exim4 (4.94-18) experimental; urgency=medium Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name. This WILL BREAK configurations which are not updated accordingly. Old Debian exim configuration files also will not work unmodified, the new configuration needs to be installed with local modifications merged in. Typical nonworking examples include: * Delivery to /var/mail/$local_part. Use $local_part_data in combination with check_local_user. * Using data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}} instead of data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}} for a virtual domain alias file. The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value. To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer exim. To make use of this feature add .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA allow_insecure_tainted_data = yes .endif to the exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) *before* upgrading to exim 4.93/4.94 and check the logfile for taint warnings. This is a temporary workaround which is already marked for removal on introduction. -- Andreas Metzler Sun, 25 Apr 2021 07:42:26 +0200 exim4 (4.94-16) unstable; urgency=medium The configuration now enforces certificate verification against the system trust store on encrypted connections using the remote_smtp_smarthost transport (smarthost and satellite setups). Delivery will therefore fail if the host certificates are not verifyable and non TLS delivery is not available (e.g. because AUTH PLAIN is used). -- Andreas Metzler Wed, 17 Mar 2021 13:50:44 +0100 exim4 (4.87-3) unstable; urgency=medium Starting with 4.87~RC1-1 exim will not accept or send out messages with physical lines longer than 998 characters by SMTP DATA. Delivery of such RFC-violating message might fail and subsequently cause routing errors and loss of legitimate mail. See . This limit can be disabled by setting the macro IGNORE_SMTP_LINE_LENGTH_LIMIT. -- Andreas Metzler Sun, 08 May 2016 14:03:10 +0200 exim4 (4.87-2) unstable; urgency=medium exim4-daemon heavy does not support the "demime" ACL condition (WITH_OLD_DEMIME) anymore. It was superceded by the acl_smtp_mime ACL and will not be part of the next upstream release. -- Andreas Metzler Sat, 30 Apr 2016 13:38:29 +0200 exim4 (4.87~RC6-3) unstable; urgency=medium As part of the fix for CVE-2016-1531 updated Exim versions clean the complete execution environment by default, affecting Exim and subprocesses such as routers calling other programs, and thus may break existing installations. New configuration options (keep_environment, add_environment) were introduced to adjust this behavior. Because of the possible breakage Exim will show a runtime warning if keep_environment is not set. The Debian exim4 configuration does not rely on specific environment variables and therefore sets 'keep_environment =' (i.e confirm empty environment). Users of custom Exim configurations will need to check whether their setup continues to work with the abovementioned upstream change and modify the Exim environment as needed otherwise. If the setup works fine with empty environment it is still necessary to set the main configuration option "keep_environment =" to quiet the runtime warning. See for details. -- Andreas Metzler Wed, 23 Mar 2016 18:44:22 +0100 exim4 (4.80~rc6-1) experimental; urgency=low Upstream's handling of GnuTLS DH parameters has changed, hardcoded parameters (from RFCs are used by default. See /usr/share/doc/exim4-base/README.UPDATING* for details. Stop shipping /usr/share/exim4/exim4_refresh_gnutls-params /usr/share/exim4/timeout.pl and /var/spool/exim4/gnutls-params-2236. -- Andreas Metzler Sun, 27 May 2012 18:46:48 +0200 exim4 (4.80~rc2-1) experimental; urgency=low Ldap lookups returning multi-valued attributes now separate the attributes with only a comma, not a comma-space sequence. The GnuTLS support has been mostly rewritten. exim main configuration options gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols, are no longer supported. (They are ignored if present now, but will trigger an error in later releases.) Their functionality is entirely subsumed into tls_require_ciphers. In turn, tls_require_ciphers is no longer an Exim list and is not parsed by Exim, but is instead given to gnutls_priority_init(3). See /exim4-base/usr/share/doc/exim4-base/README.UPDATING.gz for details. -- Andreas Metzler Sat, 22 Oct 2011 19:16:58 +0200 exim4 (4.77~rc4-1) experimental; urgency=low Exim no longer performs string expansion on the second string of the match_* expansion conditions: "match_address", "match_domain", "match_ip" & "match_local_part". Named lists can still be used. The previous behavior made it too easy to create (remotely) vulnerable configurations. A more detailed rationale and explanation can be found on https://lists.exim.org/lurker/message/20111003.122326.fbcf32b7.en.html -- Andreas Metzler Thu, 05 Oct 2011 19:22:52 +0200 exim4 (4.72-3) unstable; urgency=low Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345. This is a privilege escalation issue that allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option. The macro override facility (-D) might also be misused for this purpose. In reaction to this security vulnerability upstream has made a number of user visible changes. This package includes these changes. --------------------------------------------------------- If exim is invoked with the -C or -D option the daemon will not regain root privileges though re-execution. This is usually necessary for local delivery, though. Therefore it is generally not possible anymore to run an exim daemon with -D or -C options. However this version of exim has been built with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST defines a list of configuration files which are trusted; if a config file is owned by root and matches a pathname in the list, then it may be invoked by the Exim build-time user without Exim relinquishing root privileges. As a hotfix to not break existing installations of mailscanner we have also set WHITELIST_D_MACROS=OUTGOING. i.e. it is still possible to start exim with -DOUTGOING while being able to do local deliveries. If you previously were using -D switches you will need to change your setup to use a separate configuration file. The ".include" mechanism makes this easy. --------------------------------------------------------- The system filter is run as exim_user instead of root by default. If your setup requies root privileges when running the system filter you will need to set the system_filter_user exim main configuration option. --------------------------------------------------------- -- Andreas Metzler Sat, 18 Dec 2010 18:57:16 +0100 exim4 (4.69-4) unstable; urgency=low In reaction to #475194, the size of the Diffie-Hellman parameters used by exim was increased to 2048, which is GnuTLS's default. Since periodically regenerating the Diffie-Hellman parameters doesn't increase security that much (they're sent in clear text in the TLS handshake, and some protocols even have hardcoded them in the standard document), and automatically generating 2048 bits Diffie-Hellman parameters can take a long time, this has been disabled in the Exim4 packages starting with 4.69-4. All exim installations will thus run with the Diffie-Hellman parameters shipped in the package by default. Really, really paranoid people with sufficiently fast machines will want to set up a cron job calling /usr/share/exim4/exim4_refresh_gnutls-params manually - suggested interval is weekly or monthly. -- Marc Haber Sun, 27 Apr 2008 09:14:32 +0200 exim4 (4.68-1) unstable; urgency=low In order to fix #420217, the handling of incoming messages to system accounts has been changed once again. To allow system account mail addresses to be redirected via traditional /etc/aliases, system accounts are now processed later in the router chain. This has made it necessary to change the default behavior of the real- prefix. real-foo is now only accessible for locally generated messages, such as the error message generated by the userforward router. If you need the old behavior back, set the macro COND_LOCAL_SUBMITTER=true. As a side-effect, you can entirely switch off the real- processing by setting COND_LOCAL_SUBMITTER=false. -- Marc Haber Thu, 04 Oct 2007 22:34:01 +0200 exim4 (4.67-6) unstable; urgency=low acl_whitelist_local_deny was renamed to acl_local_deny_exceptions to avoid confusion. This means changes to ACLs, file names in /etc/exim4/conf.d/acl and the exception list file names themselves. CONFDIR/local_host_whitelist and CONFDIR/local_sender_whitelist have been renamed to CONFDIR/host_local_deny_exceptions and CONFDIR/sender_local_deny_exceptions. The old files will continue to be honored for a transition period. The old file conf.d/acl/20_exim4-config_whitelist_local_deny will get a .dpkg-bak suffix if it had local changes, and it will be removed if there were no local changes. In the case of local changes, you'll need to repeat these changes in the new file conf.d/acl/20_exim4-config_local_deny_exceptions. -- Marc Haber Wed, 05 Sep 2007 21:22:22 +0200 exim4 (4.67-5) unstable; urgency=low The macro generation in update-exim4.conf has been changed once more. update-exim4.conf now looks for the (non-commented!) definition of the exim configuration macro UPEX4CmacrosUPEX4C to an arbitrary, non-empty value, and inserts the generated macro definitions right after this line, without changing it. update-exim4.conf looks for commented UPEX4CmacrosUPEX4C (which used to be the place marker in earlier 4.67-x versions) and barfs if it finds them anywhere in /etc/exim4/exim4.conf.template or recursively /etc/exim4/conf.d. This check - as a feature - also includes files that would normally be excluded by update-exim4.conf, such as .dpkg-old and .dpkg-dist files. If you insist on having a commented UPEX4CmacrosUPEX4C in your exim configuration and don't want update-exim4.conf to barf, set the exim macro UPEX4CmacrosOK_config_adapted to a non-empty value. -- Marc Haber Thu, 28 Jun 2007 08:29:36 +0200 exim4 (4.67-4) unstable; urgency=low Since a lot of users did not read the