diff options
Diffstat (limited to 'doc/ChangeLog')
| -rw-r--r-- | doc/ChangeLog | 8277 |
1 files changed, 8277 insertions, 0 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog new file mode 100644 index 0000000..3e6da91 --- /dev/null +++ b/doc/ChangeLog @@ -0,0 +1,8277 @@ +This document describes *changes* to previous versions, that might +affect Exim's operation, with an unchanged configuration file. For new +options, and new features, see the NewStuff file next to this ChangeLog. + +Exim version 4.96 +----------------- + +JH/01 Move the wait-for-next-tick (needed for unique messmage IDs) from + after reception to before a subsequent reception. This should + mean slightly faster delivery, and also confirmation of reception + to senders. + +JH/02 Move from using the pcre library to pcre2. The former is no longer + being developed or supported (by the original developer). + +JH/03 Constification work in the filters module required a major version + bump for the local-scan API. Specifically, the "headers_charset" + global which is visible via the API is now const and may therefore + not be modified by local-scan code. + +JH/04 Fix ClamAV TCP use under FreeBSD. Previously the OS-specific shim for + sendfile() didi not account for the way the ClamAV driver code called it. + +JH/05 Bug 2819: speed up command-line messages being read in. Previously a + time check was being done for every character; replace that with one + per buffer. + +JH/06 Bug 2815: Fix ALPN sent by server under OpenSSL. Previously the string + sent was prefixed with a length byte. + +JH/07 Change the SMTP feature name for pipelining connect to be compliant with + RFC 5321. Previously Dovecot (at least) would log errors during + submission. + +JH/08 Remove stripping of the binaries from the FreeBSD build. This was added + in 4.61 without a reason logged. Binaries will be bigger, which might + matter on diskspace-constrained systems, but debug is easier. + +JH/09 Fix macro-definition during "-be" expansion testing. The move to + write-protected store for macros had not accounted for these runtime + additions; fix by removing this protection for "-be" mode. + +JH/10 Convert all uses of select() to poll(). FreeBSD 12.2 was found to be + handing out large-numbered file descriptors, violating the usual Unix + assumption (and required by Posix) that the lowest possible number will be + allocated by the kernel when a new one is needed. In the daemon, and any + child procesees, values higher than 1024 (being bigger than FD_SETSIZE) + are not useable for FD_SET() [and hence select()] and overwrite the stack. + Assorted crashes happen. + +JH/11 Fix use of $sender_host_name in daemon process. When used in certain + main-section options or in a connect ACL, the value from the first ever + connection was never replaced for subsequent connections. Found by + Wakko Warner. + +JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux, + though only once PCRE2 was introduced: the memory accounting used under + debug offset allocations by an int, giving a hard trap in early startup. + Change to using a size_t. Debug and fix by John Paul Adrian Glaubitz. + +JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value + with underbars is given. The write-protection of configuration introduced + in 4.95 trapped when normalisation was applied to an option not needing + expansion action. + +JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters. + +JH/15 Fix a resource leak in *BSD. An off-by-one error resulted in the daemon + failing to close the certificates directory, every hour or any time it + was touched. + +JH/16 Debugging initiated by an ACL control now continues through into routing + and transport processes. Previously debugging stopped any time Exim + re-execs, or for processing a queued message. + +JH/17 The "expand" debug selector now gives more detail, specifically on the + result of expansion operators and items. + +JH/18 Bug 2751: Fix include_directory in redirect routers. Previously a + bad comparison between the option value and the name of the file to + be included was done, and a mismatch was wrongly identified. + 4.88 to 4.95 are affected. + +JH/19 Support for Berkeley DB versions 1 and 2 is withdrawn. + +JH/20 When built with NDBM for hints DB's check for nonexistence of a name + supplied as the db file-pair basename. Previously, if a directory + path was given, for example via the autoreply "once" option, the DB + file.pag and file.dir files would be created in that directory's + parent. + +JH/21 Remove the "allow_insecure_tainted_data" main config option and the + "taint" log_selector. These were previously deprecated. + +JH/22 Fix static address-list lookups to properly return the matched item. + Previously only the domain part was returned. + +JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously + the call into OpenSSL to send a TLS Close was being repeated; this + resulted in the library waiting for the peer's Close. If that was never + sent we waited forever. Fix by tracking send calls. + +JH/24 The ${run} expansion item now expands its command string elements after + splitting. Previously it was before; the new ordering makes handling + zero-length arguments simpler. The old ordering can be obtained by + appending a new option "preexpand", after a comma, to the "run". + +JH/25 Taint-check exec arguments for transport-initiated external processes. + Previously, tainted values could be used. This affects "pipe", "lmtp" and + "queryprogram" transport, transport-filter, and ETRN commands. + The ${run} expansion is also affected: in "preexpand" mode no part of + the command line may be tainted, in default mode the executable name + may not be tainted. + +JH/26 Fix CHUNKING on a continued-transport. Previously the usabliility of + the the facility was not passed across execs, and only the first message + passed over a connection could use BDAT; any further ones using DATA. + +JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data + uses $sending_ip_address and an interface is specified. + Previously any use of the local address in the EHLO name disabled + PIPECONNECT, the common case being to use the rDNS of it. + +JH/28 OpenSSL: fix transport-required OCSP stapling verification under session + resumption. Previously verify failed because no certificate status is + passed on the wire for the restarted session. Fix by using the recorded + ocsp status of the stored session for the new connection. + +JH/29 TLS resumption: the key for session lookup in the client now includes + more info that a server could potentially use in configuring a TLS + session, avoiding oferring mismatching sessions to such a server. + Previously only the server IP was used. + +JH/30 Fix string_copyn() for limit greater than actual string length. + Previously the copied amount was the limit, which could result in a + overlapping memcpy for newly allocated destination soon after a + source string shorter than the limit. Found/investigated by KM. + +JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection + close; it may be needed for a subsequent connection. This caused a + SEGV on primary-MX defer. Found/investigated by Gedalya & Andreas. + +JH/32 Fix CHUNKING for a second message on a connection when the first was + rejected. Previously we did not reset the chunking-offered state, and + erroneously rejected the BDAT command. Investigation help from + Jesse Hathaway. + +JH/33 Fis ${srs_encode ...} to handle an empty sender address, now returning + an empty address. Previously the expansion returned an error. + +HS/01 Bug 2855: Handle a v4mapped sender address given us by a frontending + proxy. Previously these were misparsed, leading to paniclog entries. + + +Exim version 4.95 +----------------- + +JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail- + related applications. Previously an "H" was used where available info + says that "M" should be, so change to match. + +JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used + as arguments, so an implementation trying to copy these into a local + buffer was taking a taint-enforcement trap. Fix by using dynamically + created buffers. Similar fix for radius expansion condition. + +JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is + reasonable, eg. to count headers. Fix by using dynamically created + buffers rather than a local. Do similar fixes for ACL actions "dcc", + "log_reject_target", "malware" and "spam"; the arguments are expanded + so could be handling tainted values. + +JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had + broken the (no-op) support for this sendmail command. Restore it + to doing nothing, silently, and returning good status. + +JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" + record path was given (or the default used) without a leading directory + path, an error occurred on trying to open it. Use the transport's working + directory. + +JH/06 Bug 2594: Change the name used for certificate name checks in the smtp + transport. Previously it was the name on the DNS A-record; use instead + the head of the CNAME chain leading there (if there is one). This seems + to align better with RFC 6125. + +JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for + smtp_accept_max_per_host allocated resources which were not released + when the limit was exceeded. This eventually crashed the daemon. Fix + by adding a release action in that path. + +JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are + expanded; previously using tainted values was rejected. Fix by using + dynamically-created buffers. + +JH/09 Relax restrictions on ACL verify condition needing access to message + headers. Previously they were only permitted in data and non-smtp ACLs; + permit also mime, dkim, prdr quit and notquit. Applies to header-syntax, + not_blind, header_sender and header_names_ascii verification. + +JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once. + Previously a macro used one argument twice; when called with the + argument as an expression having side-effects, incorrect operation + resulted. Use an inlineable function. + +JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already + held open for a verify callout. Previously this wan not accounted for + and a corrupt onward SMTP conversation resulted. + +JH/12 Bug 2607: Fix the ${srs_encode } expansion to handle quoted local_parts. + Previously they were embedded naively in the constructed address; when + needed, strip the quoting and quote the entire local_part. + Also make the inbound_srs expansion condition handle quoting. + +JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was + excluded, not matching the documentation. + +JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename + was given for the sqlite_dbfile a trap resulted. + +JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the + "name" argument resulted in a trap. There is no reason to disallow such; + this was a coding error. + +JH/16 Bug 2615: Fix pause during message reception, on systems that have been + suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time + spent suspended, ignoring the POSIX definition. Previously we assumed + it did and a constant offset from real time could be used as a correction. + Change to using the same clock source for the start-of-message and the + post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it + exists, just to get a clock slightly more aligned to reality. + +JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the + RFC says it is optional some validators care. The missing char was not + intended but triggered by a line-wrap alignment. Discovery and fix by + Guillaume Outters, hacked on by JH. + +JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the + name being quoted was tainted a trap would be taken. Fix by using + dynamically created buffers. The routine could have been called by a + rewrite with the "h" flag, by using the "-F" command-line option, or + by using a "name=" option on a control=submission ACL modifier. + +JH/19 SPF: change the Authentication-Results expansion component to give + smtp.helo when the sender domain is empty. Previously it gave + "smtp.mailfrom=<>" + +JH/20 Bug 2631: ACL dnslist conditions now ignore and log any lookups returns + not in 127.0.0.0/8 to help in spotting list domains taken over by a + domain-parking registrar. + +JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion. + Previously when a whitespace character was specified it was not inserted + after removing the newline. + +JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be + the domain part of the recipient address. This overrides any tls_sni + option set, which was previously used. + +JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI + in quotes. + +JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for + is_tainted() had an off-by-one error in the overenthusiastic direction. + Find and fix by Gavan. Although NetBSD is not a supported platform for + 4.94 this bug could affect other platforms. + +PP/01 Fix default prime selection to be consistent. + One path used ike23 still, instead of exim.dev.20160529.3; now both + execution flows will use the same DH primes (currently + exim.dev.20160529.3). + +JH/25 OpenSSL: Fix back-compatibility behaviour surrounding tls_certificates + option in smtp transport, to match the documentation. Previously + verification was not being done in some cases where it should have been. + +JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more + than one server was defined and depending on the platform memory layout + details, an internal consistency trap could be hit while walking the list + of servers. + +JH/27 Bug 2648: fix the passing of an authenticator public-name through spool + files. The value is used by the authresults expansion item. Previously + if this was used in a router or transport, a crash could result. + +JH/28 Fix spurious logging of select error. Some platforms, notably FreeBSD, + have a sufficient incidence of EINTR returns from select that an + interaction with other operations done by the main daemon loop exposed + a bug in the error-handling. This was benign apart from the log + messages. + +JH/29 Bug 2675: add outgoing-interface I= element to deferred "==" log lines, + for consistency with delivered "=>" and failed "**" lines. While we're + there, handle PRX and TFO. + +JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was + applied. This resulted, if any header-line rewrite rules were configured, + in a panic-log triggerable by sending a message with a long address in + a header. Fix by increasing the arbitrary limit to larger than a single + (dewrapped) 5322 header line maximum size. + +JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option + is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with + RFC 6648 which deprecates X- options in protocols as a general practice. + Changeover between the implementations is handled by the mechanisms + already coded. + +JH/32 Bug 2599: fix delay of delivery to a local address where there is also + a remote which uses callout/hold. Previously the local was queued. + +JH/33 Fix a taint trap in the ${listextract } expansion when the source data + was tainted. + +JH/34 Fix the placement of a multiple-message delivery marker in the delivery + log line. The asterisk is now consistently appended to the remote IP + (and port, if given), and will also be provided on defer and fail log + lines. Previously it could be placed on the local IP if that was being + logged, and was only provided on delivery lines. + +JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files. + +JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext + authenticator client_send option. Previously the next char, after a pair + was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became + ^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the + documentation. There is still no way to get a leading ^ immediately + after a NUL (ie. for the password of a PLAIN method authenticator. + +JH/37 Enforce the expected size, for fixed-size records read from hints-DB + files. For bad sizes read, delete the record and whine to paniclog. + +JH/38 When logging an AUTH failure, as server, do not include sensitive + information. Previously, the credentials would be included if given + as part of the AUTH command line and an ACL denied authentication. + +JH/39 Bug 2691: fix $local_part_data. When the matching list element + referred to a file, bad data was returned. This likely also affected + $domain_part_data. + +JH/40 The gsasl authenticator now supports caching of the salted password + generated by the client-side implementation. This required the addition + of a new variable: $auth4. + +JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was + left undeleted; the attempt to re-create it then failed - resulting in + the usual "SIGHUP tp have daemon reload configuration" to not work. + This affected any platform not supporting "abstract" Unix-domain + sockets (i.e. not Linux). + +JH/42 Bug 2693: Harden against a peer which reneges on a 452 "too many + recipients" response to RCPT in a later response, with a 250. The + previous coding assumed this would not happen, and under PIPELINING + would result in both lost and duplicate recipients for a message. + +JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers. + Previously the weighting was incorrectly applied. Similar fix for socks + proxies. Found and fixed by Heiko Schlichting. + +JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did + not handle sub-lists included using the +namedlist syntax. While + investigating, the same found for dns_trust_aa, dns_again_means_nonexist, + dnssec_require_domains, dnssec_request_domains, srv_fail_domains, + mx_fail_domains. + +JH/45 Use a (new) separate store pool-pair for DKIM verify working data. + Previously the permanent pool was used, so the sore could not be freed. + This meant a connection with many messages would use continually-growing + memory. + +JH/46 Use an exponentially-increasing block size when malloc'ing store. Do it + per-pool so as not to waste too much space. Previously a constant size + was used which resulted in O(n^2) behaviour; now we get O(n log n) making + DOS attacks harder. The cost is wasted memory use in the larger blocks. + +JH/47 Use explicit alloc/free for DNS lookup workspace. This permits using the + same space repeatedly, and a smaller process footprint. + +JH/48 Use a less bogus-looking filename for a temporary used for DH-parameters + for GnuTLS. Previously the name started "%s" which, while not a bug, + looked as if if might be one. + +JH/49 Bug 2710: when using SOCKS for additional messages after the first (a + "continued connection") make the $proxy_* variables available. Previously + the information was not passed across the exec() call for subsequent + transport executions. This also mean that the log lines for the + messages can show the proxy information. + +JH/50 Bug 2672: QT elements in log lines, unless disabled, now exclude the + receive time. With modern systems the difference is significant. + The historical behaviour can be restored by disabling (a new) log_selector + "queue_time_exclusive". + +JH/51 Taint-check ACL line. Previously, only filenames (for out-of-line ACL + content) were specifically tested for. Now, also cover expansions + resulting in ACL names and inline ACL content. + +JH/52 Fix ${ip6norm:} operator. Previously, any trailing line text was dropped, + making it unusable in complex expressions. + +JH/53 Bug 2743: fix immediate-delivery via named queue. Previously this would + fail with a taint-check on the spoolfile name, and leave the message + queued. + +HS/01 Enforce absolute PID file path name. + +HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process. + +PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL. + +PP/02 Bug 2643: Correct TLS DH constants. + A missing NUL termination in our code-generation tool had led to some + incorrect Diffie-Hellman constants in the Exim source. + Reported by kylon94, code-gen tool fix by Simon Arlott. + +PP/03 Impose security length checks on various command-line options. + Fixes CVE-2020-SPRSS reported by Qualys. + +PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX + better. Reported by Qualys. + +PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker + providing a particularly obnoxious sender full name. + Reported by Qualys. + +PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase() + +PP/07 Refuse to allocate too little memory, block negative/zero allocations. + Security guard. + +PP/08 Change default for recipients_max from unlimited to 50,000. + +PP/09 Fix security issue with too many recipients on a message (to remove a + known security problem if someone does set recipients_max to unlimited, + or if local additions add to the recipient list). + Fixes CVE-2020-RCPTL reported by Qualys. + +PP/10 Fix security issue in SMTP verb option parsing + Fixes CVE-2020-EXOPT reported by Qualys. + +PP/11 Fix security issue in BDAT state confusion. + Ensure we reset known-good where we know we need to not be reading BDAT + data, as a general case fix, and move the places where we switch to BDAT + mode until after various protocol state checks. + Fixes CVE-2020-BDATA reported by Qualys. + +HS/03 Die on "/../" in msglog file names + +QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of + the Exim runtime user are allowed to create files. + +QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim + runtime user. + +QS/03 When reading the output from interpreted forward files we do not + pass the pipe between the parent and the interpreting process to + executed child processes (if any). + +QS/04 Always die if requested from internal logging, even is logging is + disabled. + +JH/54 DMARC: recent versions of the OpenDMARC library appear to have broken + the API; compilation noo longer completes with DMARC support included. + This affects 1.4.1-1 on Fedora 33 (1.3.2-3 is functional); and has + been reported on other platforms. + +JH/55 TLS: as server, reject connections with ALPN indicating non-smtp use. + +JH/56 Make the majority of info read from config files readonly, for defence-in- + depth against exploits. Suggestion by Qualys. + Not supported on Solaris 10. + +JH/57 Fix control=fakreject for a custom message containing tainted data. + Previously this resulted in a log complaint, due to a re-expansion present + since fakereject was originally introduced. + +JH/58 GnuTLS: Fix certextract expansion. If a second modifier after a tag + modifier was given, a loop resulted. + +JH/59 DKIM: Fix small-message verification under TLS with chunking. If a + pipelined SMTP command followed the BDAT LAST then it would be + incorrectly treated as part of the message body, causing a verification + fail. + +JH/60 Bug 2805: Fix logging of domain-literals in Message_ID: headers. They + require looser validation rules than those for 821-level addresses, + which only permit IP addresses. + + +Exim version 4.94 +----------------- + +JH/01 Avoid costly startup code when not strictly needed. This reduces time + for some exim process initialisations. It does mean that the logging + of TLS configuration problems is only done for the daemon startup. + +JH/02 Early-pipelining support code is now included unless disabled in Makefile. + +JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to + RFC 8301. They can still be enabled, using the dkim_verify_hashes main + option. + +JH/04 Support CHUNKING from an smtp transport using a transport_filter, when + DKIM signing is being done. Previously a transport_filter would always + disable CHUNKING, falling back to traditional DATA. + +JH/05 Regard command-line recipients as tainted. + +JH/06 Bug 340: Remove the daemon pid file on exit, when due to SIGTERM. + +JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the + PAM library frees one of the arguments given to it, despite the + documentation. Therefore a plain malloc must be used. + +JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously + on-stack buffers were used, resulting in a taint trap when DSN information + copied from a received message was written into the buffer. + +JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix + the ordering of its ARC headers. This caused a crash. + +JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when + a new record was being constructed with information from the peer, a trap + was taken. + +JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive + installation would get error messages from DMARC verify, when it hit the + nonexistent file indicated by the default. Distros wanting DMARC enabled + should both provide the file and set the option. + Also enforce no DMARC verification for command-line sourced messages. + +JH/12 Fix an uninitialised flag in early-pipelining. Previously connections + could, depending on the platform, hang at the STARTTLS response. + +JH/13 Bug 2498: Reset a counter used for ARC verify before handling another + message on a connection. Previously if one message had ARC headers and + the following one did not, a crash could result when adding an + Authentication-Results: header. + +JH/14 Bug 2500: Rewind some of the common-coding in string handling between the + Exim main code and Exim-related utities. The introduction of taint + tracking also did many adjustments to string handling. Since then, eximon + frequently terminated with an assert failure. + +JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and + check for 452 responses. This slightly helps the inefficieny of doing + a large alias-expansion into a recipient-limited target. The max_rcpt + transport option still applies (and at the current default, will override + the new feature). The check is done for either cause of synch, and forces + a fast-retry of all 452'd recipients using a new MAIL FROM on the same + connection. The new facility is not tunable at this time. + +JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to + library live data was being used, so the results became garbage. Make + copies while it is still usable. + +JH/17 Logging: when the deliver_time selector ise set, include the DT= field + on delivery deferred (==) and failed (**) lines (if a delivery was + attemtped). Previously it was only on completion (=>) lines. + +JH/18 Authentication: the gsasl driver not provides the $authN variables in time + for the expansion of the server_scram_iter and server_scram_salt options. + +WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library + are now specifically given a NO_DATA response without hitting the system + resolver. The library goes on to do the now-standard TXT lookup. + Use of dnsdb lookups is not affected. + +JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure, + only retrieve the errormessage once. Previously two calls to dlerror() + were used, and the second one (for mainlog/paniclog) retrieved null + information. + +JH/20 Taint checking: disallow use of tainted data for + - the appendfile transport file and directory options + - the pipe transport command + - the autoreply transport file, log and once options + - file names used by the redirect router (including filter files) + - named-queue names + - paths used by single-key lookups + Previously this was permitted. + +JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it + adjusted the size of a major service buffer; this failed because the + buffer was in use at the time. Change to a compile-time increase in the + buffer size, when this authenticator is compiled into exim. + +JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The + previous fast-mode was untenable in the face of glibs using mmap to + support larger malloc requests. + +PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c. + New values supported, if defined on system where compiled: + allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat, + no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding + +JH/23 Performance improvement in the initial phase of a two-pass queue run. By + running a limited number of proceses in parallel, a benefit is gained. The + amount varies with the platform hardware and load. The use of the option + queue_run_in_order means we cannot do this, as ordering becomes + indeterminate. + +JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix + had introduced a string-copy (for ensuring NUL-termination) which was not + appropriate for that case, which can include embedded NUL bytes in the + block of data. Investigation showed the copy to actually be needless, the + data being length-specified. + +JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was + done during a receiving connection, and both used TLS, global info was + used rather than per-connection info for tracking the state of data + queued for transmission. This could result in a connection hang. + +JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections. + Previously, when delivering serveral messages down a single connection + only the first would provide a SIZE. This was due to the size information + not being properly tracked. + +JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as + TAI (at 37 seconds currently), pretend to be in UTC for time-related + expansion and logging. Previously, spurious values such as a future + minute could be seen. + +JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations + it could crash from a null-deref. This could also affect the + ${addresses: } operator and ${readsock } item. + +JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime + message following a mime one, the variable was not reset. + +JH/30 When an pipelined-connect fails at the first response, assume incorrect + cached capability (perhaps the peer reneged?) and immediately retry in + non-pipelined mode. + +JH/31 Fix spurious detection of timeout while writing to transport filter. + +JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously + an attempt to copy the string was made before checking it. + +JH/33 Fix the dsearch lookup to return an untainted result. Previously the + taint of the lookup key was maintained; we now regard the presence in the + filesystem as sufficient validation. + +JH/34 Fix the readsocket expansion to not segfault when an empty "options" + argument is supplied. + +JH/35 The dsearch lookup now requires that the directory is an absolute path. + Previously this was not checked, and nonempty relative paths made an + access under Exim's current working directory. + +JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case. + Previously no event was raised. + +JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE + parameter supplied by the sender MAIL FROM command. Previously it was + ignored, and only the check_spool_space option value for the required + leeway checked. + +JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present + the size of the signing public-key. Previously it was instead giving + the size of the signature hash. + +JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now + the default. See the (new) dkim_verify_min_keysizes option. + +JH/40 Fix a memory-handling bug: when a connection carried multiple messages + and an ACL use a lookup for checking either the local_part or domain, + stale data could be accessed. Ensure that variable references are + dropped between messages. + +JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied + by the client was not checked as pointing within response data before + being used. A malicious client could thus cause an out-of-bounds read and + possibly gain authentication. Fix by adding the check. + +JH/42 Internationalisation: change the default for downconversion in the smtp + transport to be "if needed". Previously it was "as previously set" for + the message, which usually meant "if needed" for message-submission but + "no" for everything else. However, MTAs have been seen using SMTPUTF8 + even when the envelope addresses did not need it, resulting in forwarding + failures to non-supporting MTAs. A downconvert in such cases will be + a no-op on the addresses, merely dropping the use of SMTPUTF8 by the + transport. The change does mean that addresses needing conversion will + be converted when previously a delivery failure would occur. + +JH/43 Fix possible long line in DSN. Previously when a very long SMTP error + response was received it would be used unchecked in a fail-DSN, violating + standards on line-length limits. Truncate if needed. + +HS/01 Remove parameters of the link to www.open-spf.org. The linked form + doesn't work. (Additionally add a new main config option to configure the + spf_smtp_comment) + + +Exim version 4.93 +----------------- + +JH/01 OpenSSL: With debug enabled output keying information sufficient, server + side, to decode a TLS 1.3 packet capture. + +JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets. + Previously the default library behaviour applied, sending two, each in + its own TCP segment. + +JH/03 Debug output for ACL now gives the config file name and line number for + each verb. + +JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. + +JH/05 DKIM: ensure that dkim_domain elements are lowercased before use. + +JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible + buffer overrun for (non-chunking) other transports. + +JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under + TLS1.3, means that a server rejecting a client certificate is not visible + to the client until the first read of encrypted data (typically the + response to EHLO). Add detection for that case and treat it as a failed + TLS connection attempt, so that the normal retry-in-clear can work (if + suitably configured). + +JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part + and/or domain. Found and fixed by Jason Betts. + +JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid + configuration). If a CNAME target was not a wellformed name pattern, a + crash could result. + +JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when + the OS reports them interleaved with other addresses. + +JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was + used both for input and for a verify callout, both encrypted, SMTP + responses being sent by the server could be lost. This resulted in + dropped connections and sometimes bounces generated by a peer sending + to this system. + +JH/11 Harden plaintext authenticator against a badly misconfigured client-send + string. Previously it was possible to cause undefined behaviour in a + library routine (usually a crash). Found by "zerons". + +JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no + output. + +JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old + API was removed, so update to use the newer ones. + +JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without + any timeout set, is taking a long time. Previously we would hang on to a + rotated logfile "forever" if the input was arriving with long gaps + (a previous attempt to fix addressed lack, for a long time, of initial + input). + +HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a + shared (NFS) environment. The length of the tempfile name is now + 4 + 16 ("hdr.$message_exim_id") which might break on file + systems which restrict the file name length to lower values. + (It was "hdr.$pid".) + +HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a + shared (NFS) environment. + +HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it + did for all versions <4.90). Notably -M, -m, --invert, -I may be + affected. + +JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors + on some platforms for bit 31. + +JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks + to changes apparently associated with TLS1.3 handling some of the APIs + previously used were either nonfunctional or inappropriate. Strings + like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256 + and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace + the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 . + This affects log line X= elements, the $tls_{in,out}_cipher variables, + and the use of specific cipher names in the encrypted= ACL condition. + +JH/17 OpenSSL: the default openssl_options now disables ssl_v3. + +JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the + verification result was not updated unless hosts_require_ocsp applied. + +JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option + queue_list_requires_admin set to false, non-admin users were denied the + facility. + +JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in + directory-of-certs mode. Previously they were advertised despite the + documentation. + +JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. + A single TCP connection by a client will now hold a TLS connection open + for multiple message deliveries, by default. Previously the default was to + not do so. + +JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by + default. If built with the facility, DANE will be used. The facility + SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME". + +JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define + is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL + must be defined and you must still, unless you define DISABLE_TLS, manage + the the include-dir and library-file requirements that go with that + choice. Non-TLS builds are still supported. + +JH/24 Fix duplicated logging of peer name/address, on a transport connection- + reject under TFO. + +JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by + default. If the platform supports and has the facility enabled, it will + be requested on all coneections. + +JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now + controlled by the build-time option SUPPORT_PIPE_CONNECT. + +PP/01 Unbreak heimdal_gssapi, broken in 4.92. + +JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for + success-DSN messages. Previously the From: header was always the default + one for these; the option was ignored. + +JH/28 Fix the timeout on smtp response to apply to the whole response. + Previously it was reset for every read, so a teergrubing peer sending + single bytes within the time limit could extend the connection for a + long time. Credit to Qualsys Security Advisory Team for the discovery. + +JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing + delivery address, which leaked information of the results of local + forwarding. Change to the original envelope recipient address, per + standards. + +JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is + requested. Previously not bounce was generated and a log entry of + error ignored was made. + +JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917) + +JH/32 Introduce a general tainting mechanism for values read from the input + channel, and values derived from them. Refuse to expand any tainted + values, to catch one form of exploit. + +JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result + was unused and the unexpanded text used for the test. Found and + fixed by Ruben Jenster. + +JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open, + an attempt to use a TLS library read routine dereffed a nul pointer, + causing a segfault. + +JH/35 Bug 2409: filter out-of-spec chars from callout response before using + them in our smtp response. + +JH/36 Have the general router option retry_use_local_part default to true when + any of the restrictive preconditions are set (to anything). Previously it + was only for check_local user. The change removes one item of manual + configuration which is required for proper retries when a remote router + handles a subset of addresses for a domain. + +JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file + link count into consideration. + +HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line + caused the extension of big_buffer, the following lines were ignored. + +JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in + accordance with RFC 2308. Previously there was no expiry, so a longlived + receive process (eg. due to ACL delays) versus a short SOA value could + surprise. + +HS/05 Handle trailing backslash gracefully. (CVE-2019-15846) + +JH/39 Promote DMARC support to mainline. + +JH/40 Bug 2452: Add a References: header to DSNs. + +JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman + parameters. The relevant library call is documented as "Deprecated: This + function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since + 3.6.0, DH parameters are negotiated following RFC7919." + +HS/06 Change the default of dnssec_request_domains to "*" + +JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we + carried on and emitted a BDAT command, even when PIPELINING was not + active. + +JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted + buffer was used for the filename, resulting in a trap when tainted + arguments (eg. $domain) were used. + +JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below; + recommended to avoid a possible server-load attack. The feature can be + re-enabled via the openssl_options main cofiguration option. + +JH/45 local_scan API: documented the current smtp_printf() call. This changed + for version 4.90 - adding a "more data" boolean to the arguments. + Bumped the ABI version number also, this having been missed previously; + release versions 4.90 to 4.92.3 inclusive were effectively broken in + respect of usage of smtp_printf() by either local_scan code or libraries + accessed via the ${dlfunc } expansion item. Both will need coding + adjustment for any calls to smtp_printf() to match the new function + signature; a FALSE value for the new argument is always safe. + +JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating + the file-offset (which the Linux syscall does, and exim expects); this + resulted in an indefinite loop. + +JH/47 ARC: fix crash in signing, triggered when a configuration error failed + to do ARC verification. The Authentication-Results: header line added + by the configuration then had no ARC item. + +JH/48 Bug 2784: fix shutdown=no in the ${readsocket) expansion item. Previously + an incorrect mode was used for reading the result, resulting in it being + ignored. + + +Exim version 4.92 +----------------- + +JH/01 Remove code calling the customisable local_scan function, unless a new + definition "HAVE_LOCAL_SCAN=yes" is present in the Local/Makefile. + +JH/02 Bug 1007: Avoid doing logging from signal-handlers, as that can result in + non-signal-safe functions being used. + +JH/03 Bug 2269: When presented with a received message having a stupidly large + number of DKIM-Signature headers, disable DKIM verification to avoid + a resource-consumption attack. The limit is set at twenty. + +JH/04 Add variables $arc_domains, $arc_oldest_pass for ARC verify. Fix the + report of oldest_pass in ${authres } in consequence, and separate out + some descriptions of reasons for verification fail. + +JH/05 Bug 2273: Cutthrough delivery left a window where the received messsage + files in the spool were present and unlocked. A queue-runner could spot + them, resulting in a duplicate delivery. Fix that by doing the unlock + after the unlink. Investigation by Tim Stewart. Take the opportunity to + add more error-checking on spoolfile handling while that code is being + messed with. + +PP/01 Refuse to open a spool data file (*-D) if it's a symlink. + No known attacks, no CVE, this is defensive hardening. + +JH/06 Bug 2275: The MIME ACL unlocked the received message files early, and + a queue-runner could start a delivery while other operations were ongoing. + Cutthrough delivery was a common victim, resulting in duplicate delivery. + Found and investigated by Tim Stewart. Fix by using the open message data + file handle rather than opening another, and not locally closing it (which + releases a lock) for that case, while creating the temporary .eml format + file for the MIME ACL. Also applies to "regex" and "spam" ACL conditions. + +JH/07 Bug 177: Make a random-recipient callout success visible in ACL, by setting + $sender_verify_failure/$recipient_verify_failure to "random". + +JH/08 When generating a selfsigned cert, use serial number 1 since zero is not + legitimate. + +JH/09 Bug 2274: Fix logging of cmdline args when starting in an unlinked cwd. + Previously this would segfault. + +JH/10 Fix ARC signing for case when DKIM signing failed. Previously this would + segfault. + +JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd + like zero, since the resolver should be doing this for us, But we need one + as a CNAME but no MX presence gets the CNAME returned; we need to check + that doesn't point to an MX to declare it "no MX returned" rather than + "error, loop". A new main option is added so the older capability of + following some limited number of chain links is maintained. + +JH/12 Add client-ip info to non-pass iprev ${authres } lines. + +JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol + methods. These should support TLS 1.3; they arrived with TLS 1.3 and the + now-deprecated earlier definitions used only specified the range up to TLS + 1.2 (in the older-version library docs). + +JH/14 Bug 2284: Fix DKIM signing for body lines starting with a pair of dots. + +JH/15 Rework TLS client-side context management. Stop using a global, and + explicitly pass a context around. This enables future use of TLS for + connections to service-daemons (eg. malware scanning) while a client smtp + connection is using TLS; with cutthrough connections this is quite likely. + +JH/16 Fix ARC verification to do AS checks in reverse order. + +JH/17 Support a "tls" option on the ${readsocket } expansion item. + +JH/18 Bug 2287: Fix the protocol name (eg utf8esmtp) for multiple messages + using the SMTPUTF8 option on their MAIL FROM commands, in one connection. + Previously the "utf8" would be re-prepended for every additional message. + +JH/19 Reject MAIL FROM commands with SMTPUTF8 