the use of a port name that isn't defined in /etc/services) occurred, the 5209 message was deferred as in a normal delivery, and thus remained on the 5210 spool, instead of being failed because of the mua_wrapper setting. This 5211 is now fixed, and I tidied up some of the mua_wrapper messages at the 5212 same time. 5213 5214SC/08 Eximstats: whilst parsing the mainlog(s), store information about 5215 the messages in a hash of arrays rather than using individual hashes. 5216 This is a bit cleaner and results in dramatic memory savings, albeit 5217 at a slight CPU cost. 5218 5219SC/09 Eximstats: added the -show_rt<list> and the -show_dt<list> flags 5220 as requested by Marc Sherman. 5221 5222SC/10 Eximstats: added histograms for user specified patterns as requested 5223 by Marc Sherman. 5224 5225SC/11 Eximstats: v1.43 - bugfix for pattern histograms with -h0 specified. 5226 5227PH/33 Patch from the Cygwin maintainer to add "b" to all occurences of 5228 fopen() in the content-scanning modules that did not already have it. 5229 5230 5231Exim version 4.51 5232----------------- 5233 5234TK/01 Added Yahoo DomainKeys support via libdomainkeys. See 5235 doc/experimental-spec.txt for details. (http://domainkeys.sf.net) 5236 5237TK/02 Fix ACL "control" statement not being available in MIME ACL. 5238 5239TK/03 Fix ACL "regex" condition not being available in MIME ACL. 5240 5241PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used 5242 to test Sieve filters that use "vacation". 5243 5244PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch 5245 that changes the way the GnuTLS parameters are stored in the cache file. 5246 The new format can be generated externally. For backward compatibility, 5247 if the data in the cache doesn't make sense, Exim assumes it has read an 5248 old-format file, and it generates new data and writes a new file. This 5249 means that you can't go back to an older release without removing the 5250 file. 5251 5252PH/03 A redirect router that has both "unseen" and "one_time" set does not 5253 work if there are any delivery delays because "one_time" forces the 5254 parent to be marked "delivered", so its unseen clone is never tried 5255 again. For this reason, Exim now forbids the simultaneous setting of 5256 these two options. 5257 5258PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are 5259 redirected to themselves ("homonym" addresses). Read the long ChangeLog 5260 entry if you want to know the details. The fix, however, neglected to 5261 consider the case when local delivery batching is involved. The test for 5262 "previously delivered" was not happening when checking to see if an 5263 address could be batched with a previous (undelivered) one; under 5264 certain circumstances this could lead to multiple deliveries to the same 5265 address. 5266 5267PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T 5268 in its include files, and this causes problems building Exim. 5269 5270PH/06 A number of "verify =" ACL conditions have no options (e.g. verify = 5271 header_syntax) but Exim was just ignoring anything given after a slash. 5272 In particular, this caused confusion with an attempt to use "verify = 5273 reverse_host_lookup/defer_ok". An error is now given when options are 5274 supplied for verify items that do not have them. (Maybe reverse_host_ 5275 lookup should have a defer_ok option, but that's a different point.) 5276 5277PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as 5278 defined by RFC 821) to 2048, because there were problems with some AUTH 5279 commands, and RFC 1869 says the size should be increased for extended 5280 SMTP commands that take arguments. 5281 5282PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony 5283 Finch). 5284 5285PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an 5286 "unknown" error; now it says that the functionality isn't in the binary. 5287 5288PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in 5289 an address' error message when a string expansion fails (syntax or 5290 whatever). Otherwise the password may appear in the log. Following change 5291 PH/42 below, there is no longer a chance of it appearing in a bounce 5292 message. 5293 5294PH/11 Installed exipick version 20050225.0 from John Jetmore. 5295 5296PH/12 If the last host in a fallback_hosts list was multihomed, only the first 5297 of its addresses was ever tried. (Bugzilla bug #2.) 5298 5299PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed 5300 the result incorrectly in the debug output. (It correctly added a newline 5301 to what was transported.) 5302 5303TF/01 Added $received_time. 5304 5305PH/14 Modified the default configuration to add an acl_smtp_data ACL, with 5306 commented out examples of how to interface to a virus scanner and to 5307 SpamAssassin. Also added commented examples of av_scanner and 5308 spamd_address settings. 5309 5310PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions 5311 and controls are allowed in which ACLs. There were a couple of minor 5312 errors. Some of the entries in the conditions table (which is a table of 5313 where they are NOT allowed) were getting very unwieldy; rewrote them as a 5314 negation of where the condition IS allowed. 5315 5316PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer. 5317 5318PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the 5319 header file does not have a version number, so I've had to invent a new 5320 value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new 5321 API. The code is untested by me (my Linux distribution still has 0.3.2 of 5322 radiusclient), but it was contributed by a Radius user. 5323 5324PH/18 Installed Lars Mainka's patch for the support of CRL collections in 5325 files or directories, for OpenSSL. 5326 5327PH/19 When an Exim process that is running as root has to create an Exim log 5328 file, it does so in a subprocess that runs as exim:exim so as to get the 5329 ownership right at creation (otherwise, other Exim processes might see 5330 the file with the wrong ownership). There was no test for failure of this 5331 fork() call, which would lead to the process getting stuck as it waited 5332 for a non-existent subprocess. Forks do occasionally fail when resources 5333 run out. I reviewed all the other calls to fork(); they all seem to check 5334 for failure. 5335 5336PH/20 When checking for unexpected SMTP input at connect time (before writing 5337 the banner), Exim was not dealing correctly with a non-positive return 5338 from the read() function. If the client had disconnected by this time, 5339 the result was a log entry for a synchronization error with an empty 5340 string after "input=" when read() returned zero. If read() returned -1 5341 (an event I could not check), uninitialized data bytes were printed. 5342 There were reports of junk text (parts of files, etc) appearing after 5343 "input=". 5344 5345PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages. 5346 5347PH/22 Added support for macro redefinition, and (re)definition in between 5348 driver and ACL definitions. 5349 5350PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then 5351 forgetting to use the resulting value; it was using the unexpanded value. 5352 5353PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it 5354 hadn't been configured. The fix is from Juergen Kreileder, who 5355 understands it better than I do: 5356 5357 "Here's what I see happening with three configured cyrus_sasl 5358 authenticators configured (plain, login, cram-md5): 5359 5360 On startup auth_cyrus_sasl_init() gets called for each of these. 5361 This means three calls to sasl_listmech() without a specified mech_list. 5362 => SASL tests which mechs of all available mechs actually work 5363 => three warnings about OTP not working 5364 => the returned list contains: plain, login, cram-md5, digest-md5, ... 5365 5366 With the patch, sasl_listmech() also gets called three times. But now 5367 SASL's mech_list option is set to the server_mech specified in the the 5368 authenticator. Or in other words, the answer from sasl_listmech() 5369 gets limited to just the mech you're testing for (which is different 5370 for each call.) 5371 => the return list contains just 'plain' or 'login', 'cram-md5' or 5372 nothing depending on the value of ob->server_mech. 5373 5374 I've just tested the patch: Authentication still works fine, 5375 unavailable mechs specified in the exim configuration are still 5376 caught, and the auth.log warnings about OTP are gone." 5377 5378PH/25 When debugging is enabled, the contents of the command line are added 5379 to the debugging output, even when log_selector=+arguments is not 5380 specified. 5381 5382PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the 5383 answer is "GNU", and only if the return is "GNU/something" is the answer 5384 "Linux". 5385 5386PH/27 $acl_verify_message is now set immediately after the failure of a 5387 verification in an ACL, and so is available in subsequent modifiers. In 5388 particular, the message can be preserved by coding like this: 5389 5390 warn !verify = sender 5391 set acl_m0 = $acl_verify_message 5392 5393 Previously, $acl_verify_message was set only while expanding "message" 5394 and "log_message" when a very denied access. 5395 5396PH/28 Modified OS/os.c-Linux with 5397 5398 -#ifndef OS_LOAD_AVERAGE 5399 +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__) 5400 5401 to make Exim compile on kfreebsd-gnu. (I'm totally confused about the 5402 nomenclature these days.) 5403 5404PH/29 Installed patch from the Sieve maintainer that adds the options 5405 sieve_useraddress and sieve_subaddress to the redirect router. 5406 5407PH/30 In these circumstances: 5408 . Two addresses routed to the same list of hosts; 5409 . First host does not offer TLS; 5410 . First host accepts first address; 5411 . First host gives temporary error to second address; 5412 . Second host offers TLS and a TLS session is established; 5413 . Second host accepts second address. 5414 Exim incorrectly logged both deliveries with the TLS parameters (cipher 5415 and peerdn, if requested) that were in fact used only for the second 5416 address. 5417 5418PH/31 When doing a callout as part of verifying an address, Exim was not paying 5419 attention to any local part prefix or suffix that was matched by the 5420 router that accepted the address. It now behaves in the same way as it 5421 does for delivery: the affixes are removed from the local part unless 5422 rcpt_include_affixes is set on the transport. 5423 5424PH/32 Add the sender address, as F=<...>, to the log line when logging a 5425 timeout during the DATA phase of an incoming message. 5426 5427PH/33 Sieve envelope tests were broken for match types other than :is. I have 5428 applied a patch sanctioned by the Sieve maintainer. 5429 5430PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where 5431 the uid or gid is negative. A case of a negative gid caused this to be 5432 noticed. The fix allows for either to be negative. 5433 5434PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code 5435 clutter, but the tables that are indexed by ACL_WHERE_xxx values had been 5436 overlooked. 5437 5438PH/36 The change PH/12 above was broken. Fixed it. 5439 5440PH/37 Exim used to check for duplicate addresses in the middle of routing, on 5441 the grounds that routing the same address twice would always produce the 5442 same answer. This might have been true once, but it is certainly no 5443 longer true now. Routing a child address may depend on the previous 5444 routing that produced that child. Some complicated redirection strategies 5445 went wrong when messages had multiple recipients, and made Exim's 5446 behaviour dependent on the order in which the addresses were given. 5447 5448 I have moved the duplicate checking until after the routing is complete. 5449 Exim scans the addresses that are assigned to local and remote 5450 transports, and removes any duplicates. This means that more work will be 5451 done, as duplicates will always all be routed, but duplicates are 5452 presumably rare, so I don't expect this is of any significance. 5453 5454 For deliveries to pipes, files, and autoreplies, the duplicate checking 5455 still happens during the routing process, since they are not going to be 5456 routed further. 5457 5458PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner. 5459 It corrects a timeout issue with spamd. This is Ian's comment: "The 5460 background is that sometimes spamd either never reads data from a 5461 connection it has accepted, or it never writes response data. The exiscan 5462 spam.[ch] uses a 3600 second timeout on spamd socket reads, further, it 5463 blindly assumes that writes won't block so it may never time out." 5464 5465PH/39 Allow G after quota size as well as K and M. 5466 5467PH/40 The value set for $authenticated_id in an authenticator may not contain 5468 binary zeroes or newlines because the value is written to log lines and 5469 to spool files. There was no check on this. Now the value is run through 5470 the string_printing() function so that such characters are converted to 5471 printable escape sequences. 5472 5473PH/41 $message_linecount is a new variable that contains the total number of 5474 lines in the message. Compare $body_linecount, which is the count for the 5475 body only. 5476 5477PH/42 Exim no longer gives details of delivery errors for specific addresses in 5478 bounce and delay warning messages, except in certain special cases, which 5479 are as follows: 5480 5481 (a) An SMTP error message from a remote host; 5482 (b) A message specified in a :fail: redirection; 5483 (c) A message specified in a "fail" command in a system filter; 5484 (d) A message specified in a FAIL return from the queryprogram router; 5485 (e) A message specified by the cannot_route_message router option. 5486 5487 In these cases only, Exim does include the error details in bounce and 5488 warning messages. There are also a few cases where bland messages such 5489 as "unrouteable address" or "local delivery error" are given. 5490 5491PH/43 $value is now also set for the "else" part of a ${run expansion. 5492 5493PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still 5494 being worked on, but at least Exim now implements the latest version to 5495 play with." 5496 5497PH/45 In a pipe transport, although a timeout while waiting for the pipe 5498 process to complete was treated as a delivery failure, a timeout while 5499 writing the message to the pipe was logged, but erroneously treated as a 5500 successful delivery. Such timeouts include transport filter timeouts. For 5501 consistency with the overall process timeout, these timeouts are now 5502 treated as errors, giving rise to delivery failures by default. However, 5503 there is now a new Boolean option for the pipe transport called 5504 timeout_defer, which, if set TRUE, converts the failures into defers for 5505 both kinds of timeout. A transport filter timeout is now identified in 5506 the log output. 5507 5508PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On 5509 systems where "make" and "gmake" are different, calling "gmake" at top 5510 level broke things. I've arranged for the value of $(MAKE) to be passed 5511 from the Makefile to this script so that it can call the same version of 5512 "make". 5513 5514 5515A note about Exim versions 4.44 and 4.50 5516---------------------------------------- 5517 5518Exim 4.50 was meant to be the next release after 4.43. It contains a lot of 5519changes of various kinds. As a consequence, a big documentation update was 5520needed. This delayed the release for rather longer than seemed good, especially 5521in the light of a couple of (minor) security issues. Therefore, the changes 5522that fixed bugs were backported into 4.43, to create a 4.44 maintenance 5523release. So 4.44 and 4.50 are in effect two different branches that both start 5524from 4.43. 5525 5526I have left the 4.50 change log unchanged; it contains all the changes since 55274.43. The change log for 4.44 is below; many of its items are identical to 5528those for 4.50. This seems to be the most sensible way to preserve the 5529historical information. 5530 5531 5532Exim version 4.50 5533----------------- 5534 5535 1. Minor wording change to the doc/README.SIEVE file. 5536 5537 2. Change 4.43/35 introduced a bug: if quota_filecount was set, the 5538 computation of the current number of files was incorrect. 5539 5540 3. Closing a stable door: arrange to panic-die if setitimer() ever fails. The 5541 bug fixed in 4.43/37 would have been diagnosed quickly if this had been in 5542 place. 5543 5544 4. Give more explanation in the error message when the command for a transport 5545 filter fails to execute. 5546 5547 5. There are several places where Exim runs a non-Exim command in a 5548 subprocess. The SIGUSR1 signal should be disabled for these processes. This 5549 was being done only for the command run by the queryprogram router. It is 5550 now done for all such subprocesses. The other cases are: ${run, transport 5551 filters, and the commands run by the lmtp and pipe transports. 5552 5553 6. Added CONFIGURE_GROUP build-time option. 5554 5555 7. Some older OS have a limit of 256 on the maximum number of file 5556 descriptors. Exim was using setrlimit() to set 1000 as a large value 5557 unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these 5558 systems. I've change it so that if it can't get 1000, it tries for 256. 5559 5560 8. "control=submission" was allowed, but had no effect, in a DATA ACL. This 5561 was an oversight, and furthermore, ever since the addition of extra 5562 controls (e.g. 4.43/32), the checks on when to allow different forms of 5563 "control" were broken. There should now be diagnostics for all cases when a 5564 control that does not make sense is encountered. 5565 5566 9. Added the /retain_sender option to "control=submission". 5567 556810. $recipients is now available in the predata ACL (oversight). 5569 557011. Tidy the search cache before the fork to do a delivery from a message 5571 received from the command line. Otherwise the child will trigger a lookup 5572 failure and thereby defer the delivery if it tries to use (for example) a 5573 cached ldap connection that the parent has called unbind on. 5574 557512. If verify=recipient was followed by verify=sender in a RCPT ACL, the value 5576 of $address_data from the recipient verification was clobbered by the 5577 sender verification. 5578 557913. The value of address_data from a sender verification is now available in 5580 $sender_address_data in subsequent conditions in the ACL statement. 5581 558214. Added forbid_sieve_filter and forbid_exim_filter to the redirect router. 5583 558415. Added a new option "connect=<time>" to callout options, to set a different 5585 connection timeout. 5586 558716. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 5588 was its contents. (It was OK if the option was not defined at all.) 5589 559017. A "Completed" log line is now written for messages that are removed from 5591 the spool by the -Mrm option. 5592 559318. New variables $sender_verify_failure and $recipient_verify_failure contain 5594 information about exactly what failed. 5595 559619. Added -dd to debug only the daemon process. 5597 559820. Incorporated Michael Haardt's patch to ldap.c for improving the way it 5599 handles timeouts, both on the server side and network timeouts. Renamed the 5600 CONNECT parameter as NETTIMEOUT (but kept the old name for compatibility). 5601 560221. The rare case of EHLO->STARTTLS->HELO was setting the protocol to "smtp". 5603 It is now set to "smtps". 5604 560522. $host_address is now set to the target address during the checking of 5606 ignore_target_hosts. 5607 560823. When checking ignore_target_hosts for an ipliteral router, no host name was 5609 being passed; this would have caused $sender_host_name to have been used if 5610 matching the list had actually called for a host name (not very likely, 5611 since this list is usually IP addresses). A host name is now passed as 5612 "[x.x.x.x]". 5613 561424. Changed the calls that set up the SIGCHLD handler in the daemon to use the 5615 code that specifies a non-restarting handler (typically sigaction() in 5616 modern systems) in an attempt to fix a rare and obscure crash bug. 5617 561825. Narrowed the window for a race in the daemon that could cause it to ignore 5619 SIGCHLD signals. This is not a major problem, because they are used only to 5620 wake it up if nothing else does. 5621 562226. A malformed maildirsize file could cause Exim to calculate negative values 5623 for the mailbox size or file count. Odd effects could occur as a result. 5624 The maildirsize information is now recalculated if the size or filecount 5625 end up negative. 5626 562727. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this 5628 support for a long time. Removed HAVE_SYS_VFS_H. 5629 563028. Installed the latest version of exipick from John Jetmore. 5631 563229. In an address list, if the pattern was not a regular expression, an empty 5633 subject address (from a bounce message) matched only if the pattern was an 5634 empty string. Non-empty patterns were not even tested. This was the wrong 5635 because it is perfectly reasonable to use an empty address as part of a 5636 database query. An empty address is now tested by patterns that are 5637 lookups. However, all the other forms of pattern expect the subject to 5638 contain a local part and a domain, and therefore, for them, an empty 5639 address still always fails if the pattern is not itself empty. 5640 564130. Exim went into a mad DNS loop when attempting to do a callout where the 5642 host was specified on an smtp transport, and looking it up yielded more 5643 than one IP address. 5644 564531. Re-factored the code for checking spool and log partition space into a 5646 function that finds that data and another that does the check. The former 5647 is then used to implement four new variables: $spool_space, $log_space, 5648 $spool_inodes, and $log_inodes. 5649 565032. The RFC2047 encoding function was originally intended for short strings 5651 such as real names; it was not keeping to the 75-character limit for 5652 encoded words that the RFC imposes. It now respects the limit, and 5653 generates multiple encoded words if necessary. To be on the safe side, I 5654 have increased the buffer size for the ${rfc2047: expansion operator from 5655 1024 to 2048 bytes. 5656 565733. It is now permitted to omit both strings after an "if" condition; if the 5658 condition is true, the result is "true". As before, when the second string 5659 is omitted, a false condition yields an empty string. This makes it less 5660 cumbersome to write custom ACL and router conditions. 5661 566234. Failure to deliver a bounce message always caused it to be frozen, even if 5663 there was an errors_to setting on the router. The errors_to setting is now 5664 respected. 5665 566635. If an IPv6 address is given for -bh or -bhc, it is now converted to the 5667 canonical form (fully expanded) before being placed in 5668 $sender_host_address. 5669 567036. The table in the code that translates DNS record types into text (T_A to 5671 "A" for instance) was missing entries for NS and CNAME. It is just possible 5672 that this could have caused confusion if both these types were looked up 5673 for the same domain, because the text type is used as part of Exim's 5674 per-process caching. But the chance of anyone hitting this buglet seems 5675 very small. 5676 567737. The dnsdb lookup has been extended in a number of ways. 5678 5679 (1) There is a new type, "zns", which walks up the domain tree until it 5680 finds some nameserver records. It should be used with care. 5681 5682 (2) There is a new type, "mxh", which is like "mx" except that it returns 5683 just the host names, not the priorities. 5684 5685 (3) It is now possible to give a list of domains (or IP addresses) to be 5686 looked up. The behaviour when one of the lookups defers can be 5687 controlled by a keyword. 5688 5689 (4) It is now possible to specify the separator character for use when 5690 multiple records are returned. 5691 569238. The dnslists ACL condition has been extended: it is now possible to supply 5693 a list of IP addresses and/or domains to be looked up in a particular DNS 5694 domain. 5695 569639. Added log_selector=+queue_time_overall. 5697 569840. When running the queue in the test harness, wait just a tad after forking a 5699 delivery process, to get repeatability of debugging output. 5700 570141. Include certificate and key file names in error message when GnuTLS fails 5702 to set them up, because the GnuTLS error message doesn't include the name 5703 of the failing file when there is a problem reading it. 5704 570542. Allow both -bf and -bF in the same test run. 5706 570743. Did the same fix as 41 above for OpenSSL, which had the same infelicity. 5708 570944. The "Exiscan patch" is now merged into the mainline Exim source. 5710 571145. Sometimes the final signoff response after QUIT could fail to get 5712 transmitted in the non-TLS case. Testing !tls_active instead of tls_active 5713 < 0 before doing a fflush(). This bug looks as though it goes back to the 5714 introduction of TLS in release 3.20, but "sometimes" must have been rare 5715 because the tests only now provoked it. 5716 571746. Reset the locale to "C" after calling embedded Perl, in case it was changed 5718 (this can affect the format of dates). 5719 572047. exim_tidydb, when checking for the continued existence of a message for 5721 which it has found a message-specific retry record, was not finding 5722 messages that were in split spool directories. Consequently, it was 5723 deleting retry records that should have stayed in existence. 5724 572548. Steve fixed some bugs in eximstats. 5726 572749. The SPA authentication driver was not abandoning authentication and moving 5728 on to the next authenticator when an expansion was forced to fail, 5729 contradicting the general specification for all authenticators. Instead it 5730 was generating a temporary error. It now behaves as specified. 5731 573250. The default ordering of permitted cipher suites for GnuTLS was pessimal 5733 (the order specifies the preference for clients). The order is now AES256, 5734 AES128, 3DES, ARCFOUR128. 5735 573651. Small patch to Sieve code - explicitly set From: when generating an 5737 autoreply. 5738 573952. Exim crashed if a remote delivery caused a very long error message to be 5740 recorded - for instance if somebody sent an entire SpamAssassin report back 5741 as a large number of 550 error lines. This bug was coincidentally fixed by 5742 increasing the size of one of Exim's internal buffers (big_buffer) that 5743 happened as part of the Exiscan merge. However, to be on the safe side, I 5744 have made the code more robust (and fixed the comments that describe what 5745 is going on). 5746 574753. Now that there can be additional text after "Completed" in log lines (if 5748 the queue_time_overall log selector is set), a one-byte patch to exigrep 5749 was needed to allow it to recognize "Completed" as not the last thing in 5750 the line. 5751 575254. The LDAP lookup was not handling a return of LDAP_RES_SEARCH_REFERENCE. A 5753 patch that reportedly fixes this has been added. I am not expert enough to 5754 create a test for it. This is what the patch creator wrote: 5755 5756 "I found a little strange behaviour of ldap code when working with 5757 Windows 2003 AD Domain, where users was placed in more than one 5758 Organization Units. When I tried to give exim partial DN, the exit code 5759 of ldap_search was unknown to exim because of LDAP_RES_SEARCH_REFERENCE. 5760 But simultaneously result of request was absolutely normal ldap result, 5761 so I produce this patch..." 5762 5763 Later: it seems that not all versions of LDAP support LDAP_RES_SEARCH_ 5764 REFERENCE, so I have modified the code to exclude the patch when that macro 5765 is not defined. 5766 576755. Some experimental protocols are using DNS PTR records for new purposes. The 5768 keys for these records are domain names, not reversed IP addresses. The 5769 dnsdb PTR lookup now tests whether its key is an IP address. If not, it 5770 leaves it alone. Component reversal etc. now happens only for IP addresses. 5771 CAN-2005-0021 5772 577356. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP. 5774 577557. Double the size of the debug message buffer (to 2048) so that more of very 5776 long debug lines gets shown. 5777 577858. The exicyclog utility now does better if the number of log files to keep 5779 exceeds 99. In this case, it numbers them 001, 002 ... instead of 01, 02... 5780 578159. Two changes related to the smtp_active_hostname option: 5782 5783 (1) $smtp_active_hostname is now available as a variable. 5784 (2) The default for smtp_banner uses $smtp_active_hostname instead 5785 of $primary_hostname. 5786 578760. The host_aton() function is supposed to be passed a string that is known 5788 to be a valid IP address. However, in the case of IPv6 addresses, it was 5789 not checking this. This is a hostage to fortune. Exim now panics and dies 5790 if the condition is not met. A case was found where this could be provoked 5791 from a dnsdb PTR lookup with an IPv6 address that had more than 8 5792 components; fortuitously, this particular loophole had already been fixed 5793 by change 4.50/55 above. 5794 5795 If there are any other similar loopholes, the new check in host_aton() 5796 itself should stop them being exploited. The report I received stated that 5797 data on the command line could provoke the exploit when Exim was running as 5798 exim, but did not say which command line option was involved. All I could 5799 find was the use of -be with a bad dnsdb PTR lookup, and in that case it is 5800 running as the user. 5801 CAN-2005-0021 5802 580361. There was a buffer overflow vulnerability in the SPA authentication code 5804 (which came originally from the Samba project). I have added a test to the 5805 spa_base64_to_bits() function which I hope fixes it. 5806 CAN-2005-0022 5807 580862. Configuration update for GNU/Hurd and variations. Updated Makefile-GNU and 5809 os.h-GNU, and added configuration files for GNUkFreeBSD and GNUkNetBSD. 5810 581163. The daemon start-up calls getloadavg() while still root for those OS that 5812 need the first call to be done as root, but it missed one case: when 5813 deliver_queue_load_max is set with deliver_drop_privilege. This is 5814 necessary for the benefit of the queue runner, because there is no re-exec 5815 when deliver_drop_privilege is set. 5816 581764. A call to exiwhat cut short delays set up by "delay" modifiers in ACLs. 5818 This has been fixed. 5819 582065. Caching of lookup data for "hosts =" ACL conditions, when a named host list 5821 was in use, was not putting the data itself into the right store pool; 5822 consequently, it could be overwritten for a subsequent message in the same 5823 SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked 5824 the caching.) 5825 582666. Added hosts_max_try_hardlimit to the smtp transport, default 50. 5827 582867. The string_is_ip_address() function returns 0, 4, or 6, for "no an IP 5829 address", "IPv4 address", and "IPv6 address", respectively. Some calls of 5830 the function were treating the return as a boolean value, which happened to 5831 work because 0=false and not-0=true, but is not correct code. 5832 583368. The host_aton() function was not handling scoped IPv6 addresses (those 5834 with, for example, "%eth0" on the end) correctly. 5835 583669. Fixed some compiler warnings in acl.c for the bitmaps specified with 5837 negated items (that is, ~something) in unsigned ints. Some compilers 5838 apparently mutter when there is no cast. 5839 584070. If an address verification called from an ACL failed, and did not produce a 5841 user-specific message (i.e. there was only a "system" message), nothing was 5842 put in $acl_verify_message. In this situation, it now puts the system 5843 message there. 5844 584571. Change 4.23/11 added synchronization checking at the start of an SMTP 5846 session; change 4.31/43 added the unwanted input to the log line - except 5847 that it did not do this in the start of session case. It now does. 5848 584972. After a timeout in a callout SMTP session, Exim still sent a QUIT command. 5850 This is wrong and can cause the other end to generate a synchronization 5851 error if it is another Exim or anything else that does the synchronization 5852 check. A QUIT command is no longer sent after a timeout. 5853 585473. $host_lookup_deferred has been added, to make it easier to detect DEFERs 5855 during host lookups. 5856 585774. The defer_ok option of callout verification was not working if it was used 5858 when verifying addresses in header lines, that is, for this case: 5859 5860 verify = header_sender/callout=defer_ok 5861 586275. A backgrounded daemon closed stdin/stdout/stderr on entry; this meant that 5863 those file descriptors could be used for SMTP connections. If anything 5864 wrote to stderr (the example that came up was "warn" in embedded Perl), it 5865 could be sent to the SMTP client, causing chaos. The daemon now opens 5866 stdin, stdout, and stderr to /dev/null when it puts itself into the 5867 background. 5868 586976. Arrange for output from Perl's "warn" command to be written to Exim's main 5870 log by default. The user can override this with suitable Perl magic. 5871 587277. The use of log_message on a "discard" ACL verb, which is supposed to add to 5873 the log message when discard triggers, was not working for the DATA ACL or 5874 for the non-SMTP ACL. 5875 587678. Error message wording change in sieve.c. 5877 587879. If smtp_accept_max_per_host was set, the number of connections could be 5879 restricted to fewer than expected, because the daemon was trying to set up 5880 a new connection before checking whether the processes handling previous 5881 connections had finished. The check for completed processes is now done 5882 earlier. On busy systems, this bug wouldn't be noticed because something 5883 else would have woken the daemon, and it would have reaped the completed 5884 process earlier. 5885 588680. If a message was submitted locally by a user whose login name contained one 5887 or more spaces (ugh!), the spool file that Exim wrote was not re-readable. 5888 It caused a spool format error. I have fixed the spool reading code. A 5889 related problem was that the "from" clause in the Received: line became 5890 illegal because of the space(s). It is now covered by ${quote_local_part. 5891 589281. Included the latest eximstats from Steve (adds average sizes to HTML Top 5893 tables). 5894 589582. Updated OS/Makefile-AIX as per message from Mike Meredith. 5896 589783. Patch from Sieve maintainer to fix unterminated string problem in 5898 "vacation" handling. 5899 590084. Some minor changes to the Linux configuration files to help with other 5901 OS variants using glibc. 5902 590385. One more patch for Sieve to update vacation handling to latest spec. 5904 5905 5906---------------------------------------------------- 5907See the note above about the 4.44 and 4.50 releases. 5908---------------------------------------------------- 5909 5910 5911Exim version 4.44 5912----------------- 5913 5914 1. Change 4.43/35 introduced a bug that caused file counts to be 5915 incorrectly computed when quota_filecount was set in an appendfile 5916 transport 5917 5918 2. Closing a stable door: arrange to panic-die if setitimer() ever fails. The 5919 bug fixed in 4.43/37 would have been diagnosed quickly if this had been in 5920 place. 5921 5922 3. Give more explanation in the error message when the command for a transport 5923 filter fails to execute. 5924 5925 4. There are several places where Exim runs a non-Exim command in a 5926 subprocess. The SIGUSR1 signal should be disabled for these processes. This 5927 was being done only for the command run by the queryprogram router. It is 5928 now done for all such subprocesses. The other cases are: ${run, transport 5929 filters, and the commands run by the lmtp and pipe transports. 5930 5931 5. Some older OS have a limit of 256 on the maximum number of file 5932 descriptors. Exim was using setrlimit() to set 1000 as a large value 5933 unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these 5934 systems. I've change it so that if it can't get 1000, it tries for 256. 5935 5936 6. "control=submission" was allowed, but had no effect, in a DATA ACL. This 5937 was an oversight, and furthermore, ever since the addition of extra 5938 controls (e.g. 4.43/32), the checks on when to allow different forms of 5939 "control" were broken. There should now be diagnostics for all cases when a 5940 control that does not make sense is encountered. 5941 5942 7. $recipients is now available in the predata ACL (oversight). 5943 5944 8. Tidy the search cache before the fork to do a delivery from a message 5945 received from the command line. Otherwise the child will trigger a lookup 5946 failure and thereby defer the delivery if it tries to use (for example) a 5947 cached ldap connection that the parent has called unbind on. 5948 5949 9. If verify=recipient was followed by verify=sender in a RCPT ACL, the value 5950 of $address_data from the recipient verification was clobbered by the 5951 sender verification. 5952 595310. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 5954 was its contents. (It was OK if the option was not defined at all.) 5955 595611. A "Completed" log line is now written for messages that are removed from 5957 the spool by the -Mrm option. 