docs while upgrading and filed bug reports about exim4-config failing to install due to a "malformed macro definition", update-exim4.conf.conf now checks for DEBCONFsomethingDEBCONF strings anywhere in /etc/exim4/exim4.conf.template or recursively /etc/exim4/conf.d and barfs if such strings are found. This check - as a feature - also includes files that would normally be excluded by update-exim4.conf. It _is_ necessary to either accept the offered configuration file change _or_ to manually check a manually changed exim config. Exim will _NOT_ run if a configuration file of an older version is being used with a more recent exim4-config. If you insist on having DEBCONFsomethingDEBCONF strings in your exim configuration and don't want update-exim4.conf to barf, set the exim macro DEBCONFstringOK_config_adapted to a non-empty value. -- Marc Haber Fri, 22 Jun 2007 12:50:38 +0200 exim4 (4.67-2) experimental; urgency=low The symlink /etc/exim4/email-addresses caused data loss for people who had a local file named /etc/exim4/email-addresses. The Debian tools do not handle symlinks in /etc which are contained in packages very well, so we decided to simply remove it. Please submit a tested patch if you think that it would be a more elegant way to handle the transition from /etc/exim4/email-addresses to /etc/email-addresses. There is now a possibility to modify handling of incoming messages to system accounts, identified by their UID (see conf.d/router/250_exim4-config_lowuid). If you want this, set the macro FIRST_USER_ACCOUNT_UID (which defaults to 0) to the UID of your first "real" user account. Incoming messages for an account with an UID below that value get routed according to the extra alias file /etc/exim4/lowuid-aliases. If an account does not have an alias there, it gets routed to the value of the macro DEFAULT_SYSTEM_ACCOUNT_ALIAS, which defaults to ":fail: no mail to system accounts" and gets the message rejected. You can use this mechanism to route all messages for system accounts to a single address, with exceptions. Locally generated messages are not processed by this facility. Generation of the final exim configuration has changed. The configuration no longer has the DEBCONFsomethingDEBCONF placeholders. All data from Debconf are put into exim configuration macros by update-exim4.conf, which are then appropriately picked up by the configuration itself. There should be no visible change to people who have not modified their configuration, but customized configurations need to adapt. We now do basic sanitizing of input read from update-exim4.conf.conf. If your update-exim4.conf complains about non-ascii values, you have found a bug. Please report it. -- Marc Haber Mon, 11 Jun 2007 14:09:24 +0200 exim4 (4.62-7) unstable; urgency=low Bug #392993 says that 4.63-5 and -6 have overwritten manual setting of dc_local_delivery with one of the default versions if you have set dc_local_delivery to a value that is not either mail_spool or maildir_home. Please verify that your dc_local_delivery does still point to the transport you have chosen. Please note that the debconf configuration only supports plain lists. Advanced features like "dsearch;" entered there may work today, but are not guaranteed to continue working in the future. If you want to use such features, please use the macros made available for use in the configuration or edit the configuration itself. This allows us to use semicolons as list delimiters consistently while still being backwards compatible to colon-separated lists without driving code complexity up too high. Starting with this version, update-exim4.conf will print a warning if a dsearch lookup is found in the list of local domains, dc_local_domains since there is a HOWTO on the Internet that recommends doing this kind of things and this will _not_ work any more. -- Marc Haber Sun, 15 Oct 2006 10:00:15 +0000 exim4 (4.62-4) unstable; urgency=low exim4-config has had its debconf templates re-worked. Basic functionality is unchanged, so you shouldn't expect a real difference. The priority of most questions has been lowered to medium, so that the Installer can install exim4 with no questions being asked. The default is local delivery only. Mail messages for root and postmaster are delivered to an mbox file in /var/mail/mail, make sure to read them. You can do the full exim4 configuration by calling dpkg-reconfigure exim4-config as root. It is now finally possible to configure exim4 to deliver outgoing mail to a smarthost on a port number different from 25 via debconf. -- Marc Haber Mon, 9 Oct 2006 14:12:25 +0000 exim4 (4.62-3) unstable; urgency=low A template for SPF support is now provided. It is disabled by default, and relies on external calls to spfquery(1) from the libmail-spf-query-perl package. For details, check README.Debian, and conf.d/acl/30_exim4-config_check_rcpt. -- Robert Millan Fri, 28 Jul 2006 22:43:56 +0200 exim4 (4.62-1) unstable; urgency=low Please note that the handling of update-exim4.conf.conf has changed with regard to dc_local_interfaces and dc_relay_nets: If the strings given there contain a semicolon, the string "<;" is now prepended to the value written to the configuration file to consider ; a list separator. This significantly helps writing down IPv6 addresses, but means that if you use complex things like lookups in update-exim4.conf.conf, you'll have to change your configuration to use the macros that directly interfere with the configuration. 