when the facility was not advertised. + Previously thery were accepted, resulting in issues when attempting to + forward messages to a non-supporting MTA. + +PP/02 Let -n work with printing macros too, not just options. + +JH/20 Bug 2296: Fix cutthrough for >1 address redirection. Previously only + one parent address was copied, and bogus data was used at delivery-logging + time. Either a crash (after delivery) or bogus log data could result. + Discovery and analysis by Tim Stewart. + +PP/03 Make ${utf8clean:} expansion operator detect incomplete final character. + Previously if the string ended mid-character, we did not insert the + promised '?' replacement. + +PP/04 Documentation: current string operators work on bytes, not codepoints. + +JH/21 Change as many as possible of the global flags into one-bit bitfields; these + should pack well giving a smaller memory footprint so better caching and + therefore performance. Group the declarations where this can't be done so + that the byte-sized flag variables are not interspersed among pointer + variables, giving a better chance of good packing by the compiler. + +JH/22 Bug 1896: Fix the envelope from for DMARC forensic reports to be possibly + non-null, to avoid issues with sites running BATV. Previously reports were + sent with an empty envelope sender so looked like bounces. + +JH/23 Bug 2318: Fix the noerror command within filters. It wasn't working. + The ignore_error flag wasn't being returned from the filter subprocess so + was not set for later routers. Investigation and fix by Matthias Kurz. + +JH/24 Bug 2310: Raise a msg:fail:internal event for each undelivered recipient, + and a msg:complete for the whole, when a message is manually removed using + -Mrm. Developement by Matthias Kurz, hacked on by JH. + +JH/25 Avoid fixed-size buffers for pathnames in DB access. This required using + a "Gnu special" function, asprintf() in the DB utility binary builds; I + hope that is portable enough. + +JH/26 Bug 2311: Fix DANE-TA verification under GnuTLS. Previously it was also + requiring a known-CA anchor certificate; make it now rely entirely on the + TLSA as an anchor. Checking the name on the leaf cert against the name + on the A-record for the host is still done for TA (but not for EE mode). + +JH/27 Fix logging of proxy address. Previously, a pointless "PRX=[]:0" would be + included in delivery lines for non-proxied connections, when compiled with + SUPPORT_SOCKS and running with proxy logging enabled. + +JH/28 Bug 2314: Fire msg:fail:delivery event even when error is being ignored. + Developement by Matthias Kurz, tweaked by JH. While in that bit of code, + move the existing event to fire before the normal logging of message + failure so that custom logging is bracketed by normal logging. + +JH/29 Bug 2322: A "fail" command in a non-system filter (file) now fires the + msg:fail:internal event. Developement by Matthias Kurz. + +JH/30 Bug 2329: Increase buffer size used for dns lookup from 2k, which was + far too small for todays use of crypto signatures stored there. Go all + the way to the max DNS message size of 64kB, even though this might be + overmuch for IOT constrained device use. + +JH/31 Fix a bad use of a copy function, which could be used to pointlessly + copy a string over itself. The library routine is documented as not + supporting overlapping copies, and on MacOS it actually raised a SIGABRT. + +JH/32 For main options check_spool_space and check_inode_space, where the + platform supports 64b integers, support more than the previous 2^31 kB + (i.e. more than 2 TB). Accept E, P and T multipliers in addition to + the previous G, M, k. + +JH/33 Bug 2338: Fix the cyrus-sasl authenticator to fill in the + $authenticated_fail_id variable on authentication failure. Previously + it was unset. + +JH/34 Increase RSA keysize of autogen selfsign cert from 1024 to 2048. RHEL 8.0 + OpenSSL didn't want to use such a weak key. Do for GnuTLS also, and for + more-modern GnuTLS move from GNUTLS_SEC_PARAM_LOW to + GNUTLS_SEC_PARAM_MEDIUM. + +JH/35 OpenSSL: fail the handshake when SNI processing hits a problem, server + side. Previously we would continue as if no SNI had been received. + +JH/36 Harden the handling of string-lists. When a list consisted of a sole + "<" character, which should be a list-separator specification, we walked + off past the nul-terimation. + +JH/37 Bug 2341: Send "message delayed" warning MDNs (restricted to external + causes) even when the retry time is not yet met. Previously they were + not, meaning that when (say) an account was over-quota and temp-rejecting, + and multiple senders' messages were queued, only one sender would get + notified on each configured delay_warning cycle. + +JH/38 Bug 2351: Log failures to extract envelope addresses from message headers. + +JH/39 OpenSSL: clear the error stack after an SSL_accept(). With anon-auth + cipher-suites, an error can be left on the stack even for a succeeding + accept; this results in impossible error messages when a later operation + actually does fail. + +AM/01 Bug 2359: GnuTLS: repeat lowlevel read and write operations while they + return error codes indicating retry. Under TLS1.3 this becomes required. + +JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT. Previously + it only wrote the new authenticators, resulting in a lack of tracking of + peer changes of ESMTP extensions until the next cache flush. + +JH/41 Fix the loop reading a message header line to check for integer overflow, + and more-often against header_maxsize. Previously a crafted message could + induce a crash of the recive process; now the message is cleanly rejected. + +JH/42 Bug 2366: Fix the behaviour of the dkim_verify_signers option. It had + been totally disabled for all of 4.91. Discovery and fix by "Mad Alex". + + +Exim version 4.91 +----------------- + +GF/01 DEFER rather than ERROR on redis cluster MOVED response. + When redis_servers is set to a list of > 1 element, and the Redis servers + in that list are in cluster configuration, convert the REDIS_REPLY_ERROR + case of MOVED into a DEFER case instead, thus moving the query onto the + next server in the list. For a cluster of N elements, all N servers must + be defined in redis_servers. + +GF/02 Catch and remove uninitialized value warning in exiqsumm + Check for existence of @ARGV before looking at $ARGV[0] + +JH/01 Replace the store_release() internal interface with store_newblock(), + which internalises the check required to safely use the old one, plus + the allocate and data copy operations duplicated in both (!) of the + extant use locations. + +JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL + modifier. This matches the restriction on the commandline. + +JH/03 Fix pgsql lookup for multiple result-tuples with a single column. + Previously only the last row was returned. + +JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously + we assumed that tags in the header were well-formed, and parsed the + element content after inspecting only the first char of the tag. + Assumptions at that stage could crash the receive process on malformed + input. + +JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL. + While running the DKIM ACL we operate on the Permanent memory pool so that + variables created with "set" persist to the DATA ACL. Also (at any time) + DNS lookups that fail create cache records using the Permanent pool. But + expansions release any allocations made on the current pool - so a dnsdb + lookup expansion done in the DKIM ACL releases the memory used for the + DNS negative-cache, and bad things result. Solution is to switch to the + Main pool for expansions. + While we're in that code, add checks on the DNS cache during store_reset, + active in the testsuite. + Problem spotted, and debugging aided, by Wolfgang Breyha. + +JH/06 Fix issue with continued-connections when the DNS shifts unreliably. + When none of the hosts presented to a transport match an already-open + connection, close it and proceed with the list. Previously we would + queue the message. Spotted by Lena with Yahoo, probably involving + round-robin DNS. + +JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL. + Previously a spurious "250 OK id=" response was appended to the proper + failure response. + +JH/08 The "support for" informational output now, which built with Content + Scanning support, has a line for the malware scanner interfaces compiled + in. Interface can be individually included or not at build time. + +JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included + by the template makefile "src/EDITME". The "STREAM" support for an older + ClamAV interface method is removed. + +JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of + rows affected is given instead). + +JH/11 The runtime Berkeley DB library version is now additionally output by + "exim -d -bV". Previously only the compile-time version was shown. + +JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating + SMTP connection. Previously, when one had more recipients than the + first, an abortive onward connection was made. Move to full support for + multiple onward connections in sequence, handling cutthrough connection + for all multi-message initiating connections. + +JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by + routers. Previously, a multi-recipient message would fail to match the + onward-connection opened for the first recipient, and cause its closure. + +JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as + a timeout on read on a GnuTLS initiating connection, resulting in the + initiating connection being dropped. This mattered most when the callout + was marked defer_ok. Fix to keep the two timeout-detection methods + separate. + +JH/15 Relax results from ACL control request to enable cutthrough, in + unsupported situations, from error to silently (except under debug) + ignoring. This covers use with PRDR, frozen messages, queue-only and + fake-reject. + +HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789) + +JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc + metadata, resulting in a crash in free(). + +PP/01 Fix broken Heimdal GSSAPI authenticator integration. + Broken in f2ed27cf5, missing an equals sign for specified-initialisers. + Broken also in d185889f4, with init system revamp. + +JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner. + Previously we abruptly closed the connection after reading a malware- + found indication; now we go on to read the "scan ok" response line, + and send a quit. + +JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail + ACL. Previously, a crash would result. + +JH/19 Speed up macro lookups during configuration file read, by skipping non- + macro text after a replacement (previously it was only once per line) and + by skipping builtin macros when searching for an uppercase lead character. + +JH/20 DANE support moved from Experimental to mainline. The Makefile control + for the build is renamed. + +JH/21 Fix memory leak during multi-message connections using STARTTLS. A buffer + was allocated for every new TLS startup, meaning one per message. Fix + by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS). + +JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC + reported the original. Fix to report (as far as possible) the ACL + result replacing the original. + +JH/23 Fix memory leak during multi-message connections using STARTTLS under + OpenSSL. Certificate information is loaded for every new TLS startup, + and the resources needed to be freed. + +JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames. + +JH/25 Fix utf8_downconvert propagation through a redirect router. Previously it + was not propagated. + +JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall + DATA response info to the (existing) per-recipient response info for + the "C=" log element. It can have useful tracking info from the + destination system. Patch from Simon Arlott. + +JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero- + length value. Previously this would segfault. + +HS/02 Support Avast multiline protoocol, this allows passing flags to + newer versions of the scanner. + +JH/28 Ensure that variables possibly set during message acceptance are marked + dead before release of memory in the daemon loop. This stops complaints + about them when the debug_store option is enabled. Discovered specifically + for sender_rate_period, but applies to a whole set of variables. + Do the same for the queue-runner and queue-list loops, for variables set + from spool message files. Do the same for the SMTP per-message loop, for + certain variables indirectly set in ACL operations. + +JH/29 Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such + as a multi-recipient message from a mailinglist manager). The coding had + an arbitrary cutoff number of characters while checking for more input; + enforced by writing a NUL into the buffer. This corrupted long / fast + input. The problem was exposed more widely when more pipelineing of SMTP + responses was introduced, and one Exim system was feeding another. + The symptom is log complaints of SMTP syntax error (NUL chars) on the + receiving system, and refused recipients seen by the sending system + (propating to people being dropped from mailing lists). + Discovered and pinpointed by David Carter. + +JH/30 The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being + replaced by the ${authresults } expansion. + +JH/31 Bug 2257: Fix pipe transport to not use a socket-only syscall. + +HS/03 Set a handler for SIGTERM and call exit(3) if running as PID 1. This + allows proper process termination in container environments. + +JH/32 Bug 2258: Fix spool_wireformat in combination with LMTP transport. + Previously the "final dot" had a newline after it; ensure it is CR,LF. + +JH/33 SPF: remove support for the "spf" ACL condition outcome values "err_temp" + and "err_perm", deprecated since 4.83 when the RFC-defined words + "temperror" and "permerror" were introduced. + +JH/34 Re-introduce enforcement of no cutthrough delivery on transports having + transport-filters or DKIM-signing. The restriction was lost in the + consolidation of verify-callout and delivery SMTP handling. + Extend the restriction to also cover ARC-signing. + +JH/35 Cutthrough: for a final-dot response timeout (and nonunderstood responses) + in defer=pass mode supply a 450 to the initiator. Previously the message + would be spooled. + +PP/02 DANE: add dane_require_tls_ciphers SMTP Transport option; if unset, + tls_require_ciphers is used as before. + +HS/03 Malware Avast: Better match the Avast multiline protocol. Add + "pass_unscanned". Only tmpfails from the scanner are written to + the paniclog, as they may require admin intervention (permission + denied, license issues). Other scanner errors (like decompression + bombs) do not cause a paniclog entry. + +JH/36 Fix reinitialisation of DKIM logging variable between messages. + Previously it was possible to log spurious information in receive log + lines. + +JH/37 Bug 2255: Revert the disable of the OpenSSL session caching. This + triggered odd behaviour from Outlook Express clients. + +PP/03 Add util/renew-opendmarc-tlds.sh script for safe renewal of public + suffix list. + +JH/38 DKIM: accept Ed25519 pubkeys in SubjectPublicKeyInfo-wrapped form, + since the IETF WG has not yet settled on that versus the original + "bare" representation. + +JH/39 Fix syslog logging for syslog_timestamp=no and log_selector +millisec. + Previously the millisecond value corrupted the output. + Fix also for syslog_pid=no and log_selector +pid, for which the pid + corrupted the output. + + +Exim version 4.90 +----------------- + +JH/01 Rework error string handling in TLS interface so that the caller in + more cases is responsible for logging. This permits library-sourced + string to be attached to addresses during delivery, and collapses + pairs of long lines into single ones. + +PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly + during configuration. Wildcards are allowed and expanded. + +JH/02 Rework error string handling in DKIM to pass more info back to callers. + This permits better logging. + +JH/03 Rework the transport continued-connection mechanism: when TLS is active, + do not close it down and have the child transport start it up again on + the passed-on TCP connection. Instead, proxy the child (and any + subsequent ones) for TLS via a unix-domain socket channel. Logging is + affected: the continued delivery log lines do not have any DNSSEC, TLS + Certificate or OCSP information. TLS cipher information is still logged. + +JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of + identical IP addresses on different listening ports. Will also affect + "exiwhat" output. + +PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers; + add noisy ifdef guards to special-case this sillyness. + Patch from Bernd Kuhls. + +JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger + than 255 are no longer allowed. + +JH/06 Default openssl_options to include +no_ticket, to reduce load on peers. + Disable the session-cache too, which might reduce our load. Since we + currrectly use a new context for every connection, both as server and + client, there is no benefit for these. + GnuTLS appears to not support tickets server-side by default (we don't + call gnutls_session_ticket_enable_server()) but client side is enabled + by default on recent versions (3.1.3 +) unless the PFS priority string + is used (3.2.4 +). + +PP/03 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at + <https://reproducible-builds.org/specs/source-date-epoch/>. + +JH/07 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously + the check for any unsuccessful recipients did not notice the limit, and + erroneously found still-pending ones. + +JH/08 Pipeline CHUNKING command and data together, on kernels that support + MSG_MORE. Only in-clear (not on TLS connections). + +JH/09 Avoid using a temporary file during transport using dkim. Unless a + transport-filter is involved we can buffer the headers in memory for + creating the signature, and read the spool data file once for the + signature and again for transmission. + +JH/10 Enable use of sendfile in Linux builds as default. It was disabled in + 4.77 as the kernel support then wasn't solid, having issues in 64bit + mode. Now, it's been long enough. Add support for FreeBSD also. + +JH/11 Bug 2104: Fix continued use of a transport connection with TLS. In the + case where the routing stage had gathered several addresses to send to + a host before calling the transport for the first, we previously failed + to close down TLS in the old transport process before passing the TCP + connection to the new process. The new one sent a STARTTLS command + which naturally failed, giving a failed delivery and bloating the retry + database. Investigation and fix prototype from Wolfgang Breyha. + +JH/12 Fix check on SMTP command input synchronisation. Previously there were + false-negatives in the check that the sender had not preempted a response + or prompt from Exim (running as a server), due to that code's lack of + awareness of the SMTP input buffering. + +PP/04 Add commandline_checks_require_admin option. + Exim drops privileges sanely, various checks such as -be aren't a + security problem, as long as you trust local users with access to their + own account. When invoked by services which pass untrusted data to + Exim, this might be an issue. Set this option in main configuration + AND make fixes to the calling application, such as using `--` to stop + processing options. + +JH/13 Do pipelining under TLS. Previously, although safe, no advantage was + taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server) + responses to those, into a single TLS record each way (this usually means + a single packet). As a side issue, smtp_enforce_sync now works on TLS + connections. + +PP/05 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This + affects you only if you're dancing at the edge of the param size limits. + If you are, and this message makes sense to you, then: raise the + configured limit or use OpenSSL 1.1. Nothing we can do for older + versions. + +JH/14 For the "sock" variant of the malware scanner interface, accept an empty + cmdline element to get the documented default one. Previously it was + inaccessible. + +JH/15 Fix a crash in the smtp transport caused when two hosts in succession + are unsuable for non-message-specific reasons - eg. connection timeout, + banner-time rejection. + +JH/16 Fix logging of delivery remote port, when specified by router, under + callout/hold. + +PP/06 Repair manualroute's ability to take options in any order, even if one + is the name of a transport. + Fixes bug 2140. + +HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369) + +JH/17 Change the list-building routines interface to use the expanding-string + triplet model, for better allocation and copying behaviour. + +JH/18 Prebuild the data-structure for "builtin" macros, for faster startup. + Previously it was constructed the first time a possibly-matching string + was met in the configuration file input during startup; now it is done + during compilation. + +JH/19 Bug 2141: Use the full-complex API for Berkeley DB rather than the legacy- + compatible one, to avoid the (poorly documented) possibility of a config + file in the working directory redirecting the DB files, possibly correpting + some existing file. CVE-2017-10140 assigned for BDB. + +JH/20 Bug 2147: Do not defer for a verify-with-callout-and-random which is not + cache-hot. Previously, although the result was properly cached, the + initial verify call returned a defer. + +JH/21 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but + the main verify for receipient in uncached-mode. + +JH/22 Retire historical build files to an "unsupported" subdir. These are + defined as "ones for which we have no current evidence of testing". + +JH/23 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field, + if present. Previously it was ignored. + +JH/24 Start using specified-initialisers in C structure init coding. This is + a C99 feature (it's 2017, so now considered safe). + +JH/25 Use one-bit bitfields for flags in the "addr" data structure. Previously + if was a fixed-sized field and bitmask ops via macros; it is now more + extensible. + +PP/07 GitHub PR 56: Apply MariaDB build fix. + Patch provided by Jaroslav Škarvada. + +PP/08 Bug 2161: Fix regression in sieve quoted-printable handling introduced + during Coverity cleanups [4.87 JH/47] + Diagnosis and fix provided by Michael Fischer v. Mollard. + +JH/26 Fix DKIM bug: when the pseudoheader generated for signing was exactly + the right size to place the terminating semicolon on its own folded + line, the header hash was calculated to an incorrect value thanks to + the (relaxed) space the fold became. + +HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked + and confused the parent. + +JH/27 Fix SOCKS bug: an unitialized pointer was deref'd by the transport process + which could crash as a result. This could lead to undeliverable messages. + +JH/28 Logging: "next input sent too soon" now shows where input was truncated + for log purposes. + +JH/29 Fix queue_run_in_order to ignore the PID portion of the message ID. This + matters on fast-turnover and PID-randomising systems, which were getting + out-of-order delivery. + +JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for + a possibly-overlapping copy. The symptom was that "Remote host closed + connection in response to HELO" was logged instead of the actual 4xx + error for the HELO. + +JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error. + Previously only that bufferd was discarded, resulting in SYMTP command + desynchronisation. + +JH/32 DKIM: when a message has multiple signatures matching an identity given + in dkim_verify_signers, run the dkim acl once for each. Previously only + one run was done. Bug 2189. + +JH/33 Downgrade an unfound-list name (usually a typo in the config file) from + "panic the current process" to "deliberately defer". The panic log is + still written with the problem list name; the mail and reject logs now + get a temp-reject line for the message that was being handled, saying + something like "domains check lookup or other defer". The SMTP 451 + message is still "Temporary local problem". + +JH/34 Bug 2199: Fix a use-after-free while reading smtp input for header lines. + A crafted sequence of BDAT commands could result in in-use memory beeing + freed. CVE-2017-16943. + +HS/03 Bug 2201: Fix checking for leading-dot on a line during headers reading + from SMTP input. Previously it was always done; now only done for DATA + and not BDAT commands. CVE-2017-16944. + +JH/35 Bug 2201: Flush received data in BDAT mode after detecting an error fatal + to the message (such as an overlong header line). Previously this was + not done and we did not exit BDAT mode. Followon from the previous item + though a different problem. + + +Exim version 4.89 +----------------- + +JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules + than -2003 did; needs libidn2 in addition to libidn. + +JH/02 The path option on a pipe transport is now expanded before use. + +PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections. + Patch provided by "Björn", documentation fix added too. + +JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was + missing a wire-to-host endian conversion. + +JH/04 Bug 2004: fix CHUNKING in non-PIPELINEING mode. Chunk data following + close after a BDAT command line could be taken as a following command, + giving a synch failure. Fix by only checking for synch immediately + before acknowledging the chunk. + +PP/02 GitHub PR 52: many spelling fixes, which include fixing parsing of + no_require_dnssec option and creation of _HAVE_TRANSPORT_APPEND_MAILDIR + macro. Patches provided by Josh Soref. + +JH/05 Have the EHLO response advertise VRFY, if there is a vrfy ACL defined. + Previously we did not; the RFC seems ambiguous and VRFY is not listed + by IANA as a service extension. However, John Klensin suggests that we + should. + +JH/06 Bug 2017: Fix DKIM verification in -bh test mode. The data feed into + the dkim code may be unix-mode line endings rather than smtp wire-format + CRLF, so prepend a CR to any bare LF. + +JH/07 Rationalise the coding for callout smtp conversations and transport ones. + As a side-benfit, callouts can now use PIPELINING hence fewer round-trips. + +JH/08 Bug 2016: Fix DKIM verification vs. CHUNKING. Any BDAT commands after + the first were themselves being wrongly included in the feed into dkim + processing; with most chunk sizes in use this resulted in an incorrect + body hash calculated value. + +JH/09 Bug 2014: permit inclusion of a DKIM-Signature header in a received + DKIM signature block, for verification. Although advised against by + standards it is specifically not ruled illegal. + +JH/10 Bug 2025: Fix reception of (quoted) local-parts with embedded spaces. + +JH/11 Bug 2029: Fix crash in DKIM verification when a message signature block is + missing a body hash (the bh= tag). + +JH/12 Bug 2018: Re-order Proxy Protocol startup versus TLS-on-connect startup. + It seems that HAProxy sends the Proxy Protocol information in clear and + only then does a TLS startup, so do the same. + +JH/13 Bug 2027: Avoid attempting to use TCP Fast Open for non-transport client + TCP connections (such as for Spamd) unless the daemon successfully set + Fast Open mode on its listening sockets. This fixes breakage seen on + too-old kernels or those not configured for Fast Open, at the cost of + requiring both directions being enabled for TFO, and TFO never being used + by non-daemon-related Exim processes. + +JH/14 Bug 2000: Reject messages recieved with CHUNKING but with malformed line + endings, at least on the first header line. Try to canonify any that get + past that check, despite the cost. + +JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are + now limited to an arbitrary five deep, while parsing addresses with the + strip_excess_angle_brackets option enabled. + +PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and + instead leave the unprompted TLS handshake in socket buffer for the + TLS library to consume. + +PP/04 Bug 2018: Also handle Proxy Protocol v2 safely. + +PP/05 FreeBSD compat: handle that Ports no longer create /usr/bin/perl + +JH/16 Drop variables when they go out of scope. Memory management drops a whole + region in one operation, for speed, and this leaves assigned pointers + dangling. Add checks run only under the testsuite which checks all + variables at a store-reset and panics on a dangling pointer; add code + explicitly nulling out all the variables discovered. Fixes one known + bug: a transport crash, where a dangling pointer for $sending_ip_address + originally assigned in a verify callout, is re-used. + +PP/06 Drop '.' from @INC in various Perl scripts. + +PP/07 Switch FreeBSD iconv to always use the base-system libc functions. + +PP/08 Reduce a number of compilation warnings under clang; building with + CC=clang CFLAGS+=-Wno-dangling-else -Wno-logical-op-parentheses + should be warning-free. + +JH/17 Fix inbound CHUNKING when DKIM disabled at runtime. + +HS/01 Fix portability problems introduced by PP/08 for platforms where + realloc(NULL) is not equivalent to malloc() [SunOS et al]. + +HS/02 Bug 1974: Fix missing line terminator on the last received BDAT + chunk. This allows us to accept broken chunked messages. We need a more + general solution here. + +PP/09 Wrote util/chunking_fixqueue_finalnewlines.pl to help recover + already-broken messages in the queue. + +JH/18 Bug 2061: Fix ${extract } corrupting an enclosing ${reduce } $value. + +JH/19 Fix reference counting bug in routing-generated-address tracking. + + +Exim version 4.88 +----------------- + +JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination + supports it and a size is available (ie. the sending peer gave us one). + +JH/02 The obsolete acl condition "demime" is removed (finally, after ten + years of being deprecated). The replacements are the ACLs + acl_smtp_mime and acl_not_smtp_mime. + +JH/03 Upgrade security requirements imposed for hosts_try_dane: previously + a downgraded non-dane trust-anchor for the TLS connection (CA-style) + or even an in-clear connection were permitted. Now, if the host lookup + was dnssec and dane was requested then the host is only used if the + TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority + MXs) will be tried (for hosts_try_dane though not for hosts_require_dane) + if one fails this test. + This means that a poorly-configured remote DNS will make it incommunicado; + but it protects against a DNS-interception attack on it. + +JH/04 Bug 1810: make continued-use of an open smtp transport connection + non-noisy when a race steals the message being considered. + +JH/05 If main configuration option tls_certificate is unset, generate a + self-signed certificate for inbound TLS connections. + +JH/06 Bug 165: hide more cases of password exposure - this time in expansions + in rewrites and routers. + +JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 + and logged a warning sing 4.83; now they are a configuration file error. + +JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name + (lacking @domain). Apply the same qualification processing as RCPT. + +JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode. + +JH/10 Support ${sha256:} applied to a string (as well as the previous + certificate). + +JH/11 Cutthrough: avoid using the callout hints db on a verify callout when + a cutthrough deliver is pending, as we always want to make a connection. + This also avoids re-routing the message when later placing the cutthrough + connection after a verify cache hit. + Do not update it with the verify result either. + +JH/12 Cutthrough: disable when verify option success_on_redirect is used, and + when routing results in more than one destination address. + +JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim + signing (which inhibits the cutthrough capability). Previously only + the presence of an option was tested; now an expansion evaluating as + empty is permissible (obviously it should depend only on data available + when the cutthrough connection is made). + +JH/14 Fix logging of errors under PIPELINING. Previously the log line giving + the relevant preceding SMTP command did not note the pipelining mode. + +JH/15 Fix counting of empty lines in $body_linecount and $message_linecount. + Previously they were not counted. + +JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same + as one having no matching records. Previously we deferred the message + that needed the lookup. + +JH/17 Fakereject: previously logged as a normal message arrival "<="; now + distinguished as "(=". + +JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work + for missing MX records. Previously it only worked for missing A records. + +JH/19 Bug 1850: support Radius libraries that return REJECT_RC. + +JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops + after the data-go-ahead and data-ack. Patch from Jason Betts. + +JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results, + even for a "none" policy. Patch from Tony Meyer. + +JH/22 Fix continued use of a connection for further deliveries. If a port was + specified by a router, it must also match for the delivery to be + compatible. + +JH/23 Bug 1874: fix continued use of a connection for further deliveries. + When one of the recipients of a message was unsuitable for the connection + (has no matching addresses), we lost track of needing to mark it + deferred. As a result mail would be lost. + +JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO. + +JH/25 Decoding ACL controls is now done using a binary search; the source code + takes up less space and should be simpler to maintain. Merge the ACL + condition decode tables also, with similar effect. + +JH/26 Fix problem with one_time used on a redirect router which returned the + parent address unchanged. A retry would see the parent address marked as + delivered, so not attempt the (identical) child. As a result mail would + be lost. + +JH/27 Fix a possible security hole, wherein a process operating with the Exim + UID can gain a root shell. Credit to http://www.halfdog.net/ for + discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim + itself :( + +JH/28 Enable {spool,log} filesystem space and inode checks as default. + Main config options check_{log,spool}_{inodes,space} are now + 100 inodes, 10MB unless set otherwise in the configuration. + +JH/29 Fix the connection_reject log selector to apply to the connect ACL. + Previously it only applied to the main-section connection policy + options. + +JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. + +PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created + by me. Added RFC7919 DH primes as an alternative. + +PP/02 Unbreak build via pkg-config with new hash support when crypto headers + are not in the system include path. + +JH/31 Fix longstanding bug with aborted TLS server connection handling. Under + GnuTLS, when a session startup failed (eg because the client disconnected) + Exim did stdio operations after fclose. This was exposed by a recent + change which nulled out the file handle after the fclose. + +JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is + signed directly by the cert-signing cert, rather than an intermediate + OCSP-signing cert. This is the model used by LetsEncrypt. + +JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT. + +HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on + an incoming connection. + +HS/02 Bug 1802: Do not half-close the connection after sending a request + to rspamd. + +HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 + fallback to "prime256v1". + +JH/34 SECURITY: Use proper copy of DATA command in error message. + Could leak key material. Remotely exploitable. CVE-2016-9963. + + +Exim version 4.87 +----------------- + +JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16 + and 3.4.4 - once the server is enabled to respond to an OCSP request + it does even when not requested, resulting in a stapling non-aware + client dropping the TLS connection. + +TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to + support variable-length bit vectors. No functional change. + +TF/02 Improve the consistency of logging incoming and outgoing interfaces. + The I= interface field on outgoing lines is now after the H= remote + host field, same as incoming lines. There is a separate + outgoing_interface log selector which allows you to disable the + outgoing I= field. + +JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write. + If not running log_selector +smtp_connection the mainlog would be held + open indefinitely after a "too many connections" event, including to a + deleted file after a log rotate. Leave the per net connection logging + leaving it open for efficiency as that will be quickly detected by the + check on the next write. + +HS/01 Bug 1671: Fix post transport crash. + Processing the wait-<transport> messages could crash the delivery + process if the message IDs didn't exist for some reason. When + using 'split_spool_directory=yes' the construction of the spool + file name failed already, exposing the same netto behaviour. + +JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex & + mime_regex ACL conditions. + +JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information + to DSN fail messages (bounces): remote IP, remote greeting, remote response + to HELO, local diagnostic string. + +JH/05 Downgrade message for a TLS-certificate-based authentication fail from + log line to debug. Even when configured with a tls authenticator many + client connections are expected to not authenticate in this way, so + an authenticate fail is not an error. + +HS/02 Add the Exim version string to the process info. This way exiwhat + gives some more detail about the running daemon. + +JH/06 Bug 1395: time-limit caching of DNS lookups, to the TTL value. This may + matter for fast-change records such as DNSBLs. + +JH/07 Bug 1678: Always record an interface option value, if set, as part of a + retry record, even if constant. There may be multiple transports with + different interface settings and the retry behaviour needs to be kept + distinct. + +JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments. + +JH/09 Bug 1700: ignore space & tab embedded in base64 during decode. + +JH/10 Bug 840: fix log_defer_output option of pipe transport + +JH/11 Bug 830: use same host for all RCPTS of a message, even under + hosts_randomize. This matters a lot when combined with mua_wrapper. + +JH/12 Bug 1706: percent and underbar characters are no longer escaped by the + ${quote_pgsql:<string>} operator. + +JH/13 Bug 1708: avoid misaligned access in cached lookup. + +JH/14 Change header file name for freeradius-client. Relevant if compiling + with Radius support; from the Gentoo tree and checked under Fedora. + +JH/15 Bug 1712: Introduce $prdr_requested flag variable + +JH/16 Bug 1714: Permit an empty string as expansion result for transport + option transport_filter, meaning no filtering. + +JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts. + +JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now + defaults to "*" (all hosts). The variable is now available when not built + with TLS, default unset, mainly to enable keeping the testsuite sane. + If a server certificate is not supplied (via tls_certificate) an error is + logged, and clients will find TLS connections fail on startup. Presumably + they will retry in-clear. + Packagers of Exim are strongly encouraged to create a server certificate + at installation time. + +HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency + with the $config_file variable. + +JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both + in transport context, after the attempt, and per-recipient. The latter type + is per host attempted. The event data is the error message, and the errno + information encodes the lookup type (A vs. MX) used for the (first) host, + and the trailing two digits of the smtp 4xx response. + +GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt + to write to mainlog (or rejectlog, paniclog) in the window between file + creation and permissions/ownership being changed. Particularly affects + installations where exicyclog is run as root, rather than exim user; + result is that the running daemon panics and dies. + +JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names. + +JH/21 Bug 1720: Add support for priority groups and weighted-random proxy + selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options + "pri" and "weight". Note that the previous implicit priority given by the + list order is no longer honoured. + +JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalization + for DKIM processing. + +JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build + by defining SUPPORT_SOCKS. + +JH/26 Move PROXY support from Experimental to mainline, enabled for a build + by defining SUPPORT_PROXY. Note that the proxy_required_hosts option + is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}. + variables are renamed to proxy_{local,external}_{address,port}. + +JH/27 Move Internationalisation support from Experimental to mainline, enabled + for a build by defining SUPPORT_I18N + +JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts + of the query string, and make ${quote_redis:} do that quoting. + +JH/29 Move Events support from Experimental to mainline, enabled by default + and removable for a build by defining DISABLE_EVENT. + +JH/30 Updated DANE implementation code to current from Viktor Dukhovni. + +JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly + cached by the daemon. + +JH/32 Move Redis support from Experimental to mainline, enabled for a build + by defining LOOKUP_REDIS. The libhiredis library is required. + +JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit + keys are given for lookup. + +JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM + support, by using OpenSSL or GnuTLS library ones. This means DKIM is + only supported when built with TLS support. The PolarSSL SHA routines + are still used when the TLS library is too old for convenient support. + +JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option + openssl_options), for security. OpenSSL forces this from version 1.1.0 + server-side so match that on older versions. + +JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh + allocation for $value could be released as the expansion processing + concluded, but leaving the global pointer active for it. + +JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response, + and to use the domains and local_parts ACL conditions. + +JH/38 Fix cutthrough bug with body lines having a single dot. The dot was + incorrectly not doubled on cutthrough transmission, hence seen as a + body-termination at the receiving system - resulting in truncated mails. + Commonly the sender saw a TCP-level error, and retransmitted the message + via the normal store-and-forward channel. This could result in duplicates + received - but deduplicating mailstores were liable to retain only the + initial truncated version. + +JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64. + +JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS. + +JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While + we're in there, support oversigning also; bug 1309. + +JH/42 Bug 1796: Fix error logged on a malware scanner connection failure. + +HS/04 Add support for keep_environment and add_environment options. + +JH/43 Tidy coding issues detected by gcc --fsanitize=undefined. Some remain; + either intentional arithmetic overflow during PRNG, or testing config- + induced overflows. + +JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough + delivery resulted in actual delivery. Cancel cutthrough before DATA + stage. + +JH/45 Fix cutthrough, when connection not opened by verify and target hard- + rejects a recipient: pass the reject to the originator. + +JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs. + Many were false-positives and ignorable, but it's worth fixing the + former class. + +JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also + for the new environment-manipulation done at startup. Move the routines + from being local to tls.c to being global via the os.c file. + +JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing + an extract embedded as result-arg for a map, the first arg for extract + is unavailable so we cannot tell if this is a numbered or keyed + extraction. Accept either. + + +Exim version 4.86 +----------------- + +JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now + expanded. + +JH/02 The smtp transport option "multi_domain" is now expanded. + +JH/03 The smtp transport now requests PRDR by default, if the server offers + it. + +JH/04 Certificate name checking on server certificates, when exim is a client, + is now done by default. The transport option tls_verify_cert_hostnames + can be used to disable this per-host. The build option + EXPERIMENTAL_CERTNAMES is withdrawn. + +JH/05 The value of the tls_verify_certificates smtp transport and main options + default to the word "system" to access the system default CA bundle. + For GnuTLS, only version 3.0.20 or later. + +JH/06 Verification of the server certificate for a TLS connection is now tried + (but not required) by default. The verification status is now logged by + default, for both outbound TLS and client-certificate supplying inbound + TLS connections + +JH/07 Changed the default rfc1413 lookup settings to disable calls. Few + sites use this now. + +JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery + Status Notification (bounce) messages are now MIME format per RFC 