5958 595912. $host_address is now set to the target address during the checking of 5960 ignore_target_hosts. 5961 596213. When checking ignore_target_hosts for an ipliteral router, no host name was 5963 being passed; this would have caused $sender_host_name to have been used if 5964 matching the list had actually called for a host name (not very likely, 5965 since this list is usually IP addresses). A host name is now passed as 5966 "[x.x.x.x]". 5967 596814. Changed the calls that set up the SIGCHLD handler in the daemon to use the 5969 code that specifies a non-restarting handler (typically sigaction() in 5970 modern systems) in an attempt to fix a rare and obscure crash bug. 5971 597215. Narrowed the window for a race in the daemon that could cause it to ignore 5973 SIGCHLD signals. This is not a major problem, because they are used only to 5974 wake it up if nothing else does. 5975 597616. A malformed maildirsize file could cause Exim to calculate negative values 5977 for the mailbox size or file count. Odd effects could occur as a result. 5978 The maildirsize information is now recalculated if the size or filecount 5979 end up negative. 5980 598117. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this 5982 support for a long time. Removed HAVE_SYS_VFS_H. 5983 598418. Updated exipick to current release from John Jetmore. 5985 598619. Allow an empty sender to be matched against a lookup in an address list. 5987 Previously the only cases considered were a regular expression, or an 5988 empty pattern. 5989 599020. Exim went into a mad DNS lookup loop when doing a callout where the 5991 host was specified on the transport, if the DNS lookup yielded more than 5992 one IP address. 5993 599421. The RFC2047 encoding function was originally intended for short strings 5995 such as real names; it was not keeping to the 75-character limit for 5996 encoded words that the RFC imposes. It now respects the limit, and 5997 generates multiple encoded words if necessary. To be on the safe side, I 5998 have increased the buffer size for the ${rfc2047: expansion operator from 5999 1024 to 2048 bytes. 6000 600122. Failure to deliver a bounce message always caused it to be frozen, even if 6002 there was an errors_to setting on the router. The errors_to setting is now 6003 respected. 6004 600523. If an IPv6 address is given for -bh or -bhc, it is now converted to the 6006 canonical form (fully expanded) before being placed in 6007 $sender_host_address. 6008 600924. Updated eximstats to version 1.33 6010 601125. Include certificate and key file names in error message when GnuTLS fails 6012 to set them up, because the GnuTLS error message doesn't include the name 6013 of the failing file when there is a problem reading it. 6014 601526. Expand error message when OpenSSL has problems setting up cert/key files. 6016 As per change 25. 6017 601827. Reset the locale to "C" after calling embedded Perl, in case it was changed 6019 (this can affect the format of dates). 6020 602128. exim_tidydb, when checking for the continued existence of a message for 6022 which it has found a message-specific retry record, was not finding 6023 messages that were in split spool directories. Consequently, it was 6024 deleting retry records that should have stayed in existence. 6025 602629. eximstats updated to version 1.35 6027 1.34 - allow eximstats to parse syslog lines as well as mainlog lines 6028 1.35 - bugfix such that pie charts by volume are generated correctly 6029 603030. The SPA authentication driver was not abandoning authentication and moving 6031 on to the next authenticator when an expansion was forced to fail, 6032 contradicting the general specification for all authenticators. Instead it 6033 was generating a temporary error. It now behaves as specified. 6034 603531. The default ordering of permitted cipher suites for GnuTLS was pessimal 6036 (the order specifies the preference for clients). The order is now AES256, 6037 AES128, 3DES, ARCFOUR128. 6038 603931. Small patch to Sieve code - explicitly set From: when generating an 6040 autoreply. 6041 604232. Exim crashed if a remote delivery caused a very long error message to be 6043 recorded - for instance if somebody sent an entire SpamAssassin report back 6044 as a large number of 550 error lines. This bug was coincidentally fixed by 6045 increasing the size of one of Exim's internal buffers (big_buffer) that 6046 happened as part of the Exiscan merge. However, to be on the safe side, I 6047 have made the code more robust (and fixed the comments that describe what 6048 is going on). 6049 605033. Some experimental protocols are using DNS PTR records for new purposes. The 6051 keys for these records are domain names, not reversed IP addresses. The 6052 dnsdb PTR lookup now tests whether its key is an IP address. If not, it 6053 leaves it alone. Component reversal etc. now happens only for IP addresses. 6054 CAN-2005-0021 6055 605634. The host_aton() function is supposed to be passed a string that is known 6057 to be a valid IP address. However, in the case of IPv6 addresses, it was 6058 not checking this. This is a hostage to fortune. Exim now panics and dies 6059 if the condition is not met. A case was found where this could be provoked 6060 from a dnsdb PTR lookup with an IPv6 address that had more than 8 6061 components; fortuitously, this particular loophole had already been fixed 6062 by change 4.50/55 or 4.44/33 above. 6063 6064 If there are any other similar loopholes, the new check in host_aton() 6065 itself should stop them being exploited. The report I received stated that 6066 data on the command line could provoke the exploit when Exim was running as 6067 exim, but did not say which command line option was involved. All I could 6068 find was the use of -be with a bad dnsdb PTR lookup, and in that case it is 6069 running as the user. 6070 CAN-2005-0021 6071 607235. There was a buffer overflow vulnerability in the SPA authentication code 6073 (which came originally from the Samba project). I have added a test to the 6074 spa_base64_to_bits() function which I hope fixes it. 6075 CAN-2005-0022 6076 607736. The daemon start-up calls getloadavg() while still root for those OS that 6078 need the first call to be done as root, but it missed one case: when 6079 deliver_queue_load_max is set with deliver_drop_privilege. This is 6080 necessary for the benefit of the queue runner, because there is no re-exec 6081 when deliver_drop_privilege is set. 6082 608337. Caching of lookup data for "hosts =" ACL conditions, when a named host list 6084 was in use, was not putting the data itself into the right store pool; 6085 consequently, it could be overwritten for a subsequent message in the same 6086 SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked 6087 the caching.) 6088 608938. Sometimes the final signoff response after QUIT could fail to get 6090 transmitted in the non-TLS case. Testing !tls_active instead of tls_active 6091 < 0 before doing a fflush(). This bug looks as though it goes back to the 6092 introduction of TLS in release 3.20, but "sometimes" must have been rare 6093 because the tests only now provoked it. 6094 6095 6096Exim version 4.43 6097----------------- 6098 6099 1. Fixed a longstanding but relatively impotent bug: a long time ago, before 6100 PIPELINING, the function smtp_write_command() used to return TRUE or FALSE. 6101 Now it returns an integer. A number of calls were still expecting a T/F 6102 return. Fortuitously, in all cases, the tests worked in OK situations, 6103 which is the norm. However, things would have gone wrong on any write 6104 failures on the smtp file descriptor. This function is used when sending 6105 messages over SMTP and also when doing verify callouts. 6106 6107 2. When Exim is called to do synchronous delivery of a locally submitted 6108 message (the -odf or -odi options), it no longer closes stderr before doing 6109 the delivery. 6110 6111 3. Implemented the mua_wrapper option. 6112 6113 4. Implemented mx_fail_domains and srv_fail_domains for the dnslookup router. 6114 6115 5. Implemented the functions header_remove(), header_testname(), 6116 header_add_at_position(), and receive_remove_recipient(), and exported them 6117 to local_scan(). 6118 6119 6. If an ACL "warn" statement specified the addition of headers, Exim already 6120 inserted X-ACL-Warn: at the start if there was no header name. However, it 6121 was not making this test for the second and subsequent header lines if 6122 there were newlines in the string. This meant that an invalid header could 6123 be inserted if Exim was badly configured. 6124 6125 7. Allow an ACL "warn" statement to add header lines at the start or after all 6126 the Received: headers, as well as at the end. 6127 6128 8. Added the rcpt_4xx retry error code. 6129 6130 9. Added postmaster_mailfrom=xxx to callout verification option. 6131 613210. Added mailfrom=xxxx to the callout verification option, for verify= 6133 header_sender only. 6134 613511. ${substr_1_:xxxx} and ${substr__3:xxxx} are now diagnosed as syntax errors 6136 (they previously behaved as ${substr_1_0:xxxx} and ${substr:_0_3:xxxx}). 6137 613812. Inserted some casts to stop certain compilers warning when using pointer 6139 differences as field lengths or precisions in printf-type calls (mostly 6140 affecting debugging statements). 6141 614213. Added optional readline() support for -be (dynamically loaded). 6143 614414. Obscure bug fix: if a message error (e.g. 4xx to MAIL) happened within the 6145 same clock tick as a message's arrival, so that its received time was the 6146 same as the "first fail" time on the retry record, and that message 6147 remained on the queue past the ultimate address timeout, every queue runner 6148 would try a delivery (because it was past the ultimate address timeout) but 6149 after another failure, the ultimate address timeout, which should have then 6150 bounced the address, did not kick in. This was a "< instead of <=" error; 6151 in most cases the first failure would have been in the next clock tick 6152 after the received time, and all would be well. 6153 615415. The special items beginning with @ in domain lists (e.g. @mx_any) were not 6155 being recognized when the domain list was tested by the match_domain 6156 condition in an expansion string. 6157 615816. Added the ${str2b64: operator. 6159 616017. Exim was always calling setrlimit() to set a large limit for the number of 6161 processes, without checking whether the existing limit was already 6162 adequate. (It did check for the limit on file descriptors.) Furthermore, 6163 errors from getrlimit() and setrlimit() were being ignored. Now they are 6164 logged to the main and panic logs, but Exim does carry on, to try to do its 6165 job under whatever limits there are. 6166 616718. Imported PCRE 5.0. 6168 616919. Trivial typo in log message " temporarily refused connection" (the leading 6170 space). 6171 617220. If the log selector return_path_on_delivery was set and an address was 6173 redirected to /dev/null, the delivery process crashed because it assumed 6174 that a return path would always be set for a "successful" delivery. In this 6175 case, the whole delivery is bypassed as an optimization, and therefore no 6176 return path is set. 6177 617821. Internal re-arrangement: the function for sending a challenge and reading 6179 a response while authentication was assuming a zero-terminated challenge 6180 string. It's now changed to take a pointer and a length, to allow for 6181 binary data in such strings. 6182 618322. Added the cyrus_sasl authenticator (code supplied by MBM). 6184 618523. Exim was not respecting finduser_retries when seeking the login of the 6186 uid under which it was called; it was always trying 10 times. (The default 6187 setting of finduser_retries is zero.) Also, it was sleeping after the final 6188 failure, which is pointless. 6189 619024. Implemented tls_on_connect_ports. 6191 619225. Implemented acl_smtp_predata. 6193 619426. If the domain in control=submission is set empty, Exim assumes that the 6195 authenticated id is a complete email address when it generates From: or 6196 Sender: header lines. 6197 619827. Added "#define SOCKLEN_T int" to OS/os.h-SCO and OS/os.h-SCO_SV. Also added 6199 definitions to OS/Makefile-SCO and OS/Makefile-SCO_SV that put basename, 6200 chown and chgrp in /bin and hostname in /usr/bin. 6201 620228. Exim was keeping the "process log" file open after each use, just as it 6203 does for the main log. This opens the possibility of it remaining open for 6204 long periods when the USR1 signal hits a daemon. Occasional processlog 6205 errors were reported, that could have been caused by this. Anyway, it seems 6206 much more sensible not to leave this file open at all, so that is what now 6207 happens. 6208 620929. The long-running daemon process does not normally write to the log once it 6210 has entered its main loop, and it closes the log before doing so. This is 6211 so that log files can straightforwardly be renamed and moved. However, 6212 there are a couple of unusual error situations where the daemon does write 6213 log entries, and I had neglected to close the log afterwards. 6214 621530. The text of an SMTP error response that was received during a remote 6216 delivery was being truncated at 512 bytes. This is too short for some of 6217 the long messages that one sometimes sees. I've increased the limit to 6218 1024. 6219 622031. It is now possible to make retry rules that apply only when a message has a 6221 specific sender, in particular, an empty sender. 6222 622332. Added "control = enforce_sync" and "control = no_enforce_sync". This makes 6224 it possible to be selective about when SMTP synchronization is enforced. 6225 622633. Added "control = caseful_local_part" and "control = "caselower_local_part". 6227 622832. Implemented hosts_connection_nolog. 6229 623033. Added an ACL for QUIT. 6231 623234. Setting "delay_warning=" to disable warnings was not working; it gave a 6233 syntax error. 6234 623535. Added mailbox_size and mailbox_filecount to appendfile. 6236 623736. Added control = no_multiline_responses to ACLs. 6238 623937. There was a bug in the logic of the code that waits for the clock to tick 6240 in the case where the clock went backwards by a substantial amount such 6241 that the microsecond fraction of "now" was more than the microsecond 6242 fraction of "then" (but the whole seconds number was less). 6243 624438. Added support for the libradius Radius client library this is found on 6245 FreeBSD (previously only the radiusclient library was supported). 6246 6247 6248Exim version 4.42 6249----------------- 6250 6251 1. When certain lookups returned multiple values in the form name=value, the 6252 quoting of the values was not always being done properly. Specifically: 6253 (a) If the value started with a double quote, but contained no whitespace, 6254 it was not quoted. 6255 (b) If the value contained whitespace other than a space character (i.e. 6256 tabs or newlines or carriage returns) it was not quoted. 6257 This fix has been applied to the mysql and pgsql lookups by writing a 6258 separate quoting function and calling it from the lookup code. The fix 6259 should probably also be applied to nisplus, ibase and oracle lookups, but 6260 since I cannot test any of those, I have not disturbed their existing code. 6261 6262 2. A hit in the callout cache for a specific address caused a log line with no 6263 reason for rejecting RCPT. Now it says "Previous (cached) callout 6264 verification failure". 6265 6266 3. There was an off-by-one bug in the queryprogram router. An over-long 6267 return line was truncated at 256 instead of 255 characters, thereby 6268 overflowing its buffer with the terminating zero. As well as fixing this, I 6269 have increased the buffer size to 1024 (and made a note to document this). 6270 6271 4. If an interrupt, such as the USR1 signal that is send by exiwhat, arrives 6272 when Exim is waiting for an SMTP response from a remote server, Exim 6273 restarts its select() call on the socket, thereby resetting its timeout. 6274 This is not a problem when such interrupts are rare. Somebody set up a cron 6275 job to run exiwhat every 2 minutes, which is less than the normal select() 6276 timeout (5 or 10 minutes). This meant that the select() timeout never 6277 kicked in because it was always reset. I have fixed this by comparing the 6278 time when an interrupt arrives with the time at the start of the first call 6279 to select(). If more time than the timeout has elapsed, the interrupt is 6280 treated as a timeout. 6281 6282 5. Some internal re-factoring in preparation for the addition of Sieve 6283 extensions (by MH). In particular, the "personal" test is moved to a 6284 separate function, and given an option for scanning Cc: and Bcc: (which is 6285 not set for Exim filters). 6286 6287 6. When Exim created an email address using the login of the caller as the 6288 local part (e.g. when creating a From: or Sender: header line), it was not 6289 quoting the local part when it contained special characters such as @. 6290 6291 7. Installed new OpenBSD configuration files. 6292 6293 8. Reworded some messages for syntax errors in "and" and "or" conditions to 6294 try to make them clearer. 6295 6296 9. Callout options, other than the timeout value, were being ignored when 6297 verifying sender addresses in header lines. For example, when using 6298 6299 verify = header_sender/callout=no_cache 6300 6301 the cache was (incorrectly) being used. 6302 630310. Added a missing instance of ${EXE} to the exim_install script; this affects 6304 only the Cygwin environment. 6305 630611. When return_path_on_delivery was set as a log selector, if different remote 6307 addresses in the same message used different return paths and parallel 6308 remote delivery occurred, the wrong values would sometimes be logged. 6309 (Whenever a remote delivery process finished, the return path value from 6310 the most recently started remote delivery process was logged.) 6311 631212. RFC 3848 specifies standard names for the "with" phrase in Received: header 6313 lines when AUTH and/or TLS are in use. This is the "received protocol" 6314 field. Exim used to use "asmtp" for authenticated SMTP, without any 6315 indication (in the protocol name) for TLS use. Now it follows the RFC and 6316 uses "esmtpa" if the connection is authenticated, "esmtps" if it is 6317 encrypted, and "esmtpsa" if it is both encrypted and authenticated. These 6318 names appear in log lines as well as in Received: header lines. 