127.0.0.1 and ::1 have been removed from the default hostlist relay_from_hosts - these addresses are now added by update-exim4.conf with the appropriate separator. If you set MAIN_RELAY_NETS manually, you'll need to add these two addresses to your local host list. -- Marc Haber Sat, 29 Apr 2006 22:36:31 +0000 exim4 (4.60-2) unstable; urgency=low The exim4 daemon packages now include a symlink from /usr/sbin/exim4 to /usr/sbin/exim. This can break exim 3 cron and init scripts if the last exim 3 you had installed was any earlier than 3.36-5 and the conffiles from your exim 3 package are still around. Be sure to have any exim 4 earlier than 3.36-5 _purged_ (not removed) before installing this package. -- Marc Haber Wed, 24 Jan 2006 14:58:08 +0100 exim4 (4.50-5) unstable; urgency=low mailname, the local name of the system used to qualify senders and recipients is no longer a local domain by default. Having local delivery for that host name used to break satellite and smarthost setups where no local delivery was expected. /etc/exim4/update-exim4.conf.conf is modified automatically on upgrade from the appropriate earlier versions, so if you don't do any funky things with /etc/exim4/update-exim4.conf.conf, you should be fine. -- Marc Haber Sat, 2 Apr 2005 20:31:27 +0200 exim4 (4.43-3) unstable; urgency=low /etc/exim4/email-addresses is ignored now, please use /etc/email-addresses! The last version of exim4 that shipped this file was uploaded on the 19th of May 2003, and I really do not want to start sarge with cruft like that. -- Andreas Metzler Mon, 10 Jan 2004 10:05:34 +0100 exim4 (4.34-1) unstable; urgency=low Debconf will not ask for relay_domains if configuring smarthost or satellite-type systems. - This functionality was untested and could generate mail-loops. -- Andreas Metzler Wed, 12 May 2004 13:42:23 +0200 exim4 (4.31-2) unstable; urgency=low The local_scan perl-plugin has been removed because upstream development has stopped. (am) -- Andreas Metzler Mon, 5 Apr 2004 15:55:12 +0200 exim4 (4.30-5) unstable; urgency=low (Re)introduce /etc/exim4/exim4.conf.template as alternative to the multiple small files in /etc/exim4/conf.d/ and make it the default choice for fresh installations. This trades in a loss of comfort (you will again need to merge in each small change manually) for increased stability. -- Andreas Metzler Sun, 11 Jan 2004 13:03:43 +0100 exim4 (4.30-1) unstable; urgency=low * Exim now runs under its own uid (Debian-exim) instead of using mail:mail. WARNING: You cannot downgrade this version to an older one without manual chown|chrgrp all files owned by Debian-exim to mail. Securitywise this is a tradeoff: - if exim is SUID root and runs without deliver_drop_privilege you win: exim's internal data in /var/spool/exim4 is not open to attacks by bugs in programs SGID mail (mail delivery agents like deliver or procmail, or MUAs like pine) anymore. This is Debian's default setup. - OTOH if you need to be able to make local deliveries to /var/mail and want to run exim with reduced priviledge you have some additional work to do: * Use an SGID MDA for the actual delivery (I suggest maildrop.) * Make changes to run exim4 under group mail: - exim_group=mail. - Hack: make Debian-exim a group with gid=8, i.e. an alias for the mail group, _before_ you make the upgrade. (groupadd -o -g 8 Debian-exim) -- Andreas Metzler Sun, 7 Dec 2003 13:59:46 +0100 exim4 (4.24-1) unstable; urgency=low * This version of exim cannot run deliveries as root anymore, see change 5a for exim 4.23 in /usr/share/doc/exim4-base/changelog.gz. If you don't redirect mail for root via /etc/aliases to a nonpriviledged account the mail will be delivered to /var/mail/mail with permissions 0600 and owner mail:mail. -- Andreas Metzler Fri, 3 Oct 2003 18:11:17 +0200 exim4 (4.22-2) unstable; urgency=low Include exiscan-acl patch http://duncanthrax.net/exiscan-acl/ in -heavy and -custom for easy integration of content-scanning and invoking spamassassin at SMTP time. -- Andreas Metzler Wed, 27 Aug 2003 12:50:59 +0200 exim4 (4.22-1) unstable; urgency=low * The way that the $h_ (and $header_) expansions work has been changed by the addition of RFC 2047 decoding. See the main documentation (the NewStuff file until release 4.30, then the manual) for full details. Exim shipped with Debian defaults to HEADER_DECODE_TO="UTF-8" -- Andreas Metzler Mon, 18 Aug 2003 16:51:47 +0200 exim4 (4.20-2) unstable; urgency=low Rewriting now uses /etc/email-addresses instead of /etc/exim4/email-addresses like exim v3 did. Please move the contents to the new file and delete the old one, when you have time to spare. -- Andreas Metzler Tue, 15 Jul 2003 10:20:15 +0200