3464. + Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised + under the control of the dsn_advertise_hosts option, and routers may + have a dsn_lasthop option. + +JH/09 A timeout of 2 minutes is now applied to all malware scanner types by + default, modifiable by a malware= option. The list separator for + the options can now be changed in the usual way. Bug 68. + +JH/10 The smtp_receive_timeout main option is now expanded before use. + +JH/11 The incoming_interface log option now also enables logging of the + local interface on delivery outgoing connections. + +JH/12 The cutthrough-routing facility now supports multi-recipient mails, + if the interface and destination host and port all match. + +JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a + /defer_ok option. + +JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd. + Patch from Andrew Lewis. + +JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition) + now supports optional time-restrictions, weighting, and priority + modifiers per server. Patch originally by <rommer@active.by>. + +JH/16 The spamd_address main option now supports a mixed list of local + and remote servers. Remote servers can be IPv6 addresses, and + specify a port-range. + +JH/17 Bug 68: The spamd_address main option now supports an optional + timeout value per server. + +JH/18 Bug 1581: Router and transport options headers_add/remove can + now have the list separator specified. + +JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry + option values. + +JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails + under OpenSSL. + +JH/21 Support for the A6 type of dns record is withdrawn. + +JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters + rather than the verbs used. + +JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size + from 255 to 1024 chars. + +JH/24 Verification callouts now attempt to use TLS by default. + +HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains) + are generic router options now. The defaults didn't change. + +JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames. + Original patch from Alexander Shikoff, worked over by JH. + +HS/02 Bug 1575: exigrep falls back to autodetection of compressed + files if ZCAT_COMMAND is not executable. + +JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups. + +JH/27 Bug 286: Support SOA lookup in dnsdb lookups. + +JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN. + Normally benign, it bites when the pair was led to by a CNAME; + modern usage is to not canonicalize the domain to a CNAME target + (and we were inconsistent anyway for A-only vs AAAA+A). + +JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards. + +JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse, + when evaluating $sender_host_dnssec. + +JH/31 Check the HELO verification lookup for DNSSEC, adding new + $sender_helo_dnssec variable. + +JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve. + +JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log. + +JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues. + +JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was + documented as working, but never had. Support all but $spam_report. + +JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command + added for tls authenticator. + +HS/03 Add perl_taintmode main config option + + +Exim version 4.85 +----------------- + +TL/01 When running the test suite, the README says that variables such as + no_msglog_check are global and can be placed anywhere in a specific + test's script, however it was observed that placement needed to be near + the beginning for it to behave that way. Changed the runtest perl + script to read through the entire script once to detect and set these + variables, reset to the beginning of the script, and then run through + the script parsing/test process like normal. + +TL/02 The BSD's have an arc4random API. One of the functions to induce + adding randomness was arc4random_stir(), but it has been removed in + OpenBSD 5.5. Detect this OpenBSD version and skip calling this + function when detected. + +JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now + cause callback expansion. + +TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that + syntax errors in an expansion can be treated as a string instead of + logging or causing an error, due to the internal use of bool_lax + instead of bool when processing it. + +JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for + server certificates when making smtp deliveries. + +JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups. + +JH/04 Add ${sort {list}{condition}{extractor}} expansion item. + +TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep. + +TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups. + Merged patch from Sebastian Wiedenroth. + +JH/05 Fix results-pipe from transport process. Several recipients, combined + with certificate use, exposed issues where response data items split + over buffer boundaries were not parsed properly. This eventually + resulted in duplicates being sent. This issue only became common enough + to notice due to the introduction of connection certificate information, + the item size being so much larger. Found and fixed by Wolfgang Breyha. + +JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed + size buffer was used, resulting in syntax errors when an expansion + exceeded it. + +JH/07 Add support for directories of certificates when compiled with a GnuTLS + version 3.3.6 or later. + +JH/08 Rename the TPDA experimental facility to Event Actions. The #ifdef + is EXPERIMENTAL_EVENT, the main-configuration and transport options + both become "event_action", the variables become $event_name, $event_data + and $event_defer_errno. There is a new variable $verify_mode, usable in + routers, transports and related events. The tls:cert event is now also + raised for inbound connections, if the main configuration event_action + option is defined. + +TL/06 In test suite, disable OCSP for old versions of openssl which contained + early OCSP support, but no stapling (appears to be less than 1.0.0). + +JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on + server certificate names available under the smtp transport option + "tls_verify_cert_hostname" now do not permit multi-component wildcard + matches. + +JH/10 Time-related extraction expansions from certificates now use the main + option "timezone" setting for output formatting, and are consistent + between OpenSSL and GnuTLS compilations. Bug 1541. + +JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047- + encoded parameter in the incoming message. Bug 1558. + +JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now + include certificate info, eximon was claiming there were spoolfile + syntax errors. + +JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return. + +JH/14 Log delivery-related information more consistently, using the sequence + "H=<name> [<ip>]" wherever possible. + +TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which + are problematic for Debian distribution, omit them from the release + tarball. + +JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature. + +JH/16 Fix string representation of time values on 64bit time_t architectures. + Bug 1561. + +JH/17 Fix a null-indirection in certextract expansions when a nondefault + output list separator was used. + + +Exim version 4.84 +----------------- +TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static + checkers that were complaining about end of non-void function with no + return. + +JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers. + This was a regression introduced in 4.83 by another bugfix. + +JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled. + +TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when + EXPERIMENTAL_DSN is enabled. Fix from Wolfgang Breyha. + + +Exim version 4.83 +----------------- + +TF/01 Correctly close the server side of TLS when forking for delivery. + + When a message was received over SMTP with TLS, Exim failed to clear up + the incoming connection properly after forking off the child process to + deliver the message. In some situations the subsequent outgoing + delivery connection happened to have the same fd number as the incoming + connection previously had. Exim would try to use TLS and fail, logging + a "Bad file descriptor" error. + +TF/02 Portability fix for building lookup modules on Solaris when the xpg4 + utilities have not been installed. + +JH/01 Fix memory-handling in use of acl as a conditional; avoid free of + temporary space as the ACL may create new global variables. + +TL/01 LDAP support uses per connection or global context settings, depending + upon the detected version of the libraries at build time. + +TL/02 Experimental Proxy Protocol support: allows a proxied SMTP connection + to extract and use the src ip:port in logging and expansions as if it + were a direct connection from the outside internet. PPv2 support was + updated based on HAProxy spec change in May 2014. + +JH/02 Add ${listextract {number}{list}{success}{fail}}. + +TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents. + Properly escape header and check for NULL return. + +PP/01 Continue incomplete 4.82 PP/19 by fixing docs too: use dns_dnssec_ok + not dns_use_dnssec. + +JH/03 Bugzilla 1157: support log_selector smtp_confirmation for lmtp. + +TL/04 Add verify = header_names_ascii check to reject email with non-ASCII + characters in header names, implemented as a verify condition. + Contributed by Michael Fischer v. Mollard. + +TL/05 Rename SPF condition results err_perm and err_temp to standardized + results permerror and temperror. Previous values are deprecated but + still accepted. In a future release, err_perm and err_temp will be + completely removed, which will be a backward incompatibility if the + ACL tests for either of these two old results. Patch contributed by + user bes-internal on the mailing list. + +JH/04 Add ${utf8clean:} operator. Contributed by Alex Rau. + +JH/05 Bugzilla 305: Log incoming-TLS details on rejects, subject to log + selectors, in both main and reject logs. + +JH/06 Log outbound-TLS and port details, subject to log selectors, for a + failed delivery. + +JH/07 Add malware type "sock" for talking to simple daemon. + +JH/08 Bugzilla 1371: Add tls_{,try_}verify_hosts to smtp transport. + +JH/09 Bugzilla 1431: Support (with limitations) headers_add/headers_remove in + routers/transports under cutthrough routing. + +JH/10 Bugzilla 1005: ACL "condition =" should accept values which are negative + numbers. Touch up "bool" conditional to keep the same definition. + +TL/06 Remove duplicated language in spec file from 4.82 TL/16. + +JH/11 Add dnsdb tlsa lookup. From Todd Lyons. + +JH/12 Expand items in router/transport headers_add or headers_remove lists + individually rather than the list as a whole. Bug 1452. + + Required for reasonable handling of multiple headers_ options when + they may be empty; requires that headers_remove items with embedded + colons must have them doubled (or the list-separator changed). + +TL/07 Add new dmarc expansion variable $dmarc_domain_policy to directly + view the policy declared in the DMARC record. Currently, $dmarc_status + is a combined value of both the record presence and the result of the + analysis. + +JH/13 Fix handling of $tls_cipher et.al. in (non-verify) transport. Bug 1455. + +JH/14 New options dnssec_request_domains, dnssec_require_domains on the + dnslookup router and the smtp transport (applying to the forward + lookup). + +TL/08 Bugzilla 1453: New LDAP "SERVERS=" option allows admin to override list + of ldap servers used for a specific lookup. Patch provided by Heiko + Schlichting. + +JH/18 New options dnssec_lax, dnssec_strict on dnsdb lookups. + New variable $lookup_dnssec_authenticated for observability. + +TL/09 Bugzilla 609: Add -C option to exiqgrep, specify which exim.conf to use. + Patch submitted by Lars Timman. + +JH/19 EXPERIMENTAL_OCSP support under GnuTLS. Bug 1459. + +TL/10 Bugzilla 1454: New -oMm option to pass message reference to Exim. + Requires trusted mode and valid format message id, aborts otherwise. + Patch contributed by Heiko Schlichting. + +JH/20 New expansion variables tls_(in,out)_(our,peer)cert, and expansion item + certextract with support for various fields. Bug 1358. + +JH/21 Observability of OCSP via variables tls_(in,out)_ocsp. Stapling + is requested by default, modifiable by smtp transport option + hosts_request_ocsp. + +JH/22 Expansion operators ${md5:string} and ${sha1:string} can now + operate on certificate variables to give certificate fingerprints + Also new ${sha256:cert_variable}. + +JH/23 The PRDR feature is moved from being Experimental into the mainline. + +TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from + Christian Aistleitner. + +JH/24 The OCSP stapling feature is moved from Experimental into the mainline. + +TL/12 Bug 1444: Fix improper \r\n sequence handling when writing spool + file. Patch from Wolfgang Breyha. + +JH/25 Expand the coverage of the delivery $host and $host_address to + client authenticators run in verify callout. Bug 1476. + +JH/26 Port service names are now accepted for tls_on_connect_ports, to + align with daemon_smtp_ports. Bug 72. + +TF/03 Fix udpsend. The ip_connectedsocket() function's socket type + support and error reporting did not work properly. + +TL/13 Bug 1495: Exiqgrep check if -C config file specified on cli exists + and is readable. Patch from Andrew Colin Kissa. + +TL/14 Enhance documentation of ${run expansion and how it parses the + commandline after expansion, particularly in the case when an + unquoted variable expansion results in an empty value. + +JH/27 The TLS SNI feature was broken in 4.82. Fix it. + +PP/02 Fix internal collision of T_APL on systems which support RFC3123 + by renaming away from it. Addresses GH issue 15, reported by + Jasper Wallace. + +JH/28 Fix parsing of MIME headers for parameters with quoted semicolons. + +TL/15 SECURITY: prevent double expansion in math comparison functions + (can expand unsanitized data). Not remotely exploitable. + CVE-2014-2972 + + +Exim version 4.82 +----------------- + +PP/01 Add -bI: framework, and -bI:sieve for querying sieve capabilities. + +PP/02 Make -n do something, by making it not do something. + When combined with -bP, the name of an option is not output. + +PP/03 Added tls_dh_min_bits SMTP transport driver option, only honoured + by GnuTLS. + +PP/04 First step towards DNSSEC, provide $sender_host_dnssec for + $sender_host_name and config options to manage this, and basic check + routines. + +PP/05 DSCP support for outbound connections and control modifier for inbound. + +PP/06 Cyrus SASL: set local and remote IP;port properties for driver. + (Only plugin which currently uses this is kerberos4, which nobody should + be using, but we should make it available and other future plugins might + conceivably use it, even though it would break NAT; stuff *should* be + using channel bindings instead). + +PP/07 Handle "exim -L <tag>" to indicate to use syslog with tag as the process + name; added for Sendmail compatibility; requires admin caller. + Handle -G as equivalent to "control = suppress_local_fixups" (we used to + just ignore it); requires trusted caller. + Also parse but ignore: -Ac -Am -X<logfile> + Bugzilla 1117. + +TL/01 Bugzilla 1258 - Refactor MAIL FROM optional args processing. + +TL/02 Add +smtp_confirmation as a default logging option. + +TL/03 Bugzilla 198 - Implement remove_header ACL modifier. + Patch by Magnus Holmgren from 2007-02-20. + +TL/04 Bugzilla 1281 - Spec typo. + Bugzilla 1283 - Spec typo. + Bugzilla 1290 - Spec grammar fixes. + +TL/05 Bugzilla 1285 - Spec omission, fix docbook errors for spec.txt creation. + +TL/06 Add Experimental DMARC support using libopendmarc libraries. + +TL/07 Fix an out of order global option causing a segfault. Reported to dev + mailing list by by Dmitry Isaikin. + +JH/01 Bugzilla 1201 & 304 - New cutthrough-delivery feature, with TLS support. + +JH/02 Support "G" suffix to numbers in ${if comparisons. + +PP/08 Handle smtp transport tls_sni option forced-fail for OpenSSL. + +NM/01 Bugzilla 1197 - Spec typo + Bugzilla 1196 - Spec examples corrections + +JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} + +PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called + gnutls_enable_pkcs11, but renamed to more accurately indicate its + function. + +PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC. + Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler. + +JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition + "acl {{name}{arg}...}", and optional args on acl condition + "acl = name arg..." + +JH/05 Permit multiple router/transport headers_add/remove lines. + +JH/06 Add dnsdb pseudo-lookup "a+" to do an "aaaa" + "a" combination. + +JH/07 Avoid using a waiting database for a single-message-only transport. + Performance patch from Paul Fisher. Bugzilla 1262. + +JH/08 Strip leading/trailing newlines from add_header ACL modifier data. + Bugzilla 884. + +JH/09 Add $headers_added variable, with content from use of ACL modifier + add_header (but not yet added to the message). Bugzilla 199. + +JH/10 Add 8bitmime log_selector, for 8bitmime status on the received line. + Pulled from Bugzilla 817 by Wolfgang Breyha. + +PP/11 SECURITY: protect DKIM DNS decoding from remote exploit. + CVE-2012-5671 + (nb: this is the same fix as in Exim 4.80.1) + +JH/11 Add A= logging on delivery lines, and a client_set_id option on + authenticators. + +JH/12 Add optional authenticated_sender logging to A= and a log_selector + for control. + +PP/12 Unbreak server_set_id for NTLM/SPA auth, broken by 4.80 PP/29. + +PP/13 Dovecot auth: log better reason to rejectlog if Dovecot did not + advertise SMTP AUTH mechanism to us, instead of a generic + protocol violation error. Also, make Exim more robust to bad + data from the Dovecot auth socket. + +TF/01 Fix ultimate retry timeouts for intermittently deliverable recipients. + + When a queue runner is handling a message, Exim first routes the + recipient addresses, during which it prunes them based on the retry + hints database. After that it attempts to deliver the message to + any remaining recipients. It then updates the hints database using + the retry rules. + + So if a recipient address works intermittently, it can get repeatedly + deferred at routing time. The retry hints record remains fresh so the + address never reaches the final cutoff time. + + This is a fairly common occurrence when a user is bumping up against + their storage quota. Exim had some logic in its local delivery code + to deal with this. However it did not apply to per-recipient defers + in remote deliveries, e.g. over LMTP to a separate IMAP message store. + + This change adds a proper retry rule check during routing so that the + final cutoff time is checked against the message's age. We only do + this check if there is an address retry record and there is not a + domain retry record; this implies that previous attempts to handle + the address had the retry_use_local_parts option turned on. We use + this as an approximation for the destination being like a local + delivery, as in LMTP. + + I suspect this new check makes the old local delivery cutoff check + redundant, but I have not verified this so I left the code in place. + +TF/02 Correct gecos expansion when From: is a prefix of the username. + + Test 0254 submits a message to Exim with the header + + Resent-From: f + + When I ran the test suite under the user fanf2, Exim expanded + the header to contain my full name, whereas it should have added + a Resent-Sender: header. It erroneously treats any prefix of the + username as equal to the username. + + This change corrects that bug. + +GF/01 DCC debug and logging tidyup + Error conditions log to paniclog rather than rejectlog. + Debug lines prefixed by "DCC: " to remove any ambiguity. + +TF/03 Avoid unnecessary rebuilds of lookup-related code. + +PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server. + Bug spotted by Jeremy Harris; was flawed since initial commit. + Would have resulted in OCSP responses post-SNI triggering an Exim + NULL dereference and crash. + +JH/13 Add $router_name and $transport_name variables. Bugzilla 308. + +PP/15 Define SIOCGIFCONF_GIVES_ADDR for GNU Hurd. + Bug detection, analysis and fix by Samuel Thibault. + Bugzilla 1331, Debian bug #698092. + +SC/01 Update eximstats to watch out for senders sending 'HELO [IpAddr]' + +JH/14 SMTP PRDR (http://www.eric-a-hall.com/specs/draft-hall-prdr-00.txt). + Server implementation by Todd Lyons, client by JH. + Only enabled when compiled with EXPERIMENTAL_PRDR. A new + config variable "prdr_enable" controls whether the server + advertises the facility. If the client requests PRDR a new + acl_data_smtp_prdr ACL is called once for each recipient, after + the body content is received and before the acl_smtp_data ACL. + The client is controlled by both of: a hosts_try_prdr option + on the smtp transport, and the server advertisement. + Default client logging of deliveries and rejections involving + PRDR are flagged with the string "PRDR". + +PP/16 Fix problems caused by timeouts during quit ACLs trying to double + fclose(). Diagnosis by Todd Lyons. + +PP/17 Update configure.default to handle IPv6 localhost better. + Patch by Alain Williams (plus minor tweaks). + Bugzilla 880. + +PP/18 OpenSSL made graceful with empty tls_verify_certificates setting. + This is now consistent with GnuTLS, and is now documented: the + previous undocumented portable approach to treating the option as + unset was to force an expansion failure. That still works, and + an empty string is now equivalent. + +PP/19 Renamed DNSSEC-enabling option to "dns_dnssec_ok", to make it + clearer that Exim is using the DO (DNSSEC OK) EDNS0 resolver flag, + not performing validation itself. + +PP/20 Added force_command boolean option to pipe transport. + Patch from Nick Koston, of cPanel Inc. + +JH/15 AUTH support on callouts (and hence cutthrough-deliveries). + Bugzilla 321, 823. + +TF/04 Added udpsend ACL modifier and hexquote expansion operator + +PP/21 Fix eximon continuous updating with timestamped log-files. + Broken in a format-string cleanup in 4.80, missed when I repaired the + other false fix of the same issue. + Report and fix from Heiko Schlichting. + Bugzilla 1363. + +PP/22 Guard LDAP TLS usage against Solaris LDAP variant. + Report from Prashanth Katuri. + +PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options. + It's SecureTransport, so affects any MacOS clients which use the + system-integrated TLS libraries, including email clients. + +PP/24 Fix segfault from trying to fprintf() to a NULL stdio FILE* if + using a MIME ACL for non-SMTP local injection. + Report and assistance in diagnosis by Warren Baker. + +TL/08 Adjust exiqgrep to be case-insensitive for sender/receiver. + +JH/16 Fix comparisons for 64b. Bugzilla 1385. + +TL/09 Add expansion variable $authenticated_fail_id to keep track of + last id that failed so it may be referenced in subsequent ACL's. + +TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by + Alexander Miroch. + +TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls + ldap library initialization, allowing self-signed CA's to be + used. Also properly sets require_cert option later in code by + using NULL (global ldap config) instead of ldap handle (per + session). Bug diagnosis and testing by alxgomz. + +TL/12 Enhanced documentation in the ratelimit.pl script provided in + the src/util/ subdirectory. + +TL/13 Bug 1031 - Imported transport SQL logging patch from Axel Rau + renamed to Transport Post Delivery Action by Jeremy Harris, as + EXPERIMENTAL_TPDA. + +TL/14 Bugzilla 1217 - Redis lookup support has been added. It is only enabled + when Exim is compiled with EXPERIMENTAL_REDIS. A new config variable + redis_servers = needs to be configured which will be used by the redis + lookup. Patch from Warren Baker, of The Packet Hub. + +TL/15 Fix exiqsumm summary for corner case. Patch provided by Richard Hall. + +TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a + hostname or reverse DNS when processing a host list. Used suggestions + from multiple comments on this bug. + +TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey. + +TL/18 Had previously added a -CONTINUE option to runtest in the test suite. + Missed a few lines, added it to make the runtest require no keyboard + interaction. + +TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite + contains upper case chars. Make router use caseful_local_part. + +TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS + support when GnuTLS has been built with p11-kit. + + +Exim version 4.80.1 +------------------- + +PP/01 SECURITY: protect DKIM DNS decoding from remote exploit. + CVE-2012-5671 + This, or similar/improved, will also be change PP/11 of 4.82. + + +Exim version 4.80 +----------------- + +PP/01 Handle short writes when writing local log-files. + In practice, only affects FreeBSD (8 onwards). + Bugzilla 1053, with thanks to Dmitry Isaikin. + +NM/01 Bugzilla 949 - Documentation tweak + +NM/02 Bugzilla 1093 - eximstats DATA reject detection regexps + improved. + +NM/03 Bugzilla 1169 - primary_hostname spelling was incorrect in docs. + +PP/02 Implemented gsasl authenticator. + +PP/03 Implemented heimdal_gssapi authenticator with "server_keytab" option. + +PP/04 Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use + `pkg-config foo` for cflags/libs. + +PP/05 Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent + with rest of GSASL and with heimdal_gssapi. + +PP/06 Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use + `pkg-config foo` for cflags/libs for the TLS implementation. + +PP/07 New expansion variable $tls_bits; Cyrus SASL server connection + properties get this fed in as external SSF. A number of robustness + and debugging improvements to the cyrus_sasl authenticator. + +PP/08 cyrus_sasl server now expands the server_realm option. + +PP/09 Bugzilla 1214 - Log authentication information in reject log. + Patch by Jeremy Harris. + +PP/10 Added dbmjz lookup type. + +PP/11 Let heimdal_gssapi authenticator take a SASL message without an authzid. + +PP/12 MAIL args handles TAB as well as SP, for better interop with + non-compliant senders. + Analysis and variant patch by Todd Lyons. + +NM/04 Bugzilla 1237 - fix cases where printf format usage not indicated + Bug report from Lars Müller <lars@samba.org> (via SUSE), + Patch from Dirk Mueller <dmueller@suse.com> + +PP/13 tls_peerdn now print-escaped for spool files. + Observed some $tls_peerdn in wild which contained \n, which resulted + in spool file corruption. + +PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options" + values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read + or write after TLS renegotiation, which otherwise led to messages + "Got SSL error 2". + +TK/01 Bugzilla 1239 - fix DKIM verification when signature was not inserted + as a tracking header (ie: a signed header comes before the signature). + Patch from Wolfgang Breyha. + +JH/01 Bugzilla 660 - Multi-valued attributes from ldap now parseable as a + comma-sep list; embedded commas doubled. + +JH/02 Refactored ACL "verify =" logic to table-driven dispatch. + +PP/15 LDAP: Check for errors of TLS initialisation, to give correct + diagnostics. + Report and patch from Dmitry Banschikov. + +PP/16 Removed "dont_insert_empty_fragments" from "openssl_options". + Removed SSL_clear() after SSL_new() which led to protocol negotiation + failures. We appear to now support TLS1.1+ with Exim. + +PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate + lets Exim select keys and certificates based upon TLS SNI from client. + Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly + before an outbound SMTP session. New log_selector, +tls_sni. + +PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid + NULL dereference. Report and patch from Alun Jones. + +PP/19 DNS resolver init changes for NetBSD compatibility. (Risk of breakage + on less well tested platforms). Obviates NetBSD pkgsrc patch-ac. + Not seeing resolver debug output on NetBSD, but suspect this is a + resolver implementation change. + +PP/20 Revert part of NM/04, it broke log_path containing %D expansions. + Left warnings. Added "eximon gdb" invocation mode. + +PP/21 Defaulting "accept_8bitmime" to true, not false. + +PP/22 Added -bw for inetd wait mode support. + +PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to + locate the relevant includes and libraries. Made this the default. + +PP/24 Fixed headers_only on smtp transports (was not sending trailing dot). + Bugzilla 1246, report and most of solution from Tomasz Kusy. + +JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m"). + This may cause build issues on older platforms. + +PP/25 Revamped GnuTLS support, passing tls_require_ciphers to + gnutls_priority_init, ignoring Exim options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols (no longer supported). + Added SNI support via GnuTLS too. + Made ${randint:..} supplier available, if using not-too-old GnuTLS. + +PP/26 Added EXPERIMENTAL_OCSP for OpenSSL. + +PP/27 Applied dnsdb SPF support patch from Janne Snabb. + Applied second patch from Janne, implementing suggestion to default + multiple-strings-in-record handling to match SPF spec. + +JH/04 Added expansion variable $tod_epoch_l for a higher-precision time. + +PP/28 Fix DCC dcc_header content corruption (stack memory referenced, + read-only, out of scope). + Patch from Wolfgang Breyha, report from Stuart Northfield. + +PP/29 Fix three issues highlighted by clang analyser static analysis. + Only crash-plausible issue would require the Cambridge-specific + iplookup router and a misconfiguration. + Report from Marcin Mirosław. + +PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy. + +PP/31 %D in printf continues to cause issues (-Wformat=security), so for + now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS. + As part of this, removing so much warning spew let me fix some minor + real issues in debug logging. + +PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing + assignment on my part. Fixed. + +PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit + of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by + Janne Snabb (who went above and beyond: thank you). + +PP/34 Validate tls_require_ciphers on startup, since debugging an invalid + string otherwise requires a connection and a bunch more work and it's + relatively easy to get wrong. Should also expose TLS library linkage + problems. + +PP/35 Pull in <features.h> on Linux, for some portability edge-cases of + 64-bit ${eval} (JH/03). + +PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of + GNU libc to support some of the 64-bit stuff, should not lead to + conflicts. Defined before os.h is pulled in, so if a given platform + needs to override this, it can. + +PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought + protection layer was required, which is not implemented. + Bugzilla 1254, patch from Wolfgang Breyha. + +PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built + into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make + tls_dhparam take prime identifiers. Also unbreak combination of + OpenSSL+DH_params+TLSSNI. + +PP/39 Disable SSLv2 by default in OpenSSL support. + + +Exim version 4.77 +----------------- + +PP/01 Solaris build fix for Oracle's LDAP libraries. + Bugzilla 1109, patch from Stephen Usher. + +TF/01 HP/UX build fix: avoid arithmetic on a void pointer. + +TK/01 DKIM Verification: Fix relaxed canon for empty headers w/o + whitespace trailer + +TF/02 Fix a couple more cases where we did not log the error message + when unlink() failed. See also change 4.74-TF/03. + +TF/03 Make the exiwhat support code safe for signals. Previously Exim might + lock up or crash if it happened to be inside a call to libc when it + got a SIGUSR1 from exiwhat. + + The SIGUSR1 handler appends the current process status to the process + log which is later printed by exiwhat. It used to use the general + purpose logging code to do this, but several functions it calls are + not safe for signals. + + The new output code in the SIGUSR1 handler is specific to the process + log, and simple enough that it's easy to inspect for signal safety. + Removing some special cases also simplifies the general logging code. + Removing the spurious timestamps from the process log simplifies + exiwhat. + +TF/04 Improved ratelimit ACL condition. + + The /noupdate option has been deprecated in favour of /readonly which + has clearer semantics. The /leaky, /strict, and /readonly update modes + are mutually exclusive. The update mode is no longer included in the + database key; it just determines when the database is updated. (This + means that when you upgrade Exim will forget old rate measurements.) + + Exim now checks that the per_* options are used with an update mode that + makes sense for the current ACL. For example, when Exim is processing a + message (e.g. acl_smtp_rcpt or acl_smtp_data, etc.) you can specify + per_mail/leaky or per_mail/strict; otherwise (e.g. in acl_smtp_helo) you + must specify per_mail/readonly. If you omit the update mode it defaults to + /leaky where that makes sense (as before) or /readonly where required. + + The /noupdate option is now undocumented but still supported for + backwards compatibility. It is equivalent to /readonly except that in + ACLs where /readonly is required you may specify /leaky/noupdate or + /strict/noupdate which are treated the same as /readonly. + + A useful new feature is the /count= option. This is a generalization + of the per_byte option, so that you can measure the throughput of other + aggregate values. For example, the per_byte option is now equivalent + to per_mail/count=${if >{0}{$message_size} {0} {$message_size} }. + + The per_rcpt option has been generalized using the /count= mechanism + (though it's more complicated than the per_byte equivalence). When it is + used in acl_smtp_rcpt, the per_rcpt option adds recipients to the + measured rate one at a time; if it is used later (e.g. in acl_smtp_data) + or in a non-SMTP ACL it adds all the recipients in one go. (The latter + /count=$recipients_count behaviour used to work only in non-SMTP ACLs.) + Note that using per_rcpt with a non-readonly update mode in more than + one ACL will cause the recipients to be double-counted. (The per_mail + and per_byte options don't have this problem.) + + The handling of very low rates has changed slightly. If the computed rate + is less than the event's count (usually one) then this event is the first + after a long gap. In this case the rate is set to the same as this event's + count, so that the first message of a spam run is counted properly. + + The major new feature is a mechanism for counting the rate of unique + events. The new per_addr option counts the number of different + recipients that someone has sent messages to in the last time period. It + behaves like per_rcpt if all the recipient addresses are different, but + duplicate recipient addresses do not increase the measured rate. Like + the /count= option this is a general mechanism, so the per_addr option + is equivalent to per_rcpt/unique=$local_part@$domain. You can, for + example, measure the rate that a client uses different sender addresses + with the options per_mail/unique=$sender_address. There are further + details in the main documentation. + +TF/05 Removed obsolete $Cambridge$ CVS revision strings. + +TF/06 Removed a few PCRE remnants. + +TF/07 Automatically extract Exim's version number from tags in the git + repository when doing development or release builds. + +PP/02 Raise smtp_cmd_buffer_size to 16kB. + Bugzilla 879. Patch from Paul Fisher. + +PP/03 Implement SSL-on-connect outbound with protocol=smtps on smtp transport. + Heavily based on revision 40f9a89a from Simon Arlott's tree. + Bugzilla 97. + +PP/04 Use .dylib instead of .so for dynamic library loading on MacOS. + +PP/05 Variable $av_failed, true if the AV scanner deferred. + Bugzilla 1078. Patch from John Horne. + +PP/06 Stop make process more reliably on build failure. + Bugzilla 1087. Patch from Heiko Schlittermann. + +PP/07 Make maildir_use_size_file an _expandable_ boolean. + Bugzilla 1089. Patch from Heiko Schlittermann. + +PP/08 Handle ${run} returning more data than OS pipe buffer size. + Bugzilla 1131. Patch from Holger Weiß. + +PP/09 Handle IPv6 addresses with SPF. + Bugzilla 860. Patch from Wolfgang Breyha. + +PP/10 GnuTLS: support TLS 1.2 & 1.1. + Bugzilla 1156. + Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler]. + Bugzilla 1095. + +PP/11 match_* no longer expand right-hand-side by default. + New compile-time build option, EXPAND_LISTMATCH_RHS. + New expansion conditions, "inlist", "inlisti". + +PP/12 fix uninitialised greeting string from PP/03 (smtps client support). + +PP/13 shell and compiler warnings fixes for RC1-RC4 changes. + +PP/14 fix log_write() format string regression from TF/03. + Bugzilla 1152. Patch from Dmitry Isaikin. + + +Exim version 4.76 +----------------- + +PP/01 The new ldap_require_cert option would segfault if used. Fixed. + +PP/02 Harmonised TLS library version reporting; only show if debugging. + Layout now matches that introduced for other libraries in 4.74 PP/03. + +PP/03 New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1 + +PP/04 New "dns_use_edns0" global option. + +PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid. + Bugzilla 1098. + +PP/06 Extra paranoia around buffer usage at the STARTTLS transition. + nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316 + +TK/01 Updated PolarSSL code to 0.14.2. + Bugzilla 1097. Patch from Andreas Metzler. + +PP/07 Catch divide-by-zero in ${eval:...}. + Fixes bugzilla 1102. + +PP/08 Condition negation of bool{}/bool_lax{} did not negate. Fixed. + Bugzilla 1104. + +TK/02 Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a + format-string attack -- SECURITY: remote arbitrary code execution. + +TK/03 SECURITY - DKIM signature header parsing was double-expanded, second + time unintentionally subject to list matching rules, letting the header + cause arbitrary Exim lookups (of items which can occur in lists, *not* + arbitrary string expansion). This allowed for information disclosure. + +PP/09 Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to + INT_MIN/-1 -- value coerced to INT_MAX. + + +Exim version 4.75 +----------------- + +NM/01 Workaround for PCRE version dependency in version reporting + Bugzilla 1073 + +TF/01 Update valgrind.h and memcheck.h to copies from valgrind-3.6.0. + This fixes portability to compilers other than gcc, notably + Solaris CC and HP-UX CC. Fixes Bugzilla 1050. + +TF/02 Bugzilla 139: Avoid using the += operator in the modular lookup + makefiles for portability to HP-UX and POSIX correctness. + +PP/01 Permit LOOKUP_foo enabling on the make command-line. + Also via indented variable definition in the Makefile. + (Debugging by Oliver Heesakkers). + +PP/02 Restore caching of spamd results with expanded spamd_address. + Patch from author of expandable spamd_address patch, Wolfgang Breyha. + +PP/03 Build issue: lookups-Makefile now exports LC_ALL=C + Improves build reliability. Fix from: Frank Elsner + +NM/02 Fix wide character breakage in the rfc2047 coding + Fixes bug 1064. Patch from Andrey N. Oktyabrski + +NM/03 Allow underscore in dnslist lookups + Fixes bug 1026. Patch from Graeme Fowler + +PP/04 Bugzilla 230: Support TLS-enabled LDAP (in addition to ldaps). + Code patches from Adam Ciarcinski of NetBSD. + +NM/04 Fixed exiqgrep to cope with mailq missing size issue + Fixes bug 943. + +PP/05 Bugzilla 1083: when lookup expansion defers, escape the output which + is logged, to avoid truncation. Patch from John Horne. + +PP/06 Bugzilla 1042: implement freeze_signal on pipe transports. + Patch from Jakob Hirsch. + +PP/07 Bugzilla 1061: restrict error messages sent over SMTP to not reveal + SQL string expansion failure details. + Patch from Andrey Oktyabrski. + +PP/08 Bugzilla 486: implement %M datestamping in log filenames. + Patch from Simon Arlott. + +PP/09 New lookups functionality failed to compile on old gcc which rejects + extern declarations in function scope. + Patch from Oliver Fleischmann + +PP/10 Use sig_atomic_t for flags set from signal handlers. + Check getgroups() return and improve debugging. + Fixed developed for diagnosis in bug 927 (which turned out to be + a kernel bug). + +PP/11 Bugzilla 1055: Update $message_linecount for maildir_tag. + Patch from Mark Zealey. + +PP/12 Bugzilla 1056: Improved spamd server selection. + Patch from Mark Zealey. + +PP/13 Bugzilla 1086: Deal with maildir quota file races. + Based on patch from Heiko Schlittermann. + +PP/14 Bugzilla 1019: DKIM multiple signature generation fix. + Patch from Uwe Doering, sign-off by Michael Haardt. + +NM/05 Fix to spam.c to accommodate older gcc versions which dislike + variable declaration deep within a block. Bug and patch from + Dennis Davis. + +PP/15 lookups-Makefile IRIX compatibility coercion. + +PP/16 Make DISABLE_DKIM build knob functional. + +NM/06 Bugzilla 968: child_open_uid: restore default SIGPIPE handler + Patch by Simon Arlott + +TF/03 Fix valgrind.h portability to C89 compilers that do not support + variable argument macros. Our copy now differs from upstream. + + +Exim version 4.74 +----------------- + +TF/01 Failure to get a lock on a hints database can have serious + consequences so log it to the panic log. + +TF/02 Log LMTP confirmation messages in the same way as SMTP, + controlled using the smtp_confirmation log selector. + +TF/03 Include the error message when we fail to unlink a spool file. + +DW/01 Bugzilla 139: Support dynamically loaded lookups as modules. + With thanks to Steve Haslam, Johannes Berg & Serge Demonchaux + for maintaining out-of-tree patches for some time. + +PP/01 Bugzilla 139: Documentation and portability issues. + Avoid GNU Makefile-isms, let Exim continue to build on BSD. + Handle per-OS dynamic-module compilation flags. + +PP/02 Let /dev/null have normal permissions. + The 4.73 fixes were a little too stringent and complained about the + permissions on /dev/null. Exempt it from some checks. + Reported by Andreas M. Kirchwitz. + +PP/03 Report version information for many libraries, including + Exim version information for dynamically loaded libraries. Created + version.h, now support a version extension string for distributors + who patch heavily. Dynamic module ABI change. + +PP/04 CVE-2011-0017 - check return value of setuid/setgid. This is a + privilege escalation vulnerability whereby the Exim run-time user + can cause root to append content of the attacker's choosing to + arbitrary files. + +PP/05 Bugzilla 1041: merged DCC maintainer's fixes for return code. + (Wolfgang Breyha) + +PP/06 Bugzilla 1071: fix delivery logging with untrusted macros. + If dropping privileges for untrusted macros, we disabled normal logging + on the basis that it would fail; for the Exim run-time user, this is not + the case, and it resulted in successful deliveries going unlogged. + Fixed. Reported by Andreas Metzler. + + +Exim version 4.73 +----------------- + +PP/01 Date: & Message-Id: revert to normally being appended to a message, + only prepend for the Resent-* case. Fixes regression introduced in + Exim 4.70 by NM/22 for Bugzilla 607. + +PP/02 Include check_rfc2047_length in configure.default because we're seeing + increasing numbers of administrators be bitten by this. + +JJ/01 Added DISABLE_DKIM and comment to src/EDITME + +PP/03 Bugzilla 994: added openssl_options main configuration option. + +PP/04 Bugzilla 995: provide better SSL diagnostics on failed reads. + +PP/05 Bugzilla 834: provide a permit_coredump option for pipe transports. + +PP/06 Adjust NTLM authentication to handle SASL Initial Response. + +PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but + without a peer certificate, leading to a segfault because of an + assumption that peers always have certificates. Be a little more + paranoid. Problem reported by Martin Tscholak. + +PP/08 Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content + filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes + NB: ClamAV planning to remove STREAM in "middle of 2010". + CL also introduces -bmalware, various -d+acl logging additions and + more caution in buffer sizes. + +PP/09 Implemented reverse_ip expansion operator. + +PP/10 Bugzilla 937: provide a "debug" ACL control. + +PP/11 Bugzilla 922: Documentation dusting, patch provided by John Horne. + +PP/12 Bugzilla 973: Implement --version. + +PP/13 Bugzilla 752: Refuse to build/run if Exim user is root/0. + +PP/14 Build without WITH_CONTENT_SCAN. Path from Andreas Metzler. + +PP/15 Bugzilla 816: support multiple condition rules on Routers. + +PP/16 Add bool_lax{} expansion operator and use that for combining multiple + condition rules, instead of bool{}. Make both bool{} and bool_lax{} + ignore trailing whitespace. + +JJ/02 prevent non-panic DKIM error from being sent to paniclog + +JJ/03 added tcp_wrappers_daemon_name to allow host entries other than + "exim" to be used + +PP/17 Fix malware regression for cmdline scanner introduced in PP/08. + Notification from Dr Andrew Aitchison. + +PP/18 Change ClamAV response parsing to be more robust and to handle ClamAV's + ExtendedDetectionInfo response format. + Notification from John Horne. + +PP/19 OpenSSL 1.0.0a compatibility const-ness change, should be backwards + compatible. + +PP/20 Added a CONTRIBUTING file. Fixed the documentation build to use http: + XSL and documented dependency on system catalogs, with examples of how + it normally works. + +DW/21 Added Valgrind hooks in store.c to help it capture out-of-bounds store + access. + +DW/22 Bugzilla 1044: CVE-2010-4345 - partial fix: restrict default behaviour + of CONFIGURE_OWNER and CONFIGURE_GROUP options to no longer allow a + configuration file which is writeable by the Exim user or group. + +DW/23 Bugzilla 1044: CVE-2010-4345 - part two: extend checks for writeability + of configuration files to cover files specified with the -C option if + they are going to be used with root privileges, not just the default + configuration file. + +DW/24 Bugzilla 1044: CVE-2010-4345 - part three: remove ALT_CONFIG_ROOT_ONLY + option (effectively making it always true). + +DW/25 Add TRUSTED_CONFIG_PREFIX_FILE option to allow alternative configuration + files to be used while preserving root privileges. + +DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure + that rogue child processes cannot use them. + +PP/27 Bugzilla 1047: change the default for system_filter_user to be the Exim + run-time user, instead of root. + +PP/28 Add WHITELIST_D_MACROS option to let some macros be overridden by the + Exim run-time user without dropping privileges. + +DW/29 Remove use of va_copy() which breaks pre-C99 systems. Duplicate the + result string, instead of calling string_vformat() twice with the same + arguments. + +DW/30 Allow TRUSTED_CONFIG_PREFIX_FILE only for Exim or CONFIGURE_OWNER, not + for other users. Others should always drop root privileges if they use + -C on the command line, even for a whitelisted configure file. + +DW/31 Turn TRUSTED_CONFIG_PREFIX_FILE into TRUSTED_CONFIG_FILE. No prefixes. + +NM/01 Fixed bug #1002 - Message loss when using multiple deliveries + + +Exim version 4.72 +----------------- + +JJ/01 installed exipick 20100104.1, adding $max_received_linelength, + $data_path, and $header_path variables; fixed documentation bugs and + typos + +JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow + exipick to access non-standard spools, including the "frozen" queue + (Finput) + +NM/01 Bugzilla 965: Support mysql stored procedures. + Patch from Alain Williams + +NM/02 Bugzilla 961: Spacing fix (syntax error) on Makefile directives for NetBSD + +NM/03 Bugzilla 955: Documentation fix for max_rcpts. + Patch from Andreas Metzler + +NM/04 Bugzilla 954: Fix for unknown responses from Dovecot authenticator. + Patch from Kirill Miazine + +NM/05 Bugzilla 671: Added umask to procmail example. + +JJ/03 installed exipick 20100323.0, fixing doc bug + +NM/06 Bugzilla 988: CVE-2010-2023 - prevent hardlink attack on sticky mail + directory. Notification and patch from Dan Rosenberg. + +TK/01 PDKIM: Upgrade PolarSSL files to upstream version 0.12.1. + +TK/02 Improve log output when DKIM signing operation fails. + +MH/01 Treat the transport option dkim_domain as a colon separated + list, not as a single string, and sign the message with each element, + omitting multiple occurences of the same signer. + +NM/07 Null terminate DKIM strings, Null initialise DKIM variable + Bugzilla 985, 986. Patch by Simon Arlott + +NM/08 Bugzilla 967. dnsdb DNS TXT record bug fix (DKIM-related) + Patch by Simon Arlott + +PP/01 Bugzilla 989: CVE-2010-2024 - work round race condition on + MBX locking. Notification from Dan Rosenberg. + + +Exim version 4.71 +----------------- + +TK/01 Bugzilla 912: Fix DKIM segfault on empty headers/body. + +NM/01 Bugzilla 913: Documentation fix for gnutls_* options. + +NM/02 Bugzilla 722: Documentation for randint. Better randomness defaults. + +NM/03 Bugzilla 847: Enable DNSDB lookup by default. + +NM/04 Bugzilla 915: Flag broken perl installation during build. + + +Exim version 4.70 +----------------- + +TK/01 Added patch by Johannes Berg that expands the main option + "spamd_address" if it starts with a dollar sign. + +TK/02 Write list of recipients to X-Envelope-Sender header when building + the mbox-format spool file for content scanning (suggested by Jakob + Hirsch). + +TK/03 Added patch by Wolfgang Breyha that adds experimental DCC + (http://www.dcc-servers.net/) support via dccifd. Activated by + setting EXPERIMENTAL_DCC=yes in Local/Makefile. + +TK/04 Bugzilla 673: Add f-protd malware scanner support. Patch submitted + by Mark Daniel Reidel <mr@df.eu>. + +NM/01 Bugzilla 657: Embedded PCRE removed from the exim source tree. + When building exim an external PCRE library is now needed - + PCRE is a system library on the majority of modern systems. + See entry on PCRE_LIBS in EDITME file. + +NM/02 Bugzilla 646: Removed unwanted C/R in Dovecot authenticator + conversation. Added nologin parameter to request. + Patch contributed by Kirill Miazine. + +TF/01 Do not log submission mode rewrites if they do not change the address. + +TF/02 Bugzilla 662: Fix stack corruption before exec() in daemon.c. + +NM/03 Bugzilla 602: exicyclog now handles panic log, and creates empty + log files in place. Contributed by Roberto Lima. + +NM/04 Bugzilla 667: Close socket used by dovecot authenticator. + +TF/03 Bugzilla 615: When checking the local_parts router precondition + after a local_part_suffix or local_part_prefix option, Exim now + does not use the address's named list lookup cache, since this + contains cached lookups for the whole local part. + +NM/05 Bugzilla 521: Integrated SPF Best Guess support contributed by + Robert Millan. Documentation is in experimental-spec.txt. + +TF/04 Bugzilla 668: Fix parallel build (make -j). + +NM/05.2 Bugzilla 437: Prevent Maildir aux files being created with mode 000. + +NM/05.3 Bugzilla 598: Improvement to Dovecot authenticator handling. + Patch provided by Jan Srzednicki. + +TF/05 Leading white space used to be stripped from $spam_report which + wrecked the formatting. Now it is preserved. + +TF/06 Save $spam_score, $spam_bar, and $spam_report in spool files, so + that they are available at delivery time. + +TF/07 Fix the way ${extract is skipped in the untaken branch of a conditional. + +TF/08 TLS error reporting now respects the incoming_interface and + incoming_port log selectors. + +TF/09 Produce a more useful error message if an SMTP transport's hosts + setting expands to an empty string. + +NM/06 Bugzilla 744: EXPN did not work under TLS. + Patch provided by Phil Pennock. + +NM/07 Bugzilla 769: Extraneous comma in usage fprintf + Patch provided by Richard Godbee. + +NM/08 Fixed erroneous documentation references to smtp_notquit_acl to be + acl_smtp_notquit, added index entry. + +NM/09 Bugzilla 787: Potential buffer overflow in string_format. + Patch provided by Eugene Bujak. + +NM/10 Bugzilla 770: Problem on some platforms modifying the len parameter to + accept(). Patch provided by Maxim Dounin. + +NM/11 Bugzilla 749: Preserve old behaviour of blanks comparing equal to zero. + Patch provided by Phil Pennock. + +NM/12 Bugzilla 497: Correct behaviour of exiwhat when no config exists. + +NM/13 Bugzilla 590: Correct handling of Resent-Date headers. + Patch provided by Brad "anomie" Jorsch. + +NM/14 Bugzilla 622: Added timeout setting to transport filter. + Patch provided by Dean Brooks. + +TK/05 Add native DKIM support (does not depend on external libraries). + +NM/15 Bugzilla 854: Removed code that symlinks to pcre as its no longer useful. + Patch provided by Graeme Fowler. + +NM/16 Bugzilla 851: Documentation example syntax fix. + +NM/17 Changed NOTICE file to remove references to embedded PCRE. + +NM/18 Bugzilla 894: Fix issue with very long lines including comments in + lsearch. + +NM/19 Bugzilla 745: TLS version reporting. + Patch provided by Phil Pennock. + +NM/20 Bugzilla 167: bool: condition support. + Patch provided by Phil Pennock. + +NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken + clients. Patch provided by Phil Pennock. + +NM/22 Bugzilla 607: prepend (not append) Resent-Message-ID and Resent-Date. + Patch provided by Brad "anomie" Jorsch. + +NM/23 Bugzilla 687: Fix misparses in eximstats. + Patch provided by Heiko Schlittermann. + +NM/24 Bugzilla 688: Fix exiwhat to handle log_selector = +pid. + Patch provided by Heiko Schlittermann. + +NM/25 Bugzilla 727: Use transport mode as default mode for maildirsize file. + plus update to original patch. + +NM/26 Bugzilla 799: Documentation correction for ratelimit. + +NM/27 Bugzilla 802: Improvements to local interface IP addr detection. + Patch provided by David Brownlee. + +NM/28 Bugzilla 807: Improvements to LMTP delivery logging. + +NM/29 Bugzilla 862, 866, 875: Documentation bugfixes. + +NM/30 Bugzilla 888: TLS documentation bugfixes. + +NM/31 Bugzilla 896: Dovecot buffer overrun fix. + +NM/32 Bugzilla 889: Change all instances of "expr" in shell scripts to "expr --" + Unlike the original bugzilla I have changed all shell scripts in src tree. + +NM/33 Bugzilla 898: Transport filter timeout fix. + Patch by Todd Rinaldo. + +NM/34 Bugzilla 901: Fix sign/unsigned and UTF mismatches. + Patch by Serge Demonchaux. + +NM/35 Bugzilla 39: Base64 decode bug fixes. + Patch by Jakob Hirsch. + +NM/36 Bugzilla 909: Correct connect() call in dcc code. + +NM/37 Bugzilla 910: Correct issue with relaxed/simple handling. + +NM/38 Bugzilla 908: Removed NetBSD3 support as no longer needed. + +NM/39 Bugzilla 911: Fixed MakeLinks build script. + + +Exim version 4.69 +----------------- + +TK/01 Add preliminary DKIM support. Currently requires a forked version of + ALT-N's libdkim that I have put here: + http://duncanthrax.net/exim-experimental/ + + Note to Michael Haardt: I had to rename some vars in sieve.c. They + were called 'true' and it seems that C99 defines that as a reserved + keyword to be used with 'bool' variable types. That means you could + not include C99-style headers which use bools without triggering + build errors in sieve.c. + +NM/01 Bugzilla 592: --help option is handled incorrectly if exim is invoked + as mailq or other aliases. Changed the --help handling significantly + to do whats expected. exim_usage() emits usage/help information. + +SC/01 Added the -bylocaldomain option to eximstats. + +NM/02 Bugzilla 619: Defended against bad data coming back from gethostbyaddr. + +NM/03 Bugzilla 613: Documentation fix for acl_not_smtp. + +NM/04 Bugzilla 628: PCRE update to 7.4 (work done by John Hall). + + +Exim version 4.68 +----------------- + +PH/01 Another patch from the Sieve maintainer. + +PH/02 When an IPv6 address is converted to a string for single-key lookup + in an address list (e.g. for an item such as "net24-dbm;/net/works"), + dots are used instead of colons so that keys in lsearch files need not + contain colons. This was done some time before quoting was made available + in lsearch files. However, iplsearch files do require colons in IPv6 keys + (notated using the quote facility) so as to distinguish them from IPv4 + keys. This meant that lookups for IP addresses in host lists did not work + for iplsearch lookups. + + This has been fixed by arranging for IPv6 addresses to be expressed with + colons if the lookup type is iplsearch. This is not incompatible, because + previously such lookups could never work. + + The situation is now rather anomalous, since one *can* have colons in + ordinary lsearch keys. However, making the change in all cases is + incompatible and would probably break a number of configurations. + +TK/01 Change PRVS address formatting scheme to reflect latests BATV draft + version. + +MH/01 The "spam" ACL condition code contained a sscanf() call with a %s + conversion specification without a maximum field width, thereby enabling + a rogue spamd server to cause a buffer overflow. While nobody in their + right mind would setup Exim to query an untrusted spamd server, an + attacker that gains access to a server running spamd could potentially + exploit this vulnerability to run arbitrary code as the Exim user. + +TK/02 Bugzilla 502: Apply patch to make the SPF-Received: header use + $primary_hostname instead of what libspf2 thinks the hosts name is. + +MH/02 The dsearch lookup now uses lstat(2) instead of stat(2) to look for + a directory entry by the name of the lookup key. Previously, if a + symlink pointed to a non-existing file or a file in a directory that + Exim lacked permissions to read, a lookup for a key matching that + symlink would fail. Now it is enough that a matching directory entry + exists, symlink or not. (Bugzilla 503.) + +PH/03 The body_linecount and body_zerocount variables are now exported in the + local_scan API. + +PH/04 Added the $dnslist_matched variable. + +PH/05 Unset $tls_cipher and $tls_peerdn before making a connection as a client. + This means they are set thereafter only if the connection becomes + encrypted. + +PH/06 Added the client_condition to authenticators so that some can be skipped + by clients under certain conditions. + +PH/07 The error message for a badly-placed control=no_multiline_responses left + "_responses" off the end of the name. + +PH/08 Added -Mvc to output a copy of a message in RFC 2822 format. + +PH/09 Tidied the code for creating ratelimiting keys, creating them explicitly + (without spaces) instead of just copying the configuration text. + +PH/10 Added the /noupdate option to the ratelimit ACL condition. + +PH/11 Added $max_received_linelength. + +PH/12 Added +ignore_defer and +include_defer to host lists. + +PH/13 Installed PCRE version 7.2. This needed some changes because of the new + way in which PCRE > 7.0 is built. + +PH/14 Implemented queue_only_load_latch. + +PH/15 Removed an incorrect (int) cast when reading the value of SIZE in a + MAIL command. The effect was to mangle the value on 64-bit systems. + +PH/16 Another patch from the Sieve maintainer. + +PH/17 Added the NOTQUIT ACL, based on a patch from Ted Cooper. + +PH/18 If a system quota error occurred while trying to create the file for + a maildir delivery, the message "Mailbox is full" was not appended to the + bounce if the delivery eventually timed out. Change 4.67/27 below applied + only to a quota excession during the actual writing of the file. + +PH/19 It seems that peer DN values may contain newlines (and other non-printing + characters?) which causes problems in log lines. The DN values are now + passed through string_printing() before being added to log lines. + +PH/20 Added the "servers=" facility to MySQL and PostgreSQL lookups. (Oracle + and InterBase are left for another time.) + +PH/21 Added message_body_newlines option. + +PH/22 Guard against possible overflow in moan_check_errorcopy(). + +PH/23 POSIX allows open() to be a macro; guard against that. + +PH/24 If the recipient of an error message contained an @ in the local part + (suitably quoted, of course), incorrect values were put in $domain and + $local_part during the evaluation of errors_copy. + + +Exim version 4.67 +----------------- + +MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address + is unset (happens when testing with -bh and -oMi isn't used). Thanks to + Jan Srzednicki. + +PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not + issue a MAIL command. + +PH/02 In an ACL statement such as + + deny dnslists = X!=127.0.0.2 : X=127.0.0.2 + + if a client was not listed at all, or was listed with a value other than + 127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list, + the condition was not true (as it should be), so access was not denied. + The bug was that the ! inversion was incorrectly passed on to the second + item. This has been fixed. + +PH/03 Added additional dnslists conditions == and =& which are different from + = and & when the dns lookup returns more than one IP address. + +PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the + cipher suites used by GnuTLS. These options are ignored by OpenSSL. + +PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_ + FSYNC, which compiles an option called disable_fsync that allows for + bypassing fsync(). The documentation is heavily laced with warnings. + +SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket. + +PH/06 Some tidies to the infrastructure of the Test Suite that is concerned + with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT + to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile, + including adding "make clean"; (3) Added -fPIC when compiling the test + dynamically loaded module, to get rid of a warning. + +MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce + message fails, move_frozen_messages = true and ignore_bounce_errors_after + = 0s. The bug is otherwise harmless. + +PH/07 There was a bug in the dovecot authenticator such that the value of + $auth1 could be overwritten, and so not correctly preserved, after a + successful authentication. This usually meant that the value preserved by + the server_setid option was incorrect. + +PH/08 Added $smtp_count_at_connection_start, deliberately with a long name. + +PH/09 Installed PCRE release 7.0. + +PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being + run for batched SMTP input. It is now run at the start of every message + in the batch. While fixing this I discovered that the process information + (output by running exiwhat) was not always getting set for -bs and -bS + input. This is fixed, and it now also says "batched" for BSMTP. + +PH/11 Added control=no_pipelining. + +PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's + patch, slightly modified), and move the expansion of helo_data till after + the connection is made in the smtp transport (so it can use these + values). + +PH/13 Added ${rfc2047d: to decoded RFC 2047 strings. + +PH/14 Added log_selector = +pid. + +PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set. + +PH/16 Add ${if forany and ${if forall. + +PH/17 Added dsn_from option to vary the From: line in DSNs. + +PH/18 Flush SMTP output before performing a callout, unless control = + no_callout_flush is set. + +PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender + was true (the default) a successful delivery failed to delete the retry + item, thus causing premature timeout of the address. The bug is now + fixed. + +PH/20 Added hosts_avoid_pipelining to the smtp transport. + +PH/21 Long custom messages for fakedefer and fakereject are now split up + into multiline responses in the same way that messages for "deny" and + other ACL rejections are. + +PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep, + with slight modification. + +PH/23 Applied sieve patches from the maintainer "tracking the latest notify + draft, changing the syntax and factoring some duplicate code". + +PH/24 When the log selector "outgoing_port" was set, the port was shown as -1 + for deliveries of the second and subsequent messages over the same SMTP + connection. + +PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and + ${reduce, with only minor "tidies". + +SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match. + +PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its + expansion side effects. + +PH/27 When a message times out after an over-quota error from an Exim-imposed + quota, the bounce message says "mailbox is full". This message was not + being given when it was a system quota that was exceeded. It now should + be the same. + +MH/03 Made $recipients available in local_scan(). local_scan() already has + better access to the recipient list through recipients_list[], but + $recipients can be useful in postmaster-provided expansion strings. + +PH/28 The $smtp_command and $smtp_command_argument variables were not correct + in the case of a MAIL command with additional options following the + address, for example: MAIL FROM:<foo@bar> SIZE=1234. The option settings + were accidentally chopped off. + +PH/29 SMTP synchronization checks are implemented when a command is read - + there is a check that no more input is waiting when there shouldn't be + any. However, for some commands, a delay in an ACL can mean that it is + some time before the response is written. In this time, more input might + arrive, invalidly. So now there are extra checks after an ACL has run for + HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when + pipelining has not been advertised. + +PH/30 MH's patch to allow iscntrl() characters to be list separators. + +PH/31 Unlike :fail:, a custom message specified with :defer: was not being + returned in the SMTP response when smtp_return_error_details was false. + This has been fixed. + +PH/32 Change the Dovecot authenticator to use read() and write() on the socket + instead of the C I/O that was originally supplied, because problems were + reported on Solaris. + +PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in + Exim which did not show up earlier: it was assuming that a call to + SSL_CTX_set_info_callback() might give an error value. In fact, there is + no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback() + was a macro that became an assignment, so it seemed to work. This has + changed to a proper function call with a void return, hence the compile + error. Exim's code has been fixed. + +PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit + cpus. + +PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify". + +PH/36 Applied John Jetmore's patch to add -v functionality to exigrep. + +PH/37 If a message is not accepted after it has had an id assigned (e.g. + because it turns out to be too big or there is a timeout) there is no + "Completed" line in the log. When some messages of this type were + selected by exigrep, they were listed as "not completed". Others were + picked up by some special patterns. I have improved the selection + criteria to be more general. + +PH/38 The host_find_failed option in the manualroute router can now be set + to "ignore", to completely ignore a host whose IP address cannot be + found. If all hosts are ignored, the behaviour is controlled by the new + host_all_ignored option. + +PH/39 In a list of hosts for manualroute, if one item (either because of multi- + homing or because of multiple MX records with /mx) generated more than + one IP address, and the following item turned out to be the local host, + all the secondary addresses of the first item were incorrectly removed + from the list, along with the local host and any following hosts (which + is what is supposed to happen). + +PH/40 When Exim receives a message, it writes the login name, uid, and gid of + whoever called Exim into the -H file. In the case of the daemon it was + behaving confusingly. When first started, it used values for whoever + started the daemon, but after a SIGHUP it used the Exim user (because it + calls itself on a restart). I have changed the code so that it now always + uses the Exim user. + +PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a + message are rejected with the same error (e.g. no authentication or bad + sender address), and a DATA command is nevertheless sent (as can happen + with PIPELINING or a stupid MUA), the error message that was given to the + RCPT commands is included in the rejection of the DATA command. This is + intended to be helpful for MUAs that show only the final error to their + users. + +PH/42 Another patch from the Sieve maintainer. + +SC/02 Eximstats - Differentiate between permanent and temporary rejects. + Eximstats - Fixed some broken HTML links and added missing column headers + (Jez Hancock). + Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email + columns for Rejects, Temp Rejects, Ham, and Spam rows. + +SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables. + +PH/43 Yet another patch from the Sieve maintainer. + +PH/44 I found a way to check for a TCP/IP connection going away before sending + the response to the final '.' that terminates a message, but only in the + case where the client has not sent further data following the '.' + (unfortunately, this is allowed). However, in many cases there won't be + any further data because there won't be any more messages to send. A call + to select() can be used: if it shows that the input is "ready", there is + either input waiting, or the socket has been closed. An attempt to read + the next input character can distinguish the two cases. Previously, Exim + would have sent an OK response which the client would never have see. + This could lead to message repetition. This fix should cure that, at + least in a lot of common cases. + +PH/45 Do not advertise STARTTLS in response to HELP unless it would be + advertised in response to EHLO. + + +Exim version 4.66 +----------------- + +PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one + fixed by 4.65/MH/01 (is this a record?) are fixed: + + (i) An empty string was always treated as zero by the numeric comparison + operators. This behaviour has been restored. + + (ii) It is documented that the numeric comparison operators always treat + their arguments as decimal numbers. This was broken in that numbers + starting with 0 were being interpreted as octal. + + While fixing these problems I realized that there was another issue that + hadn't been noticed. Values of message_size_limit (both the global option + and the transport option) were treated as octal if they started with 0. + The documentation was vague. These values are now always treated as + decimal, and I will make that clear in the documentation. + + +Exim version 4.65 +----------------- + +TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with + Linux large file support (_FILE_OFFSET_BITS=64) on older glibc + versions. (#438) + +MH/01 Don't check that the operands of numeric comparison operators are + integers when their expansion is in "skipping" mode (fixes bug + introduced by 4.64-PH/07). + +PH/01 If a system filter or a router generates more than SHRT_MAX (32767) + child addresses, Exim now panics and dies. Previously, because the count + is held in a short int, deliveries were likely to be lost. As such a + large number of recipients for a single message is ridiculous + (performance will be very, very poor), I have chosen to impose a limit + rather than extend the field. + + +Exim version 4.64 +----------------- + +TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a + leftover -K file (the existence of which was triggered by #402). + While we were at it, introduced process PID as part of the -K + filename. This should rule out race conditions when creating + these files. + +TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing + processing considerably. Previous code took too long for large mails, + triggering a timeout which in turn triggers #401. + +TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used + in the DK code in transports.c. sendfile() is not really portable, + hence the _LINUX specificness. + +TF/01 In the add_headers option to the mail command in an Exim filter, + there was a bug that Exim would claim a syntax error in any + header after the first one which had an odd number of characters + in the field name. + +PH/01 If a server that rejects MAIL FROM:<> was the target of a sender + callout verification, Exim cached a "reject" for the entire domain. This + is correct for most verifications, but it is not correct for a recipient + verification with use_sender or use_postmaster set, because in that case + the callout does not use MAIL FROM:<>. Exim now distinguishes the special + case of MAIL FROM:<> rejection from other early rejections (e.g. + rejection of HELO). When verifying a recipient using a non-null MAIL + address, the cache is ignored if it shows MAIL FROM:<> rejection. + Whatever the result of the callout, the value of the domain cache is + left unchanged (for any other kind of callout, getting as far as trying + RCPT means that the domain itself is ok). + +PH/02 Tidied a number of unused variable and signed/unsigned warnings that + gcc 4.1.1 threw up. + +PH/03 On Solaris, an unexpectedly close socket (dropped connection) can + manifest itself as EPIPE rather than ECONNECT. When tidying away a + session, the daemon ignores ECONNECT errors and logs others; it now + ignores EPIPE as well. + +PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c + (quoted-printable decoding). + +PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and + later the small subsequent patch to fix an introduced bug. + +PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer. + +PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}. + +PH/08 An error is now given if message_size_limit is specified negative. + +PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables + to be given (somewhat) arbitrary names. + +JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced + in 4.64-PH/09. + +JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions, + miscellaneous code fixes + +PH/10 Added the log_reject_target ACL modifier to specify where to log + rejections. + +PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_ + hostname. This is wrong, because it relates to the incoming message (and + probably the interface on which it is arriving) and not to the outgoing + callout (which could be using a different interface). This has been + changed to use the value of the helo_data option from the smtp transport + instead - this is what is used when a message is actually being sent. If + there is no remote transport (possible with a router that sets up host + addresses), $smtp_active_hostname is used. + +PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various + tweaks were necessary in order to get it to work (see also 21 below): + (a) The code assumed that strncpy() returns a negative number on buffer + overflow, which isn't the case. Replaced with Exim's string_format() + function. + (b) There were several signed/unsigned issues. I just did the minimum + hacking in of casts. There is scope for a larger refactoring. + (c) The code used strcasecmp() which is not a standard C function. + Replaced with Exim's strcmpic() function. + (d) The code set only $1; it now sets $auth1 as well. + (e) A simple test gave the error "authentication client didn't specify + service in request". It would seem that Dovecot has changed its + interface. Fortunately there's a specification; I followed it and + changed what the client sends and it appears to be working now. + +PH/13 Added $message_headers_raw to provide the headers without RFC 2047 + decoding. + +PH/14 Corrected misleading output from -bv when -v was also used. Suppose the + address A is aliased to B and C, where B exists and C does not. Without + -v the output is "A verified" because verification stops after a + successful redirection if more than one address is generated. However, + with -v the child addresses are also verified. Exim was outputting "A + failed to verify" and then showing the successful verification for C, + with its parentage. It now outputs "B failed to verify", showing B's + parentage before showing the successful verification of C. + +PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to + look up a TXT record in a specific list after matching in a combined + list. + +PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and + RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when + they consult the DNS. I had assumed they would set it the way they + wanted; and indeed my experiments on Linux seem to show that in some + cases they do (I could influence IPv6 lookups but not IPv4 lookups). + To be on the safe side, however, I have now made the interface to + host_find_byname() similar to host_find_bydns(), with an argument + containing the DNS resolver options. The host_find_byname() function now + sets these options at its start, just as host_find_bydns() does. The smtp + transport options dns_qualify_single and dns_search_parents are passed to + host_find_byname() when gethostbyname=TRUE in this transport. Other uses + of host_find_byname() use the default settings of RES_DEFNAMES + (qualify_single) but not RES_DNSRCH (search_parents). + +PH/17 Applied (a modified version of) Nico Erfurth's patch to make + spool_read_header() do less string testing, by means of a preliminary + switch on the second character of optional "-foo" lines. (This is + overdue, caused by the large number of possibilities that now exist. + Originally there were few.) While I was there, I also converted the + str(n)cmp tests so they don't re-test the leading "-" and the first + character, in the hope this might squeeze out yet more improvement. + +PH/18 Two problems with "group" syntax in header lines when verifying: (1) The + flag allowing group syntax was set by the header_syntax check but not + turned off, possible causing trouble later; (2) The flag was not being + set at all for the header_verify test, causing "group"-style headers to + be rejected. I have now set it in this case, and also caused header_ + verify to ignore an empty address taken from a group. While doing this, I + came across some other cases where the code for allowing group syntax + while scanning a header line wasn't quite right (mostly, not resetting + the flag correctly in the right place). These bugs could have caused + trouble for malformed header lines. I hope it is now all correct. + +PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called + with the "reply" argument non-NULL. The code, however (which originally + came from elsewhere) had *some* tests for NULL when it wrote to *reply, + but it didn't always do it. This confused somebody who was copying the + code for some other use. I have removed all the tests. + +PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a + feature that was used to support insecure browsers during the U.S. crypto + embargo. It requires special client support, and Exim is probably the + only MTA that supported it -- and would never use it because real RSA is + always available. This code has been removed, because it had the bad + effect of slowing Exim down by computing (never used) parameters for the + RSA_EXPORT functionality. + +PH/21 On the advice of Timo Sirainen, added a check to the dovecot + authenticator to fail if there's a tab character in the incoming data + (there should never be unless someone is messing about, as it's supposed + to be base64-encoded). Also added, on Timo's advice, the "secured" option + if the connection is using TLS or if the remote IP is the same as the + local IP, and the "valid-client-cert option" if a client certificate has + been verified. + +PH/22 As suggested by Dennis Davis, added a server_condition option to *all* + authenticators. This can be used for authorization after authentication + succeeds. (In the case of plaintext, it servers for both authentication + and authorization.) + +PH/23 Testing for tls_required and lost_connection in a retry rule didn't work + if any retry times were supplied. + +PH/24 Exim crashed if verify=helo was activated during an incoming -bs + connection, where there is no client IP address to check. In this + situation, the verify now always succeeds. + +PH/25 Applied John Jetmore's -Mset patch. + +PH/26 Added -bem to be like -Mset, but loading a message from a file. + +PH/27 In a string expansion for a processed (not raw) header when multiple + headers of the same name were present, leading whitespace was being + removed from all of them, but trailing whitespace was being removed only + from the last one. Now trailing whitespace is removed from each header + before concatenation. Completely empty headers in a concatenation (as + before) are ignored. + +PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John + Jetmore). It would have mis-read ACL variables from pre-4.61 spool files. + +PH/29 [Removed. This was a change that I later backed out, and forgot to + correct the ChangeLog entry (that I had efficiently created) before + committing the later change.] + +PH/30 Exim was sometimes attempting to deliver messages that had suffered + address errors (4xx response to RCPT) over the same connection as other + messages routed to the same hosts. Such deliveries are always "forced", + so retry times are not inspected. This resulted in far too many retries + for the affected addresses. The effect occurred only when there were more + hosts than the hosts_max_try setting in the smtp transport when it had + the 4xx errors. Those hosts that it had tried were not added to the list + of hosts for which the message was waiting, so if all were tried, there + was no problem. Two fixes have been applied: + + (i) If there are any address or message errors in an SMTP delivery, none + of the hosts (tried or untried) are now added to the list of hosts + for which the message is waiting, so the message should not be a + candidate for sending over the same connection that was used for a + successful delivery of some other message. This seems entirely + reasonable: after all the message is NOT "waiting for some host". + This is so "obvious" that I'm not sure why it wasn't done + previously. Hope I haven't missed anything, but it can't do any + harm, as the worst effect is to miss an optimization. + + (ii) If, despite (i), such a delivery is accidentally attempted, the + routing retry time is respected, so at least it doesn't keep + hammering the server. + +PH/31 Installed Andrew Findlay's patch to close the writing end of the socket + in ${readsocket because some servers need this prod. + +PH/32 Added some extra debug output when updating a wait-xxx database. + +PH/33 The hint "could be header name not terminated by colon", which has been + given for certain expansion errors for a long time, was not being given + for the ${if def:h_colon_omitted{... case. + +PH/34 The spec says: "With one important exception, whenever a domain list is + being scanned, $domain contains the subject domain." There was at least + one case where this was not true. + +PH/35 The error "getsockname() failed: connection reset by peer" was being + written to the panic log as well as the main log, but it isn't really + panic-worthy as it just means the connection died rather early on. I have + removed the panic log writing for the ECONNRESET error when getsockname() + fails. + +PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue + runs only) independently of the message's sender address. This meant + that, if the 4xx error was in fact related to the sender, a different + message to the same recipient with a different sender could confuse + things. In particular, this can happen when sending to a greylisting + server, but other circumstances could also provoke similar problems. + I have changed the default so that the retry time for these errors is now + based a combination of the sender and recipient addresses. This change + can be overridden by setting address_retry_include_sender=false in the + smtp transport. + +PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the + remote server are returned as part of bounce messages. This was not + happening for LMTP over a pipe (the lmtp transport), but now it is the + same for both kinds of LMTP. + +PH/38 Despite being documented as not happening, Exim was rewriting addresses + in header lines that were in fact CNAMEs. This is no longer the case. + +PH/39 If -R or -S was given with -q<time>, the effect of -R or -S was ignored, + and queue runs started by the daemon processed all messages. This has + been fixed so that -R and -S can now usefully be given with -q<time>. + +PH/40 Import PCRE release 6.7 (fixes some bugs). + +PH/41 Add bitwise logical operations to eval (courtesy Brad Jorsch). + +PH/42 Give an error if -q is specified more than once. + +PH/43 Renamed the variables $interface_address and $interface_port as + $received_ip_address and $received_port, to make it clear that these + values apply to message reception, and not to the outgoing interface when + a message is delivered. (The old names remain recognized, of course.) + +PH/44 There was no timeout on the connect() call when using a Unix domain + socket in the ${readsocket expansion. There now is. + +PH/45 Applied a modified version of Brad Jorsch's patch to allow "message" to + be meaningful with "accept". + +SC/01 Eximstats V1.43 + Bug fix for V1.42 with -h0 specified. Spotted by Chris Lear. + +SC/02 Eximstats V1.44 + Use a glob alias rather than an array ref in the generated + parser. This improves both readability and performance. + +SC/03 Eximstats V1.45 (Marco Gaiarin / Steve Campbell) + Collect SpamAssassin and rejection statistics. + Don't display local sender or destination tables unless + there is data to show. + Added average volumes into the top table text output. + +SC/04 Eximstats V1.46 + Collect data on the number of addresses (recipients) + as well as the number of messages. + +SC/05 Eximstats V1.47 + Added 'Message too big' to the list of mail rejection + reasons (thanks to Marco Gaiarin). + +SC/06 Eximstats V1.48 + Mainlog lines which have GMT offsets and are too short to + have a flag are now skipped. + +SC/07 Eximstats V1.49 (Alain Williams) + Added the -emptyok flag. + +SC/08 Eximstats V1.50 + Fixes for obtaining the IP address from reject messages. + +JJ/03 exipick.20061117.2, made header handling as similar to exim as possible + (added [br]h_ prefixes, implemented RFC2047 decoding. Fixed + whitespace changes from 4.64-PH/27 + +JJ/04 exipick.20061117.2, fixed format and added $message_headers_raw to + match 4.64-PH/13 + +JJ/05 exipick.20061117.2, bug fixes (error out sooner when invalid criteria + are found, allow negative numbers in numeric criteria) + +JJ/06 exipick.20061117.2, added new $message_body_missing variable + +JJ/07 exipick.20061117.2, added $received_ip_address and $received_port + to match changes made in 4.64-PH/43 + +PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm. + +PH/47 Put in an explicit test for a DNS lookup of an address record where the + "domain" is actually an IP address, and force a failure. This locks out + those revolvers/nameservers that support "A-for-A" lookups, in + contravention of the specifications. + +PH/48 When a host name was looked up from an IP address, and the subsequent + forward lookup of the name timed out, the host name was left in + $sender_host_name, contrary to the specification. + +PH/49 Although default lookup types such as lsearch* or cdb*@ have always been + restricted to single-key lookups, Exim was not diagnosing an error if + * or *@ was used with a query-style lookup. + +PH/50 Increased the value of DH_BITS in tls-gnu.c from 768 to 1024. + +MH/01 local_scan ABI version incremented to 1.1. It should have been updated + long ago, but noone interested enough thought of it. Let's just say that + the "1.1" means that there are some new functions that weren't there at + some point in the past. + +PH/51 Error processing for expansion failure of helo_data from an smtp + transport during callout processing was broken. + +PH/52 Applied John Jetmore's patch to allow tls-on-connect and STARTTLS to be + tested/used via the -bh/-bhc/-bs options. + +PH/53 Added missing "#include <time.h>" to pcre/pcretest.c (this was a PCRE + bug, fixed in subsequent PCRE releases). + +PH/54 Applied Robert Bannocks' patch to avoid a problem with references that + arises when using the Solaris LDAP libraries (but not with OpenLDAP). + +PH/55 Check for a ridiculously long file name in exim_dbmbuild. + + +Exim version 4.63 +----------------- + +SC/01 Use a glob alias rather than an array ref in eximstats generated + parser. This improves both readability and performance. + +SC/02 Collect SpamAssassin and rejection statistics in eximstats. + Don't display local sender or destination tables in eximstats unless + there is data to show. + Added average volumes into the eximstats top table text output. + +SC/03 Collect data on the number of addresses (recipients) as well + as the number of messages in eximstats. + +TF/01 Correct an error in the documentation for the redirect router. Exim + does (usually) call initgroups() when daemonizing. + +TF/02 Call initgroups() when dropping privilege in exim.c, so that Exim runs + with consistent privilege compared to when running as a daemon. + +TF/03 Note in the spec that $authenticated_id is not set for local + submissions from trusted users. + +TF/04 The ratelimit per_rcpt option now works correctly in acl_not_smtp. + Thanks to Dean Brooks <dean@iglou.com> for the patch. + +TF/05 Make it easier to get SMTP authentication and TLS/SSL support working + by adding some example configuration directives to the default + configuration file. A little bit of work is required to uncomment the + directives and define how usernames and passwords are checked, but + there is now a framework to start from. + +PH/01 Added #define LDAP_DEPRECATED 1 to ldap.c because some of the "old" + functions that Exim currently uses aren't defined in ldap.h for OpenLDAP + without this. I don't know how relevant this is to other LDAP libraries. + +PH/02 Add the verb name to the "unknown ACL verb" error. + +PH/03 Magnus Holmgren's patch for filter_prepend_home. + +PH/03 Fixed Bugzilla #101: macro definition between ACLs doesn't work. + +PH/04 Applied Magnus Holmgren's patch to fix Bugzilla #98: transport's home + directory not expanded when it should be if an expanded home directory + was set for the address (which is overridden by the transport). + +PH/05 Applied Alex Kiernan's patch to fix Bugzilla #99: a problem with + libradius. + +PH/06 Added acl_not_smtp_start, based on Johannes Berg's patch, and set the + bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL, + because it is too late at that time, and has no effect. + +PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a + security issue with \' (bugzilla #107). I could not use the + PQescapeStringConn() function, because it needs a PGconn value as one of + its arguments. + +PH/08 When testing addresses using -bt, indicate those final addresses that + are duplicates that would not cause an additional delivery. At least one + person was confused, thinking that -bt output corresponded to deliveries. + (Suppressing duplicates isn't a good idea as you lose the information + about possibly different redirections that led to the duplicates.) + +PH/09 Applied patch from Erik to use select() instead of poll() in spam.c on + systems where poll() doesn't work, in particular OS X. + +PH/10 Added more information to debugging output for retry time not reached. + +PH/11 Applied patch from Arkadiusz Miskiewicz to apply a timeout to read + operations in malware.c. + +PH/12 Applied patch from Magnus Holmgren to include the "h" tag in Domain Keys + signatures. + +PH/13 If write_rejectlog was set false when logging was sent to syslog with + syslog_duplication set false, log lines that would normally be written + both the the main log and to the reject log were not written to syslog at + all. + +PH/14 In the default configuration, change the use of "message" in ACL warn + statements to "add_header". + +PH/15 Diagnose a filter syntax error for "seen", "unseen", or "noerror" if not + not followed by a command (e.g. "seen endif"). + +PH/16 Recognize SMTP codes at the start of "message" in ACLs and after :fail: + and :defer: in a redirect router. Add forbid_smtp_code to suppress the + latter. + +PH/17 Added extra conditions to the default value of delay_warning_condition + so that it is now: + + ${if or { \ + { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} } \ + { match{$h_precedence:}{(?i)bulk|list|junk} } \ + { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} } \ + }{no}{yes}} + + The Auto-Submitted: and various List- headers are standardised, whereas I + don't think Precedence: ever was. + +PH/18 Refactored debugging code in route_finduser() to show more information, + in particular, the error code if getpwnam() issues one. + +PH/19 Added PQsetClientEncoding(conn, "SQL_ASCII") to the pgsql code module. + This is apparently needed in addition to the PH/07 change above to avoid + any possible encoding problems. + +PH/20 Perl can change the locale. Exim was resetting it after a ${perl call, + but not after initializing Perl. + +PH/21 Added a call to PQsetNoticeProcessor() to catch pgsql "notices" and + output them only if debugging. By default they are written stderr, + apparently, which is not desirable. + +PH/22 Added Alain Williams' LDAP patch to support setting REFERRALS=off on + queries. + +JJ/01 exipick: added --reverse (and -R synonym), --random, --size, --sort and + --not options + +JJ/02 exipick: rewrote --help documentation to hopefully make more clear. + +PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is + authenticated or an ident call has been made. Suppress the default + values for $authenticated_id and $authenticated_sender (but permit -oMai + and -oMas) when testing with -bh. + +PH/24 Re-jigged the order of the tests in the default configuration so that the + tests for valid domains and recipients precede the DNS black list and CSA + tests, on the grounds that those ones are more expensive. + +PH/25 Exim was not testing for a space following SMTP commands such as EHLO + that require one. Thus, EHLORHUBARB was interpreted as a valid command. + This bug exists in every version of Exim that I still have, right back to + 0.12. + +PH/26 (n)wildlsearch lookups are documented as being done case-insensitively. + However, an attempt to turn on case-sensitivity in a regex key by + including (?