6319 632013. Installed MH's patches for Sieve to add the "copy" and "vacation" 6321 extensions, and comparison tests, and to fix some bugs. 6322 632314. Changes to the "personal" filter test: 6324 6325 (1) The test was buggy in that it was just doing the equivalent of 6326 "contains" tests on header lines. For example, if a user's address was 6327 anne@some.where, the "personal" test would incorrectly be true for 6328 6329 To: susanne@some.where 6330 6331 This test is now done by extracting each address from the header in turn, 6332 and checking the entire address. Other tests that are part of "personal" 6333 are now done using regular expressions (for example, to check local parts 6334 of addresses in From: header lines). 6335 6336 (2) The list of non-personal local parts in From: addresses has been 6337 extended to include "listserv", "majordomo", "*-request", and "owner-*", 6338 taken from the Sieve specification recommendations. 6339 6340 (3) If the message contains any header line starting with "List-" it is 6341 treated as non-personal. 6342 6343 (4) The test for "circular" in the Subject: header line has been removed 6344 because it now seems ill-conceived. 6345 634615. Minor typos in src/EDITME comments corrected. 6347 634816. Installed latest exipick from John Jetmore. 6349 635017. If headers_add on a router specified a text string that was too long for 6351 string_sprintf() - that is, longer than 8192 bytes - Exim panicked. The use 6352 of string_sprintf() is now avoided. 6353 635418. $message_body_size was not set (it was always zero) when running the DATA 6355 ACL and the local_scan() function. 6356 635719. For the "mail" command in an Exim filter, no default was being set for 6358 the once_repeat time, causing a random time value to be used if "once" was 6359 specified. (If the value happened to be <= 0, no repeat happened.) The 6360 default is now 0s, meaning "never repeat". The "vacation" command was OK 6361 (its default is 7d). It's somewhat surprising nobody ever noticed this bug 6362 (I found it when inspecting the code). 6363 636420. There is now an overall timeout for performing a callout verification. It 6365 defaults to 4 times the callout timeout, which applies to individual SMTP 6366 commands during the callout. The overall timeout applies when there is more 6367 than one host that can be tried. The timeout is checked before trying the 6368 next host. This prevents very long delays if there are a large number of 6369 hosts and all are timing out (e.g. when the network connections are timing 6370 out). The value of the overall timeout can be changed by specifying an 6371 additional sub-option for "callout", called "maxwait". For example: 6372 6373 verify = sender/callout=5s,maxwait=20s 6374 637521. Add O_APPEND to the open() call for maildirsize files (Exim already seeks 6376 to the end before writing, but this should make it even safer). 6377 637822. Exim was forgetting that it had advertised PIPELINING for the second and 6379 subsequent messages on an SMTP connection. It was also not resetting its 6380 memory on STARTTLS and an internal HELO. 6381 638223. When Exim logs an SMTP synchronization error within a session, it now 6383 records whether PIPELINING has been advertised or not. 6384 638524. Added 3 instances of "(long int)" casts to time_t variables that were being 6386 formatted using %ld, because on OpenBSD (and perhaps others), time_t is int 6387 rather than long int. 6388 638925. Installed the latest Cygwin configuration files from the Cygwin maintainer. 6390 639126. Added the never_mail option to autoreply. 6392 6393 6394Exim version 4.41 6395----------------- 6396 6397 1. A reorganization of the code in order to implement 4.40/8 caused a daemon 6398 crash if the getsockname() call failed; this can happen if a connection is 6399 closed very soon after it is established. The problem was simply in the 6400 order in which certain operations were done, causing Exim to try to write 6401 to the SMTP stream before it had set up the file descriptor. The bug has 6402 been fixed by making things happen in the correct order. 6403 6404 6405Exim version 4.40 6406----------------- 6407 6408 1. If "drop" was used in a DATA ACL, the SMTP output buffer was not flushed 6409 before the connection was closed, thus losing the rejection response. 6410 6411 2. Commented out the definition of SOCKLEN_T in os.h-SunOS5. It is needed for 6412 some early Solaris releases, but causes trouble in current releases where 6413 socklen_t is defined. 6414 6415 3. When std{in,out,err} are closed, re-open them to /dev/null so that they 6416 always exist. 6417 6418 4. Minor refactoring of os.c-Linux to avoid compiler warning when IPv6 is not 6419 configured. 6420 6421 5. Refactoring in expand.c to improve memory usage. Pre-allocate a block so 6422 that releasing the top of it at the end releases what was used for sub- 6423 expansions (unless the block got too big). However, discard this block if 6424 the first thing is a variable or header, so that we can use its block when 6425 it is dynamic (useful for very large $message_headers, for example). 6426 6427 6. Lookups now cache *every* query, not just the most recent. A new, separate 6428 store pool is used for this. It can be recovered when all lookup caches are 6429 flushed. Lookups now release memory at the end of their result strings. 6430 This has involved some general refactoring of the lookup sources. 6431 6432 7. Some code has been added to the store_xxx() functions to reduce the amount 6433 of flapping under certain conditions. 6434 6435 8. log_incoming_interface used to affect only the <= reception log lines. Now 6436 it causes the local interface and port to be added to several more SMTP log 6437 lines, for example "SMTP connection from", and rejection lines. 6438 6439 9. The Sieve author supplied some patches for the doc/README.SIEVE file. 6440 644110. Added a conditional definition of _BSD_SOCKLEN_T to os.h-Darwin. 6442 644311. If $host_data was set by virtue of a hosts lookup in an ACL, its value 6444 could be overwritten at the end of the current message (or the start of a 6445 new message if it was set in a HELO ACL). The value is now preserved for 6446 the duration of the SMTP connection. 6447 644812. If a transport had a headers_rewrite setting, and a matching header line 6449 contained an unqualified address, that address was qualified, even if it 6450 did not match any rewriting rules. The underlying bug was that the values 6451 of the flags that permit the existence of unqualified sender and recipient 6452 addresses in header lines (set by {sender,recipient}_unqualified_hosts for 6453 non-local messages, and by -bnq for local messages) were not being 6454 preserved with the message after it was received. 6455 645613. When Exim was logging an SMTP synchronization error, it could sometimes log 6457 "next input=" as part of the text comprising the host identity instead of 6458 the correct text. The code was using the same buffer for two different 6459 strings. However, depending on which order the printing function evaluated 6460 its arguments, the bug did not always show up. Under Linux, for example, my 6461 test suite worked just fine. 6462 646314. Exigrep contained a use of Perl's "our" scoping after change 4.31/70. This 6464 doesn't work with some older versions of Perl. It has been changed to "my", 6465 which in any case is probably the better facility to use. 6466 646715. A really picky compiler found some instances of statements for creating 6468 error messages that either had too many or two few arguments for the format 6469 string. 6470 647116. The size of the buffer for calls to the DNS resolver has been increased 6472 from 1024 to 2048. A larger buffer is needed when performing PTR lookups 6473 for addresses that have a lot of PTR records. This alleviates a problem; it 6474 does not fully solve it. 6475 647617. A dnsdb lookup for PTR records that receives more data than will fit in the 6477 buffer now truncates the list and logs the incident, which is the same 6478 action as happens when Exim is looking up a host name and its aliases. 6479 Previously in this situation something unpredictable would happen; 6480 sometimes it was "internal error: store_reset failed". 6481 648218. If a server dropped the connection unexpectedly when an Exim client was 6483 using GnuTLS and trying to read a response, the client delivery process 6484 crashed while trying to generate an error log message. 6485 648619. If a "warn" verb in an ACL added multiple headers to a message in a single 6487 string, for example: 6488 6489 warn message = H1: something\nH2: something 6490 6491 the text was added as a single header line from Exim's point of view 6492 though it ended up OK in the delivered message. However, searching for the 6493 second and subsequent header lines using $h_h2: did not work. This has been 6494 fixed. Similarly, if a system filter added multiple headers in this way, 6495 the routers could not see them. 6496 649720. Expanded the error message when iplsearch is called with an invalid key to 6498 suggest using net-iplsearch in a host list. 6499 650021. When running tests using -bh, any delays imposed by "delay" modifiers in 6501 ACLs are no longer actually imposed (and a message to that effect is 6502 output). 6503 650422. If a "gecos" field in a passwd entry contained escaped characters, in 6505 particular, if it contained a \" sequence, Exim got it wrong when building 6506 a From: or a Sender: header from that name. A second bug also caused 6507 incorrect handling when an unquoted " was present following a character 6508 that needed quoting. 6509 651023. "{crypt}" as a password encryption mechanism for a "crypteq" expansion item 6511 was not being matched caselessly. 6512 651324. Arranged for all hyphens in the exim.8 source to be escaped with 6514 backslashes. 6515 651625. Change 16 of 4.32, which reversed 71 or 4.31 didn't quite do the job 6517 properly. Recipient callout cache records were still being keyed to include 6518 the sender, even when use_sender was set false. This led to far more 6519 callouts that were necessary. The sender is no longer included in the key 6520 when use_sender is false. 6521 652226. Added "control = submission" modifier to ACLs. 6523 652427. Added the ${base62d: operator to decode base 62 numbers. 6525 652628. dnsdb lookups can now access SRV records. 6527 652829. CONFIGURE_OWNER can be set at build time to define an alternative owner for 6529 the configuration file. 6530 653130. The debug message "delivering xxxxxx-xxxxxx-xx" is now output in verbose 6532 (-v) mode. This makes the output for a verbose queue run more intelligible. 6533 653431. Added a use_postmaster feature to recipient callouts. 6535 653632. Added the $body_zerocount variable, containing the number of binary zero 6537 bytes in the message body. 6538 653933. The time of last modification of the "new" subdirectory is now used as the 6540 "mailbox time last read" when there is a quota error for a maildir 6541 delivery. 6542 654334. Added string comparison operators lt, lti, le, lei, gt, gti, ge, gei. 6544 654535. Added +ignore_unknown as a special item in host lists. 6546 654736. Code for decoding IPv6 addresses in host lists is now included, even if 6548 IPv6 support is not being compiled. This fixes a bug in which an IPv6 6549 address was recognized as an IP address, but was then not correctly decoded 6550 into binary, causing unexpected and incorrect effects when compared with 6551 another IP address. 6552 6553 6554Exim version 4.34 6555----------------- 6556 6557 1. Very minor rewording of debugging text in manualroute to say "list of 6558 hosts" instead of "hostlist". 6559 6560 2. If verify=header_syntax was set, and a header line with an unqualified 6561 address (no domain) and a large number of spaces between the end of the 6562 name and the colon was received, the reception process suffered a buffer 6563 overflow, and (when I tested it) crashed. This was caused by some obsolete 6564 code that should have been removed. The fix is to remove it! 6565 6566 3. When running in the test harness, delay a bit after writing a bounce 6567 message to get a bit more predictability in the log output. 6568 6569 4. Added a call to search_tidyup() just before forking a reception process. In 6570 theory, someone could use a lookup in the expansion of smtp_accept_max_ 6571 per_host which, without the tidyup, could leave open a database connection. 6572 6573 5. Added the variables $recipient_data and $sender_data which get set from a 6574 lookup success in an ACL "recipients" or "senders" condition, or a router 6575 "senders" option, similar to $domain_data and $local_part_data. 6576 6577 6. Moved the writing of debug_print from before to after the "senders" test 6578 for routers. 6579 6580 7. Change 4.31/66 (moving the time when the Received: is generated) caused 6581 problems for message scanning, either using a data ACL, or using 6582 local_scan() because the Received: header was not generated till after they 6583 were called (in order to set the time as the time of reception completion). 6584 I have revised the way this works. The header is now generated after the 6585 body is received, but before the ACL or local_scan() are called. After they 6586 are run, the timestamp in the header is updated. 6587 6588 6589Exim version 4.33 6590----------------- 6591 6592 1. Change 4.24/6 introduced a bug because the SIGALRM handler was disabled 6593 before starting a queue runner without re-exec. This happened only when 6594 deliver_drop_privilege was set or when the Exim user was set to root. The 6595 effect of the bug was that timeouts during subsequent deliveries caused 6596 crashes instead of being properly handled. The handler is now left at its 6597 default (and expected) setting. 6598 6599 2. The other case in which a daemon avoids a re-exec is to deliver an incoming 6600 message, again when deliver_drop_privilege is set or Exim is run as root. 6601 The bug described in (1) was not present in this case, but the tidying up 6602 of the other signals was missing. I have made the two cases consistent. 6603 6604 3. The ignore_target_hosts setting on a manualroute router was being ignored 6605 for hosts that were looked up using the /MX notation. 6606 6607 4. Added /ignore=<ip list> feature to @mx_any, @mx_primary, and @mx_secondary 6608 in domain lists. 6609 6610 5. Change 4.31/55 was buggy, and broke when there was a rewriting rule that 6611 operated on the sender address. After changing the $sender_address to <> 6612 for the sender address verify, Exim was re-instated it as the original 6613 (before rewriting) address, but remembering that it had rewritten it, so it 6614 wasn't rewriting it again. This bug also had the effect of breaking the 6615 sender address verification caching when the sender address was rewritten. 6616 6617 6. The ignore_target_hosts option was being ignored by the ipliteral router. 6618 This has been changed so that if the ip literal address matches 6619 ignore_target_hosts, the router declines. 6620 6621 7. Added expansion conditions match_domain, match_address, and match_local_ 6622 part (NOT match_host). 6623 6624 8. The placeholder for the Received: header didn't have a length field set. 6625 6626 9. Added code to Exim itself and to exim_lock to test for a specific race 6627 condition that could lead to file corruption when using MBX delivery. The 6628 issue is with the lockfile that is created in /tmp. If this file is removed 6629 after a process has opened it but before that process has acquired a lock, 6630 there is the potential for a second process to recreate the file and also 6631 acquire a lock. This could lead to two Exim processes writing to the file 6632 at the same time. The added code performs the same test as UW imapd; it 6633 checks after acquiring the lock that its file descriptor still refers to 6634 the same named file. 6635 663610. The buffer for building added header lines was of fixed size, 8192 bytes. 6637 It is now parameterized by HEADER_ADD_BUFFER_SIZE and this can be adjusted 6638 when Exim is built. 6639 664011. Added the smtp_active_hostname option. If used, this will typically be made 6641 to depend on the incoming interface address. Because $interface_address is 6642 not set up until the daemon has forked a reception process, error responses 6643 that can happen earlier (such as "too many connections") no longer contain 6644 a host name. 6645 664612. If an expansion in a condition on a "warn" statement fails because a lookup 6647 defers, the "warn" statement is abandoned, and the next ACL statement is 6648 processed. Previously this caused the whole ACL to be aborted. 6649 665013. Added the iplsearch lookup type. 6651 665214. Added ident_timeout as a log selector. 6653 665415. Added tls_certificate_verified as a log selector. 6655 665616. Added a global option tls_require_ciphers (compare the smtp transport 6657 option of the same name). This controls incoming TLS connections. 6658 665917. I finally figured out how to make tls_require_ciphers do a similar thing 6660 in GNUtls to what it does in OpenSSL, that is, set up an appropriate list 6661 before starting the TLS session. 6662 666318. Tabs are now shown as \t in -bP output. 6664 666519. If the log selector return_path_on_delivery was set, Exim crashed when 6666 bouncing a message because it had too many Received: header lines. 6667 666820. If two routers both had headers_remove settings, and the first one included 6669 a superfluous trailing colon, the final name in the first list and the 6670 first name in the second list were incorrectly joined into one item (with a 6671 colon in the middle). 6672 6673 6674Exim version 4.32 6675----------------- 6676 6677 1. Added -C and -D options to the exinext utility, mainly to make it easier 6678 to include in the automated testing, but these could be helpful when 6679 multiple configurations are in use. 6680 6681 2. The exinext utility was not formatting the output nicely when there was 6682 an alternate port involved in the retry record key, nor when there was a 6683 message id as well (for retries that were specific to a specific message 6684 and a specific host). It was also confused by IPv6 addresses, because of 6685 the additional colons they contain. I have fixed the IPv4 problem, and 6686 patched it up to do a reasonable job for IPv6. 6687 6688 3. When there is an error after a MAIL, RCPT, or DATA SMTP command during 6689 delivery, the log line now contains "pipelined" if PIPELINING was used. 6690 6691 4. An SMTP transport process used to panic and die if the bind() call to set 6692 an explicit outgoing interface failed. This has been changed; it is now 6693 treated in the same way as a connect() failure. 6694 6695 5. A reference to $sender_host_name in the part of a conditional expansion 6696 that was being skipped was still causing a DNS lookup. This no longer 6697 occurs. 6698 6699 6. The def: expansion condition was not recognizing references to header lines 6700 that used bh_ and bheader_. 6701 6702 7. Added the _cache feature to named lists. 6703 6704 8. The code for checking quota_filecount in the appendfile transport was 6705 allowing one more file than it should have been. 6706 6707 9. For compatibility with Sendmail, the command line option 6708 6709 -prval:sval 6710 6711 is equivalent to 6712 6713 -oMr rval -oMs sval 6714 6715 and sets the incoming protocol and host name (for trusted callers). The 6716 host name and its colon can be omitted when only the protocol is to be set. 6717 Note the Exim already has two private options, -pd and -ps, that refer to 6718 embedded Perl. It is therefore impossible to set a protocol value of "d" or 6719 "s", but I don't think that's a major issue. 6720 672110. A number of refactoring changes to the code, none of which should affect 6722 Exim's behaviour: 6723 6724 (a) The number of logging options was getting close to filling up the 6725 32-bit word that was used as a bit map. I have split them into two classes: 6726 those that are passed in the argument to log_write(), and those that are 6727 only ever tested independently outside of that function. These are now in 6728 separate 32-bit words, so there is plenty of room for expansion again. 6729 There is no change in the user interface or the logging behaviour. 6730 6731 (b) When building, for example, log lines, the code previously used a 6732 macro that called string_cat() twice, in order to add two strings. This is 6733 not really sufficiently general. Furthermore, there was one instance where 6734 it was actually wrong because one of the argument was used twice, and in 6735 one call a function was used. (As it happened, calling the function twice 6736 did not affect the overall behaviour.) The macro has been replaced by a 6737 function that can join an arbitrary number of extra strings onto a growing 6738 string. 6739 6740 (c) The code for expansion conditions now uses a table and a binary chop 6741 instead of a serial search (which was left over from when there were very 6742 few conditions). Also, it now recognizes conditions like "pam" even when 6743 the relevant support is not compiled in: a suitably worded error message is 6744 given if an attempt is made to use such a condition. 6745 674611. Added ${time_interval:xxxxx}. 6747 674812. A bug was causing one of the ddress fields not to be passed back correctly 6749 from remote delivery subprocesses. The field in question was not being 6750 subsequently used, so this caused to problems in practice. 6751 675213. Added new log selectors queue_time and deliver_time. 6753 675414. Might have fixed a bug in maildirsizefile handling that threw up 6755 "unexpected character" debug warnings, and recalculated the data 6756 unnecessarily. In any case, I expanded the warning message to give more 6757 information. 6758 675915. Added the message "Restricted characters in address" to the statements in 6760 the default ACL that block characters like @ and % in local parts. 6761 676216. Change 71 for release 4.31 proved to be much less benign that I imagined. 6763 Three changes have been made: 6764 6765 (a) There was a serious bug; a negative response to MAIL caused the whole 6766 recipient domain to be cached as invalid, thereby blocking all messages 6767 to all local parts at the same domain, from all senders. This bug has 6768 been fixed. The domain is no longer cached after a negative response to 6769 MAIL if the sender used is not empty. 6770 6771 (b) The default behaviour of using MAIL FROM:<> for recipient callouts has 6772 been restored. 6773 6774 (c) A new callout option, "use_sender" has been added for people who want 6775 the modified behaviour. 6776 6777 6778Exim version 4.31 6779----------------- 6780 6781 1. Removed "EXTRALIBS=-lwrap" from OS/Makefile-Unixware7 on the advice of 6782 Larry Rosenman. 6783 6784 2. Removed "LIBS = -lresolv" from OS/Makefile-Darwin as it is not needed, and 6785 indeed breaks things for older releases. 6786 6787 3. Added additional logging to the case where there is a problem reading data 6788 from a filter that is running in a subprocess using a pipe, in order to 6789 try to track down a specific problem. 6790 6791 4. Testing facility fudge: when running in the test harness and attempting 6792 to connect to 10.x.x.x (expecting a connection timeout) I'm now sometimes 6793 getting "No route to host". Convert this to a timeout. 6794 6795 5. Define ICONV_ARG2_TYPE as "char **" for Unixware7 to avoid compiler 6796 warning. 6797 6798 6. Some OS don't have socklen_t but use size_t instead. This affects the 6799 fifth argument of getsockopt() amongst other things. This is now 6800 configurable by a macro called SOCKLEN_T which defaults to socklen_t, but 6801 can be set for individual OS. I have set it for SunOS5, OSF1, and 6802 Unixware7. Current versions of SunOS5 (aka Solaris) do have socklen_t, but 6803 some earlier ones do not. 6804 6805 7. Change 4.30/15 was not doing the test caselessly. 6806 6807 8. The standard form for an IPv6 address literal was being rejected by address 6808 parsing in, for example, MAIL and RCPT commands. An example of this kind of 6809 address is [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts 6810 this, as well as the form without the "IPv6" on the front (but only when 6811 address literals are enabled, of course). 6812 6813 9. Added some casts to avoid compiler warnings in OS/os.c-Linux. 6814 681510. Exim crashed if a message with an empty sender address specified by -f 6816 encountered a router with an errors_to setting. This could be provoked only 6817 by a command such as 6818 6819 exim -f "" ... 6820 6821 where an empty string was supplied; "<>" did not hit this bug. 6822 682311. Installed PCRE release 4.5. 6824 682512. If EHLO/HELO was rejected by an ACL, the value of $sender_helo_name 6826 remained set. It is now erased. 6827 682813. exiqgrep wasn't working on MacOS X because it didn't correctly compute 6829 times from message ids (which are base 36 rather than the normal 62). 6830 683114. "Expected" SMTP protocol errors that can arise when PIPELINING is in use 6832 were being counted as actual protocol errors, and logged if the log 6833 selector +smtp_protocol_error was set. One cannot be perfect in this test, 6834 but now, if PIPELINING has been advertised, RCPT following a rejected MAIL, 6835 and DATA following a set of rejected RCPTs do not count as protocol errors. 6836 In other words, Exim assumes they were pipelined, though this may not 6837 actually be the case. Of course, in all cases the client gets an 6838 appropriate error code. 6839 684015. If a lookup fails in an ACL condition, a message about the failure may 6841 be available; it is used if testing the ACL cannot continue, because most 6842 such messages specify what the cause of the deferral is. However, some 6843 messages (e.g. "MYSQL: no data found") do not cause a defer. There was bug 6844 that caused an old message to be retained and used if a later statement 6845 caused a defer, replacing the real cause of the deferral. 6846 684716. If an IP address had so many PTR records that the DNS lookup buffer 6848 was not large enough to hold them, Exim could crash while trying to process 6849 the truncated data. It now detects and logs this case. 6850 685117. Further to 4.21/58, another change has been made: if (and only if) the 6852 first line of a message (the first header line) ends with CRLF, a bare LF 6853 in a subsequent header line has a space inserted after it, so as not to 6854 terminate the header. 6855 685618. Refactoring: tidied an ugly bit of code in appendfile that copied data 6857 unnecessarily, used atoi() instead of strtol(), and didn't check the 6858 termination when getting file sizes from file names by regex. 6859 686019. Completely re-implemented the support for maildirsize files, in the light 6861 of a number of problems with the previous contributed implementation 6862 (4.30/29). In particular: 6863 6864 . If the quota is zero, the maildirsize file is maintained, but no quota is 6865 imposed. 6866 6867 . If the maildir directory does not exist, it is created before any attempt 6868 to write a maildirsize file. 6869 6870 . The quota value in the file is just a cache; if the quota is changed in 6871 the transport, the new value overrides. 6872 6873 . A regular expression is available for excluding directories from the 6874 count. 6875 687620. The autoreply transport checks the characters in options that define the 6877 message's headers; it allows continued headers, but it was checking with 6878 isspace() after an embedded newline instead of explicitly looking for a 6879 space or a tab. 6880 688121. If all the "regular" hosts to which an address was routed had passed their 6882 expiry times, and had not reached their retry times, the address was 6883 bounced, even if fallback hosts were defined. Now Exim should go on to try 6884 the fallback hosts. 6885 688622. Increased buffer sizes in the callout code from 1024 to 4096 to match the 6887 equivalent code in the SMTP transport. Some hosts send humungous responses 6888 to HELO/EHLO, more than 1024 it seems. 6889 689023. Refactoring: code in filter.c used (void *) for "any old type" but this 6891 gives compiler warnings in some environments. I've now done it "properly", 6892 using a union. 6893 689424. The replacement for inet_ntoa() that is used with gcc on IRIX systems 6895 (because of problems with the built-in one) was declared to return uschar * 6896 instead of char *, causing compiler failure. 6897 689825. Fixed a file descriptor leak when processing alias/forward files. 6899 690026. Fixed a minor format string issue in dbfn.c. 6901 690227. Typo in exim.c: ("dmbnz" for "dbmnz"). 6903 690428. If a filter file refered to $h_xxx or $message_headers, and the headers 6905 contained RFC 2047 "words", Exim's memory could, under certain conditions, 6906 become corrupted. 6907 690829. When a sender address is verified, it is cached, to save repeating the test 6909 when there is more than one recipient in a message. However, when the 6910 verification involves a callout, it is possible for different callout 6911 options to be set for different recipients. It is too complicated to keep 6912 track of this in the cache, so now Exim always runs a verification when a 6913 callout is required, relying on the callout cache for the optimization. 6914 The overhead is duplication of the address routing, but this should not be 6915 too great. 6916 691730. Fixed a bug in callout caching. If a RCPT command caused the sender address 6918 to be verified with callout=postmaster, and the main callout worked but the 6919 postmaster check failed, the verification correctly failed. However, if a 6920 subsequent RCPT command asked for sender verification *without* the 6921 postmaster check, incorrect caching caused this verification also to fail, 6922 incorrectly. 6923 692431. Exim caches DNS lookup failures so as to avoid multiple timeouts; however, 6925 it was not caching the DNS options (qualify_single, search_parents) that 6926 were used when the lookup failed. A subsequent lookup with different 6927 options therefore always gave the same answer, though there were cases 6928 where it should not have. (Example: a "domains = !$mx_any" option on a 6929 dnslookup router: the "domains" option is always processed without any 6930 widening, but the router might have qualify_single set.) Now Exim uses the 6931 cached value only when the same options are set. 6932 693332. Added John Jetmore's "exipick" utility to the distribution. 6934 693533. GnuTLS: When an attempt to start a TLS session fails for any reason other 6936 than a timeout (e.g. a certificate is required, and is not provided), an 6937 Exim server now closes the connection immediately. Previously it waited for 6938 the client to close - but if the client is SSL, it seems that they each 6939 wait for each other, leading to a delay before one of them times out. 6940 694134: GnuTLS: Updated the code to use the new GnuTLS 1.0.0 API. I have not 6942 maintained 0.8.x compatibility because I don't think many are using it, and 6943 it is clearly obsolete. 6944 694535. Added TLS support for CRLs: a tls_crl global option and one for the smtp 6946 transport. 6947 694836. OpenSSL: $tls_certificate_verified was being set to 1 even if the 6949 client certificate was expired. A simple patch fixes this, though I don't 6950 understand the full logic of why the verify callback is called multiple 6951 times. 6952 695337. OpenSSL: a patch from Robert Roselius: "Enable client-bug workaround. 6954 Versions of OpenSSL as of 0.9.6d include a 'CBC countermeasure' feature, 6955 which causes problems with some clients (such as the Certicom SSL Plus 6956 library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, 6957 disables the coutermeasure allowing Eudora to connect." 6958 695938. Exim was not checking that a write() to a log file succeeded. This could 6960 lead to Bad Things if a log got too big, in particular if it hit a file 6961 size limit. Exim now panics and dies if it cannot write to a log file, just 6962 as it does if it cannot open a log file. 6963 696439. Modified OS/Makefile-Linux so that it now contains 6965 6966 CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE 6967 6968 The two -D definitions ensure that Exim is compiled with large file 6969 support, which makes it possible to handle log files that are bigger than 6970 2^31. 6971 697240. Fixed a subtle caching bug: if (in an ACL or a set of routers, for 6973 instance) a domain was checked against a named list that involved a lookup, 6974 causing $domain_data to be set, then another domain was checked against the 6975 same list, then the first domain was re-checked, the value of $domain_data 6976 after the final check could be wrong. In particular, if the second check 6977 failed, it could be set empty. This bug probably also applied to 6978 $local_part_data. 6979 698041. The strip_trailing_dot option was not being applied to the address given 6981 with the -f command-line option. 6982 698342. The code for reading a message's header from the spool was incrementing 6984 $received_count, but never initializing it. This meant that the value was 6985 incorrect (doubled) while delivering a message in the same process in which 6986 it was received. In the most common configuration of Exim, this never 6987 happens - a fresh exec is done - but it can happen when 6988 deliver_drop_privilege is set. 6989 699043. When Exim logs an SMTP synchronization error - client data sent too soon - 6991 it now includes up to 150 characters of the unexpected data in the log 6992 line. 6993 699444. The exim_dbmbuild utility uses fixed size buffers for reading input lines 6995 and building data strings. The size of both of these buffers was 10 000 6996 bytes - far larger than anybody would *ever* want, thought I. Needless to 6997 say, somebody hit the limit. I have increased the maximum line length to 6998 20 000 and the maximum data length of concatenated lines to 100 000. I have 6999 also fixed two bugs, because there was no checking on these buffers. Tsk, 7000 tsk. Now exim_dbmbuild gives a message and exits with an error code if a 7001 buffer is too small. 7002 700345. The exim_dbmbuild utility did not support quoted keys, as Exim does in 7004 lsearch lookups. Now it does. 7005 700646. When parsing a route_list item in a manualroute router, a fixed-length 7007 buffer was used for the list of hosts. I made this 1024 bytes long, 7008 thinking that nobody would ever have a list of hosts that long. Wrong. 7009 Somebody had a whole pile of complicated expansion conditions, and the 7010 string was silently truncated, leading to an expansion error. It turns out 7011 that it is easier to change to an unlimited length (owing to other changes 7012 that have happened since this code was originally written) than to build 7013 structure for giving a limitation error. The length of the item that 7014 expands into the list of hosts is now unlimited. 7015 701647. The lsearch lookup could not handle data where the length of text line was 7017 more than 4095 characters. Such lines were truncated, leading to shortened 7018 data being returned. It should now handle lines of any length. 7019 702048. Minor wording revision: "cannot test xxx in yyy ACL" becomes "cannot test 7021 xxx condition in yyy ACL" (e.g. "cannot test domains condition in DATA 7022 ACL"). 7023 702449. Cosmetic tidy to scripts like exicyclog that are generated by globally 7025 replacing strings such as BIN_DIRECTORY in a source file: the replacement 7026 no longer happens in comment lines. A list of replacements is now placed 7027 at the head of all of the source files, except those whose only change is 7028 to replace PERL_COMMAND in the very first #! line. 7029 703050. Replaced the slow insertion sort in queue.c, for sorting the list of 7031 messages on the queue, with a bottom-up merge sort, using code contributed 7032 by Michael Haardt. This should make operations like -bp somewhat faster on 7033 large queues. It won't affect queue runners, except when queue_run_in_order 7034 is set. 7035 703651. Installed eximstats 1.31 in the distribution. 7037 703852. Added support for SRV lookups to the dnslookup router. 7039 704053. If an ACL referred to $message_body or $message_body_end, the value was not 7041 reset for any messages that followed in the same SMTP session. 7042 704354. The store-handling optimization for building very long strings was not 7044 differentiating between the different store pools. I don't think this 7045 actually made any difference in practice, but I've tidied it. 7046 704755. While running the routers to verify a sender address, $sender_address 7048 was still set to the sender address. This is wrong, because when routing to 7049 send a bounce to the sender, it would be empty. Therefore, I have changed 7050 it so that, while verifying a sender address, $sender_address is set to <>. 7051 (There is no change to what happens when verifying a recipient address.) 7052 705356. After finding MX (or SRV) records, Exim was doing a DNS lookup for the 7054 target A or AAAA records (if not already returned) without resetting the 7055 qualify_single or search_parents options of the DNS resolver. These are 7056 inappropriate in this case because the targets of MX and SRV records must 7057 be FQDNs. A broken DNS record could cause trouble if it happened to have a 7058 target that, when qualified, matched something in the local domain. These 7059 two options are now turned off when doing these lookups. 7060 706157. It seems that at least some releases of Reiserfs (which does not have the 7062 concept of a fixed number of inodes) returns zero and not -1 for the 7063 number of available inodes. This interacted badly with check_spool_inodes, 7064 which assumed that -1 was the "no such thing" setting. What I have done is 7065 to check that the total number of inodes is greater than zero before doing 7066 the test of how many are available. 