-i) didn't work because the subject string was already + lowercased, and the effects were non-intuitive. It turns out that a + one-line patch can be used to allow (?-i) to work as expected. + + +Exim version 4.62 +----------------- + +TF/01 Fix the add_header change below (4.61 PH/55) which had a bug that (amongst + other effects) broke the use of negated acl sub-conditions. + +PH/01 ${readsocket now supports Internet domain sockets (modified John Jetmore + patch). + +PH/02 When tcp-wrappers is called from Exim, it returns only "deny" or "allow". + "Deny" causes Exim to reject the incoming connection with a 554 error. + Unfortunately, if there is a major crisis, such as a disk failure, + tcp-wrappers gives "deny", whereas what one would like would be some + kind of temporary error. A kludge has been added to help with this. + Before calling hosts_ctl(), errno is set zero. If the result is "deny", a + 554 error is used if errno is still zero or contains ENOENT (which occurs + if either of the /etc/hosts.{allow,deny} files is missing). Otherwise, a + 451 error is used. + +PH/03 Add -lutil to the default FreeBSD LIBS setting. + +PH/04 Change PH/19 for 4.61 was too wide. It should not be applied to host + errors. Otherwise a message that provokes a temporary error (when other + messages do not) can cause a whole host to time out. + +PH/05 Batch deliveries by appendfile and pipe transports did not work when the + addresses were routed directly to files or pipes from a redirect router. + File deliveries just didn't batch; pipe deliveries might have suffered + odd errors. + +PH/06 A failure to get a lock for a hints database would erroneously always say + "Failed to get write lock", even when it was really a read lock. + +PH/07 The appendfile transport was creating MBX lock files with a fixed mode + of 0600. This has been changed to use the value of the lockfile_mode + option (which defaults to 0600). + +PH/08 Applied small patch from the Sieve maintainer. + +PH/09 If maildir_quota_directory_regex was set to exclude (say) the .Trash + folder from quota calculations, a direct delivery into this folder messed + up the contents of the maildirsize file. This was because the regex was + used only to exclude .Trash (or whatever) when the size of the mailbox + was calculated. There was no check that a delivery was happening into an + excluded directory. This bug has been fixed by ignoring all quota + processing for deliveries into excluded directories. + +PH/10 Added the maildirfolder_create_regex option to appendfile. + + +Exim version 4.61 +----------------- + +PH/01 The code for finding all the local interface addresses on a FreeBSD + system running IPv6 was broken. This may well have applied to all BSD + systems, as well as to others that have similar system calls. The broken + code found IPv4 interfaces correctly, but gave incorrect values for the + IPv6 interfaces. In particular, ::1 was not found. The effect in Exim was + that it would not match correctly against @[] and not recognize the IPv6 + addresses as local. + +PH/02 The ipliteral router was not recognizing addresses of the form user@ + [ipv6:....] because it didn't know about the "ipv6:" prefix. + +PH/03 Added disable_ipv6. + +PH/04 Changed $reply_address to use the raw form of the headers instead of the + decoded form, because it is most often used to construct To: headers + lines in autoreplies, and the decoded form may well be syntactically + invalid. However, $reply_address has leading white space removed, and all + newlines turned into spaces so that the autoreply transport does not + grumble. + +PH/05 If group was specified without a user on a router, and no group or user + was specified on a transport, the group from the router was ignored. + +PH/06 Increased the number of ACL variables to 20 of each type, and arranged + for visible compile-time settings that can be used to change these + numbers, for those that want even more. Backwards compatibility with old + spool files has been maintained. However, going back to a previous Exim + release will lost any variables that are in spool files. + +PH/07 Two small changes when running in the test harness: increase delay when + passing a TCP/IP connection to a new process, in case the original + process has to generate a bounce, and remove special handling of + 127.0.0.2 (sic), which is no longer necessary. + +PH/08 Changed debug output of dbfn_open() flags from numbers to names, so as to + be the same on different OS. + +PH/09 Moved a debug statement in filter processing to avoid a race problem when + testing. + +JJ/01 exipick: fixed bug where -b (brief) output option showed "Vars:" + whether --show-vars was specified or not + +JJ/02 exipick: Added support for new ACL variable spool format introduced + in 4.61-PH/06 + +PH/10 Fixed another bug related to PH/04 above: if an incoming message had a + syntactically invalid From: or Reply-to: line, and a filter used this to + generate an autoreply, and therefore failed to obtain an address for the + autoreply, Exim could try to deliver to a non-existent relative file + name, causing unrelated and misleading errors. What now happens is that + it logs this as a hard delivery error, but does not attempt to create a + bounce message. + +PH/11 The exinext utility has a -C option for testing purposes, but although + the given file was scanned by exinext itself; it wasn't being passed on + when Exim was called. + +PH/12 In the smtp transport, treat an explicit ECONNRESET error the same as + an end-of-file indication when reading a command response. + +PH/13 Domain literals for IPv6 were not recognized unless IPv6 support was + compiled. In many other places in Exim, IPv6 addresses are always + recognized, so I have changed this. It also means that IPv4 domain + literals of the form [IPV4:n.n.n.n] are now always recognized. + +PH/14 When a uid/gid is specified for the queryprogram router, it cannot be + used if the router is not running as root, for example, when verifying at + ACL time, or when using -bh. The debugging output from this situation was + non-existent - all you got was a failure to exec. I have made two + changes: + + (a) Failures to set uid/gid, the current directory, or a process leader + in a subprocess such as that created by queryprogram now generate + suitable debugging output when -d is set. + + (b) The queryprogram router detects when it is not running as root, + outputs suitable debugging information if -d is set, and then runs + the subprocess without attempting to change uid/gid. + +PH/15 Minor change to Makefile for building test_host (undocumented testing + feature). + +PH/16 As discussed on the list in Nov/Dec: Exim no longer looks at the + additional section of a DNS packet that returns MX or SRV records. + Instead, it always explicitly searches for A/AAAA records. This avoids + major problems that occur when a DNS server includes only records of one + type (A or AAAA) in an MX/SRV packet. A byproduct of this change has + fixed another bug: if SRV records were looked up and the corresponding + address records were *not* found in the additional section, the port + values from the SRV records were lost. + +PH/17 If a delivery to a pipe, file, or autoreply was deferred, Exim was not + using the correct key (the original address) when searching the retry + rules in order to find which one to use for generating the retry hint. + +PH/18 If quota_warn_message contains a From: header, Exim now refrains from + adding the default one. Similarly, if it contains a Reply-To: header, the + errors_reply_to option, if set, is not used. + +PH/19 When calculating a retry time, Exim used to measure the "time since + failure" by looking at the "first failed" field in the retry record. Now + it does not use this if it is later than than the arrival time of the + message. Instead it uses the arrival time. This makes for better + behaviour in cases where some deliveries succeed, thus re-setting the + "first failed" field. An example is a quota failure for a huge message + when small messages continue to be delivered. Without this change, the + "time since failure" will always be short, possible causing more frequent + delivery attempts for the huge message than are intended. + [Note: This change was subsequently modified - see PH/04 for 4.62.] + +PH/20 Added $auth1, $auth2, $auth3 to contain authentication data (as well as + $1, $2, $3) because the numerical variables can be reset during some + expansion items (e.g. "match"), thereby losing the authentication data. + +PH/21 Make -bV show the size of off_t variables so that the test suite can + decide whether to run tests for quotas > 2G. + +PH/22 Test the values given for quota, quota_filecount, quota_warn_threshold, + mailbox_size, and mailbox_filecount in the appendfile transport. If a + filecount value is greater than 2G or if a quota value is greater than 2G + on a system where the size of off_t is not greater than 4, a panic error + is given. + +PH/23 When a malformed item such as 1.2.3/24 appears in a host list, it can + never match. The debug and -bh output now contains an explicit error + message indicating a malformed IPv4 address or mask. + +PH/24 An host item such as 1.2.3.4/abc was being treated as the IP address + 1.2.3.4 without a mask. Now it is not recognized as an IP address, and + PH/23 above applies. + +PH/25 Do not write to syslog when running in the test harness. The only + occasion when this arises is a failure to open the main or panic logs + (for which there is an explicit test). + +PH/26 Added the /no_tell option to "control=freeze". + +PH/27 If a host name lookup failed very early in a connection, for example, if + the IP address matched host_lookup and the reverse lookup yielded a name + that did not have a forward lookup, an error message of the form "no IP + address found for host xxx.xxx.xxx (during SMTP connection from NULL)" + could be logged. Now it outputs the IP address instead of "NULL". + +PH/28 An enabling patch from MH: add new function child_open_exim2() which + allows the sender and the authenticated sender to be set when + submitting a message from within Exim. Since child_open_exim() is + documented for local_scan(), the new function should be too. + +PH/29 In GnuTLS, a forced expansion failure for tls_privatekey was not being + ignored. In both GnuTLS and OpenSSL, an expansion of tls_privatekey that + results in an empty string is now treated as unset. + +PH/30 Fix eximon buffer overflow bug (Bugzilla #73). + +PH/31 Added sender_verify_fail logging option. + +PH/32 In November 2003, the code in Exim that added an empty Bcc: header when + needed by RFC 822 but not by RFC 2822 was commented out. I have now + tidied the source and removed it altogether. + +PH/33 When a queue run was abandoned because the load average was too high, a + log line was always written; now it is written only if the queue_run log + selector is set. In addition, the log line for abandonment now contains + information about the queue run such as the pid. This is always present + in "start" and "stop" lines but was omitted from the "abandon" line. + +PH/34 Omit spaces between a header name and the colon in the error message that + is given when verify = headers_syntax fails (if there are lots of them, + the message gets confusing). + +PH/35 Change the default for dns_check_names_pattern to allow slashes within + names, as there are now some PTR records that contain slashes. This check + is only to protect against broken name servers that fall over on strange + characters, so the fact that it applies to all lookups doesn't matter. + +PH/36 Now that the new test suite is complete, we can remove some of the + special code in Exim that was needed for the old test suite. For example, + sorting DNS records because real resolvers return them in an arbitrary + order. The new test suite's fake resolver always returns records in the + same order. + +PH/37 When running in the test harness, use -odi for submitted messages (e.g. + bounces) except when queue_only is set, to avoid logging races between + the different processes. + +PH/38 Panic-die if .include specifies a non-absolute path. + +PH/39 A tweak to the "H" retry rule from its user. + +JJ/03 exipick: Removed parentheses from 'next' and 'last' calls that specified + a label. They prevented compilation on older perls. + +JJ/04 exipick: Refactored code to prevent implicit split to @_ which caused + a warning to be raised on newish perls. + +JJ/05 exipick: Fixed bug where -bpc always showed a count of all messages + on queue. Changes to match documented behaviour of showing count of + messages matching specified criteria. + +PH/40 Changed the default ident timeout from 30s to 5s. + +PH/41 Added support for the use of login_cap features, on those BSD systems + that have them, for controlling the resources used by pipe deliveries. + +PH/42 The content-scanning code uses fopen() to create files in which to put + message data. Previously it was not paying any attention to the mode of + the files. Exim runs with umask(0) because the rest of the code creates + files with open(), and sets the required mode explicitly. Thus, these + files were ending up world-writeable. This was not a big issue, because, + being within the spool directory, they were not world-accessible. I have + created a function called modefopen, which takes an additional mode + argument. It sets umask(777), creates the file, chmods it to the required + mode, then resets the umask. All the relevant calls to fopen() in the + content scanning code have been changed to use this function. + +PH/43 If retry_interval_max is set greater than 24 hours, it is quietly reset + to 24 hours. This avoids potential overflow problems when processing G + and H retry rules. I suspect nobody ever tinkers with this value. + +PH/44 Added STRIP_COMMAND=/usr/bin/strip to the FreeBSD Makefile. + +PH/45 When the plaintext authenticator is running as a client, the server's + challenges are checked to ensure they are valid base64 strings. By + default, the authentication attempt is cancelled if an invalid string is + received. Setting client_ignore_invalid_base64 true ignores these errors. + The decoded challenge strings are now placed in $auth1, $auth2, etc. as + they are received. Thus, the responses can be made to depend on the + challenges. If an invalid string is ignored, an empty string is placed in + the variable. + +PH/46 Messages that are created by the autoreply transport now contains a + References: header, in accordance with RFCs 2822 and 3834. + +PH/47 Added authenticated_sender_force to the smtp transport. + +PH/48 The ${prvs expansion was broken on systems where time_t was long long. + +PH/49 Installed latest patch from the Sieve maintainer. + +PH/50 When an Exim quota was set without a file count quota, and mailbox_size + was also set, the appendfile transport was unnecessarily scanning a + directory of message files (e.g. for maildir delivery) to find the count + of files (along with the size), even though it did not need this + information. It now does the scan only if it needs to find either the + size of the count of files. + +PH/51 Added ${time_eval: to convert Exim time strings into seconds. + +PH/52 Two bugs concerned with error handling when the smtp transport is + used in LMTP mode: + + (i) Exim was not creating retry information for temporary errors given + for individual recipients after the DATA command when the smtp transport + was used in LMTP mode. This meant that they could be retried too + frequently, and not timed out correctly. + + (ii) Exim was setting the flag that allows error details to be returned + for LMTP errors on RCPT commands, but not for LMTP errors for individual + recipients that were returned after the DATA command. + +PH/53 This is related to PH/52, but is more general: for any failing address, + when detailed error information was permitted to be returned to the + sender, but the error was temporary, then after the final timeout, only + "retry timeout exceeded" was returned. Now it returns the full error as + well as "retry timeout exceeded". + +PH/54 Added control=allow_auth_unadvertised, as it seems there are clients that + do this, and (what is worse) MTAs that accept it. + +PH/55 Added the add_header modified to ACLs. The use of "message" with "warn" + will now be deprecated. + +PH/56 New os.c-cygwin from the Cygwin maintainer. + +JJ/06 exipick: added --unsorted option to allow unsorted output in all output + formats (previously only available in exim formats via -bpr, -bpru, + and -bpra. Now also available in native and exiqgrep formats) + +JJ/07 exipick: added --freeze and --thaw options to allow faster interaction + with very large, slow to parse queues + +JJ/08 exipick: added ! as generic prefix to negate any criteria format + +JJ/09 exipick: miscellaneous performance enhancements (~24% improvements) + +PH/57 Tidies in SMTP dialogue display in debug output: (i) It was not showing + responses to authentication challenges, though it was showing the + challenges; (ii) I've removed the CR characters from the debug output for + SMTP output lines. + +PH/58 Allow for the insertion of a newline as well as a space when a string + is turned into more than one encoded-word during RFC 2047 encoding. The + Sieve code now uses this. + +PH/59 Added the following errors that can be detected in retry rules: mail_4xx, + data_4xx, lost_connection, tls_required. + +PH/60 When a VRFY deferred or FAILED, the log message rather than the user + message was being sent as an SMTP response. + +PH/61 Add -l and -k options to exicyclog. + +PH/62 When verifying, if an address was redirected to one new address, so that + verification continued, and the new address failed or deferred after + having set something in $address_data, the value of $address_data was not + passed back to the ACL. This was different to the case when no + redirection occurred. The value is now passed back in both cases. + +PH/63 Changed the macro HAVE_LOGIN_CAP (see PH/41 for this release above) to + HAVE_SETCLASSRESOURCES because there are different APIs in use that all + use login_cap.h, so on its own it isn't the distinguishing feature. The + new name refers directly to the setclassresources() function. + +PH/65 Added configuration files for NetBSD3. + +PH/66 Updated OS/Makefile-HP-UX for gcc 4.1.0 with HP-UX 11. + +PH/67 Fixed minor infelicity in the sorting of addresses to ensure that IPv6 + is preferred over IPv4. + +PH/68 The bounce_return_message and bounce_return_body options were not being + honoured for bounces generated during the reception of non-SMTP messages. + In particular, this applied to messages rejected by the ACL. This bug has + been fixed. However, if bounce_return_message is true and bounce_return_ + body is false, the headers that are returned for a non-SMTP message + include only those that have been read before the error was detected. + (In the case of an ACL rejection, they have all been read.) + +PH/69 The HTML version of the specification is now built in a directory called + spec_html instead of spec.html, because the latter looks like a path with + a MIME-type, and this confuses some software. + +PH/70 Catch two compiler warnings in sieve.c. + +PH/71 Fixed an obscure and subtle bug (thanks Alexander & Matthias). The + function verify_get_ident() calls ip_connect() to connect a socket, but + if the "connect()" function timed out, ip_connect() used to close the + socket. However, verify_get_ident() also closes the socket later, and in + between Exim writes to the log, which may get opened at this point. When + the socket was closed in ip_connect(), the log could get the same file + descriptor number as the socket. This naturally causes chaos. The fix is + not to close the socket in ip_connect(); the socket should be closed by + the function that creates it. There was only one place in the code where + this was missing, in the iplookup router, which I don't think anybody now + uses, but I've fixed it anyway. + +PH/72 Make dns_again_means_nonexist apply to lookups using gethostbyname() as + well as to direct DNS lookups. Otherwise the handling of names in host + lists is inconsistent and therefore confusing. + + +Exim version 4.60 +----------------- + +PH/01 Two changes to the default runtime configuration: + + (1) Move the checks for relay_from_hosts and authenticated clients from + after to before the (commented out) DNS black list checks. + + (2) Add control=submission to the relay_from_hosts and authenticated + clients checks, on the grounds that messages accepted by these + statements are most likely to be submissions. + +PH/02 Several tidies to the handling of ${prvs and ${prvscheck: + + (1) Generate an error if the third argument for the ${prvs expansion is + not a single digit. + + (2) Treat a missing third argument of ${prvscheck as if it were an empty + string. + + (3) Reset the variables that are obtained from the first argument of + ${prvscheck and used in the second argument before leaving the code, + because their memory is reclaimed, so using them afterwards may do + silly things. + + (4) Tidy up the code for expanding the arguments of ${prvscheck one by + one (it's much easier than Tom thought :-). + + (5) Because of (4), we can now allow for the use of $prvscheck_result + inside the third argument. + +PH/03 For some reason, the default setting of PATH when running a command from + a pipe transport was just "/usr/bin". I have changed it to + "/bin:/usr/bin". + +PH/04 SUPPORT_TRANSLATE_IP_ADDRESS and MOVE_FROZEN_MESSAGES did not cause + anything to be listed in the output from -bV. + +PH/05 When a filter generated an autoreply, the entire To: header line was + quoted in the delivery log line, like this: + + => >A.N.Other <ano@some.domain> <original@ddress> ... + + This has been changed so that it extracts the operative address. There + may be more than one such address. If so, they are comma-separated, like + this: + + => >ano@some.domain,ona@other.domain <original@ddress> ... + +PH/06 When a client host used a correct literal IP address in a HELO or EHLO + command, (for example, EHLO [1.2.3.4]) and the client's IP address was + not being looked up in the rDNS to get a host name, Exim was showing the + IP address twice in Received: lines, even though the IP addresses were + identical. For example: + + Received: from [1.2.3.4] (helo=[1.2.3.4]) + + However, if the real host name was known, it was omitting the HELO data + if it matched the actual IP address. This has been tidied up so that it + doesn't show the same IP address twice. + +PH/07 When both +timestamp and +memory debugging was on, the value given by + $tod_xxx expansions could be wrong, because the tod_stamp() function was + called by the debug printing, thereby overwriting the timestamp buffer. + Debugging no longer uses the tod_stamp() function when +timestamp is set. + +PH/08 When the original message was included in an autoreply transport, it + always said "this is a copy of the message, including all the headers", + even if body_only or headers_only was set. It now gives an appropriate + message. + +PH/09 Applied a patch from the Sieve maintainer which: + + o fixes some comments + o adds the (disabled) notify extension core + o adds some debug output for the result of if/elsif tests + o points to the current vacation draft in the documentation + and documents the missing references header update + + and most important: + + o fixes a bug in processing the envelope test (when testing + multiple envelope elements, the last element determined the + result) + +PH/10 Exim was violating RFC 3834 ("Recommendations for Automatic Responses to + Electronic Mail") by including: + + Auto-submitted: auto-generated + + in the messages that it generates (bounce messages and others, such as + warnings). In the case of bounce messages for non-SMTP messages, there was + also a typo: it was using "Auto_submitted" (underscore instead of + hyphen). Since every message generated by Exim is necessarily in response + to another message, thes have all been changed to: + + Auto-Submitted: auto-replied + + in accordance with these statements in the RFC: + + The auto-replied keyword: + + - SHOULD be used on messages sent in direct response to another + message by an automatic process, + + - MUST NOT be used on manually-generated messages, + + - MAY be used on Delivery Status Notifications (DSNs) and Message + Disposition Notifications (MDNs), + + - MUST NOT be used on messages generated by automatic or periodic + processes, except for messages which are automatic responses to + other messages. + +PH/11 Added "${if def:sender_address {(envelope-from <$sender_address>)\n\t}}" + to the default Received: header definition. + +PH/12 Added log selector acl_warn_skipped (default on). + +PH/13 After a successful wildlsearch lookup, discard the values of numeric + variables because (a) they are in the wrong storage pool and (b) even if + they were copied, it wouldn't work properly because of the caching. + +PH/14 Add check_rfc2047_length to disable enforcement of RFC 2047 length + checking when decoding. Apparently there are clients that generate + overlong encoded strings. Why am I not surprised? + +PH/15 If the first argument of "${if match_address" was not empty, but did not + contain an "@" character, Exim crashed. Now it writes a panic log message + and treats the condition as false. + +PH/16 In autoreply, treat an empty string for "once" the same as unset. + +PH/17 A further patch from the Sieve maintainer: "Introduce the new Sieve + extension "envelope-auth". The code is finished and in agreement with + other implementations, but there is no documentation so far and in fact, + nobody wrote the draft yet. This extension is currently #undef'ed, thus + not changing the active code. + + Print executed "if" and "elsif" statements when debugging is used. This + helps a great deal to understand what a filter does. + + Document more things not specified clearly in RFC3028. I had all this + sorted out, when out of a sudden new issues came to my mind. Oops." + +PH/18 Exim was not recognizing the "net-" search type prefix in match_ip lists + (Bugzilla #53). + +PH/19 Exim expands the IPv6 address given to -bh to its full non-abbreviated + canonical form (as documented). However, after a host name lookup from + the IP address, check_host() was doing a simple string comparison with + addresses acquired from the DNS when checking that the found name did + have the original IP as one of its addresses. Since any found IPv6 + addresses are likely to be in abbreviated form, the comparison could + fail. Luckily, there already exists a function for doing the comparison + by converting both addresses to binary, so now that is used instead of + the text comparison. + +PH/20 There was another similar case to PH/19, when a complete host name was + given in a host list; looking up its IP address could give an abbreviated + form, whereas the current host's name might or might not be abbreviated. + The same fix has been applied. + + +Exim version 4.54 +----------------- + +PH/01 The ${base62: operator adjusted itself to base 36 when BASE_62 was + set to 36 (for Darwin and Cygwin), but the ${base62d: operator did not. + It now does. + +PH/02 Two minor problems detected in Cygwin: the os.{c,h} files had lost */ on + the CVS lines, and there was a missing #if HAVE_IPV6 in host.c. + +PH/03 Typo: missing ".o" in src/pcre/Makefile. + +PH/04 Tighten up "personal" tests: Instead of testing for any "List-" + header line, restrict the check to what is listed in RFCs 2369 and 2929. + Also, for "Auto-Submitted", treat anything other than "no" as + non-personal, in accordance with RFC 3834. (Previously it treated + anything starting "auto-" as non-personal.) + +TF/01 The control=submission/name=... option had a problem with syntax + errors if the name included a slash character. The /name= option + now slurps the rest of the string, so it can include any characters + but it must come last in the list of options (after /sender_retain + or /domain=). + +PH/05 Some modifications to the interface to the fake nameserver for the new + testing suite. + + + +Exim version 4.53 +----------------- + +TK/01 Added the "success_on_redirect" address verification option. See + NewStuff for rationale and an example. + +PH/01 Added support for SQLite, basic code supplied by David Woodhouse. + +PH/02 Patch to exigrep to allow it to work on syslog lines. + +PH/03 When creating an mbox file for a virus/spam scan, use fseek() instead of + fread() to skip over the body file's header line, because in Cygwin the + header line is locked and is inaccessible. + +PH/04 Added $message_exim_id, ultimately to replace $message_id (they will both + co-exist for some time) to make it clear that it is the Exim ID that is + referenced, not the Message-ID: header line. + +PH/05 Replaced all Tom's calls to snprintf() with calls to the internal + string_format() function, because snprintf() does not exist on all + operating systems. + +PH/06 The use of forbid_filter_existstest now also locks out the use of the + ${stat: expansion item. + +PH/07 Changed "SMTP protocol violation: synchronization error" into "SMTP + protocol synchronization error", to keep the pedants happy. + +PH/08 Arrange for USE_INET_NTOA_FIX to be set in config.h for AIX systems as + well as for IRIX systems, when gcc is being used. See the host.c source + file for comments. + +PH/09 Installed latest Cygwin configuration files from the Cygwin maintainer. + +PH/10 Named domain lists were not working if used in a queue_smtp_domains + setting. + +PH/11 Added support for the IGNOREQUOTA extension to LMTP, both to the lmtp + transport and to the smtp transport in LMTP mode. + +TK/02 Remove one case of BASE64 error detection FTTB (undocumented anyway). + +PH/12 There was a missing call to search_tidyup() before the fork() in rda.c to + run a filter in a subprocess. This could lead to confusion in subsequent + lookups in the parent process. There should also be a search_tidyup() at + the end of the subprocess. + +PH/13 Previously, if "verify = helo" was set in an ACL, the condition was true + only if the host matched helo_try_verify_hosts, which caused the + verification to occur when the EHLO/HELO command was issued. The ACL just + tested the remembered result. Now, if a previous verification attempt has + not happened, "verify = helo" does it there and then. + +JJ/01 exipick: added $message_exim_id variable (see 4.53-PH/04) + +TK/03 Fix log output including CR from clamd. + +PH/14 A reference to $reply_address when Reply-to: was empty and From: did not + exist provoked a memory error which could cause a segfault. + +PH/15 Installed PCRE 6.2 + +PH/17 Defined BIND_8_COMPAT in the Darwin os.h file. + +PH/18 Reversed 4.52/PH/17 because the HP-UX user found it wasn't the cause + of the problem. Specifically, suggested +O2 rather than +O1 for the + HP-UX compiler. + +PH/19 Added sqlite_lock_timeout option (David Woodhouse's patch). + +PH/20 If a delivery was routed to a non-standard port by means of an SRV + record, the port was not correctly logged when the outgoing_port log + selector was set (it logged the transort's default port). + +PH/21 Added support for host-specific ports to manualroute, queryprogram, + fallback_hosts, and "hosts" in the smtp transport. + +PH/22 If the log selector "outgoing_port" is set, the port is now also given on + host errors such as "Connection refused". + +PH/23 Applied a patch to fix problems with exim-4.52 while doing radius + authentication with radiusclient 0.4.9: + + - Error returned from rc_read_config was caught wrongly + - Username/password not passed on to radius server due to wrong length. + + The presumption is that some radiusclient API changes for 4.51/PH/17 + were not taken care of correctly. The code is still untested by me (my + Linux distribution still has 0.3.2 of radiusclient), but it was + contributed by a Radius user. + +PH/24 When doing a callout, the value of $domain wasn't set correctly when + expanding the "port" option of the smtp transport. + +TK/04 MIME ACL: Fix buffer underrun that occurs when EOF condition is met + while reading a MIME header. Thanks to Tom Hughes for a patch. + +PH/24 Include config.h inside local_scan.h so that configuration settings are + available. + +PH/25 Make $smtp_command_argument available after all SMTP commands. This means + that in an ACL for RCPT (for example), you can examine exactly what was + received. + +PH/26 Exim was recognizing IPv6 addresses of the form [IPv6:....] in EHLO + commands, but it was not correctly comparing the address with the actual + client host address. Thus, it would show the EHLO address in Received: + header lines when this was not necessary. + +PH/27 Added the % operator to ${eval:}. + +PH/28 Exim tries to create and chdir to its spool directory when it starts; + it should be ignoring failures (because with -C, for example, it has lost + privilege). It wasn't ignoring creation failures other than "already + exists". + +PH/29 Added "crypteq" to the list of supported features that Exim outputs when + -bV or -d is used. + +PH/30 Fixed (presumably very longstanding) bug in exim_dbmbuild: if it failed + because an input line was too long, either on its own, or by virtue of + too many continuations, the temporary file was not being removed, and the + return code was incorrect. + +PH/31 Missing "BOOL" in function definition in filtertest.c. + +PH/32 Applied Sieve patches from the maintainer. + +TK/05 Domainkeys: Accomodate for a minor API change in libdomainkeys 0.67. + +PH/33 Added "verify = not_blind". + +PH/34 There are settings for CHOWN_COMMAND and MV_COMMAND that can be used in + Local/Makefile (with some defaults set). These are used in built scripts + such as exicyclog, but they have never been used in the exim_install + script (though there are many overriding facilities there). I have + arranged that the exim_install script now takes note of these two + settings. + +PH/35 Installed configuration files for Dragonfly. + +PH/36 When a locally submitted message by a trusted user did not contain a + From: header, and the sender address was obtained from -f or from an SMTP + MAIL command, and the trusted user did not use -F to supply a sender + name, $originator_name was incorrectly used when constructing a From: + header. Furthermore, $originator_name was used for submission mode + messages from external hosts without From: headers in a similar way, + which is clearly wrong. + +PH/37 Added control=suppress_local_fixups. + +PH/38 When log_selector = +received_sender was set, and the addition of the + sender made the log line's construction buffer exactly full, or one byte + less than full, an overflow happened when the terminating "\n" was + subsequently added. + +PH/39 Added a new log selector, "unknown_in_list", which provokes a log entry + when the result of a list match is failure because a DNS lookup failed. + +PH/40 RM_COMMAND is now used in the building process. + +PH/41 Added a "distclean" target to the top-level Makefile; it deletes all + the "build-* directories that it finds. + +PH/42 (But a TF fix): In a domain list, Exim incorrectly matched @[] if the IP + address in a domain literal was a prefix of an interface address. + +PH/43 (Again a TF fix): In the dnslookup router, do not apply widen_domains + when verifying a sender address, unless rewrite_headers is false. + +PH/44 Wrote a long comment about why errors_to addresses are verified as + recipients, not senders. + +TF/01 Add missing LIBS=-lm to OS/Makefile-OpenBSD which was overlooked when + the ratelimit ACL was added. + +PH/45 Added $smtp_command for the full command (cf $smtp_command_argument). + +PH/46 Added extra information about PostgreSQL errors to the error string. + +PH/47 Added an interface to a fake DNS resolver for use by the new test suite, + avoiding the need to install special zones in a real server. This is + backwards compatible; if it can't find the fake resolver, it drops back. + Thus, both old and new test suites can be run. + +TF/02 Added util/ratelimit.pl + +TF/03 Minor fix to the ratelimit code to improve its behaviour in case the + clock is set back in time. + +TF/04 Fix the ratelimit support in exim_fixdb. Patch provided by Brian + Candler <B.Candler@pobox.com>. + +TF/05 The fix for PH/43 was not completely correct; widen_domains is always + OK for addresses that are the result of redirections. + +PH/48 A number of further additions for the benefit of the new test suite, + including a fake gethostbyname() that interfaces to the fake DNS resolver + (see PH/47 above). + +TF/06 The fix for widen_domains has also been applied to qualify_single and + search_parents which are the other dnslookup options that can cause + header rewrites. + +PH/49 Michael Haardt's randomized retrying, but as a separate retry parameter + type ("H"). + +PH/50 Make never_users, trusted_users, admin_groups, trusted_groups expandable. + +TF/07 Exim produced the error message "an SRV record indicated no SMTP + service" if it encountered an MX record with an empty target hostname. + The message is now "an MX or SRV record indicated no SMTP service". + +TF/08 Change PH/13 introduced the possibility that verify=helo may defer, + if the DNS of the sending site is misconfigured. This is quite a + common situation. This change restores the behaviour of treating a + helo verification defer as a failure. + +PH/51 If self=fail was set on a router, the bounce message did not include the + actual error message. + + +Exim version 4.52 +----------------- + +TF/01 Added support for Client SMTP Authorization. See NewStuff for details. + +PH/01 When a transport filter timed out in a pipe delivery, and the pipe + command itself ended in error, the underlying message about the transport + filter timeout was being overwritten with the pipe command error. Now the + underlying error message should be appended to the second error message. + +TK/01 Fix poll() being unavailable on Mac OSX 10.2. + +PH/02 Reduce the amount of output that "make" produces by default. Full output + can still be requested. + +PH/03 The warning log line about a condition test deferring for a "warn" verb + was being output only once per connection, rather than after each + occurrence (because it was using the same function as for successful + "warn" verbs). This seems wrong, so I have changed it. + +TF/02 Two buglets in acl.c which caused Exim to read a few bytes of memory that + it should not have, which might have caused a crash in the right + circumstances, but probably never did. + +PH/04 Installed a modified version of Tony Finch's patch to make submission + mode fix the return path as well as the Sender: header line, and to + add a /name= option so that you can make the user's friendly name appear + in the header line. + +TF/03 Added the control = fakedefer ACL modifier. + +TF/04 Added the ratelimit ACL condition. See NewStuff for details. Thanks to + Mark Lowes for thorough testing. + +TK/02 Rewrote SPF support to work with libspf2 versions >1.2.0. + +TK/03 Merged latest SRS patch from Miles Wilton. + +PH/05 There's a shambles in IRIX6 - it defines EX_OK in unistd.h which conflicts + with the definition in sysexits.h (which is #included earlier). + Fortunately, Exim does not actually use EX_OK. The code used to try to + preserve the sysexits.h value, by assuming that macro definitions were + scanned for macro replacements. I have been disabused of this notion, + so now the code just undefines EX_OK before #including unistd.h. + +PH/06 There is a timeout for writing blocks of data, set by, e.g. data_timeout + in the smtp transport. When a block could not be written in a single + write() function, the timeout was being re-applied to each part-write. + This seems wrong - if the receiver was accepting one byte at a time it + would take for ever. The timeout is now adjusted when this happens. It + doesn't have to be particularly precise. + +TK/04 Added simple SPF lookup method in EXPERIMENTAL_SPF. See NewStuff for + details. Thanks to Chris Webb <chris@arachsys.com> for the patch! + +PH/07 Added "fullpostmaster" verify option, which does a check to <postmaster> + without a domain if the check to <postmaster@domain> fails. + +SC/01 Eximstats: added -xls and the ability to specify output files + (patch written by Frank Heydlauf). + +SC/02 Eximstats: use FileHandles for outputting results. + +SC/03 Eximstats: allow any combination of xls, txt, and html output. + +SC/04 Eximstats: fixed display of large numbers with -nvr option + +SC/05 Eximstats: fixed merging of reports with empty tables. + +SC/06 Eximstats: added the -include_original_destination flag + +SC/07 Eximstats: removed tabs and trailing whitespace. + +TK/05 Malware: Improve on aveserver error handling. Patch from Alex Miller. + +TK/06 MBOX spool code: Add real "From " MBOX separator line + so the .eml file is really in mbox format (even though + most programs do not really care). Patch from Alex Miller. + +TK/07 MBOX spool code: Add X-Envelope-From: and X-Envelope-To: headers. + The latter is generated from $received_to and is only set if the + message has one envelope recipient. SA can use these headers, + obviously out-of-the-box. Patch from Alex Miller. + +PH/08 The ${def test on a variable was returning false if the variable's + value was "0", contrary to what the specification has always said! + The result should be true unless the variable is empty. + +PH/09 The syntax error of a character other than { following "${if + def:variable_name" (after optional whitespace) was not being diagnosed. + An expansion such as ${if def:sender_ident:{xxx}{yyy}} in which an + accidental colon was present, for example, could give incorrect results. + +PH/10 Tidied the code in a number of places where the st_size field of a stat() + result is used (not including appendfile, where other changes are about + to be made). + +PH/11 Upgraded appendfile so that quotas larger than 2G are now supported. + This involved changing a lot of size variables from int to off_t. It + should work with maildirs and everything. + +TK/08 Apply fix provided by Michael Haardt to prevent deadlock in case of + spamd dying while we are connected to it. + +TF/05 Fixed a ${extract error message typo reported by Jeremy Harris + <jgh@wizmail.org> + +PH/12 Applied Alex Kiernan's patch for the API change for the error callback + function for BDB 4.3. + +PH/13 Changed auto_thaw such that it does not apply to bounce messages. + +PH/14 Imported PCRE 6.0; this was more than just a trivial operation because + the sources for PCRE have been re-arranged and more files are now + involved. + +PH/15 The code I had for printing potentially long long variables in PH/11 + above was not the best (it lost precision). The length of off_t variables + is now inspected at build time, and an appropriate printing format (%ld + or %lld) is chosen and #defined by OFF_T_FMT. We also define LONGLONG_T + to be "long long int" or "long int". This is needed for the internal + formatting function string_vformat(). + +PH/16 Applied Matthew Newton's patch to exicyclog: "If log_file_path is set in + the configuration file to be ":syslog", then