7067 706858. When a "warn" ACL statement has a log_message modifier, the message is 7069 remembered, and not repeated. This is to avoid a lot of repetition when a 7070 message has many recipients that cause the same warning to be written. 7071 However, Exim was preserving the list of already written lines for an 7072 entire SMTP session, which doesn't seem right. The memory is now reset if a 7073 new message is started. 7074 707559. The "rewrite" debugging flag was not showing the result of rewriting in the 7076 debugging output unless log_rewrite was also set. 7077 707860. Avoid a compiler warning on 64-bit systems in dsearch.c by avoiding the use 7079 of (int)(handle) when we know that handle contains (void *)(-1). 7080 708161. The Exim daemon panic-logs an error return when it closes the incoming 7082 connection. However "connection reset by peer" seems to be common, and 7083 isn't really an error worthy of noting specially, so that particular error 7084 is no long logged. 7085 708662. When Exim is trying to find all the local interfaces, it used to panic and 7087 die if the ioctl to get the interface flags failed. However, it seems that 7088 on at least one OS (Solaris 9) it is possible to have an interface that is 7089 included in the list of interfaces, but for which you get a failure error 7090 for this call. This happens when the interface is not "plumbed" into a 7091 protocol (i.e. neither IPv4 nor IPv6). I've changed the code so that a 7092 failure of the "get flags" call assumes that the interface is down. 7093 709463. Added a ${eval10: operator, which assumes all numbers are decimal. This 7095 makes life easier for people who are doing arithmetic on fields extracted 7096 from dates, where you often get leading zeros that should not be 7097 interpreted as octal. 7098 709964. Added qualify_domain to the redirect router, to override the global 7100 setting. 7101 710265. If a pathologically long header line contained very many addresses (the 7103 report of this problem mentioned 10 000) and each of them was rewritten, 7104 Exim could use up a very large amount of memory. (It kept on making new 7105 copies of the header line as it rewrote, and never released the old ones.) 7106 At the expense of a bit more processing, the header rewriting function has 7107 been changed so that it no longer eats memory in this way. 7108 710966. The generation of the Received: header has been moved from the time that a 7110 message starts to be received, to the time that it finishes. The timestamp 7111 in the Received: header should now be very close to that of the <= log 7112 line. There are two side-effects of this change: 7113 7114 (a) If a message is rejected by a DATA or non-SMTP ACL or local_scan(), the 7115 logged header lines no longer include the local Received: line, because 7116 it has not yet been created. The same applies to a copy of the message 7117 that is returned to a non-SMTP sender when a message is rejected. 7118 7119 (b) When a filter file is tested using -bf, no additional Received: header 7120 is added to the test message. After some thought, I decided that this 7121 is a bug fix. 7122 7123 This change does not affect the value of $received_for. It is still set 7124 after address rewriting, but before local_scan() is called. 7125 712667. Installed the latest Cygwin-specific files from the Cygwin maintainer. 7127 712868. GnuTLS: If an empty file is specified for tls_verify_certificates, GnuTLS 7129 gave an unhelpful panic error message, and a defer error. I have managed to 7130 change this behaviour so that it now rejects any supplied certificate, 7131 which seems right, as the list of acceptable certificates is empty. 7132 713369. OpenSSL: If an empty file is specified for tls_verify_certificates, OpenSSL 7134 gave an unhelpful defer error. I have not managed to make this reject any 7135 supplied certificates, but the error message it gives is "no certificate 7136 supplied", which is not helpful. 7137 713870. exigrep's output now also includes lines that are not associated with any 7139 message, but which match the given pattern. Implemented by a patch from 7140 Martin Sluka, which also tidied up the Perl a bit. 7141 714271. Recipient callout verification, like sender verification, was using <> in 7143 the MAIL FROM command. This isn't really the right thing, since the actual 7144 sender may affect whether the remote host accepts the recipient or not. I 7145 have changed it to use the actual sender in the callout; this means that 7146 the cache record is now keyed on a recipient/sender pair, not just the 7147 recipient address. There doesn't seem to be a real danger of callout loops, 7148 since a callout by the remote host to check the sender would use <>. 7149 [SEE ABOVE: changed after hitting problems.] 7150 715172. Exim treats illegal SMTP error codes that do not begin with 4 or 5 as 7152 temporary errors. However, in the case of such a code being given after 7153 the end of a data transmission (i.e. after ".") Exim was failing to write 7154 a retry record for the message. (Yes, there was some broken host that was 7155 actually sending 8xx at this point.) 7156 715773. An unknown lookup type in a host list could cause Exim to panic-die when 7158 the list was checked. (An example that provoked this was putting <; in the 7159 middle of a list instead of at the start.) If this happened during a DATA 7160 ACL check, a -D file could be left lying around. This kind of configuration 7161 error no longer causes Exim to die; instead it causes a defer error. The 7162 incident is still logged to the main and panic logs. 7163 716474. Buglet left over from Exim 3 conversion. The message "too many messages 7165 in one connection" was written to the rejectlog but not the mainlog, except 7166 when address rewriting (yes!) was being logged. 7167 716875. Added write_rejectlog option. 7169 717076. When a system filter was run not as root (that is, when system_filter_user 7171 was set), the values of the $n variables were not being returned to the 7172 main process; thus, they were not subsequently available in the $sn 7173 variables. 7174 717577. Added +return_path_on_delivery log selector. 7176 717778. A connection timeout was being treated differently from recipients deferred 7178 when testing hosts_max_try with a message that was older than the host's 7179 retry timeout. (The host should not be counted, thus allowing all hosts to 7180 be tried at least once before bouncing.) This may have been the cause of an 7181 occasionally reported bug whereby a message would remain on the queue 7182 longer than the retry timeout, but would be bounced if a delivery was 7183 forced. I say "may" because I never totally pinned down the problem; 7184 setting up timeout/retry tests is difficult. See also the next item. 7185 718679. The ultimate address timeout was not being applied to errors that involved 7187 a combination of host plus message (for example, a timeout on a MAIL 7188 command). When an address resolved to a number of possible hosts, and they 7189 were not all tried for each delivery (e.g. because of hosts_max_try), a 7190 message could remain on the queue longer than the retry timeout. 7191 719280. Sieve bug: "stop" inside "elsif" was broken. Applied a patch from Michael 7193 Haardt. 7194 719581. Fixed an obscure SMTP outgoing bug which required at least the following 7196 conditions: (a) there was another message waiting for the same server; 7197 (b) the server returned 5xx to all RCPT commands in the first message so 7198 that the message was not completed; (c) the server dropped the connection 7199 or gave a negative response to the RSET that Exim sends to abort the 7200 transaction. The observed case was a dropped connection after DATA that had 7201 been sent in pipelining mode. That is, the server had advertised PIPELINING 7202 but was not implementing it correctly. The effect of the bug was incorrect 7203 behaviour, such as trying another host, and this could lead to a crash. 7204 7205 7206Exim version 4.30 7207----------------- 7208 7209 1. The 3rd arguments to getsockname(), getpeername(), and accept() in exim.c 7210 and daemon.c were passed as pointers to ints; they should have been 7211 pointers to socklen_t variables (which are typically unsigned ints). 7212 7213 2. Some signed/unsigned type warnings in the os.c file for Linux have been 7214 fixed. 7215 7216 3. Fixed a really odd bug that affected only the testing scheme; patching a 7217 certain fixed string in the binary changed the value of another string that 7218 happened to be identical to the end of the original first string. 7219 7220 4. When gethostbyname() (or equivalent) is passed an IP address as a "host 7221 name", it returns that address as the IP address. On some operating 7222 systems (e.g. Solaris), it also passes back the IP address string as the 7223 "host name". However, on others (e.g. Linux), it passes back an empty 7224 string. Exim wasn't checking for this, and was changing the host name to an 7225 empty string, assuming it had been canonicalized. 7226 7227 5. Although rare, it is permitted to have more than one PTR record for a given 7228 IP address. I thought that gethostbyaddr() or getipnodebyaddr() always gave 7229 all the names associated with an address, because they do in Solaris. 7230 However, it seems that they do not in Linux for data that comes from the 7231 DNS. If an address in /etc/hosts has multiple names, they _are_ all given. 7232 I found this out when I moved to a new Linux workstation and tried to run 7233 the Exim test suite. 7234 7235 To get round this problem I have changed the code so that it now does its 7236 own call to the DNS to look up PTR records when searching for a host name. 7237 If nothing can be found in the DNS, it tries gethostbyaddr(), so that 7238 addresses that are only in /etc/hosts are still found. 7239 7240 This behaviour is, however, controlled by an option called host_lookup_ 7241 order, which defaults to "bydns:byaddr". If people want to use the other 7242 order, or indeed, just use one or the other means of lookup, they can 7243 specify it in this variable. 7244 7245 6. If a PTR record yields an empty name, Exim treats it as non-existent. In 7246 some operating systems, this comes back from gethostbyaddr() as an empty 7247 string, and this is what Exim used to test for. However, it seems that in 7248 other systems, "." is yielded. Exim now tests for this case too. 7249 7250 7. The values of check_spool_space and check_log_space are now held internally 7251 as a number of kilobytes instead of an absolute number of bytes. If a 7252 numbers is specified without 'K' or 'M', it is rounded up to the nearest 7253 kilobyte. This means that much larger values can be stored. 7254 7255 8. Exim monitor: an attempt to get the action menu when not actually pointing 7256 at a message produces an empty menu entitled "No message selected". This 7257 works on Solaris (OpenWindows). However, XFree86 does not like a menu with 7258 no entries in it ("Shell widget menu has zero width and/or height"). So I 7259 have added a single, blank menu entry in this case. 7260 7261 9. Added ${quote_local_part. 7262 726310. MIME decoding is now applied to the contents of Subject: header lines when 7264 they are logged. 7265 726611. Now that a reference to $sender_host_address automatically causes a reverse 7267 lookup to occur if necessary (4.13/18), there is no need to arrange for a 7268 host lookup before query-style lookups in lists that might use this 7269 variable. This has therefore been abolished, and the "net-" prefix is no 7270 longer necessary for query-style lookups. 7271 727212. The Makefile for SCO_SV contained a setting of LDFLAGS. This appears to 7273 have been a typo for LFLAGS, so it has been changed. 7274 727513. The install script calls Exim with "-C /dev/null" in order to find the 7276 version number. If ALT_CONFIG_PREFIX was set, this caused an error message 7277 to be output. However, since Exim outputs its version number before the 7278 error, it didn't break the script. It just looked ugly. I fixed this by 7279 always allowing "-C /dev/null" if the caller is root. 7280 728114. Ignore overlarge ACL variable number when reading spool file - insurance 7282 against a later release with more variables having written the file. 7283 728415. The standard form for an IPv6 address literal was being rejected by EHLO. 7285 Example: [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts 7286 this, as well as the form without the "IPv6" on the front. 7287 728816. Added CHOWN_COMMAND=/usr/sbin/chown and LIBS=-lresolv to the 7289 OS/Makefile-Darwin file. 7290 729117. Fixed typo in lookups/ldap.c: D_LOOKUP should be D_lookup. This applied 7292 only to LDAP libraries that do not have LDAP_OPT_DEREF. 7293 729418. After change 4.21/52, "%ld" was used to format the contents of the $inode 7295 variable. However, some OS use ints for inodes. I've added cast to long int 7296 to get rid of the compiler warning. 7297 729819. I had forgotten to lock out "/../" in configuration file names when 7299 ALT_CONFIG_PREFIX was set. 7300 730120. Routers used for verification do not need to specify transports. However, 7302 if such a router generated a host list, and callout was configured, Exim 7303 crashed, because it could not find a port number from the (non-existent) 7304 transport. It now assumes port 25 in this circumstance. 7305 730621. Added the -t option to exigrep. 7307 730822. If LOOKUP_LSEARCH is defined, all three linear search methods (lsearch, 7309 wildlsearch, nwildlsearch) are compiled. LOOKUP_WILDLSEARCH and LOOKUP_ 7310 NWILDLSEARCH are now obsolete, but retained for compatibility. If either of 7311 them is set, LOOKUP_LSEARCH is forced. 7312 731323. "exim -bV" now outputs a list of lookups that are included in the binary. 7314 731524. Added sender and host information to the "rejected by local_scan()" log 7316 line; previously there was no indication of these. 7317 731825. Added .include_if_exists. 7319 732026. Change 3.952/11 added an explicit directory sync on top of a file sync for 7321 Linux. It turns out that not all file systems support this. Apparently some 7322 versions of NFS do not. (It's rare to put Exim's spool on NFS, but people 7323 do it.) To cope with this, the error EINVAL, which means that sync-ing is 7324 not supported on the file descriptor, is now ignored when Exim is trying to 7325 sync a directory. This applies only to Linux. 7326 732727. Added -DBIND_8_COMPAT to the CLFAGS setting for Darwin. 7328 732928. In Darwin (MacOS X), the PAM headers are in /usr/include/pam and not in 7330 /usr/include/security. There's now a flag in OS/os.h-Darwin to cope with 7331 this. 7332 733329. Added support for maildirsize files from supplied patch (modified a bit). 7334 733530. The use of :fail: followed by an empty string could lead Exim to respond to 7336 sender verification failures with (e.g.): 7337 7338 550 Verification failed for <xxx> 7339 550 Sender verify failed 7340 7341 where the first response line was missing the '-' that indicates it is not 7342 the final line of the response. 7343 734431. The loop for finding the name of the user that called Exim had a hardwired 7345 limit of 10; it now uses the value of finduser_retries, which is used for 7346 all other user lookups. 7347 734832. Added $received_count variable, available in data and not_smtp ACLs, and at 7349 delivery time. 7350 735133. Exim was neglecting to zero errno before one call of strtol() when 7352 expanding a string and expecting an integer value. On some systems this 7353 resulted in spurious "integer overflow" errors. Also, it was casting the 7354 result into an int without checking. 7355 735634. Testing for a connection timeout using "timeout_connect" in the retry rules 7357 did not work. The code looks as if it has *never* worked, though it appears 7358 to have been documented since at least release 1.62. I have made it work. 7359 736035. The "timeout_DNS" error in retry rules, also documented since at least 7361 1.62, also never worked. As it isn't clear exactly what this means, and 7362 clearly it isn't a major issue, I have abolished the feature by treating it 7363 as "timeout", and writing a warning to the main and panic logs. 7364 736536. The display of retry rules for -brt wasn't always showing the error code 7366 correctly. 7367 736837. Added new error conditions to retry rules: timeout_A, timeout_MX, 7369 timeout_connect_A, timeout_connect_MX. 7370 737138. Rewriting the envelope sender at SMTP time did not allow it to be rewritten 7372 to the empty sender. 7373 737439. The daemon was not analysing the content of -oX till after it had closed 7375 stderr and disconnected from the controlling terminal. This meant that any 7376 syntax errors were only noted on the panic log, and the return code from 7377 the command was 0. By re-arranging the code a little, I've made the 7378 decoding happen first, so such errors now appear on stderr, and the return 7379 code is 1. However, the actual setting up of the sockets still happens in 7380 the disconnected process, so errors there are still only recorded on the 7381 panic log. 7382 738340. A daemon listener on a wildcard IPv6 socket that also accepts IPv4 7384 connections (as happens on some IP stacks) was logged at start up time as 7385 just listening for IPv6. It now logs "IPv6 with IPv4". This differentiates 7386 it from "IPv6 and IPv4", which means that two separate sockets are being 7387 used. 7388 738941. The debug output for gethostbyname2() or getipnodebyname() failures now 7390 says whether AF_INET or AF_INET6 was passed as an argument. 7391 739242. Exiwhat output was messed up when time zones were included in log 7393 timestamps. 7394 739543. Exiwhat now gives more information about the daemon's listening ports, 7396 and whether -tls-on-connect was used. 7397 739844. The "port" option of the smtp transport is now expanded. 7399 740045. A "message" modifier in a "warn" statement in a non-message ACL was being 7401 silently ignored. Now an error message is written to the main and panic 7402 logs. 7403 740446. There's a new ACL modifier called "logwrite" which writes to a log file 7405 as soon as it is encountered. 7406 740747. Added $local_user_uid and $local_user_gid at routing time. 7408 740948. Exim crashed when trying to verify a sender address that was being 7410 rewritten to "<>". 7411 741249. Exim was recognizing only a space character after ".include". It now also 7413 recognizes a tab character. 7414 741550. Fixed several bugs in the Perl script that creates the exim.8 man page by 7416 extracting the relevant information from the specification. The man page no 7417 longer contains scrambled data for the -d option, and I've added a section 7418 at the front about calling Exim under different names. 7419 742051. Added "extra_headers" argument to the "mail" command in filter files. 7421 742252. Redirecting mail to an unqualified address in a Sieve filter caused Exim to 7423 crash. 7424 742553. Installed eximstats 1.29. 7426 742754. Added transport_filter_timeout as a generic transport option. 7428 742955. Exim no longer adds an empty Bcc: header to messages that have no To: or 7430 Cc: header lines. This was required by RFC 822, but it not required by RFC 7431 2822. 7432 743356. Exim used to add From:, Date:, and Message-Id: header lines to any 7434 incoming messages that did not have them. Now it does so only if the 7435 message originates locally, that is, if there is no associated remote host 7436 address. When Resent- header lines are present, this applies to the Resent- 7437 lines rather than the non-Resent- lines. 7438 743957. Drop incoming SMTP connection after too many syntax or protocol errors. The 7440 limit is controlled by smtp_max_synprot_errors, defaulting to 3. 7441 744258. Messages for configuration errors now include the name of the main 7443 configuration file - useful now that there may be more than one file in a 7444 list (.included file names were always shown). 7445 744659. Change 4.21/82 (run initgroups() when starting the daemon) causes problems 7447 for those rare installations that do not start the daemon as root or run it 7448 setuid root. I've cut out the call to initgroups() if the daemon is not 7449 root at that time. 7450 745160. The Exim user and group can now be bound into the binary as text strings 7452 that are looked up at the start of Exim's processing. 7453 745461. Applied a small patch for the Interbase code, supplied by Ard Biesheuvel. 7455 745662. Added $mailstore_basename variable. 7457 745863. Installed patch to sieve.c from Michael Haardt. 7459 746064. When Exim failed to open the panic log after failing to open the main log, 7461 the original message it was trying to log was written to stderr and debug 7462 output, but if they were not available (the usual case in production), it 7463 was lost. Now it is written to syslog before the two lines that record the 7464 failures to open the logs. 7465 746665. Users' Exim filters run in subprocesses under the user's uid. It is 7467 possible for a "deliver" command or an alias in a "personal" command to 7468 provoke an address rewrite. If logging of address rewriting is configured, 7469 this fails because the process is not running as root or exim. There may be 7470 a better way of dealing with this, but for the moment (because 4.30 needs 7471 to be released), I have disabled address rewrite logging when running a 7472 filter in a non-root, non-exim process. 7473 7474 7475Exim version 4.24 7476----------------- 7477 7478 1. The buildconfig auxiliary program wasn't quoting the value set for 7479 HEADERS_CHARSET. This caused a compilation error complaining that 'ISO' was 7480 not defined. This bug was masked in 4.22 by the effect that was fixed in 7481 change 4.23/1. 7482 7483 2. Some messages that were rejected after a message id was allocated were 7484 shown as "incomplete" by exigrep. It no longer does this for messages that 7485 are rejected by local_scan() or the DATA or non-SMTP ACLs. 7486 7487 3. If a Message-ID: header used a domain literal in the ID, and Exim did not 7488 have allow_domain_literals set, the ID did not get logged in the <= line. 7489 Domain literals are now always recognized in Message-ID: header lines. 7490 7491 4. The first argument for a ${extract expansion item is the key name or field 7492 number. Leading and trailing spaces in this item were not being ignored, 7493 causing some misleading effects. 7494 7495 5. When deliver_drop_privilege was set, single queue runner processes started 7496 manually (i.e. by the command "exim -q") or by the daemon (which uses the 7497 same command in the process it spins off) were not dropping privilege. 7498 7499 6. When the daemon running as "exim" started a queue runner, it always 7500 re-executed Exim in the spun-off process. This is a waste of effort when 7501 deliver_drop_privilege is set. The new process now just calls the 7502 queue-runner function directly. 7503 7504 7505Exim version 4.23 7506----------------- 7507 7508 1. Typo in the src/EDITME file: it referred to HEADERS_DECODE_TO instead of 7509 HEADERS_CHARSET. 7510 7511 2. Change 4.21/73 introduced a bug. The pid file path set by -oP was being 7512 ignored. Though the use of -oP was forcing the writing of a pid file, it 7513 was always written to the default place. 7514 7515 3. If the message "no IP address found for host xxxx" is generated during 7516 incoming verification, it is now followed by identification of the incoming 7517 connection (so you can more easily find what provoked it). 7518 7519 4. Bug fix for Sieve filters: "stop" inside a block was not working properly. 7520 7521 5. Added some features to "harden" Exim a bit more against certain attacks: 7522 7523 (a) There is now a build-time option called FIXED_NEVER_USERS that can 7524 be put in Local/Makefile. This is like the never_users runtime option, 7525 but it cannot be overridden. The default setting is "root". 7526 7527 (b) If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a 7528 prefix string with which any file named in a -C command line option 7529 must start. 7530 7531 (c) If ALT_CONFIG_ROOT_ONLY is defined in Local/Makefile, root privilege 7532 is retained for -C and -D only if the caller of Exim is root. Without 7533 it, the exim user may also use -C and -D and retain privilege. 7534 7535 (d) If DISABLE_D_OPTION is defined in Local/Makefile, the use of the -D 7536 command line option is disabled. 7537 7538 6. Macro names set by the -D option must start with an upper case letter, just 7539 like macro names defined in the configuration file. 7540 7541 7. Added "dereference=" facility to LDAP. 7542 7543 8. Two instances of the typo "uknown" in the source files are fixed. 7544 7545 9. If a PERL_COMMAND setting in Local/Makefile was not at the start of a line, 7546 the Configure-Makefile script screwed up while processing it. 7547 754810. Incorporated PCRE 4.4. 7549 755011. The SMTP synchronization check was not operating right at the start of an 7551 SMTP session. For example, it could not catch a HELO sent before the client 7552 waited for the greeting. There is now a check for outstanding input at the 7553 point when the greeting is written. Because of the duplex, asynchronous 7554 nature of TCP/IP, it cannot be perfect - the incorrect input may be on its 7555 way, but not yet received, when the check is performed. 7556 755712. Added tcp_nodelay to make it possible to turn of the setting of TCP_NODELAY 7558 on TCP/IP sockets, because this apparently causes some broken clients to 7559 timeout. 7560 756113. Installed revised OS/Makefile-CYGWIN and OS/os.c-cygwin (the .h file was 7562 unchanged) from the Cygwin maintainer. 7563 756414. The code for -bV that shows what is in the binary showed "mbx" when maildir 7565 was supported instead of testing for mbx. Effectively a typo. 7566 756715. The spa authenticator server code was not checking that the input it 7568 received was valid base64. 7569 757016. The debug output line for the "set" modifier in ACLs was not showing the 7571 name of the variable that was being set. 7572 757317. Code tidy: the variable type "vtype_string" was never used. Removed it. 7574 757518. Previously, a reference to $sender_host_name did not cause a DNS reverse 7576 lookup on its own. Something else was needed to trigger the lookup. For 7577 example, a match in host_lookup or the need for a host name in a host list. 7578 Now, if $sender_host_name is referenced and the host name has not yet been 7579 looked up, a lookup is performed. If the lookup fails, the variable remains 7580 empty, and $host_lookup_failed is set to "1". 7581 758219. Added "eqi" as a case-independent comparison operator. 7583 758420. The saslauthd authentication condition could segfault if neither service 7585 nor realm was specified. 7586 758721. If an overflowing value such as "2048M" was set for message_size_limit, the 7588 error message that was logged was misleading, and incoming SMTP 7589 connections were dropped. The message is now more accurate, and temporary 7590 errors are given to SMTP connections. 7591 759222. In some error situations (such as 21 above) Exim rejects all SMTP commands 7593 (except RSET) with a 421 error, until QUIT is received. However, it was 7594 failing to send a response to QUIT. 7595 759623. The HELO ACL was being run before the code for helo_try_verify_hosts, 7597 which made it impossible to use "verify = helo" in the HELO ACL. The HELO 7598 ACL is now run after the helo_try_verify_hosts code. 7599 760024. "{MD5}" and "{SHA1}" are now recognized as equivalent to "{md5"} and 7601 "{sha1}" in the "crypteq" expansion condition (in fact the comparison is 7602 case-independent, so other case variants are also recognized). Apparently 7603 some systems use these upper case variants. 7604 760525. If more than two messages were waiting for the same host, and a transport 7606 filter was specified for the transport, Exim sent two messages over the 7607 same TCP/IP connection, and then failed with "socket operation on non- 7608 socket" when it tried to send the third. 7609 761026. Added Exim::debug_write and Exim::log_write for embedded Perl use. 7611 761227. The extern definition of crypt16() in expand.c was not being excluded when 7613 the OS had its own crypt16() function. 7614 761528. Added bounce_return_body as a new option, and bounce_return_size_limit 7616 as a preferred synonym for return_size_limit, both as an option and as an 7617 expansion variable. 7618 761929. Added LIBS=-liconv to OS/Makefile-OSF1. 7620 762130. Changed the default configuration ACL to relax the local part checking rule 7622 for addresses that are not in any local domains. For these addresses, 7623 slashes and pipe symbols are allowed within local parts, but the sequence 7624 /../ is explicitly forbidden. 7625 762631. SPA server authentication was not clearing the challenge buffer before 7627 using it. 7628 762932. log_message in a "warn" ACL statement was writing to the reject log as 7630 well as to the main log, which contradicts the documentation and doesn't 7631 seem right (because no rejection is happening). So I have stopped it. 7632 763333. Added Ard Biesheuvel's lookup code for accessing an Interbase database. 7634 However, I am unable to do any testing of this. 7635 763634. Fixed an infelicity in the appendfile transport. When checking directories 7637 for a mailbox, to see if any needed to be created, it was accidentally 7638 using path names with one or more superfluous leading slashes; tracing 7639 would show up entries such as stat("///home/ph10", 0xFFBEEA48). 7640 764135. If log_message is set on a "discard" verb in a MAIL or RCPT ACL, its 7642 contents are added to the log line that is written for every discarded 7643 recipient. (Previously a log_message setting was ignored.) 7644 764536. The ${quote: operator now quotes the string if it is empty. 7646 764737. The install script runs exim in order to find its version number. If for 7648 some reason other than non-existence or emptiness, which it checks, it 7649 could not run './exim', it was installing it with an empty version number, 7650 i.e. as "exim-". This error state is now caught, and the installation is 7651 aborted. 7652 765338. An argument was missing from the function that creates an error message 7654 when Exim fails to connect to the socket for saslauthd authentication. 7655 This could cause Exim to crash, or give a corrupted message. 7656 765739. Added isip, isip4, and isip6 to ${if conditions. 7658 765940. The ACL variables $acl_xx are now saved with the message, and can be 7660 accessed later in routers, transports, and filters. 7661 766241. The new lookup type nwildlsearch is like wildlsearch, except that the key 7663 strings in the file are not string-expanded. 7664 766542. If a MAIL command specified a SIZE value that was too large to fit into an 7666 int variable, the check against message_size_limit failed. Such values are 7667 now forced to INT_MAX, which is around 2Gb for a 32-bit variable. Maybe one 7668 day this will have to be increased, but I don't think I want to be around 7669 when emails are that large. 7670 7671 7672 7673Exim version 4.22 7674----------------- 7675 7676 1. Removed HAVE_ICONV=yes from OS/Makefile-FreeBSD, since it seems that 7677 iconv() is not standard in FreeBSD. 7678 7679 2. Change 4.21/17 was buggy and could cause stack overwriting on a system with 7680 IPv6 enabled. The observed symptom was a segmentation fault on return from 7681 the function os_common_find_running_interfaces() in src/os.c. 7682 7683 3. In the check_special_case() function in daemon.c I had used "errno" as an 7684 argument name, which causes warnings on some systems. This was basically a 7685 typo, since it was named "eno" in the comments! 7686 7687 4. The code that waits for the clock to tick (at a resolution of some fraction 7688 of a second) so as to ensure message-id uniqueness was always waiting for 7689 at least one whole tick, when it could have waited for less. [This is 7690 almost certainly not relevant at current processor speeds, where it is 7691 unlikely to ever wait at all. But we try to future-proof.] 7692 7693 5. The function that sleeps for a time interval that includes fractions of a 7694 second contained a race. It did not block SIGALRM between setting the 7695 timer, and suspending (a couple of lines later). If the interval was short 7696 and the sigsuspend() was delayed until after it had expired, the suspension 7697 never ended. On busy systems this could lead to processes getting stuck for 7698 ever. 7699 7700 6. Some uncommon configurations may cause a lookup to happen in a queue runner 7701 process, before it forks any delivery processes. The open lookup caching 7702 mechanism meant that the open file or database connection was passed into 7703 the delivery process. The problem was that delivery processes always tidy 7704 up cached lookup data. This could cause a problem for the next delivery 7705 process started by the queue runner, because the external queue runner 7706 process does not know about the closure. So the next delivery process 7707 still has data in the lookup cache. In the case of a file lookup, there was 7708 no problem because closing a file descriptor in a subprocess doesn't affect 7709 the parent. However, if the lookup was caching a connection to a database, 7710 the connection was closed, and the second delivery process was likely to 7711 see errors such as "PGSQL: query failed: server closed the connection 7712 unexpectedly". The problem has been fixed by closing all cached lookups 7713 in a queue runner before running a delivery process. 7714 7715 7. Compiler warning on Linux for the second argument of iconv(), which doesn't 7716 seem to have the "const" qualifier which it has on other OS. I've 7717 parameterised it. 7718 7719 8. Change 4.21/2 was too strict. It is only if there are two authenticators 7720 *of the same type* (client or server) with the same public name that an 7721 error should be diagnosed. 7722 7723 9. When Exim looked up a host name for an IP address, but failed to find the 7724 original IP address when looking up the host name (a safety check), it 7725 output the message "<ip address> does not match any IP for NULL", which was 7726 confusing, to say the least. The bug was that the host name should have 7727 appeared instead of "NULL". 7728 772910. Since release 3.03, if Exim is called by a uid other than root or the Exim 7730 user that is built into the binary, and the -C or -D options is used, root 7731 privilege is dropped before the configuration file is read. In addition, 7732 logging is switched to stderr instead of the normal log files. If the 7733 configuration then re-defines the Exim user, the unprivileged environment 7734 is probably not what is expected, so Exim logs a panic warning message (but 7735 proceeds). 7736 7737 However, if deliver_drop_privilege is set, the unprivileged state may well 7738 be exactly what is intended, so the warning has been cut out in that case, 7739 and Exim is allowed to try to write to its normal log files. 7740 7741 7742Exim version 4.21 7743----------------- 7744 7745 1. smtp_return_error_details was not giving details for temporary sender 7746 or receiver verification errors. 7747 7748 2. Diagnose a configuration error if two authenticators have the same public 7749 name. 7750 7751 3. Exim used not to create the message log file for a message until the first 7752 delivery attempt. This could be confusing when incoming messages were held 7753 for policy or load reasons. The message log file is now created at the time 7754 the message is received, and an initial "Received" line is written to it. 7755 7756 4. The automatically generated man page for command line options had a minor 7757 bug that caused no ill effects; however, a more serious problem was that 7758 the procedure for building the man page automatically didn't always 7759 operate. Consequently, release 4.20 contains an out-of-date version. This 7760 shouldn't happen again. 7761 7762 5. When building Exim with embedded Perl support, the script that builds the 7763 Makefile was calling 'perl' to find its compile-time parameters, ignoring 7764 any setting of PERL_COMMAND in Local/Makefile. This is now fixed. 7765 7766 6. The freeze_tell option was not being used for messages that were frozen on 7767 arrival, either by an ACL or by local_scan(). 7768 7769 7. Added the smtp_incomplete_transaction log selector. 7770 7771 8. After STARTTLS, Exim was not forgetting that it had advertised AUTH, so it 7772 was accepting AUTH without a new EHLO. 7773 7774 9. Added tls_remember_esmtp to cope with YAEB. This allows AUTH and other 7775 ESMTP extensions after STARTTLS without a new EHLO, in contravention of the 7776 RFC. 7777 777810. Logging of TCP/IP connections (when configured) now happens in the main 7779 daemon process instead of the child process, so that the TCP/IP connection 7780 count is more accurate (but it can never be perfect). 7781 778211. The use of "drop" in a nested ACL was not being handled correctly in the 7783 outer ACL. Now, if condition failure induced by the nested "drop" causes 7784 the outer ACL verb to deny access ("accept" or "discard" after "endpass", 7785 or "require"), the connection is dropped. 7786 778712. Similarly, "discard" in a nested ACL wasn't being handled. A nested ACL 7788 that yield "discard" can now be used with an "accept" or a "discard" verb, 7789 but an error is generated for any others (because I can't see a useful way 7790 to define what should happen). 