the script "guesses" where + the logs files are, rather than using the compiled in default. In our + case the guess is not the same as the compiled default, so the script + suddenly stopped working when I started to use syslog. The patch checks + to see if log_file_path is "". If so, it attempts to read it from exim + with no configuration file to get the compiled in version, before it + falls back to the previous guessing code." + +TK/09 Added "prvs" and "prvscheck" expansion items. These help a lot with + implementing BATV in an Exim configuration. See NewStuff for the gory + details. + +PH/17 Applied Michael Haardt's patch for HP-UX, affecting only the os.h and + Makefile that are specific to HP-UX. + +PH/18 If the "use_postmaster" option was set for a recipient callout together + with the "random" option, the postmaster address was used as the MAIL + FROM address for the random test, but not for the subsequent recipient + test. It is now used for both. + +PH/19 Applied Michael Haardt's patch to update Sieve to RFC3028bis. "The + patch removes a few documentation additions to RFC 3028, because the + latest draft now contains them. It adds the new en;ascii-case comparator + and a new error check for 8bit text in MIME parts. Comparator and + require names are now matched exactly. I enabled the subaddress + extension, but it is not well tested yet (read: it works for me)." + +PH/20 Added macros for time_t as for off_t (see PH/15 above) and used them to + rework some of the code of TK/09 above to avoid the hardwired use of + "%lld" and "long long". Replaced the call to snprintf() with a call to + string_vformat(). + +PH/21 Added some other messages to those in 4.51/PH/42, namely "All relevant MX + records point to non-existent hosts", "retry timeout exceeded", and + "retry time not reached for any host after a long failure period". + +PH/22 Fixed some oversights/typos causing bugs when Exim is compiled with + experimental DomainKeys support: + + (1) The filter variables $n0-$n9 and $sn0-$sn9 were broken. + (2) On an error such as an illegally used "control", the wrong name for + the control was given. + + These problems did NOT occur unless DomainKeys support was compiled. + +PH/23 Added daemon_startup_retries and daemon_startup_sleep. + +PH/24 Added ${if match_ip condition. + +PH/25 Put debug statements on either side of calls to EXIM_DBOPEN() for hints + databases so that it will be absolutely obvious if a crash occurs in the + DB library. This is a regular occurrence (often caused by mis-matched + db.h files). + +PH/26 Insert a lot of missing (void) casts for functions such as chown(), + chmod(), fcntl(), sscanf(), and other functions from stdio.h. These were + picked up on a user's system that detects such things. There doesn't seem + to be a gcc warning option for this - only an attribute that has to be + put on the function's prototype. It seems that in Fedora Core 4 they have + set this on a number of new functions. No doubt there will be more in due + course. + +PH/27 If a dnslookup or manualroute router is set with verify=only, it need not + specify a transport. However, if an address that was verified by such a + router was the subject of a callout, Exim crashed because it tried to + read the rcpt_include_affixes from the non-existent transport. Now it + just assumes that the setting of that option is false. This bug was + introduced by 4.51/PH/31. + +PH/28 Changed -d+all to exclude +memory, because that information is very + rarely of interest, but it makes the output a lot bigger. People tend to + do -d+all out of habit. + +PH/29 Removed support for the Linux-libc5 build, as it is obsolete and the + code in os-type was giving problems when libc.so lives in lib64, like on + x86_64 Fedora Core. + +PH/30 Exim's DNS code uses the original T_xxx names for DNS record times. These + aren't the modern standard, and it seems that some systems' include files + don't always have them. Exim was already checking for some of the newer + ones like T_AAAA, and defining it itself. I've added checks for all the + record types that Exim uses. + +PH/31 When using GnuTLS, if the parameters cache file did not exist, Exim was + not automatically generating a new one, as it is supposed to. This + prevented TLS from working. If the file did exist, but contained invalid + data, a new version was generated, as expected. It was only the case of a + non-existent file that was broken. + +TK/10 Domainkeys: Fix a bug in verification that caused a crash in conjunction + with a change in libdomainkeys > 0.64. + +TK/11 Domainkeys: Change the logic how the "testing" policy flag is retrieved + from DNS. If the selector record carries the flag, it now has + precedence over the domain-wide flag. + +TK/12 Cleared some compiler warnings related to SPF, SRS and DK code. + +PH/32 In mua_wrapper mode, if an smtp transport configuration error (such as + the use of a port name that isn't defined in /etc/services) occurred, the + message was deferred as in a normal delivery, and thus remained on the + spool, instead of being failed because of the mua_wrapper setting. This + is now fixed, and I tidied up some of the mua_wrapper messages at the + same time. + +SC/08 Eximstats: whilst parsing the mainlog(s), store information about + the messages in a hash of arrays rather than using individual hashes. + This is a bit cleaner and results in dramatic memory savings, albeit + at a slight CPU cost. + +SC/09 Eximstats: added the -show_rt<list> and the -show_dt<list> flags + as requested by Marc Sherman. + +SC/10 Eximstats: added histograms for user specified patterns as requested + by Marc Sherman. + +SC/11 Eximstats: v1.43 - bugfix for pattern histograms with -h0 specified. + +PH/33 Patch from the Cygwin maintainer to add "b" to all occurences of + fopen() in the content-scanning modules that did not already have it. + + +Exim version 4.51 +----------------- + +TK/01 Added Yahoo DomainKeys support via libdomainkeys. See + doc/experimental-spec.txt for details. (http://domainkeys.sf.net) + +TK/02 Fix ACL "control" statement not being available in MIME ACL. + +TK/03 Fix ACL "regex" condition not being available in MIME ACL. + +PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used + to test Sieve filters that use "vacation". + +PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch + that changes the way the GnuTLS parameters are stored in the cache file. + The new format can be generated externally. For backward compatibility, + if the data in the cache doesn't make sense, Exim assumes it has read an + old-format file, and it generates new data and writes a new file. This + means that you can't go back to an older release without removing the + file. + +PH/03 A redirect router that has both "unseen" and "one_time" set does not + work if there are any delivery delays because "one_time" forces the + parent to be marked "delivered", so its unseen clone is never tried + again. For this reason, Exim now forbids the simultaneous setting of + these two options. + +PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are + redirected to themselves ("homonym" addresses). Read the long ChangeLog + entry if you want to know the details. The fix, however, neglected to + consider the case when local delivery batching is involved. The test for + "previously delivered" was not happening when checking to see if an + address could be batched with a previous (undelivered) one; under + certain circumstances this could lead to multiple deliveries to the same + address. + +PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T + in its include files, and this causes problems building Exim. + +PH/06 A number of "verify =" ACL conditions have no options (e.g. verify = + header_syntax) but Exim was just ignoring anything given after a slash. + In particular, this caused confusion with an attempt to use "verify = + reverse_host_lookup/defer_ok". An error is now given when options are + supplied for verify items that do not have them. (Maybe reverse_host_ + lookup should have a defer_ok option, but that's a different point.) + +PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as + defined by RFC 821) to 2048, because there were problems with some AUTH + commands, and RFC 1869 says the size should be increased for extended + SMTP commands that take arguments. + +PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony + Finch). + +PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an + "unknown" error; now it says that the functionality isn't in the binary. + +PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in + an address' error message when a string expansion fails (syntax or + whatever). Otherwise the password may appear in the log. Following change + PH/42 below, there is no longer a chance of it appearing in a bounce + message. + +PH/11 Installed exipick version 20050225.0 from John Jetmore. + +PH/12 If the last host in a fallback_hosts list was multihomed, only the first + of its addresses was ever tried. (Bugzilla bug #2.) + +PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed + the result incorrectly in the debug output. (It correctly added a newline + to what was transported.) + +TF/01 Added $received_time. + +PH/14 Modified the default configuration to add an acl_smtp_data ACL, with + commented out examples of how to interface to a virus scanner and to + SpamAssassin. Also added commented examples of av_scanner and + spamd_address settings. + +PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what conditions + and controls are allowed in which ACLs. There were a couple of minor + errors. Some of the entries in the conditions table (which is a table of + where they are NOT allowed) were getting very unwieldy; rewrote them as a + negation of where the condition IS allowed. + +PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer. + +PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the + header file does not have a version number, so I've had to invent a new + value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new + API. The code is untested by me (my Linux distribution still has 0.3.2 of + radiusclient), but it was contributed by a Radius user. + +PH/18 Installed Lars Mainka's patch for the support of CRL collections in + files or directories, for OpenSSL. + +PH/19 When an Exim process that is running as root has to create an Exim log + file, it does so in a subprocess that runs as exim:exim so as to get the + ownership right at creation (otherwise, other Exim processes might see + the file with the wrong ownership). There was no test for failure of this + fork() call, which would lead to the process getting stuck as it waited + for a non-existent subprocess. Forks do occasionally fail when resources + run out. I reviewed all the other calls to fork(); they all seem to check + for failure. + +PH/20 When checking for unexpected SMTP input at connect time (before writing + the banner), Exim was not dealing correctly with a non-positive return + from the read() function. If the client had disconnected by this time, + the result was a log entry for a synchronization error with an empty + string after "input=" when read() returned zero. If read() returned -1 + (an event I could not check), uninitialized data bytes were printed. + There were reports of junk text (parts of files, etc) appearing after + "input=". + +PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP messages. + +PH/22 Added support for macro redefinition, and (re)definition in between + driver and ACL definitions. + +PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then + forgetting to use the resulting value; it was using the unexpanded value. + +PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it + hadn't been configured. The fix is from Juergen Kreileder, who + understands it better than I do: + + "Here's what I see happening with three configured cyrus_sasl + authenticators configured (plain, login, cram-md5): + + On startup auth_cyrus_sasl_init() gets called for each of these. + This means three calls to sasl_listmech() without a specified mech_list. + => SASL tests which mechs of all available mechs actually work + => three warnings about OTP not working + => the returned list contains: plain, login, cram-md5, digest-md5, ... + + With the patch, sasl_listmech() also gets called three times. But now + SASL's mech_list option is set to the server_mech specified in the the + authenticator. Or in other words, the answer from sasl_listmech() + gets limited to just the mech you're testing for (which is different + for each call.) + => the return list contains just 'plain' or 'login', 'cram-md5' or + nothing depending on the value of ob->server_mech. + + I've just tested the patch: Authentication still works fine, + unavailable mechs specified in the exim configuration are still + caught, and the auth.log warnings about OTP are gone." + +PH/25 When debugging is enabled, the contents of the command line are added + to the debugging output, even when log_selector=+arguments is not + specified. + +PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the + answer is "GNU", and only if the return is "GNU/something" is the answer + "Linux". + +PH/27 $acl_verify_message is now set immediately after the failure of a + verification in an ACL, and so is available in subsequent modifiers. In + particular, the message can be preserved by coding like this: + + warn !verify = sender + set acl_m0 = $acl_verify_message + + Previously, $acl_verify_message was set only while expanding "message" + and "log_message" when a very denied access. + +PH/28 Modified OS/os.c-Linux with + + -#ifndef OS_LOAD_AVERAGE + +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__) + + to make Exim compile on kfreebsd-gnu. (I'm totally confused about the + nomenclature these days.) + +PH/29 Installed patch from the Sieve maintainer that adds the options + sieve_useraddress and sieve_subaddress to the redirect router. + +PH/30 In these circumstances: + . Two addresses routed to the same list of hosts; + . First host does not offer TLS; + . First host accepts first address; + . First host gives temporary error to second address; + . Second host offers TLS and a TLS session is established; + . Second host accepts second address. + Exim incorrectly logged both deliveries with the TLS parameters (cipher + and peerdn, if requested) that were in fact used only for the second + address. + +PH/31 When doing a callout as part of verifying an address, Exim was not paying + attention to any local part prefix or suffix that was matched by the + router that accepted the address. It now behaves in the same way as it + does for delivery: the affixes are removed from the local part unless + rcpt_include_affixes is set on the transport. + +PH/32 Add the sender address, as F=<...>, to the log line when logging a + timeout during the DATA phase of an incoming message. + +PH/33 Sieve envelope tests were broken for match types other than :is. I have + applied a patch sanctioned by the Sieve maintainer. + +PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where + the uid or gid is negative. A case of a negative gid caused this to be + noticed. The fix allows for either to be negative. + +PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code + clutter, but the tables that are indexed by ACL_WHERE_xxx values had been + overlooked. + +PH/36 The change PH/12 above was broken. Fixed it. + +PH/37 Exim used to check for duplicate addresses in the middle of routing, on + the grounds that routing the same address twice would always produce the + same answer. This might have been true once, but it is certainly no + longer true now. Routing a child address may depend on the previous + routing that produced that child. Some complicated redirection strategies + went wrong when messages had multiple recipients, and made Exim's + behaviour dependent on the order in which the addresses were given. + + I have moved the duplicate checking until after the routing is complete. + Exim scans the addresses that are assigned to local and remote + transports, and removes any duplicates. This means that more work will be + done, as duplicates will always all be routed, but duplicates are + presumably rare, so I don't expect this is of any significance. + + For deliveries to pipes, files, and autoreplies, the duplicate checking + still happens during the routing process, since they are not going to be + routed further. + +PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner. + It corrects a timeout issue with spamd. This is Ian's comment: "The + background is that sometimes spamd either never reads data from a + connection it has accepted, or it never writes response data. The exiscan + spam.[ch] uses a 3600 second timeout on spamd socket reads, further, it + blindly assumes that writes won't block so it may never time out." + +PH/39 Allow G after quota size as well as K and M. + +PH/40 The value set for $authenticated_id in an authenticator may not contain + binary zeroes or newlines because the value is written to log lines and + to spool files. There was no check on this. Now the value is run through + the string_printing() function so that such characters are converted to + printable escape sequences. + +PH/41 $message_linecount is a new variable that contains the total number of + lines in the message. Compare $body_linecount, which is the count for the + body only. + +PH/42 Exim no longer gives details of delivery errors for specific addresses in + bounce and delay warning messages, except in certain special cases, which + are as follows: + + (a) An SMTP error message from a remote host; + (b) A message specified in a :fail: redirection; + (c) A message specified in a "fail" command in a system filter; + (d) A message specified in a FAIL return from the queryprogram router; + (e) A message specified by the cannot_route_message router option. + + In these cases only, Exim does include the error details in bounce and + warning messages. There are also a few cases where bland messages such + as "unrouteable address" or "local delivery error" are given. + +PH/43 $value is now also set for the "else" part of a ${run expansion. + +PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still + being worked on, but at least Exim now implements the latest version to + play with." + +PH/45 In a pipe transport, although a timeout while waiting for the pipe + process to complete was treated as a delivery failure, a timeout while + writing the message to the pipe was logged, but erroneously treated as a + successful delivery. Such timeouts include transport filter timeouts. For + consistency with the overall process timeout, these timeouts are now + treated as errors, giving rise to delivery failures by default. However, + there is now a new Boolean option for the pipe transport called + timeout_defer, which, if set TRUE, converts the failures into defers for + both kinds of timeout. A transport filter timeout is now identified in + the log output. + +PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On + systems where "make" and "gmake" are different, calling "gmake" at top + level broke things. I've arranged for the value of $(MAKE) to be passed + from the Makefile to this script so that it can call the same version of + "make". + + +A note about Exim versions 4.44 and 4.50 +---------------------------------------- + +Exim 4.50 was meant to be the next release after 4.43. It contains a lot of +changes of various kinds. As a consequence, a big documentation update was +needed. This delayed the release for rather longer than seemed good, especially +in the light of a couple of (minor) security issues. Therefore, the changes +that fixed bugs were backported into 4.43, to create a 4.44 maintenance +release. So 4.44 and 4.50 are in effect two different branches that both start +from 4.43. + +I have left the 4.50 change log unchanged; it contains all the changes since +4.43. The change log for 4.44 is below; many of its items are identical to +those for 4.50. This seems to be the most sensible way to preserve the +historical information. + + +Exim version 4.50 +----------------- + + 1. Minor wording change to the doc/README.SIEVE file. + + 2. Change 4.43/35 introduced a bug: if quota_filecount was set, the + computation of the current number of files was incorrect. + + 3. Closing a stable door: arrange to panic-die if setitimer() ever fails. The + bug fixed in 4.43/37 would have been diagnosed quickly if this had been in + place. + + 4. Give more explanation in the error message when the command for a transport + filter fails to execute. + + 5. There are several places where Exim runs a non-Exim command in a + subprocess. The SIGUSR1 signal should be disabled for these processes. This + was being done only for the command run by the queryprogram router. It is + now done for all such subprocesses. The other cases are: ${run, transport + filters, and the commands run by the lmtp and pipe transports. + + 6. Added CONFIGURE_GROUP build-time option. + + 7. Some older OS have a limit of 256 on the maximum number of file + descriptors. Exim was using setrlimit() to set 1000 as a large value + unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these + systems. I've change it so that if it can't get 1000, it tries for 256. + + 8. "control=submission" was allowed, but had no effect, in a DATA ACL. This + was an oversight, and furthermore, ever since the addition of extra + controls (e.g. 4.43/32), the checks on when to allow different forms of + "control" were broken. There should now be diagnostics for all cases when a + control that does not make sense is encountered. + + 9. Added the /retain_sender option to "control=submission". + +10. $recipients is now available in the predata ACL (oversight). + +11. Tidy the search cache before the fork to do a delivery from a message + received from the command line. Otherwise the child will trigger a lookup + failure and thereby defer the delivery if it tries to use (for example) a + cached ldap connection that the parent has called unbind on. + +12. If verify=recipient was followed by verify=sender in a RCPT ACL, the value + of $address_data from the recipient verification was clobbered by the + sender verification. + +13. The value of address_data from a sender verification is now available in + $sender_address_data in subsequent conditions in the ACL statement. + +14. Added forbid_sieve_filter and forbid_exim_filter to the redirect router. + +15. Added a new option "connect=<time>" to callout options, to set a different + connection timeout. + +16. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 + was its contents. (It was OK if the option was not defined at all.) + +17. A "Completed" log line is now written for messages that are removed from + the spool by the -Mrm option. + +18. New variables $sender_verify_failure and $recipient_verify_failure contain + information about exactly what failed. + +19. Added -dd to debug only the daemon process. + +20. Incorporated Michael Haardt's patch to ldap.c for improving the way it + handles timeouts, both on the server side and network timeouts. Renamed the + CONNECT parameter as NETTIMEOUT (but kept the old name for compatibility). + +21. The rare case of EHLO->STARTTLS->HELO was setting the protocol to "smtp". + It is now set to "smtps". + +22. $host_address is now set to the target address during the checking of + ignore_target_hosts. + +23. When checking ignore_target_hosts for an ipliteral router, no host name was + being passed; this would have caused $sender_host_name to have been used if + matching the list had actually called for a host name (not very likely, + since this list is usually IP addresses). A host name is now passed as + "[x.x.x.x]". + +24. Changed the calls that set up the SIGCHLD handler in the daemon to use the + code that specifies a non-restarting handler (typically sigaction() in + modern systems) in an attempt to fix a rare and obscure crash bug. + +25. Narrowed the window for a race in the daemon that could cause it to ignore + SIGCHLD signals. This is not a major problem, because they are used only to + wake it up if nothing else does. + +26. A malformed maildirsize file could cause Exim to calculate negative values + for the mailbox size or file count. Odd effects could occur as a result. + The maildirsize information is now recalculated if the size or filecount + end up negative. + +27. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this + support for a long time. Removed HAVE_SYS_VFS_H. + +28. Installed the latest version of exipick from John Jetmore. + +29. In an address list, if the pattern was not a regular expression, an empty + subject address (from a bounce message) matched only if the pattern was an + empty string. Non-empty patterns were not even tested. This was the wrong + because it is perfectly reasonable to use an empty address as part of a + database query. An empty address is now tested by patterns that are + lookups. However, all the other forms of pattern expect the subject to + contain a local part and a domain, and therefore, for them, an empty + address still always fails if the pattern is not itself empty. + +30. Exim went into a mad DNS loop when attempting to do a callout where the + host was specified on an smtp transport, and looking it up yielded more + than one IP address. + +31. Re-factored the code for checking spool and log partition space into a + function that finds that data and another that does the check. The former + is then used to implement four new variables: $spool_space, $log_space, + $spool_inodes, and $log_inodes. + +32. The RFC2047 encoding function was originally intended for short strings + such as real names; it was not keeping to the 75-character limit for + encoded words that the RFC imposes. It now respects the limit, and + generates multiple encoded words if necessary. To be on the safe side, I + have increased the buffer size for the ${rfc2047: expansion operator from + 1024 to 2048 bytes. + +33. It is now permitted to omit both strings after an "if" condition; if the + condition is true, the result is "true". As before, when the second string + is omitted, a false condition yields an empty string. This makes it less + cumbersome to write custom ACL and router conditions. + +34. Failure to deliver a bounce message always caused it to be frozen, even if + there was an errors_to setting on the router. The errors_to setting is now + respected. + +35. If an IPv6 address is given for -bh or -bhc, it is now converted to the + canonical form (fully expanded) before being placed in + $sender_host_address. + +36. The table in the code that translates DNS record types into text (T_A to + "A" for instance) was missing entries for NS and CNAME. It is just possible + that this could have caused confusion if both these types were looked up + for the same domain, because the text type is used as part of Exim's + per-process caching. But the chance of anyone hitting this buglet seems + very small. + +37. The dnsdb lookup has been extended in a number of ways. + + (1) There is a new type, "zns", which walks up the domain tree until it + finds some nameserver records. It should be used with care. + + (2) There is a new type, "mxh", which is like "mx" except that it returns + just the host names, not the priorities. + + (3) It is now possible to give a list of domains (or IP addresses) to be + looked up. The behaviour when one of the lookups defers can be + controlled by a keyword. + + (4) It is now possible to specify the separator character for use when + multiple records are returned. + +38. The dnslists ACL condition has been extended: it is now possible to supply + a list of IP addresses and/or domains to be looked up in a particular DNS + domain. + +39. Added log_selector=+queue_time_overall. + +40. When running the queue in the test harness, wait just a tad after forking a + delivery process, to get repeatability of debugging output. + +41. Include certificate and key file names in error message when GnuTLS fails + to set them up, because the GnuTLS error message doesn't include the name + of the failing file when there is a problem reading it. + +42. Allow both -bf and -bF in the same test run. + +43. Did the same fix as 41 above for OpenSSL, which had the same infelicity. + +44. The "Exiscan patch" is now merged into the mainline Exim source. + +45. Sometimes the final signoff response after QUIT could fail to get + transmitted in the non-TLS case. Testing !tls_active instead of tls_active + < 0 before doing a fflush(). This bug looks as though it goes back to the + introduction of TLS in release 3.20, but "sometimes" must have been rare + because the tests only now provoked it. + +46. Reset the locale to "C" after calling embedded Perl, in case it was changed + (this can affect the format of dates). + +47. exim_tidydb, when checking for the continued existence of a message for + which it has found a message-specific retry record, was not finding + messages that were in split spool directories. Consequently, it was + deleting retry records that should have stayed in existence. + +48. Steve fixed some bugs in eximstats. + +49. The SPA authentication driver was not abandoning authentication and moving + on to the next authenticator when an expansion was forced to fail, + contradicting the general specification for all authenticators. Instead it + was generating a temporary error. It now behaves as specified. + +50. The default ordering of permitted cipher suites for GnuTLS was pessimal + (the order specifies the preference for clients). The order is now AES256, + AES128, 3DES, ARCFOUR128. + +51. Small patch to Sieve code - explicitly set From: when generating an + autoreply. + +52. Exim crashed if a remote delivery caused a very long error message to be + recorded - for instance if somebody sent an entire SpamAssassin report back + as a large number of 550 error lines. This bug was coincidentally fixed by + increasing the size of one of Exim's internal buffers (big_buffer) that + happened as part of the Exiscan merge. However, to be on the safe side, I + have made the code more robust (and fixed the comments that describe what + is going on). + +53. Now that there can be additional text after "Completed" in log lines (if + the queue_time_overall log selector is set), a one-byte patch to exigrep + was needed to allow it to recognize "Completed" as not the last thing in + the line. + +54. The LDAP lookup was not handling a return of LDAP_RES_SEARCH_REFERENCE. A + patch that reportedly fixes this has been added. I am not expert enough to + create a test for it. This is what the patch creator wrote: + + "I found a little strange behaviour of ldap code when working with + Windows 2003 AD Domain, where users was placed in more than one + Organization Units. When I tried to give exim partial DN, the exit code + of ldap_search was unknown to exim because of LDAP_RES_SEARCH_REFERENCE. + But simultaneously result of request was absolutely normal ldap result, + so I produce this patch..." + + Later: it seems that not all versions of LDAP support LDAP_RES_SEARCH_ + REFERENCE, so I have modified the code to exclude the patch when that macro + is not defined. + +55. Some experimental protocols are using DNS PTR records for new purposes. The + keys for these records are domain names, not reversed IP addresses. The + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. + CAN-2005-0021 + +56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP. + +57. Double the size of the debug message buffer (to 2048) so that more of very + long debug lines gets shown. + +58. The exicyclog utility now does better if the number of log files to keep + exceeds 99. In this case, it numbers them 001, 002 ... instead of 01, 02... + +59. Two changes related to the smtp_active_hostname option: + + (1) $smtp_active_hostname is now available as a variable. + (2) The default for smtp_banner uses $smtp_active_hostname instead + of $primary_hostname. + +60. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb PTR lookup with an IPv6 address that had more than 8 + components; fortuitously, this particular loophole had already been fixed + by change 4.50/55 above. + + If there are any other similar loopholes, the new check in host_aton() + itself should stop them being exploited. The report I received stated that + data on the command line could provoke the exploit when Exim was running as + exim, but did not say which command line option was involved. All I could + find was the use of -be with a bad dnsdb PTR lookup, and in that case it is + running as the user. + CAN-2005-0021 + +61. There was a buffer overflow vulnerability in the SPA authentication code + (which came originally from the Samba project). I have added a test to the + spa_base64_to_bits() function which I hope fixes it. + CAN-2005-0022 + +62. Configuration update for GNU/Hurd and variations. Updated Makefile-GNU and + os.h-GNU, and added configuration files for GNUkFreeBSD and GNUkNetBSD. + +63. The daemon start-up calls getloadavg() while still root for those OS that + need the first call to be done as root, but it missed one case: when + deliver_queue_load_max is set with deliver_drop_privilege. This is + necessary for the benefit of the queue runner, because there is no re-exec + when deliver_drop_privilege is set. + +64. A call to exiwhat cut short delays set up by "delay" modifiers in ACLs. + This has been fixed. + +65. Caching of lookup data for "hosts =" ACL conditions, when a named host list + was in use, was not putting the data itself into the right store pool; + consequently, it could be overwritten for a subsequent message in the same + SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked + the caching.) + +66. Added hosts_max_try_hardlimit to the smtp transport, default 50. + +67. The string_is_ip_address() function returns 0, 4, or 6, for "no an IP + address", "IPv4 address", and "IPv6 address", respectively. Some calls of + the function were treating the return as a boolean value, which happened to + work because 0=false and not-0=true, but is not correct code. + +68. The host_aton() function was not handling scoped IPv6 addresses (those + with, for example, "%eth0" on the end) correctly. + +69. Fixed some compiler warnings in acl.c for the bitmaps specified with + negated items (that is, ~something) in unsigned ints. Some compilers + apparently mutter when there is no cast. + +70. If an address verification called from an ACL failed, and did not produce a + user-specific message (i.e. there was only a "system" message), nothing was + put in $acl_verify_message. In this situation, it now puts the system + message there. + +71. Change 4.23/11 added synchronization checking at the start of an SMTP + session; change 4.31/43 added the unwanted input to the log line - except + that it did not do this in the start of session case. It now does. + +72. After a timeout in a callout SMTP session, Exim still sent a QUIT command. + This is wrong and can cause the other end to generate a synchronization + error if it is another Exim or anything else that does the synchronization + check. A QUIT command is no longer sent after a timeout. + +73. $host_lookup_deferred has been added, to make it easier to detect DEFERs + during host lookups. + +74. The defer_ok option of callout verification was not working if it was used + when verifying addresses in header lines, that is, for this case: + + verify = header_sender/callout=defer_ok + +75. A backgrounded daemon closed stdin/stdout/stderr on entry; this meant that + those file descriptors could be used for SMTP connections. If anything + wrote to stderr (the example that came up was "warn" in embedded Perl), it + could be sent to the SMTP client, causing chaos. The daemon now opens + stdin, stdout, and stderr to /dev/null when it puts itself into the + background. + +76. Arrange for output from Perl's "warn" command to be written to Exim's main + log by default. The user can override this with suitable Perl magic. + +77. The use of log_message on a "discard" ACL verb, which is supposed to add to + the log message when discard triggers, was not working for the DATA ACL or + for the non-SMTP ACL. + +78. Error message wording change in sieve.c. + +79. If smtp_accept_max_per_host was set, the number of connections could be + restricted to fewer than expected, because the daemon was trying to set up + a new connection before checking whether the processes handling previous + connections had finished. The check for completed processes is now done + earlier. On busy systems, this bug wouldn't be noticed because something + else would have woken the daemon, and it would have reaped the completed + process earlier. + +80. If a message was submitted locally by a user whose login name contained one + or more spaces (ugh!), the spool file that Exim wrote was not re-readable. + It caused a spool format error. I have fixed the spool reading code. A + related problem was that the "from" clause in the Received: line became + illegal because of the space(s). It is now covered by ${quote_local_part. + +81. Included the latest eximstats from Steve (adds average sizes to HTML Top + tables). + +82. Updated OS/Makefile-AIX as per message from Mike Meredith. + +83. Patch from Sieve maintainer to fix unterminated string problem in + "vacation" handling. + +84. Some minor changes to the Linux configuration files to help with other + OS variants using glibc. + +85. One more patch for Sieve to update vacation handling to latest spec. + + +---------------------------------------------------- +See the note above about the 4.44 and 4.50 releases. +---------------------------------------------------- + + +Exim version 4.44 +----------------- + + 1. Change 4.43/35 introduced a bug that caused file counts to be + incorrectly computed when quota_filecount was set in an appendfile + transport + + 2. Closing a stable door: arrange to panic-die if setitimer() ever fails. The + bug fixed in 4.43/37 would have been diagnosed quickly if this had been in + place. + + 3. Give more explanation in the error message when the command for a transport + filter fails to execute. + + 4. There are several places where Exim runs a non-Exim command in a + subprocess. The SIGUSR1 signal should be disabled for these processes. This + was being done only for the command run by the queryprogram router. It is + now done for all such subprocesses. The other cases are: ${run, transport + filters, and the commands run by the lmtp and pipe transports. + + 5. Some older OS have a limit of 256 on the maximum number of file + descriptors. Exim was using setrlimit() to set 1000 as a large value + unlikely to be exceeded. Change 4.43/17 caused a lot of logging on these + systems. I've change it so that if it can't get 1000, it tries for 256. + + 6. "control=submission" was allowed, but had no effect, in a DATA ACL. This + was an oversight, and furthermore, ever since the addition of extra + controls (e.g. 4.43/32), the checks on when to allow different forms of + "control" were broken. There should now be diagnostics for all cases when a + control that does not make sense is encountered. + + 7. $recipients is now available in the predata ACL (oversight). + + 8. Tidy the search cache before the fork to do a delivery from a message + received from the command line. Otherwise the child will trigger a lookup + failure and thereby defer the delivery if it tries to use (for example) a + cached ldap connection that the parent has called unbind on. + + 9. If verify=recipient was followed by verify=sender in a RCPT ACL, the value + of $address_data from the recipient verification was clobbered by the + sender verification. + +10. If FIXED_NEVER_USERS was defined, but empty, Exim was assuming the uid 0 + was its contents. (It was OK if the option was not defined at all.) + +11. A "Completed" log line is now written for messages that are removed from + the spool by the -Mrm option. + +12. $host_address is now set to the target address during the checking of + ignore_target_hosts. + +13. When checking ignore_target_hosts for an ipliteral router, no host name was + being passed; this would have caused $sender_host_name to have been used if + matching the list had actually called for a host name (not very likely, + since this list is usually IP addresses). A host name is now passed as + "[x.x.x.x]". + +14. Changed the calls that set up the SIGCHLD handler in the daemon to use the + code that specifies a non-restarting handler (typically sigaction() in + modern systems) in an attempt to fix a rare and obscure crash bug. + +15. Narrowed the window for a race in the daemon that could cause it to ignore + SIGCHLD signals. This is not a major problem, because they are used only to + wake it up if nothing else does. + +16. A malformed maildirsize file could cause Exim to calculate negative values + for the mailbox size or file count. Odd effects could occur as a result. + The maildirsize information is now recalculated if the size or filecount + end up negative. + +17. Added HAVE_SYS_STATVFS_H to the os.h file for Linux, as it has had this + support for a long time. Removed HAVE_SYS_VFS_H. + +18. Updated exipick to current release from John Jetmore. + +19. Allow an empty sender to be matched against a lookup in an address list. + Previously the only cases considered were a regular expression, or an + empty pattern. + +20. Exim went into a mad DNS lookup loop when doing a callout where the + host was specified on the transport, if the DNS lookup yielded more than + one IP address. + +21. The RFC2047 encoding function was originally intended for short strings + such as real names; it was not keeping to the 75-character limit for + encoded words that the RFC imposes. It now respects the limit, and + generates multiple encoded words if necessary. To be on the safe side, I + have increased the buffer size for the ${rfc2047: expansion operator from + 1024 to 2048 bytes. + +22. Failure to deliver a bounce message always caused it to be frozen, even if + there was an errors_to setting on the router. The errors_to setting is now + respected. + +23. If an IPv6 address is given for -bh or -bhc, it is now converted to the + canonical form (fully expanded) before being placed in + $sender_host_address. + +24. Updated eximstats to version 1.33 + +25. Include certificate and key file names in error message when GnuTLS fails + to set them up, because the GnuTLS error message doesn't include the name + of the failing file when there is a problem reading it. + +26. Expand error message when OpenSSL has problems setting up cert/key files. + As per change 25. + +27. Reset the locale to "C" after calling embedded Perl, in case it was changed + (this can affect the format of dates). + +28. exim_tidydb, when checking for the continued existence of a message for + which it has found a message-specific retry record, was not finding + messages that were in split spool directories. Consequently, it was + deleting retry records that should have stayed in existence. + +29. eximstats updated to version 1.35 + 1.34 - allow eximstats to parse syslog lines as well as mainlog lines + 1.35 - bugfix such that pie charts by volume are generated correctly + +30. The SPA authentication driver was not abandoning authentication and moving + on to the next authenticator when an expansion was forced to fail, + contradicting the general specification for all authenticators. Instead it + was generating a temporary error. It now behaves as specified. + +31. The default ordering of permitted cipher suites for GnuTLS was pessimal + (the order specifies the preference for clients). The order is now AES256, + AES128, 3DES, ARCFOUR128. + +31. Small patch to Sieve code - explicitly set From: when generating an + autoreply. + +32. Exim crashed if a remote delivery caused a very long error message to be + recorded - for instance if somebody sent an entire SpamAssassin report back + as a large number of 550 error lines. This bug was coincidentally fixed by + increasing the size of one of Exim's internal buffers (big_buffer) that + happened as part of the Exiscan merge. However, to be on the safe side, I + have made the code more robust (and fixed the comments that describe what + is going on). + +33. Some experimental protocols are using DNS PTR records for new purposes. The + keys for these records are domain names, not reversed IP addresses. The + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. + CAN-2005-0021 + +34. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb PTR lookup with an IPv6 address that had more than 8 + components; fortuitously, this particular loophole had already been fixed + by change 4.50/55 or 4.44/33 above. + + If there are any other similar loopholes, the new check in host_aton() + itself should stop them being exploited. The report I received stated that + data on the command line could provoke the exploit when Exim was running as + exim, but did not say which command line option was involved. All I could + find was the use of -be with a bad dnsdb PTR lookup, and in that case it is + running as the user. + CAN-2005-0021 + +35. There was a buffer overflow vulnerability in the SPA authentication code + (which came originally from the Samba project). I have added a test to the + spa_base64_to_bits() function which I hope fixes it. + CAN-2005-0022 + +36. The daemon start-up calls getloadavg() while still root for those OS that + need the first call to be done as root, but it missed one case: when + deliver_queue_load_max is set with deliver_drop_privilege. This is + necessary for the benefit of the queue runner, because there is no re-exec + when deliver_drop_privilege is set. + +37. Caching of lookup data for "hosts =" ACL conditions, when a named host list + was in use, was not putting the data itself into the right store pool; + consequently, it could be overwritten for a subsequent message in the same + SMTP connection. (Fix 4.40/11 dealt with the non-cache case, but overlooked + the caching.) + +38. Sometimes the final signoff response after QUIT could fail to get + transmitted in the non-TLS case. Testing !tls_active instead of tls_active + < 0 before doing a fflush(). This bug looks as though it goes back to the + introduction of TLS in release 3.20, but "sometimes" must have been rare + because the tests only now provoked it. + + +Exim version 4.43 +----------------- + + 1. Fixed a longstanding but relatively impotent bug: a long time ago, before + PIPELINING, the function smtp_write_command() used to return TRUE or FALSE. + Now it returns an integer. A number of calls were still expecting a T/F + return. Fortuitously, in all cases, the tests worked in OK situations, + which is the norm. However, things would have gone wrong on any write + failures on the smtp file descriptor. This function is used when sending + messages over SMTP and also when doing verify callouts. + + 2. When Exim is called to do synchronous delivery of a locally submitted + message (the -odf or -odi options), it no longer closes stderr before doing + the delivery. + + 3. Implemented the mua_wrapper option. + + 4. Implemented mx_fail_domains and srv_fail_domains for the dnslookup router. + + 5. Implemented the functions header_remove(), header_testname(), + header_add_at_position(), and receive_remove_recipient(), and exported them + to local_scan(). + + 6. If an ACL "warn" statement specified the addition of headers, Exim already + inserted X-ACL-Warn: at the start if there was no header name. However, it + was not making this test for the second and subsequent header lines if + there were newlines in the string. This meant that an invalid header could + be inserted if Exim was badly configured. + + 7. Allow an ACL "warn" statement to add header lines at the start or after all + the Received: headers, as well as at the end. + + 8. Added the rcpt_4xx retry error code. + + 9. Added postmaster_mailfrom=xxx to callout verification option. + +10. Added mailfrom=xxxx to the callout verification option, for verify= + header_sender only. + +11. ${substr_1_:xxxx} and ${substr__3:xxxx} are now diagnosed as syntax errors + (they previously behaved as ${substr_1_0:xxxx} and ${substr:_0_3:xxxx}). + +12. Inserted some casts to stop certain compilers warning when using pointer + differences as field lengths or precisions in printf-type calls (mostly + affecting debugging statements). + +13. Added optional readline() support for -be (dynamically loaded). + +14. Obscure bug fix: if a message error (e.g. 4xx to MAIL) happened within the + same clock tick as a message's arrival, so that its received time was the + same as the "first fail" time on the retry record, and that message + remained on the queue past the ultimate address timeout, every queue runner + would try a delivery (because it was past the ultimate address timeout) but + after another failure, the ultimate address timeout, which should have then + bounced the address, did not kick in. This was a "< instead of <=" error; + in most cases the first failure would have been in the next clock tick + after the received time, and all would be well. + +15. The special items beginning with @ in domain lists (e.g. @mx_any) were not + being recognized when the domain list was tested by the match_domain + condition in an expansion string. + +16. Added the ${str2b64: operator. + +17. Exim was always calling setrlimit() to set a large limit for the number of + processes, without checking whether the existing limit was already + adequate. (It did check for the limit on file descriptors.) Furthermore, + errors from getrlimit() and setrlimit() were being ignored. Now they are + logged to the main and panic logs, but Exim does carry on, to try to do its + job under whatever limits there are. + +18. Imported PCRE 5.0. + +19. Trivial typo in log message " temporarily refused connection" (the leading + space). + +20. If the log selector return_path_on_delivery was set and an address was + redirected to /dev/null, the delivery process crashed because it assumed + that a return path would always be set for a "successful" delivery. In this + case, the whole delivery is bypassed as an optimization, and therefore no + return path is set. + +21. Internal re-arrangement: the function for sending a challenge and reading + a response while authentication was assuming a zero-terminated challenge + string. It's now changed to take a pointer and a length, to allow for + binary data in such strings. + +22. Added the cyrus_sasl authenticator (code supplied by MBM). + +23. Exim was not respecting finduser_retries when seeking the login of the + uid under which it was called; it was always trying 10 times. (The default + setting of finduser_retries is zero.) Also, it was sleeping after the final + failure, which is pointless. + +24. Implemented tls_on_connect_ports. + +25. Implemented acl_smtp_predata. + +26. If the domain in control=submission is set empty, Exim assumes that the + authenticated id is a complete email address when it generates From: or + Sender: header lines. + +27. Added "#define SOCKLEN_T int" to OS/os.h-SCO and OS/os.h-SCO_SV. Also added + definitions to OS/Makefile-SCO and OS/Makefile-SCO_SV that put basename, + chown and chgrp in /bin and hostname in /usr/bin. + +28. Exim was keeping the "process log" file open after each use, just as it + does for the main log. This opens the possibility of it remaining open for + long periods when the USR1 signal hits a daemon. Occasional processlog + errors were reported, that could have been caused by this. Anyway, it seems + much more sensible not to leave this file open at all, so that is what now + happens. + +29. The long-running daemon process does not normally write to the log once it + has entered its main loop, and it closes the log before doing so. This is + so that log files can straightforwardly be renamed and moved. However, + there are a couple of unusual error situations where the daemon does write + log entries, and I had neglected to close the log afterwards. + +30. The text of an SMTP error response that was received during a remote + delivery was being truncated at 512 bytes. This is too short for some of + the long messages that one sometimes sees. I've increased the limit to + 1024. + +31. It is now possible to make retry rules that apply only when a message has a + specific sender, in particular, an empty sender. + +32. Added "control = enforce_sync" and "control = no_enforce_sync". This makes + it possible to be selective about when SMTP synchronization is enforced. + +33. Added "control = caseful_local_part" and "control = "caselower_local_part". + +32. Implemented hosts_connection_nolog. + +33. Added an ACL for QUIT. + +34. Setting "delay_warning=" to disable warnings was not working; it gave a + syntax error. + +35. Added mailbox_size and mailbox_filecount to appendfile. + +36. Added control = no_multiline_responses to ACLs. + +37. There was a bug in the logic of the code that waits for the clock to tick + in the case where the clock went backwards by a substantial amount such + that the microsecond fraction of "now" was more than the microsecond + fraction of "then" (but the whole seconds number was less). + +38. Added support for the libradius Radius client library this is found on + FreeBSD (previously only the radiusclient library was supported). + + +Exim version 4.42 +----------------- + + 1. When certain lookups returned multiple values in the form name=value, the + quoting of the values was not always being done properly. Specifically: + (a) If the value started with a double quote, but contained no whitespace, + it was not quoted. + (b) If the value contained whitespace other than a space character (i.e. + tabs or newlines or carriage returns) it was not quoted. + This fix has been applied to the mysql and pgsql lookups by writing a + separate quoting function and calling it from the lookup code. The fix + should probably also be applied to nisplus, ibase and oracle lookups, but + since I cannot test any of those, I have not disturbed their existing code. + + 2. A hit in the callout cache for a specific address caused a log line with no + reason for rejecting RCPT. Now it says "Previous (cached) callout + verification failure". + + 3. There was an off-by-one bug in the queryprogram router. An over-long + return line was truncated at 256 instead of 255 characters, thereby + overflowing its buffer with the terminating zero. As well as fixing this, I + have increased the buffer size to 1024 (and made a note to document this). + + 4. If an interrupt, such as the USR1 signal that is send by exiwhat, arrives + when Exim is waiting for an SMTP response from a remote server, Exim + restarts its select() call on the socket, thereby resetting its timeout. + This is not a problem when such interrupts are rare. Somebody set up a cron + job to run exiwhat every 2 minutes, which is less than the normal select() + timeout (5 or 10 minutes). This meant that the select() timeout never + kicked in because it was always reset. I have fixed this by comparing the + time when an interrupt arrives with the time at the start of the first call + to select(). If more time than the timeout has elapsed, the interrupt is + treated as a timeout. + + 5. Some internal re-factoring in preparation for the addition of Sieve + extensions (by MH). In particular, the "personal" test is moved to a + separate function, and given an option for scanning Cc: and Bcc: (which is + not set for Exim filters). + + 6. When Exim created an email address using the login of the caller as the + local part (e.g. when creating a From: or Sender: header line), it was not + quoting the local part when it contained special characters such as @. + + 7. Installed new OpenBSD configuration files. + + 8. Reworded some messages for syntax errors in "and" and "or" conditions to + try to make them clearer. + + 9. Callout options, other than the timeout value, were being ignored when + verifying sender addresses in header lines. For example, when using + + verify = header_sender/callout=no_cache + + the cache was (incorrectly) being used. + +10. Added a missing instance of ${EXE} to the exim_install script; this affects + only the Cygwin environment. + +11. When return_path_on_delivery was set as a log selector, if different remote + addresses in the same message used different return paths and parallel + remote delivery occurred, the wrong values would sometimes be logged. + (Whenever a remote delivery process finished, the return path value from + the most recently started remote delivery process was logged.) + +12. RFC 3848 specifies standard names for the "with" phrase in Received: header + lines when AUTH and/or TLS are in use. This is the "received protocol" + field. Exim used to use "asmtp" for authenticated SMTP, without any + indication (in the protocol name) for TLS use. Now it follows the RFC and + uses "esmtpa" if the connection is authenticated, "esmtps" if it is + encrypted, and "esmtpsa" if it is both encrypted and authenticated. These + names appear in log lines as well as in Received: header lines. + +13. Installed MH's patches for Sieve to add the "copy" and "vacation" + extensions, and comparison tests, and to fix some bugs. + +14. Changes to the "personal" filter test: + + (1) The test was buggy in that it was just doing the equivalent of + "contains" tests on header lines. For example, if a user's address was + anne@some.where, the "personal" test would incorrectly be true for + + To: susanne@some.where + + This test is now done by extracting each address from the header in turn, + and checking the entire address. Other tests that are part of "personal" + are now done using regular expressions (for example, to check local parts + of addresses in From: header lines). + + (2) The list of non-personal local parts in From: addresses has been + extended to include "listserv", "majordomo", "*-request", and "owner-*", + taken from the Sieve specification recommendations. + + (3) If the message contains any header line starting with "List-" it is + treated as non-personal. + + (4) The test for "circular" in the Subject: header line has been removed + because it now seems ill-conceived. + +15. Minor typos in src/EDITME comments corrected. + +16. Installed latest exipick from John Jetmore. + +17. If headers_add on a router specified a text string that was too long for + string_sprintf() - that is, longer than 8192 bytes - Exim panicked. The use + of string_sprintf() is now avoided. + +18. $message_body_size was not set (it was always zero) when running the DATA + ACL and the local_scan() function. + +19. For the "mail" command in an Exim filter, no default was being set for + the once_repeat time, causing a random time value to be used if "once" was + specified. (If the value happened to be <= 0, no repeat happened.) The + default is now 0s, meaning "never repeat". The "vacation" command was OK + (its default is 7d). It's somewhat surprising nobody ever noticed this bug + (I found it when inspecting the code). + +20. There is now an overall timeout for performing a callout verification. It + defaults to 4 times the callout timeout, which applies to individual SMTP + commands during the callout. The overall timeout applies when there is more + than one host that can be tried. The timeout is checked before trying the + next host. This prevents very long delays if there are a large number of + hosts and all are timing out (e.g. when the network connections are timing + out). The value of the overall timeout can be changed by specifying an + additional sub-option for "callout", called "maxwait". For example: + + verify = sender/callout=5s,maxwait=20s + +21. Add O_APPEND to the open() call for maildirsize files (Exim already seeks + to the end before writing, but this should make it even safer). + +22. Exim was forgetting that it had advertised PIPELINING for the second and + subsequent messages on an SMTP connection. It was also not resetting its + memory on STARTTLS and an internal HELO. + +23. When Exim logs an SMTP synchronization error within a session, it now + records whether PIPELINING has been advertised or not. + +24. Added 3 instances of "(long int)" casts to time_t variables that were being + formatted using %ld, because on OpenBSD (and perhaps others), time_t is int + rather than long int. + +25. Installed the latest Cygwin configuration files from the Cygwin maintainer. + +26. Added the never_mail option to autoreply. + + +Exim version 4.41 +----------------- + + 1. A reorganization of the code in order to implement 4.40/8 caused a daemon + crash if the getsockname() call failed; this can happen if a connection is + closed very soon after it is established. The problem was simply in the + order in which certain operations were done, causing Exim to try to write + to the SMTP stream before it had set up the file descriptor. The bug has + been fixed by making things happen in the correct order. + + +Exim version 4.40 +----------------- + + 1. If "drop" was used in a DATA ACL, the SMTP output buffer was not flushed + before the connection was closed, thus losing the rejection response. + + 2. Commented out the definition of SOCKLEN_T in os.h-SunOS5. It is needed for + some early Solaris releases, but causes trouble in current releases where + socklen_t is defined. + + 3. When std{in,out,err} are closed, re-open them to /dev/null so that they + always exist. + + 4. Minor refactoring of os.c-Linux to avoid compiler warning when IPv6 is not + configured. + + 5. Refactoring in expand.c to improve memory usage. Pre-allocate a block so + that releasing the top of it at the end releases what was used for sub- + expansions (unless the block got too big). However, discard this block if + the first thing is a variable or header, so that we can use its block when + it is dynamic (useful for very large $message_headers, for example). + + 6. Lookups now cache *every* query, not just the most recent. A new, separate + store pool is used for this. It can be recovered when all lookup caches are + flushed. Lookups now release memory at the end of their result strings. + This has involved some general refactoring of the lookup sources. + + 7. Some code has been added to the store_xxx() functions to reduce the amount + of flapping under certain conditions. + + 8. log_incoming_interface used to affect only the <= reception log lines. Now + it causes the local interface and port to be added to several more SMTP log + lines, for example "SMTP connection from", and rejection lines. + + 9. The Sieve author supplied some patches for the doc/README.SIEVE file. + +10. Added a conditional definition of _BSD_SOCKLEN_T to os.h-Darwin. + +11. If $host_data was set by virtue of a hosts lookup in an ACL, its value + could be overwritten at the end of the current message (or the start of a + new message if it was set in a HELO ACL). The value is now preserved for + the duration of the SMTP connection. + +12. If a transport had a headers_rewrite setting, and a matching header line + contained an unqualified address, that address was qualified, even if it + did not match any rewriting rules. The underlying bug was that the values + of the flags that permit the existence of unqualified sender and recipient + addresses in header lines (set by {sender,recipient}_unqualified_hosts for + non-local messages, and by -bnq for local messages) were not being + preserved with the message after it was received. + +13. When Exim was logging an SMTP synchronization error, it could sometimes log + "next input=" as part of the text comprising the host identity instead of + the correct text. The code was using the same buffer for two different + strings. However, depending on which order the printing function evaluated + its arguments, the bug did not always show up. Under Linux, for example, my + test suite worked just fine. + +14. Exigrep contained a use of Perl's "our" scoping after change 4.31/70. This + doesn't work with some older versions of Perl. It has been changed to "my", + which in any case is probably the better facility to use. + +15. A really picky compiler found some instances of statements for creating + error messages that either had too many or two few arguments for the format + string. + +16. The size of the buffer for calls to the DNS resolver has been increased + from 1024 to 2048. A larger buffer is needed when performing PTR lookups + for addresses that have a lot of PTR records. This alleviates a problem; it + does not fully solve it. + +17. A dnsdb lookup for PTR records that receives more data than will fit in the + buffer now truncates the list and logs the incident, which is the same + action as happens when Exim is looking up a host name and its aliases. + Previously in this situation something unpredictable would happen; + sometimes it was "internal error: store_reset failed". + +18. If a server dropped the connection unexpectedly when an Exim client was + using GnuTLS and trying to read a response, the client delivery process + crashed while trying to generate an error log message. + +19. If a "warn" verb in an ACL added multiple headers to a message in a single + string, for example: + + warn message = H1: something\nH2: something + + the text was added as a single header line from Exim's point of view + though it ended up OK in the delivered message. However, searching for the + second and subsequent header lines using $h_h2: did not work. This has been + fixed. Similarly, if a system filter added multiple headers in this way, + the routers could not see them. + +20. Expanded the error message when iplsearch is called with an invalid key to + suggest using net-iplsearch in a host list. + +21. When running tests using -bh, any delays imposed by "delay" modifiers in + ACLs are no longer actually imposed (and a message to that effect is + output). + +22. If a "gecos" field in a passwd entry contained escaped characters, in + particular, if it contained a \" sequence, Exim got it wrong when building + a From: or a Sender: header from that name. A second bug also caused + incorrect handling when an unquoted " was present following a character + that needed quoting. + +23. "{crypt}" as a password encryption mechanism for a "crypteq" expansion item + was not being matched caselessly. + +24. Arranged for all hyphens in the exim.8 source to be escaped with + backslashes. + +25. Change 16 of 4.32, which reversed 71 or 4.31 didn't quite do the job + properly. Recipient callout cache records were still being keyed to include + the sender, even when use_sender was set false. This led to far more + callouts that were necessary. The sender is no longer included in the key + when use_sender is false. + +26. Added "control = submission" modifier to ACLs. + +27. Added the ${base62d: operator to decode base 62 numbers. + +28. dnsdb lookups can now access SRV records. + +29. CONFIGURE_OWNER can be set at build time to define an alternative owner for + the configuration file. + +30. The debug message "delivering xxxxxx-xxxxxx-xx" is now output in verbose + (-v) mode. This makes the output for a verbose queue run more intelligible. + +31. Added a use_postmaster feature to recipient callouts. + +32. Added the $body_zerocount variable, containing the number of binary zero + bytes in the message body. + +33. The time of last modification of the "new" subdirectory is now used as the + "mailbox time last read" when there is a quota error for a maildir + delivery. + +34. Added string comparison operators lt, lti, le, lei, gt, gti, ge, gei. + +35. Added +ignore_unknown as a special item in host lists. + +36. Code for decoding IPv6 addresses in host lists is now included, even if + IPv6 support is not being compiled. This fixes a bug in which an IPv6 + address was recognized as an IP address, but was then not correctly decoded + into binary, causing unexpected and incorrect effects when compared with + another IP address. + + +Exim version 4.34 +----------------- + + 1. Very minor rewording of debugging text in manualroute to say "list of + hosts" instead of "hostlist". + + 2. If verify=header_syntax was set, and a header line with an unqualified + address (no domain) and a large number of spaces between the end of the + name and the colon was received, the reception process suffered a buffer + overflow, and (when I tested it) crashed. This was caused by some obsolete + code that should have been removed. The fix is to remove it! + + 3. When running in the test harness, delay a bit after writing a bounce + message to get a bit more predictability in the log output. + + 4. Added a call to search_tidyup() just before forking a reception process. In + theory, someone could use a lookup in the expansion of smtp_accept_max_ + per_host which, without the tidyup, could leave open a database connection. + + 5. Added the variables $recipient_data and $sender_data which get set from a + lookup success in an ACL "recipients" or "senders" condition, or a router + "senders" option, similar to $domain_data and $local_part_data. + + 6. Moved the writing of debug_print from before to after the "senders" test + for routers. + + 7. Change 4.31/66 (moving the time when the Received: is generated) caused + problems for message scanning, either using a data ACL, or using + local_scan() because the Received: header was not generated till after they + were called (in order to set the time as the time of reception completion). + I have revised the way this works. The header is now generated after the + body is received, but before the ACL or local_scan() are called. After they + are run, the timestamp in the header is updated. + + +Exim version 4.33 +----------------- + + 1. Change 4.24/6 introduced a bug because the SIGALRM handler was disabled + before starting a queue runner without re-exec. This happened only when + deliver_drop_privilege was set or when the Exim user was set to root. The + effect of the bug was that timeouts during subsequent deliveries caused + crashes instead of being properly handled. The handler is now left at its + default (and expected) setting. + + 2. The other case in which a daemon avoids a re-exec is to deliver an incoming + message, again when deliver_drop_privilege is set or Exim is run as root. + The bug described in (1) was not present in this case, but the tidying up + of the other signals was missing. I have made the two cases consistent. + + 3. The ignore_target_hosts setting on a manualroute router was being ignored + for hosts that were looked up using the /MX notation. + + 4. Added /ignore=<ip list> feature to @mx_any, @mx_primary, and @mx_secondary + in domain lists. + + 5. Change 4.31/55 was buggy, and broke when there was a rewriting rule that + operated on the sender address. After changing the $sender_address to <> + for the sender address verify, Exim was re-instated it as the original + (before rewriting) address, but remembering that it had rewritten it, so it + wasn't rewriting it again. This bug also had the effect of breaking the + sender address verification caching when the sender address was rewritten. + + 6. The ignore_target_hosts option was being ignored by the ipliteral router. + This has been changed so that if the ip literal address matches + ignore_target_hosts, the router declines. + + 7. Added expansion conditions match_domain, match_address, and match_local_ + part (NOT match_host). + + 8. The placeholder for the Received: header didn't have a length field set. + + 9. Added code to Exim itself and to exim_lock to test for a specific race + condition that could lead to file corruption when using MBX delivery. The + issue is with the lockfile that is created in /tmp. If this file is removed + after a process has opened it but before that process has acquired a lock, + there is the potential for a second process to recreate the file and also + acquire a lock. This could lead to two Exim processes writing to the file + at the same time. The added code performs the same test as UW imapd; it + checks after acquiring the lock that its file descriptor still refers to + the same named file. + +10. The buffer for building added header lines was of fixed size, 8192 bytes. + It is now parameterized by HEADER_ADD_BUFFER_SIZE and this can be adjusted + when Exim is built. + +11. Added the smtp_active_hostname option. If used, this will typically be made + to depend on the incoming interface address. Because $interface_address is + not set up until the daemon has forked a reception process, error responses + that can happen earlier (such as "too many connections") no longer contain + a host name. + +12. If an expansion in a condition on a "warn" statement fails because a lookup + defers, the "warn" statement is abandoned, and the next ACL statement is + processed. Previously this caused the whole ACL to be aborted. + +13. Added the iplsearch lookup type. + +14. Added ident_timeout as a log selector. + +15. Added tls_certificate_verified as a log selector. + +16. Added a global option tls_require_ciphers (compare the smtp transport + option of the same name). This controls incoming TLS connections. + +17. I finally figured out how to make tls_require_ciphers do a similar thing + in GNUtls to what it does in OpenSSL, that is, set up an appropriate list + before starting the TLS session. + +18. Tabs are now shown as \t in -bP output. + +19. If the log selector return_path_on_delivery was set, Exim crashed when + bouncing a message because it had too many Received: header lines. + +20. If two routers both had headers_remove settings, and the first one included + a superfluous trailing colon, the final name in the first list and the + first name in the second list were incorrectly joined into one item (with a + colon in the middle). + + +Exim version 4.32 +----------------- + + 1. Added -C and -D options to the exinext utility, mainly to make it easier + to include in the automated testing, but these could be helpful when + multiple configurations are in use. + + 2. The exinext utility was not formatting the output nicely when there was + an alternate port involved in the retry record key, nor when there was a + message id as well (for retries that were specific to a specific message + and a specific host). It was also confused by IPv6 addresses, because of + the additional colons they contain. I have fixed the IPv4 problem, and + patched it up to do a reasonable job for IPv6. + + 3. When there is an error after a MAIL, RCPT, or DATA SMTP command during + delivery, the log line now contains "pipelined" if PIPELINING was used. + + 4. An SMTP transport process used to panic and die if the bind() call to set + an explicit outgoing interface failed. This has been changed; it is now + treated in the same way as a connect() failure. + + 5. A reference to $sender_host_name in the part of a conditional expansion + that was being skipped was still causing a DNS lookup. This no longer + occurs. + + 6. The def: expansion condition was not recognizing references to header lines + that used bh_ and bheader_. + + 7. Added the _cache feature to named lists. + + 8. The code for checking quota_filecount in the appendfile transport was + allowing one more file than it should have been. + + 9. For compatibility with Sendmail, the command line option + + -prval:sval + + is equivalent to + + -oMr rval -oMs sval + + and sets the incoming protocol and host name (for trusted callers). The + host name and its colon can be omitted when only the protocol is to be set. + Note the Exim already has two private options, -pd and -ps, that refer to + embedded Perl. It is therefore impossible to set a protocol value of "d" or + "s", but I don't think that's a major issue. + +10. A number of refactoring changes to the code, none of which should affect + Exim's behaviour: + + (a) The number of logging options was getting close to filling up the + 32-bit word that was used as a bit map. I have split them into two classes: + those that are passed in the argument to log_write(), and those that are + only ever tested independently outside of that function. These are now in + separate 32-bit words, so there is plenty of room for expansion again. + There is no change in the user interface or the logging behaviour. + + (b) When building, for example, log lines, the code previously used a + macro that called string_cat() twice, in order to add two strings. This is + not really sufficiently general. Furthermore, there was one instance where + it was actually wrong because one of the argument was used twice, and in + one call a function was used. (As it happened, calling the function twice + did not affect the overall behaviour.) The macro has been replaced by a + function that can join an arbitrary number of extra strings onto a growing + string. + + (c) The code for expansion conditions now uses a table and a binary chop + instead of a serial search (which was left over from when there were very + few conditions). Also, it now recognizes conditions like "pam" even when + the relevant support is not compiled in: a suitably worded error message is + given if an attempt is made to use such a condition. + +11. Added ${time_interval:xxxxx}. + +12. A bug was causing one of the ddress fields not to be passed back correctly + from remote delivery subprocesses. The field in question was not being + subsequently used, so this caused to problems in practice. + +13. Added new log selectors queue_time and deliver_time. + +14. Might have fixed a bug in maildirsizefile handling that threw up + "unexpected character" debug warnings, and recalculated the data + unnecessarily. In any case, I expanded the warning message to give more + information. + +15. Added the message "Restricted characters in address" to the statements in + the default ACL that block characters like @ and % in local parts. + +16. Change 71 for release 4.31 proved to be much less benign that I imagined. + Three changes have been made: + + (a) There was a serious bug; a negative response to MAIL caused the whole + recipient domain to be cached as invalid, thereby blocking all messages + to all local parts at the same domain, from all senders. This bug has + been fixed. The domain is no longer cached after a negative response to + MAIL if the sender used is not empty. + + (b) The default behaviour of using MAIL FROM:<> for recipient callouts has + been restored. + + (c) A new callout option, "use_sender" has been added for people who want + the modified behaviour. + + +Exim version 4.31 +----------------- + + 1. Removed "EXTRALIBS=-lwrap" from OS/Makefile-Unixware7 on the advice of + Larry Rosenman. + + 2. Removed "LIBS = -lresolv" from OS/Makefile-Darwin as it is not needed, and + indeed breaks things for older releases. + + 3. Added additional logging to the case where there is a problem reading data + from a filter that is running in a subprocess using a pipe, in order to + try to track down a specific problem. + + 4. Testing facility fudge: when running in the test harness and attempting + to connect to 10.x.x.x (expecting a connection timeout) I'm now sometimes + getting "No route to host". Convert this to a timeout. + + 5. Define ICONV_ARG2_TYPE as "char **" for Unixware7 to avoid compiler + warning. + + 6. Some OS don't have socklen_t but use size_t instead. This affects the + fifth argument of getsockopt() amongst other things. This is now + configurable by a macro called SOCKLEN_T which defaults to socklen_t, but + can be set for individual OS. I have set it for SunOS5, OSF1, and + Unixware7. Current versions of SunOS5 (aka Solaris) do have socklen_t, but + some earlier ones do not. + + 7. Change 4.30/15 was not doing the test caselessly. + + 8. The standard form for an IPv6 address literal was being rejected by address + parsing in, for example, MAIL and RCPT commands. An example of this kind of + address is [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts + this, as well as the form without the "IPv6" on the front (but only when + address literals are enabled, of course). + + 9. Added some casts to avoid compiler warnings in OS/os.c-Linux. + +10. Exim crashed if a message with an empty sender address specified by -f + encountered a router with an errors_to setting. This could be provoked only + by a command such as + + exim -f "" ... + + where an empty string was supplied; "<>" did not hit this bug. + +11. Installed PCRE release 4.5. + +12. If EHLO/HELO was rejected by an ACL, the value of $sender_helo_name + remained set. It is now erased. + +13. exiqgrep wasn't working on MacOS X because it didn't correctly compute + times from message ids (which are base 36 rather than the normal 62). + +14. "Expected" SMTP protocol errors that can arise when PIPELINING is in use + were being counted as actual protocol errors, and logged if the log + selector +smtp_protocol_error was set. One cannot be perfect in this test, + but now, if PIPELINING has been advertised, RCPT following a rejected MAIL, + and DATA following a set of rejected RCPTs do not count as protocol errors. + In other words, Exim assumes they were pipelined, though this may not + actually be the case. Of course, in all cases the client gets an + appropriate error code. + +15. If a lookup fails in an ACL condition, a message about the failure may + be available; it is used if testing the ACL cannot continue, because most + such messages specify what the cause of the deferral is. However, some + messages (e.g. "MYSQL: no data found") do not cause a defer. There was bug + that caused an old message to be retained and used if a later statement + caused a defer, replacing the real cause of the deferral. + +16. If an IP address had so many PTR records that the DNS lookup buffer + was not large enough to hold them, Exim could crash while trying to process + the truncated data. It now detects and logs this case. + +17. Further to 4.21/58, another change has been made: if (and only if) the + first line of a message (the first header line) ends with CRLF, a bare LF + in a subsequent header line has a space inserted after it, so as not to + terminate the header. + +18. Refactoring: tidied an ugly bit of code in appendfile that copied data + unnecessarily, used atoi() instead of strtol(), and didn't check the + termination when getting file sizes from file names by regex. + +19. Completely re-implemented the support for maildirsize files, in the light + of a number of problems with the previous contributed implementation + (4.30/29). In particular: + + . If the quota is zero, the maildirsize file is maintained, but no quota is + imposed. + + . If the maildir directory does not exist, it is created before any attempt + to write a maildirsize file. + + . The quota value in the file is just a cache; if the quota is changed in + the transport, the new value overrides. + + . A regular expression is available for excluding directories from the + count. + +20. The autoreply transport checks the characters in options that define the + message's headers; it allows continued headers, but it was checking with + isspace() after an embedded newline instead of explicitly looking for a + space or a tab. + +21. If all the "regular" hosts to which an address was routed had passed their + expiry times, and had not reached their retry times, the address was + bounced, even if fallback hosts were defined. Now Exim should go on to try + the fallback hosts. + +22. Increased buffer sizes in the callout code from 1024 to 4096 to match the + equivalent code in the SMTP transport. Some hosts send humungous responses + to HELO/EHLO, more than 1024 it seems. + +23. Refactoring: code in filter.c used (void *) for "any old type" but this + gives compiler warnings in some environments. I've now done it "properly", + using a union. + +24. The replacement for inet_ntoa() that is used with gcc on IRIX systems + (because of problems with the built-in one) was declared to return uschar * + instead of char *, causing compiler failure. + +25. Fixed a file descriptor leak when processing alias/forward files. + +26. Fixed a minor format string issue in dbfn.c. + +27. Typo in exim.c: ("dmbnz" for "dbmnz"). + +28. If a filter file refered to $h_xxx or $message_headers, and the headers + contained RFC 2047 "words", Exim's memory could, under certain conditions, + become corrupted. + +29. When a sender address is verified, it is cached, to save repeating the test + when there is more than one recipient in a message. However, when the + verification involves a callout, it is possible for different callout + options to be set for different recipients. It is too complicated to keep + track of this in the cache, so now Exim always runs a verification when a + callout is required, relying on the callout cache for the optimization. + The overhead is duplication of the address routing, but this should not be + too great. + +30. Fixed a bug in callout caching. If a RCPT command caused the sender address + to be verified with callout=postmaster, and the main callout worked but the + postmaster check failed, the verification correctly failed. However, if a + subsequent RCPT command asked for sender verification *without* the + postmaster check, incorrect caching caused this verification also to fail, + incorrectly. + +31. Exim caches DNS lookup failures so as to avoid multiple timeouts; however, + it was not caching the DNS options (qualify_single, search_parents) that + were used when the lookup failed. A subsequent lookup with different + options therefore always gave the same answer, though there were cases + where it should not have. (Example: a "domains = !