7791 779213. When an ACL is read dynamically from a file (or anywhere else), the lines 7793 are now processed in the same way as lines in the Exim configuration file. 7794 In particular, continuation lines are supported. 7795 779614. Added the "dnslists = a.b.c!=n.n.n.n" feature. 7797 779815. Added -ti meaning -t -i. 7799 780016. Check for letters, digits, hyphens, and dots in the names of dnslist 7801 domains, and warn by logging if others are found. 7802 780317. At least on BSD, alignment is not guaranteed for the array of ifreq's 7804 returned from GIFCONF when Exim is trying to find the list of interfaces on 7805 a host. The code in os.c has been modified to copy each ifreq to an aligned 7806 structure in all cases. 7807 7808 Also, in some cases, the returned ifreq's were being copied to a 'struct 7809 ifreq' on the stack, which was subsequently passed to host_ntoa(). That 7810 means the last couple of bytes of an IPv6 address could be chopped if the 7811 ifreq contained only a normal sockaddr (14 bytes storage). 7812 781318. Named domain lists were not supported in the hosts_treat_as_local option. 7814 An entry such as +xxxx was not recognized, and was treated as a literal 7815 domain name. 7816 781719. Ensure that header lines added by a DATA ACL are included in the reject log 7818 if the ACL subsequently rejects the message. 7819 782020. Upgrade the cramtest.pl utility script to use Digest::MD5 instead of just 7821 MD5 (which is deprecated). 7822 782321. When testing a filter file using -bf, Exim was writing a message when it 7824 took the sender from a "From " line in the message, but it was not doing so 7825 when it took $return_path from a Return-Path: header line. It now does. 7826 782722. If the contents of a "message" modifier for a "warn" ACL verb do not begin 7828 with a valid header line field name (a series of printing characters 7829 terminated by a colon, Exim now inserts X-ACL-Warn: at the beginning. 7830 783123. Changed "disc" in the source to "disk" to conform to the documentation and 7832 the book and for uniformity. 7833 783424. Ignore Sendmail's -Ooption=value command line item. 7835 783625. When execve() failed while trying to run a command in a pipe transport, 7837 Exim was returning EX_UNAVAILABLE (69) from the subprocess. However, this 7838 could be confused with a return value of 69 from the command itself. This 7839 has been changed to 127, the value the shell returns if it is asked to run 7840 a non-existent command. The wording for the related log line suggests a 7841 non-existent command as the problem. 7842 784326. If received_header_text expands to an empty string, do not add a Received: 7844 header line to the message. (Well, it adds a token one on the spool, but 7845 marks it "old" so that it doesn't get used or transmitted.) 7846 784727. Installed eximstats 1.28 (addition of -nt option). 7848 784928. There was no check for failure on the call to getsockname() in the daemon 7850 code. This can fail if there is a shortage of resources on the system, with 7851 ENOMEM, for example. A temporary error is now given on failure. 7852 785329. Contrary to the C standard, it seems that in some environments, the 7854 equivalent of setlocale(LC_ALL, "C") is not obeyed at the start of a C 7855 program. Exim now does this explicitly; it affects the formatting of 7856 timestamps using strftime(). 7857 785830. If exiqsumm was given junk data, it threw up some uninitialized variable 7859 complaints. I've now initialized all the variables, to avoid this. 7860 786132. Header lines added by a system filter were not being "seen" during 7862 transport-time rewrites. 7863 786433. The info_callback() function passed to OpenSSL is set up with type void 7865 (*)(SSL *, int, int), as described somewhere. However, when calling the 7866 function (actually a macro) that sets it up, the type void(*)() is 7867 expected. I've put in a cast to prevent warnings from picky compilers. 7868 786934. If a DNS black list lookup found a CNAME record, but there were no A 7870 records associated with the domain it pointed at, Exim crashed. 7871 787235. If a DNS black list lookup returned more than one A record, Exim ignored 7873 all but the first. It now scans all returned addresses if a particular IP 7874 value is being sought. In this situation, the contents of the 7875 $dnslist_value variable are a list of all the addresses, separated by a 7876 comma and a space. 7877 787836. Tightened up the rules for host name lookups using reverse DNS. Exim used 7879 to accept a host name and all its aliases if the forward lookup for any of 7880 them yielded the IP address of the incoming connection. Now it accepts only 7881 those names whose forward lookup yields the correct IP address. Any other 7882 names are discarded. This closes a loophole whereby a rogue DNS 7883 administrator could create reverse DNS records to break through a 7884 wildcarded host restriction in an ACL. 7885 788637. If a user filter or a system filter that ran in a subprocess used any of 7887 the numerical variables ($1, $2 etc), or $thisaddress, in a pipe command, 7888 the wrong values were passed to the pipe command ($thisaddress had the 7889 value of $0, $0 had the value of $1, etc). This bug was introduced by 7890 change 4.11/101, and not discovered because I wrote an inadequate test. :-( 7891 789238. Improved the line breaking for long SMTP error messages from ACLs. 7893 Previously, if there was no break point between 40 and 75 characters, Exim 7894 left the rest of the message alone. Two changes have been made: (a) I've 7895 reduced the minimum length to 35 characters; (b) if it can't find a break 7896 point between 35 and 75 characters, it looks ahead and uses the first one 7897 that it finds. This may give the occasional overlong line, but at least the 7898 remaining text gets split now. 7899 790039. Change 82 of 4.11 was unimaginative. It assumed the limit on the number of 7901 file descriptors might be low, and that setting 1000 would always raise it. 7902 It turns out that in some environments, the limit is already over 1000 and 7903 that lowering it causes trouble. So now Exim takes care not to decrease it. 7904 790540. When delivering a message, the value of $return_path is set to $sender_ 7906 address at the start of routing (routers may change the value). By an 7907 oversight, this default was not being set up when an address was tested by 7908 -bt or -bv, which affected the outcome if any router or filter referred to 7909 $return_path. 7910 791141. The idea of the "warn" ACL verb is that it adds a header or writes to the 7912 log only when "message" or "log_message" are set. However, if one of the 7913 conditions was an address verification, or a call to a nested ACL, the 7914 messages generated by the underlying test were being passed through. This 7915 no longer happens. The underlying message is available in $acl_verify_ 7916 message for both "message" and "log_message" expansions, so it can be 7917 passed through if needed. 7918 791942. Added RFC 2047 interpretation of header lines for $h_ expansions, with a 7920 new expansion $bh_ to give the encoded byte string without charset 7921 translation. Translation happens only if iconv() is available; HAVE_ICONV 7922 indicates this at build time. HEADERS_CHARSET gives the charset to 7923 translate to; headers_charset can change it in the configuration, and 7924 "headers charset" can change it in an individual filter file. 7925 792643. Now that we have a default RFC 2047 charset (see above), the code in Exim 7927 that creates RFC 2047 encoded "words" labels them as that charset instead 7928 of always using iso-8859-1. The cases are (i) the explicit ${rfc2047: 7929 expansion operator; (ii) when Exim creates a From: line for a local 7930 message; (iii) when a header line is rewritten to include a "phrase" part. 7931 793244. Nasty bug in exiqsumm: the regex to skip already-delivered addresses was 7933 buggy, causing it to skip the first lines of messages whose message ID 7934 ended in 'D'. This would not have bitten before Exim release 4.14, because 7935 message IDs were unlikely to end in 'D' before then. The effect was to have 7936 incorrect size information for certain domains. 7937 793845. #include "config.h" was missing at the start of the crypt16.c module. This 7939 caused trouble on Tru64 (aka OSF1) systems, because HAVE_CRYPT16 was not 7940 noticed. 7941 794246. If there was a timeout during a "random" callout check, Exim treated it as 7943 a failure of the random address, and carried on sending RSET and the real 7944 address. If the delay was just some slowness somewhere, the response to the 7945 original RCPT would be taken as a response to RSET and so on, causing 7946 mayhem of various kinds. 7947 794847. Change 50 for 4.20 was a heap of junk. I don't know what I was thinking 7949 when I implemented it. It didn't allow for the fact that some option values 7950 may legitimately be negative (e.g. size_addition), and it didn't even do 7951 the right test for positive values. 7952 795348. Domain names in DNS records are case-independent. Exim always looks them up 7954 in lower case. Some resolvers return domain names in exactly the case they 7955 appear in the zone file, that is, they may contain uppercase letters. Not 7956 all resolvers do this - some return always lower case. Exim was treating a 7957 change of case by a resolver as a change of domain, similar to a widening 7958 of a domain abbreviation. This triggered its re-routing code and so it was 7959 trying to route what was effectively the same domain again. This normally 7960 caused routing to fail (because the router wouldn't handle the domain 7961 twice). Now Exim checks for this case specially, and just changes the 7962 casing of the domain that it ultimately uses when it transmits the message 7963 envelope. 7964 796549. Added Sieve (RFC 3028) support, courtesy of Michael Haardt's contributed 7966 module. 7967 796850. If a filter generated a file delivery with a non-absolute name (possible if 7969 no home directory exists for the router), the forbid_file option was not 7970 forbidding it. 7971 797251. Added '&' feature to dnslists, to provide bit mask matching in addition to 7973 the existing equality matching. 7974 797552. Exim was using ints instead of ino_t variables in some places where it was 7976 dealing with inode numbers. 7977 797853. If TMPDIR is defined in Local/Makefile (default in src/EDITME is 7979 TMPDIR="/tmp"), Exim checks for the presence of an environment variable 7980 called TMPDIR, and if it finds it is different, it changes its value. 7981 798254. The smtp_printf() function is now made available to local_scan() so 7983 additional output lines can be written before returning. There is also an 7984 smtp_fflush() function to enable the detection of a dropped connection. 7985 The variables smtp_input and smtp_batched_input are exported to 7986 local_scan(). 7987 798855. Changed the default runtime configuration: the message "Unknown user" 7989 has been removed from the ACL, and instead placed on the localuser router, 7990 using the cannot_route_message feature. This means that any verification 7991 failures that generate their own messages won't get overridden. Similarly, 7992 the "Unrouteable address" message that was in the ACL for unverifiable 7993 relay addresses has also been removed. 7994 799556. Added hosts_avoid_esmtp to the smtp transport. 7996 799757. The exicyclog script was not checking for the esoteric option 7998 CONFIGURE_FILE_USE_EUID in the Local/Makefile. It now does this, but it 7999 will work only if exicyclog is run under the appropriate euid. 8000 800158. Following a discussion on the list, the rules by which Exim recognises line 8002 endings on incoming messages have been changed. The -dropcr and drop_cr 8003 options are now no-ops, retained only for backwards compatibility. The 8004 following line terminators are recognized: LF CRLF CR. However, special 8005 processing applies to CR: 8006 8007 (i) The sequence CR . CR does *not* terminate an incoming SMTP message, 8008 nor a local message in the state where . is a terminator. 8009 8010 (ii) If a bare CR is encountered in a header line, an extra space is added 8011 after the line terminator so as not to end the header. The reasoning 8012 behind this is that bare CRs in header lines are most likely either 8013 to be mistakes, or people trying to play silly games. 8014 801559. The size of a message, as listed by "-bp" or in the Exim monitor window, 8016 was being incorrectly given as 18 bytes larger than it should have been. 8017 This is a VOB (very old bug). 8018 801960. This may never have affected anything current, but just in case it has: 8020 When the local host is found other than at the start of a list of hosts, 8021 the local host, those with the same MX, and any that follow, are discarded. 8022 When the list in question was part of a longer list of hosts, the following 8023 hosts (not currently being processed) were also being discarded. This no 8024 longer happens. I'm not sure if this situation could ever has previously 8025 arisen. 8026 802761. Added the "/MX" feature to lists of hosts in the manualroute and query 8028 program routers. 8029 803062. Whenever Exim generates a new message, it now adds an Auto-Submitted: 8031 header. This is something that is recommended in a new Internet Draft, and 8032 is something that is documented as being done by Sendmail. There are two 8033 possible values. For messages generated by the autoreply transport, Exim 8034 adds: 8035 8036 Auto-Submitted: auto-replied 8037 8038 whereas for all other generated messages (e.g. bounces) it adds 8039 8040 Auto-Submitted: auto-generated 8041 804263. The "personal" condition in filters now includes a test for the 8043 Auto-Submitted: header. If it contains the string "auto-" the message it 8044 not considered personal. 8045 804664. Added rcpt_include_affixes as a generic transport option. 8047 804865. Added queue_only_override (default true). 8049 805066. Added the syslog_duplication option. 8051 805267. If what should have been the first header line of a message consisted of 8053 a space followed by a colon, Exim was mis-interpreting it as a header line. 8054 It isn't of course - it is syntactically invalid and should therefore be 8055 treated as the start of the message body. The misbehaviour could have 8056 caused a number of strange effects, including loss of data in subsequent 8057 header lines, and spool format errors. 8058 805968. Formerly, the AUTH parameter on a MAIL command was trusted only if the 8060 client host had authenticated. This control can now be exercised by an ACL 8061 for more flexibility. 8062 806369. By default, callouts do not happen when testing with -bh. There is now a 8064 variant, -bhc, which does actually run the callout code, including 8065 consulting and updating the callout cache. 8066 806770. Added support for saslauthd authentication, courtesy of Alexander 8068 Sabourenkov. 8069 807071. If statvfs() failed on the spool or log directories while checking their 8071 size for availability, Exim confusingly gave the error "space shortage". 8072 Furthermore, in debugging mode it crashed with a floating point exception. 8073 These checks are done if check_{spool,log}_{space,inodes} are set, and when 8074 an SMTP message arrives with SIZE= on the MAIL command. As this is a really 8075 serious problem, Exim now writes to the main and panic logs when this 8076 happens, with details of the failure. It then refuses to accept the 8077 incoming message, giving the message "spool directory problem" or "log 8078 directory problem" with a 421 code for SMTP messages. 8079 808072. When Exim is about to re-exec itself, it ensures that the file descriptors 8081 0, 1, and 2 exist, because some OS complain for execs without them (see 8082 ChangeLog 4.05/30). If necessary, Exim opens /dev/null to use for these 8083 descriptors. However, the code omitted to check that the open succeeded, 8084 causing mysterious errors if for some reason the permissions on /dev/null 8085 got screwed. Now Exim writes a message to the main and panic logs, and 8086 bombs out if it can't open /dev/null. 8087 808873. Re-vamped the way daemon_smtp_port, local_interfaces, and -oX work and 8089 interact so that it is all more flexible. It is supposed to remain 8090 backwards compatible. Also added extra_local_interfaces. 8091 809274. Invalid data sent to a SPA (NTLM) server authenticator could cause the code 8093 to bomb out with an assertion failure - to the client this appears as a 8094 connection drop. This problem occurs in the part of the code that was taken 8095 from the Samba project. Fortunately, the assertion is in a very simple 8096 function, so I have fixed this by reproducing the function inline in the 8097 one place where it is called, and arranging for authentication to fail 8098 instead of killing the process with assert(). 8099 810075. The SPA client code was not working when the server requested OEM rather 8101 than Unicode encoding. 8102 810376. Added code to make require_files with a specific uid setting more usable in 8104 the case where statting the file as root fails - usually a non-root-mounted 8105 NFS file system. When this happens and the failure is EACCES, Exim now 8106 forks a subprocess and does the per-uid checking as the relevant uid. 8107 810877. Added process_log_path. 8109 811078. If log_file_path was not explicitly set, a setting of check_log_space or 8111 check_log_inodes was ignored. 8112 811379. If a space check for the spool or log partitions fails, the incident is now 8114 logged. Of course, in the latter case the data may get lost... 8115 811680. Added the %p formatting code to string_format() so that it can be used to 8117 print addresses in debug_print(). Adjusted all the address printing in the 8118 debugging in store.c to use %p rather than %d. 8119 812081. There was a concern that a line of code in smtp_in.c could overflow a 8121 buffer if a HELO/EHLO command was given followed by 500 or so spaces. As 8122 initially expressed, the concern was not well-founded, because trailing 8123 spaces are removed early. However, if the trailing spaces were followed by 8124 a NULL, they did not get removed, so the overflow was possible. Two fixes 8125 were applied: 8126 8127 (a) I re-wrote the offending code in a cleaner fashion. 8128 (b) If an incoming SMTP command contains a NULL character, it is rejected 8129 as invalid. 8130 813182. When Exim changes uid/gid to the Exim user at daemon start time, it now 8132 runs initgroups(), so that if the Exim user is in any additional groups, 8133 they will be used during message reception. 8134 8135 8136Exim version 4.20 8137----------------- 8138 8139The change log for 4.20 and earlier releases has been archived. 8140 8141**** 8142