$mx_any" option on a + dnslookup router: the "domains" option is always processed without any + widening, but the router might have qualify_single set.) Now Exim uses the + cached value only when the same options are set. + +32. Added John Jetmore's "exipick" utility to the distribution. + +33. GnuTLS: When an attempt to start a TLS session fails for any reason other + than a timeout (e.g. a certificate is required, and is not provided), an + Exim server now closes the connection immediately. Previously it waited for + the client to close - but if the client is SSL, it seems that they each + wait for each other, leading to a delay before one of them times out. + +34: GnuTLS: Updated the code to use the new GnuTLS 1.0.0 API. I have not + maintained 0.8.x compatibility because I don't think many are using it, and + it is clearly obsolete. + +35. Added TLS support for CRLs: a tls_crl global option and one for the smtp + transport. + +36. OpenSSL: $tls_certificate_verified was being set to 1 even if the + client certificate was expired. A simple patch fixes this, though I don't + understand the full logic of why the verify callback is called multiple + times. + +37. OpenSSL: a patch from Robert Roselius: "Enable client-bug workaround. + Versions of OpenSSL as of 0.9.6d include a 'CBC countermeasure' feature, + which causes problems with some clients (such as the Certicom SSL Plus + library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, + disables the coutermeasure allowing Eudora to connect." + +38. Exim was not checking that a write() to a log file succeeded. This could + lead to Bad Things if a log got too big, in particular if it hit a file + size limit. Exim now panics and dies if it cannot write to a log file, just + as it does if it cannot open a log file. + +39. Modified OS/Makefile-Linux so that it now contains + + CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE + + The two -D definitions ensure that Exim is compiled with large file + support, which makes it possible to handle log files that are bigger than + 2^31. + +40. Fixed a subtle caching bug: if (in an ACL or a set of routers, for + instance) a domain was checked against a named list that involved a lookup, + causing $domain_data to be set, then another domain was checked against the + same list, then the first domain was re-checked, the value of $domain_data + after the final check could be wrong. In particular, if the second check + failed, it could be set empty. This bug probably also applied to + $local_part_data. + +41. The strip_trailing_dot option was not being applied to the address given + with the -f command-line option. + +42. The code for reading a message's header from the spool was incrementing + $received_count, but never initializing it. This meant that the value was + incorrect (doubled) while delivering a message in the same process in which + it was received. In the most common configuration of Exim, this never + happens - a fresh exec is done - but it can happen when + deliver_drop_privilege is set. + +43. When Exim logs an SMTP synchronization error - client data sent too soon - + it now includes up to 150 characters of the unexpected data in the log + line. + +44. The exim_dbmbuild utility uses fixed size buffers for reading input lines + and building data strings. The size of both of these buffers was 10 000 + bytes - far larger than anybody would *ever* want, thought I. Needless to + say, somebody hit the limit. I have increased the maximum line length to + 20 000 and the maximum data length of concatenated lines to 100 000. I have + also fixed two bugs, because there was no checking on these buffers. Tsk, + tsk. Now exim_dbmbuild gives a message and exits with an error code if a + buffer is too small. + +45. The exim_dbmbuild utility did not support quoted keys, as Exim does in + lsearch lookups. Now it does. + +46. When parsing a route_list item in a manualroute router, a fixed-length + buffer was used for the list of hosts. I made this 1024 bytes long, + thinking that nobody would ever have a list of hosts that long. Wrong. + Somebody had a whole pile of complicated expansion conditions, and the + string was silently truncated, leading to an expansion error. It turns out + that it is easier to change to an unlimited length (owing to other changes + that have happened since this code was originally written) than to build + structure for giving a limitation error. The length of the item that + expands into the list of hosts is now unlimited. + +47. The lsearch lookup could not handle data where the length of text line was + more than 4095 characters. Such lines were truncated, leading to shortened + data being returned. It should now handle lines of any length. + +48. Minor wording revision: "cannot test xxx in yyy ACL" becomes "cannot test + xxx condition in yyy ACL" (e.g. "cannot test domains condition in DATA + ACL"). + +49. Cosmetic tidy to scripts like exicyclog that are generated by globally + replacing strings such as BIN_DIRECTORY in a source file: the replacement + no longer happens in comment lines. A list of replacements is now placed + at the head of all of the source files, except those whose only change is + to replace PERL_COMMAND in the very first #! line. + +50. Replaced the slow insertion sort in queue.c, for sorting the list of + messages on the queue, with a bottom-up merge sort, using code contributed + by Michael Haardt. This should make operations like -bp somewhat faster on + large queues. It won't affect queue runners, except when queue_run_in_order + is set. + +51. Installed eximstats 1.31 in the distribution. + +52. Added support for SRV lookups to the dnslookup router. + +53. If an ACL referred to $message_body or $message_body_end, the value was not + reset for any messages that followed in the same SMTP session. + +54. The store-handling optimization for building very long strings was not + differentiating between the different store pools. I don't think this + actually made any difference in practice, but I've tidied it. + +55. While running the routers to verify a sender address, $sender_address + was still set to the sender address. This is wrong, because when routing to + send a bounce to the sender, it would be empty. Therefore, I have changed + it so that, while verifying a sender address, $sender_address is set to <>. + (There is no change to what happens when verifying a recipient address.) + +56. After finding MX (or SRV) records, Exim was doing a DNS lookup for the + target A or AAAA records (if not already returned) without resetting the + qualify_single or search_parents options of the DNS resolver. These are + inappropriate in this case because the targets of MX and SRV records must + be FQDNs. A broken DNS record could cause trouble if it happened to have a + target that, when qualified, matched something in the local domain. These + two options are now turned off when doing these lookups. + +57. It seems that at least some releases of Reiserfs (which does not have the + concept of a fixed number of inodes) returns zero and not -1 for the + number of available inodes. This interacted badly with check_spool_inodes, + which assumed that -1 was the "no such thing" setting. What I have done is + to check that the total number of inodes is greater than zero before doing + the test of how many are available. + +58. When a "warn" ACL statement has a log_message modifier, the message is + remembered, and not repeated. This is to avoid a lot of repetition when a + message has many recipients that cause the same warning to be written. + However, Exim was preserving the list of already written lines for an + entire SMTP session, which doesn't seem right. The memory is now reset if a + new message is started. + +59. The "rewrite" debugging flag was not showing the result of rewriting in the + debugging output unless log_rewrite was also set. + +60. Avoid a compiler warning on 64-bit systems in dsearch.c by avoiding the use + of (int)(handle) when we know that handle contains (void *)(-1). + +61. The Exim daemon panic-logs an error return when it closes the incoming + connection. However "connection reset by peer" seems to be common, and + isn't really an error worthy of noting specially, so that particular error + is no long logged. + +62. When Exim is trying to find all the local interfaces, it used to panic and + die if the ioctl to get the interface flags failed. However, it seems that + on at least one OS (Solaris 9) it is possible to have an interface that is + included in the list of interfaces, but for which you get a failure error + for this call. This happens when the interface is not "plumbed" into a + protocol (i.e. neither IPv4 nor IPv6). I've changed the code so that a + failure of the "get flags" call assumes that the interface is down. + +63. Added a ${eval10: operator, which assumes all numbers are decimal. This + makes life easier for people who are doing arithmetic on fields extracted + from dates, where you often get leading zeros that should not be + interpreted as octal. + +64. Added qualify_domain to the redirect router, to override the global + setting. + +65. If a pathologically long header line contained very many addresses (the + report of this problem mentioned 10 000) and each of them was rewritten, + Exim could use up a very large amount of memory. (It kept on making new + copies of the header line as it rewrote, and never released the old ones.) + At the expense of a bit more processing, the header rewriting function has + been changed so that it no longer eats memory in this way. + +66. The generation of the Received: header has been moved from the time that a + message starts to be received, to the time that it finishes. The timestamp + in the Received: header should now be very close to that of the <= log + line. There are two side-effects of this change: + + (a) If a message is rejected by a DATA or non-SMTP ACL or local_scan(), the + logged header lines no longer include the local Received: line, because + it has not yet been created. The same applies to a copy of the message + that is returned to a non-SMTP sender when a message is rejected. + + (b) When a filter file is tested using -bf, no additional Received: header + is added to the test message. After some thought, I decided that this + is a bug fix. + + This change does not affect the value of $received_for. It is still set + after address rewriting, but before local_scan() is called. + +67. Installed the latest Cygwin-specific files from the Cygwin maintainer. + +68. GnuTLS: If an empty file is specified for tls_verify_certificates, GnuTLS + gave an unhelpful panic error message, and a defer error. I have managed to + change this behaviour so that it now rejects any supplied certificate, + which seems right, as the list of acceptable certificates is empty. + +69. OpenSSL: If an empty file is specified for tls_verify_certificates, OpenSSL + gave an unhelpful defer error. I have not managed to make this reject any + supplied certificates, but the error message it gives is "no certificate + supplied", which is not helpful. + +70. exigrep's output now also includes lines that are not associated with any + message, but which match the given pattern. Implemented by a patch from + Martin Sluka, which also tidied up the Perl a bit. + +71. Recipient callout verification, like sender verification, was using <> in + the MAIL FROM command. This isn't really the right thing, since the actual + sender may affect whether the remote host accepts the recipient or not. I + have changed it to use the actual sender in the callout; this means that + the cache record is now keyed on a recipient/sender pair, not just the + recipient address. There doesn't seem to be a real danger of callout loops, + since a callout by the remote host to check the sender would use <>. + [SEE ABOVE: changed after hitting problems.] + +72. Exim treats illegal SMTP error codes that do not begin with 4 or 5 as + temporary errors. However, in the case of such a code being given after + the end of a data transmission (i.e. after ".") Exim was failing to write + a retry record for the message. (Yes, there was some broken host that was + actually sending 8xx at this point.) + +73. An unknown lookup type in a host list could cause Exim to panic-die when + the list was checked. (An example that provoked this was putting <; in the + middle of a list instead of at the start.) If this happened during a DATA + ACL check, a -D file could be left lying around. This kind of configuration + error no longer causes Exim to die; instead it causes a defer error. The + incident is still logged to the main and panic logs. + +74. Buglet left over from Exim 3 conversion. The message "too many messages + in one connection" was written to the rejectlog but not the mainlog, except + when address rewriting (yes!) was being logged. + +75. Added write_rejectlog option. + +76. When a system filter was run not as root (that is, when system_filter_user + was set), the values of the $n variables were not being returned to the + main process; thus, they were not subsequently available in the $sn + variables. + +77. Added +return_path_on_delivery log selector. + +78. A connection timeout was being treated differently from recipients deferred + when testing hosts_max_try with a message that was older than the host's + retry timeout. (The host should not be counted, thus allowing all hosts to + be tried at least once before bouncing.) This may have been the cause of an + occasionally reported bug whereby a message would remain on the queue + longer than the retry timeout, but would be bounced if a delivery was + forced. I say "may" because I never totally pinned down the problem; + setting up timeout/retry tests is difficult. See also the next item. + +79. The ultimate address timeout was not being applied to errors that involved + a combination of host plus message (for example, a timeout on a MAIL + command). When an address resolved to a number of possible hosts, and they + were not all tried for each delivery (e.g. because of hosts_max_try), a + message could remain on the queue longer than the retry timeout. + +80. Sieve bug: "stop" inside "elsif" was broken. Applied a patch from Michael + Haardt. + +81. Fixed an obscure SMTP outgoing bug which required at least the following + conditions: (a) there was another message waiting for the same server; + (b) the server returned 5xx to all RCPT commands in the first message so + that the message was not completed; (c) the server dropped the connection + or gave a negative response to the RSET that Exim sends to abort the + transaction. The observed case was a dropped connection after DATA that had + been sent in pipelining mode. That is, the server had advertised PIPELINING + but was not implementing it correctly. The effect of the bug was incorrect + behaviour, such as trying another host, and this could lead to a crash. + + +Exim version 4.30 +----------------- + + 1. The 3rd arguments to getsockname(), getpeername(), and accept() in exim.c + and daemon.c were passed as pointers to ints; they should have been + pointers to socklen_t variables (which are typically unsigned ints). + + 2. Some signed/unsigned type warnings in the os.c file for Linux have been + fixed. + + 3. Fixed a really odd bug that affected only the testing scheme; patching a + certain fixed string in the binary changed the value of another string that + happened to be identical to the end of the original first string. + + 4. When gethostbyname() (or equivalent) is passed an IP address as a "host + name", it returns that address as the IP address. On some operating + systems (e.g. Solaris), it also passes back the IP address string as the + "host name". However, on others (e.g. Linux), it passes back an empty + string. Exim wasn't checking for this, and was changing the host name to an + empty string, assuming it had been canonicalized. + + 5. Although rare, it is permitted to have more than one PTR record for a given + IP address. I thought that gethostbyaddr() or getipnodebyaddr() always gave + all the names associated with an address, because they do in Solaris. + However, it seems that they do not in Linux for data that comes from the + DNS. If an address in /etc/hosts has multiple names, they _are_ all given. + I found this out when I moved to a new Linux workstation and tried to run + the Exim test suite. + + To get round this problem I have changed the code so that it now does its + own call to the DNS to look up PTR records when searching for a host name. + If nothing can be found in the DNS, it tries gethostbyaddr(), so that + addresses that are only in /etc/hosts are still found. + + This behaviour is, however, controlled by an option called host_lookup_ + order, which defaults to "bydns:byaddr". If people want to use the other + order, or indeed, just use one or the other means of lookup, they can + specify it in this variable. + + 6. If a PTR record yields an empty name, Exim treats it as non-existent. In + some operating systems, this comes back from gethostbyaddr() as an empty + string, and this is what Exim used to test for. However, it seems that in + other systems, "." is yielded. Exim now tests for this case too. + + 7. The values of check_spool_space and check_log_space are now held internally + as a number of kilobytes instead of an absolute number of bytes. If a + numbers is specified without 'K' or 'M', it is rounded up to the nearest + kilobyte. This means that much larger values can be stored. + + 8. Exim monitor: an attempt to get the action menu when not actually pointing + at a message produces an empty menu entitled "No message selected". This + works on Solaris (OpenWindows). However, XFree86 does not like a menu with + no entries in it ("Shell widget menu has zero width and/or height"). So I + have added a single, blank menu entry in this case. + + 9. Added ${quote_local_part. + +10. MIME decoding is now applied to the contents of Subject: header lines when + they are logged. + +11. Now that a reference to $sender_host_address automatically causes a reverse + lookup to occur if necessary (4.13/18), there is no need to arrange for a + host lookup before query-style lookups in lists that might use this + variable. This has therefore been abolished, and the "net-" prefix is no + longer necessary for query-style lookups. + +12. The Makefile for SCO_SV contained a setting of LDFLAGS. This appears to + have been a typo for LFLAGS, so it has been changed. + +13. The install script calls Exim with "-C /dev/null" in order to find the + version number. If ALT_CONFIG_PREFIX was set, this caused an error message + to be output. However, since Exim outputs its version number before the + error, it didn't break the script. It just looked ugly. I fixed this by + always allowing "-C /dev/null" if the caller is root. + +14. Ignore overlarge ACL variable number when reading spool file - insurance + against a later release with more variables having written the file. + +15. The standard form for an IPv6 address literal was being rejected by EHLO. + Example: [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts + this, as well as the form without the "IPv6" on the front. + +16. Added CHOWN_COMMAND=/usr/sbin/chown and LIBS=-lresolv to the + OS/Makefile-Darwin file. + +17. Fixed typo in lookups/ldap.c: D_LOOKUP should be D_lookup. This applied + only to LDAP libraries that do not have LDAP_OPT_DEREF. + +18. After change 4.21/52, "%ld" was used to format the contents of the $inode + variable. However, some OS use ints for inodes. I've added cast to long int + to get rid of the compiler warning. + +19. I had forgotten to lock out "/../" in configuration file names when + ALT_CONFIG_PREFIX was set. + +20. Routers used for verification do not need to specify transports. However, + if such a router generated a host list, and callout was configured, Exim + crashed, because it could not find a port number from the (non-existent) + transport. It now assumes port 25 in this circumstance. + +21. Added the -t option to exigrep. + +22. If LOOKUP_LSEARCH is defined, all three linear search methods (lsearch, + wildlsearch, nwildlsearch) are compiled. LOOKUP_WILDLSEARCH and LOOKUP_ + NWILDLSEARCH are now obsolete, but retained for compatibility. If either of + them is set, LOOKUP_LSEARCH is forced. + +23. "exim -bV" now outputs a list of lookups that are included in the binary. + +24. Added sender and host information to the "rejected by local_scan()" log + line; previously there was no indication of these. + +25. Added .include_if_exists. + +26. Change 3.952/11 added an explicit directory sync on top of a file sync for + Linux. It turns out that not all file systems support this. Apparently some + versions of NFS do not. (It's rare to put Exim's spool on NFS, but people + do it.) To cope with this, the error EINVAL, which means that sync-ing is + not supported on the file descriptor, is now ignored when Exim is trying to + sync a directory. This applies only to Linux. + +27. Added -DBIND_8_COMPAT to the CLFAGS setting for Darwin. + +28. In Darwin (MacOS X), the PAM headers are in /usr/include/pam and not in + /usr/include/security. There's now a flag in OS/os.h-Darwin to cope with + this. + +29. Added support for maildirsize files from supplied patch (modified a bit). + +30. The use of :fail: followed by an empty string could lead Exim to respond to + sender verification failures with (e.g.): + + 550 Verification failed for <xxx> + 550 Sender verify failed + + where the first response line was missing the '-' that indicates it is not + the final line of the response. + +31. The loop for finding the name of the user that called Exim had a hardwired + limit of 10; it now uses the value of finduser_retries, which is used for + all other user lookups. + +32. Added $received_count variable, available in data and not_smtp ACLs, and at + delivery time. + +33. Exim was neglecting to zero errno before one call of strtol() when + expanding a string and expecting an integer value. On some systems this + resulted in spurious "integer overflow" errors. Also, it was casting the + result into an int without checking. + +34. Testing for a connection timeout using "timeout_connect" in the retry rules + did not work. The code looks as if it has *never* worked, though it appears + to have been documented since at least release 1.62. I have made it work. + +35. The "timeout_DNS" error in retry rules, also documented since at least + 1.62, also never worked. As it isn't clear exactly what this means, and + clearly it isn't a major issue, I have abolished the feature by treating it + as "timeout", and writing a warning to the main and panic logs. + +36. The display of retry rules for -brt wasn't always showing the error code + correctly. + +37. Added new error conditions to retry rules: timeout_A, timeout_MX, + timeout_connect_A, timeout_connect_MX. + +38. Rewriting the envelope sender at SMTP time did not allow it to be rewritten + to the empty sender. + +39. The daemon was not analysing the content of -oX till after it had closed + stderr and disconnected from the controlling terminal. This meant that any + syntax errors were only noted on the panic log, and the return code from + the command was 0. By re-arranging the code a little, I've made the + decoding happen first, so such errors now appear on stderr, and the return + code is 1. However, the actual setting up of the sockets still happens in + the disconnected process, so errors there are still only recorded on the + panic log. + +40. A daemon listener on a wildcard IPv6 socket that also accepts IPv4 + connections (as happens on some IP stacks) was logged at start up time as + just listening for IPv6. It now logs "IPv6 with IPv4". This differentiates + it from "IPv6 and IPv4", which means that two separate sockets are being + used. + +41. The debug output for gethostbyname2() or getipnodebyname() failures now + says whether AF_INET or AF_INET6 was passed as an argument. + +42. Exiwhat output was messed up when time zones were included in log + timestamps. + +43. Exiwhat now gives more information about the daemon's listening ports, + and whether -tls-on-connect was used. + +44. The "port" option of the smtp transport is now expanded. + +45. A "message" modifier in a "warn" statement in a non-message ACL was being + silently ignored. Now an error message is written to the main and panic + logs. + +46. There's a new ACL modifier called "logwrite" which writes to a log file + as soon as it is encountered. + +47. Added $local_user_uid and $local_user_gid at routing time. + +48. Exim crashed when trying to verify a sender address that was being + rewritten to "<>". + +49. Exim was recognizing only a space character after ".include". It now also + recognizes a tab character. + +50. Fixed several bugs in the Perl script that creates the exim.8 man page by + extracting the relevant information from the specification. The man page no + longer contains scrambled data for the -d option, and I've added a section + at the front about calling Exim under different names. + +51. Added "extra_headers" argument to the "mail" command in filter files. + +52. Redirecting mail to an unqualified address in a Sieve filter caused Exim to + crash. + +53. Installed eximstats 1.29. + +54. Added transport_filter_timeout as a generic transport option. + +55. Exim no longer adds an empty Bcc: header to messages that have no To: or + Cc: header lines. This was required by RFC 822, but it not required by RFC + 2822. + +56. Exim used to add From:, Date:, and Message-Id: header lines to any + incoming messages that did not have them. Now it does so only if the + message originates locally, that is, if there is no associated remote host + address. When Resent- header lines are present, this applies to the Resent- + lines rather than the non-Resent- lines. + +57. Drop incoming SMTP connection after too many syntax or protocol errors. The + limit is controlled by smtp_max_synprot_errors, defaulting to 3. + +58. Messages for configuration errors now include the name of the main + configuration file - useful now that there may be more than one file in a + list (.included file names were always shown). + +59. Change 4.21/82 (run initgroups() when starting the daemon) causes problems + for those rare installations that do not start the daemon as root or run it + setuid root. I've cut out the call to initgroups() if the daemon is not + root at that time. + +60. The Exim user and group can now be bound into the binary as text strings + that are looked up at the start of Exim's processing. + +61. Applied a small patch for the Interbase code, supplied by Ard Biesheuvel. + +62. Added $mailstore_basename variable. + +63. Installed patch to sieve.c from Michael Haardt. + +64. When Exim failed to open the panic log after failing to open the main log, + the original message it was trying to log was written to stderr and debug + output, but if they were not available (the usual case in production), it + was lost. Now it is written to syslog before the two lines that record the + failures to open the logs. + +65. Users' Exim filters run in subprocesses under the user's uid. It is + possible for a "deliver" command or an alias in a "personal" command to + provoke an address rewrite. If logging of address rewriting is configured, + this fails because the process is not running as root or exim. There may be + a better way of dealing with this, but for the moment (because 4.30 needs + to be released), I have disabled address rewrite logging when running a + filter in a non-root, non-exim process. + + +Exim version 4.24 +----------------- + + 1. The buildconfig auxiliary program wasn't quoting the value set for + HEADERS_CHARSET. This caused a compilation error complaining that 'ISO' was + not defined. This bug was masked in 4.22 by the effect that was fixed in + change 4.23/1. + + 2. Some messages that were rejected after a message id was allocated were + shown as "incomplete" by exigrep. It no longer does this for messages that + are rejected by local_scan() or the DATA or non-SMTP ACLs. + + 3. If a Message-ID: header used a domain literal in the ID, and Exim did not + have allow_domain_literals set, the ID did not get logged in the <= line. + Domain literals are now always recognized in Message-ID: header lines. + + 4. The first argument for a ${extract expansion item is the key name or field + number. Leading and trailing spaces in this item were not being ignored, + causing some misleading effects. + + 5. When deliver_drop_privilege was set, single queue runner processes started + manually (i.e. by the command "exim -q") or by the daemon (which uses the + same command in the process it spins off) were not dropping privilege. + + 6. When the daemon running as "exim" started a queue runner, it always + re-executed Exim in the spun-off process. This is a waste of effort when + deliver_drop_privilege is set. The new process now just calls the + queue-runner function directly. + + +Exim version 4.23 +----------------- + + 1. Typo in the src/EDITME file: it referred to HEADERS_DECODE_TO instead of + HEADERS_CHARSET. + + 2. Change 4.21/73 introduced a bug. The pid file path set by -oP was being + ignored. Though the use of -oP was forcing the writing of a pid file, it + was always written to the default place. + + 3. If the message "no IP address found for host xxxx" is generated during + incoming verification, it is now followed by identification of the incoming + connection (so you can more easily find what provoked it). + + 4. Bug fix for Sieve filters: "stop" inside a block was not working properly. + + 5. Added some features to "harden" Exim a bit more against certain attacks: + + (a) There is now a build-time option called FIXED_NEVER_USERS that can + be put in Local/Makefile. This is like the never_users runtime option, + but it cannot be overridden. The default setting is "root". + + (b) If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a + prefix string with which any file named in a -C command line option + must start. + + (c) If ALT_CONFIG_ROOT_ONLY is defined in Local/Makefile, root privilege + is retained for -C and -D only if the caller of Exim is root. Without + it, the exim user may also use -C and -D and retain privilege. + + (d) If DISABLE_D_OPTION is defined in Local/Makefile, the use of the -D + command line option is disabled. + + 6. Macro names set by the -D option must start with an upper case letter, just + like macro names defined in the configuration file. + + 7. Added "dereference=" facility to LDAP. + + 8. Two instances of the typo "uknown" in the source files are fixed. + + 9. If a PERL_COMMAND setting in Local/Makefile was not at the start of a line, + the Configure-Makefile script screwed up while processing it. + +10. Incorporated PCRE 4.4. + +11. The SMTP synchronization check was not operating right at the start of an + SMTP session. For example, it could not catch a HELO sent before the client + waited for the greeting. There is now a check for outstanding input at the + point when the greeting is written. Because of the duplex, asynchronous + nature of TCP/IP, it cannot be perfect - the incorrect input may be on its + way, but not yet received, when the check is performed. + +12. Added tcp_nodelay to make it possible to turn of the setting of TCP_NODELAY + on TCP/IP sockets, because this apparently causes some broken clients to + timeout. + +13. Installed revised OS/Makefile-CYGWIN and OS/os.c-cygwin (the .h file was + unchanged) from the Cygwin maintainer. + +14. The code for -bV that shows what is in the binary showed "mbx" when maildir + was supported instead of testing for mbx. Effectively a typo. + +15. The spa authenticator server code was not checking that the input it + received was valid base64. + +16. The debug output line for the "set" modifier in ACLs was not showing the + name of the variable that was being set. + +17. Code tidy: the variable type "vtype_string" was never used. Removed it. + +18. Previously, a reference to $sender_host_name did not cause a DNS reverse + lookup on its own. Something else was needed to trigger the lookup. For + example, a match in host_lookup or the need for a host name in a host list. + Now, if $sender_host_name is referenced and the host name has not yet been + looked up, a lookup is performed. If the lookup fails, the variable remains + empty, and $host_lookup_failed is set to "1". + +19. Added "eqi" as a case-independent comparison operator. + +20. The saslauthd authentication condition could segfault if neither service + nor realm was specified. + +21. If an overflowing value such as "2048M" was set for message_size_limit, the + error message that was logged was misleading, and incoming SMTP + connections were dropped. The message is now more accurate, and temporary + errors are given to SMTP connections. + +22. In some error situations (such as 21 above) Exim rejects all SMTP commands + (except RSET) with a 421 error, until QUIT is received. However, it was + failing to send a response to QUIT. + +23. The HELO ACL was being run before the code for helo_try_verify_hosts, + which made it impossible to use "verify = helo" in the HELO ACL. The HELO + ACL is now run after the helo_try_verify_hosts code. + +24. "{MD5}" and "{SHA1}" are now recognized as equivalent to "{md5"} and + "{sha1}" in the "crypteq" expansion condition (in fact the comparison is + case-independent, so other case variants are also recognized). Apparently + some systems use these upper case variants. + +25. If more than two messages were waiting for the same host, and a transport + filter was specified for the transport, Exim sent two messages over the + same TCP/IP connection, and then failed with "socket operation on non- + socket" when it tried to send the third. + +26. Added Exim::debug_write and Exim::log_write for embedded Perl use. + +27. The extern definition of crypt16() in expand.c was not being excluded when + the OS had its own crypt16() function. + +28. Added bounce_return_body as a new option, and bounce_return_size_limit + as a preferred synonym for return_size_limit, both as an option and as an + expansion variable. + +29. Added LIBS=-liconv to OS/Makefile-OSF1. + +30. Changed the default configuration ACL to relax the local part checking rule + for addresses that are not in any local domains. For these addresses, + slashes and pipe symbols are allowed within local parts, but the sequence + /../ is explicitly forbidden. + +31. SPA server authentication was not clearing the challenge buffer before + using it. + +32. log_message in a "warn" ACL statement was writing to the reject log as + well as to the main log, which contradicts the documentation and doesn't + seem right (because no rejection is happening). So I have stopped it. + +33. Added Ard Biesheuvel's lookup code for accessing an Interbase database. + However, I am unable to do any testing of this. + +34. Fixed an infelicity in the appendfile transport. When checking directories + for a mailbox, to see if any needed to be created, it was accidentally + using path names with one or more superfluous leading slashes; tracing + would show up entries such as stat("///home/ph10", 0xFFBEEA48). + +35. If log_message is set on a "discard" verb in a MAIL or RCPT ACL, its + contents are added to the log line that is written for every discarded + recipient. (Previously a log_message setting was ignored.) + +36. The ${quote: operator now quotes the string if it is empty. + +37. The install script runs exim in order to find its version number. If for + some reason other than non-existence or emptiness, which it checks, it + could not run './exim', it was installing it with an empty version number, + i.e. as "exim-". This error state is now caught, and the installation is + aborted. + +38. An argument was missing from the function that creates an error message + when Exim fails to connect to the socket for saslauthd authentication. + This could cause Exim to crash, or give a corrupted message. + +39. Added isip, isip4, and isip6 to ${if conditions. + +40. The ACL variables $acl_xx are now saved with the message, and can be + accessed later in routers, transports, and filters. + +41. The new lookup type nwildlsearch is like wildlsearch, except that the key + strings in the file are not string-expanded. + +42. If a MAIL command specified a SIZE value that was too large to fit into an + int variable, the check against message_size_limit failed. Such values are + now forced to INT_MAX, which is around 2Gb for a 32-bit variable. Maybe one + day this will have to be increased, but I don't think I want to be around + when emails are that large. + + + +Exim version 4.22 +----------------- + + 1. Removed HAVE_ICONV=yes from OS/Makefile-FreeBSD, since it seems that + iconv() is not standard in FreeBSD. + + 2. Change 4.21/17 was buggy and could cause stack overwriting on a system with + IPv6 enabled. The observed symptom was a segmentation fault on return from + the function os_common_find_running_interfaces() in src/os.c. + + 3. In the check_special_case() function in daemon.c I had used "errno" as an + argument name, which causes warnings on some systems. This was basically a + typo, since it was named "eno" in the comments! + + 4. The code that waits for the clock to tick (at a resolution of some fraction + of a second) so as to ensure message-id uniqueness was always waiting for + at least one whole tick, when it could have waited for less. [This is + almost certainly not relevant at current processor speeds, where it is + unlikely to ever wait at all. But we try to future-proof.] + + 5. The function that sleeps for a time interval that includes fractions of a + second contained a race. It did not block SIGALRM between setting the + timer, and suspending (a couple of lines later). If the interval was short + and the sigsuspend() was delayed until after it had expired, the suspension + never ended. On busy systems this could lead to processes getting stuck for + ever. + + 6. Some uncommon configurations may cause a lookup to happen in a queue runner + process, before it forks any delivery processes. The open lookup caching + mechanism meant that the open file or database connection was passed into + the delivery process. The problem was that delivery processes always tidy + up cached lookup data. This could cause a problem for the next delivery + process started by the queue runner, because the external queue runner + process does not know about the closure. So the next delivery process + still has data in the lookup cache. In the case of a file lookup, there was + no problem because closing a file descriptor in a subprocess doesn't affect + the parent. However, if the lookup was caching a connection to a database, + the connection was closed, and the second delivery process was likely to + see errors such as "PGSQL: query failed: server closed the connection + unexpectedly". The problem has been fixed by closing all cached lookups + in a queue runner before running a delivery process. + + 7. Compiler warning on Linux for the second argument of iconv(), which doesn't + seem to have the "const" qualifier which it has on other OS. I've + parameterised it. + + 8. Change 4.21/2 was too strict. It is only if there are two authenticators + *of the same type* (client or server) with the same public name that an + error should be diagnosed. + + 9. When Exim looked up a host name for an IP address, but failed to find the + original IP address when looking up the host name (a safety check), it + output the message "<ip address> does not match any IP for NULL", which was + confusing, to say the least. The bug was that the host name should have + appeared instead of "NULL". + +10. Since release 3.03, if Exim is called by a uid other than root or the Exim + user that is built into the binary, and the -C or -D options is used, root + privilege is dropped before the configuration file is read. In addition, + logging is switched to stderr instead of the normal log files. If the + configuration then re-defines the Exim user, the unprivileged environment + is probably not what is expected, so Exim logs a panic warning message (but + proceeds). + + However, if deliver_drop_privilege is set, the unprivileged state may well + be exactly what is intended, so the warning has been cut out in that case, + and Exim is allowed to try to write to its normal log files. + + +Exim version 4.21 +----------------- + + 1. smtp_return_error_details was not giving details for temporary sender + or receiver verification errors. + + 2. Diagnose a configuration error if two authenticators have the same public + name. + + 3. Exim used not to create the message log file for a message until the first + delivery attempt. This could be confusing when incoming messages were held + for policy or load reasons. The message log file is now created at the time + the message is received, and an initial "Received" line is written to it. + + 4. The automatically generated man page for command line options had a minor + bug that caused no ill effects; however, a more serious problem was that + the procedure for building the man page automatically didn't always + operate. Consequently, release 4.20 contains an out-of-date version. This + shouldn't happen again. + + 5. When building Exim with embedded Perl support, the script that builds the + Makefile was calling 'perl' to find its compile-time parameters, ignoring + any setting of PERL_COMMAND in Local/Makefile. This is now fixed. + + 6. The freeze_tell option was not being used for messages that were frozen on + arrival, either by an ACL or by local_scan(). + + 7. Added the smtp_incomplete_transaction log selector. + + 8. After STARTTLS, Exim was not forgetting that it had advertised AUTH, so it + was accepting AUTH without a new EHLO. + + 9. Added tls_remember_esmtp to cope with YAEB. This allows AUTH and other + ESMTP extensions after STARTTLS without a new EHLO, in contravention of the + RFC. + +10. Logging of TCP/IP connections (when configured) now happens in the main + daemon process instead of the child process, so that the TCP/IP connection + count is more accurate (but it can never be perfect). + +11. The use of "drop" in a nested ACL was not being handled correctly in the + outer ACL. Now, if condition failure induced by the nested "drop" causes + the outer ACL verb to deny access ("accept" or "discard" after "endpass", + or "require"), the connection is dropped. + +12. Similarly, "discard" in a nested ACL wasn't being handled. A nested ACL + that yield "discard" can now be used with an "accept" or a "discard" verb, + but an error is generated for any others (because I can't see a useful way + to define what should happen). + +13. When an ACL is read dynamically from a file (or anywhere else), the lines + are now processed in the same way as lines in the Exim configuration file. + In particular, continuation lines are supported. + +14. Added the "dnslists = a.b.c!=n.n.n.n" feature. + +15. Added -ti meaning -t -i. + +16. Check for letters, digits, hyphens, and dots in the names of dnslist + domains, and warn by logging if others are found. + +17. At least on BSD, alignment is not guaranteed for the array of ifreq's + returned from GIFCONF when Exim is trying to find the list of interfaces on + a host. The code in os.c has been modified to copy each ifreq to an aligned + structure in all cases. + + Also, in some cases, the returned ifreq's were being copied to a 'struct + ifreq' on the stack, which was subsequently passed to host_ntoa(). That + means the last couple of bytes of an IPv6 address could be chopped if the + ifreq contained only a normal sockaddr (14 bytes storage). + +18. Named domain lists were not supported in the hosts_treat_as_local option. + An entry such as +xxxx was not recognized, and was treated as a literal + domain name. + +19. Ensure that header lines added by a DATA ACL are included in the reject log + if the ACL subsequently rejects the message. + +20. Upgrade the cramtest.pl utility script to use Digest::MD5 instead of just + MD5 (which is deprecated). + +21. When testing a filter file using -bf, Exim was writing a message when it + took the sender from a "From " line in the message, but it was not doing so + when it took $return_path from a Return-Path: header line. It now does. + +22. If the contents of a "message" modifier for a "warn" ACL verb do not begin + with a valid header line field name (a series of printing characters + terminated by a colon, Exim now inserts X-ACL-Warn: at the beginning. + +23. Changed "disc" in the source to "disk" to conform to the documentation and + the book and for uniformity. + +24. Ignore Sendmail's -Ooption=value command line item. + +25. When execve() failed while trying to run a command in a pipe transport, + Exim was returning EX_UNAVAILABLE (69) from the subprocess. However, this + could be confused with a return value of 69 from the command itself. This + has been changed to 127, the value the shell returns if it is asked to run + a non-existent command. The wording for the related log line suggests a + non-existent command as the problem. + +26. If received_header_text expands to an empty string, do not add a Received: + header line to the message. (Well, it adds a token one on the spool, but + marks it "old" so that it doesn't get used or transmitted.) + +27. Installed eximstats 1.28 (addition of -nt option). + +28. There was no check for failure on the call to getsockname() in the daemon + code. This can fail if there is a shortage of resources on the system, with + ENOMEM, for example. A temporary error is now given on failure. + +29. Contrary to the C standard, it seems that in some environments, the + equivalent of setlocale(LC_ALL, "C") is not obeyed at the start of a C + program. Exim now does this explicitly; it affects the formatting of + timestamps using strftime(). + +30. If exiqsumm was given junk data, it threw up some uninitialized variable + complaints. I've now initialized all the variables, to avoid this. + +32. Header lines added by a system filter were not being "seen" during + transport-time rewrites. + +33. The info_callback() function passed to OpenSSL is set up with type void + (*)(SSL *, int, int), as described somewhere. However, when calling the + function (actually a macro) that sets it up, the type void(*)() is + expected. I've put in a cast to prevent warnings from picky compilers. + +34. If a DNS black list lookup found a CNAME record, but there were no A + records associated with the domain it pointed at, Exim crashed. + +35. If a DNS black list lookup returned more than one A record, Exim ignored + all but the first. It now scans all returned addresses if a particular IP + value is being sought. In this situation, the contents of the + $dnslist_value variable are a list of all the addresses, separated by a + comma and a space. + +36. Tightened up the rules for host name lookups using reverse DNS. Exim used + to accept a host name and all its aliases if the forward lookup for any of + them yielded the IP address of the incoming connection. Now it accepts only + those names whose forward lookup yields the correct IP address. Any other + names are discarded. This closes a loophole whereby a rogue DNS + administrator could create reverse DNS records to break through a + wildcarded host restriction in an ACL. + +37. If a user filter or a system filter that ran in a subprocess used any of + the numerical variables ($1, $2 etc), or $thisaddress, in a pipe command, + the wrong values were passed to the pipe command ($thisaddress had the + value of $0, $0 had the value of $1, etc). This bug was introduced by + change 4.11/101, and not discovered because I wrote an inadequate test. :-( + +38. Improved the line breaking for long SMTP error messages from ACLs. + Previously, if there was no break point between 40 and 75 characters, Exim + left the rest of the message alone. Two changes have been made: (a) I've + reduced the minimum length to 35 characters; (b) if it can't find a break + point between 35 and 75 characters, it looks ahead and uses the first one + that it finds. This may give the occasional overlong line, but at least the + remaining text gets split now. + +39. Change 82 of 4.11 was unimaginative. It assumed the limit on the number of + file descriptors might be low, and that setting 1000 would always raise it. + It turns out that in some environments, the limit is already over 1000 and + that lowering it causes trouble. So now Exim takes care not to decrease it. + +40. When delivering a message, the value of $return_path is set to $sender_ + address at the start of routing (routers may change the value). By an + oversight, this default was not being set up when an address was tested by + -bt or -bv, which affected the outcome if any router or filter referred to + $return_path. + +41. The idea of the "warn" ACL verb is that it adds a header or writes to the + log only when "message" or "log_message" are set. However, if one of the + conditions was an address verification, or a call to a nested ACL, the + messages generated by the underlying test were being passed through. This + no longer happens. The underlying message is available in $acl_verify_ + message for both "message" and "log_message" expansions, so it can be + passed through if needed. + +42. Added RFC 2047 interpretation of header lines for $h_ expansions, with a + new expansion $bh_ to give the encoded byte string without charset + translation. Translation happens only if iconv() is available; HAVE_ICONV + indicates this at build time. HEADERS_CHARSET gives the charset to + translate to; headers_charset can change it in the configuration, and + "headers charset" can change it in an individual filter file. + +43. Now that we have a default RFC 2047 charset (see above), the code in Exim + that creates RFC 2047 encoded "words" labels them as that charset instead + of always using iso-8859-1. The cases are (i) the explicit ${rfc2047: + expansion operator; (ii) when Exim creates a From: line for a local + message; (iii) when a header line is rewritten to include a "phrase" part. + +44. Nasty bug in exiqsumm: the regex to skip already-delivered addresses was + buggy, causing it to skip the first lines of messages whose message ID + ended in 'D'. This would not have bitten before Exim release 4.14, because + message IDs were unlikely to end in 'D' before then. The effect was to have + incorrect size information for certain domains. + +45. #include "config.h" was missing at the start of the crypt16.c module. This + caused trouble on Tru64 (aka OSF1) systems, because HAVE_CRYPT16 was not + noticed. + +46. If there was a timeout during a "random" callout check, Exim treated it as + a failure of the random address, and carried on sending RSET and the real + address. If the delay was just some slowness somewhere, the response to the + original RCPT would be taken as a response to RSET and so on, causing + mayhem of various kinds. + +47. Change 50 for 4.20 was a heap of junk. I don't know what I was thinking + when I implemented it. It didn't allow for the fact that some option values + may legitimately be negative (e.g. size_addition), and it didn't even do + the right test for positive values. + +48. Domain names in DNS records are case-independent. Exim always looks them up + in lower case. Some resolvers return domain names in exactly the case they + appear in the zone file, that is, they may contain uppercase letters. Not + all resolvers do this - some return always lower case. Exim was treating a + change of case by a resolver as a change of domain, similar to a widening + of a domain abbreviation. This triggered its re-routing code and so it was + trying to route what was effectively the same domain again. This normally + caused routing to fail (because the router wouldn't handle the domain + twice). Now Exim checks for this case specially, and just changes the + casing of the domain that it ultimately uses when it transmits the message + envelope. + +49. Added Sieve (RFC 3028) support, courtesy of Michael Haardt's contributed + module. + +50. If a filter generated a file delivery with a non-absolute name (possible if + no home directory exists for the router), the forbid_file option was not + forbidding it. + +51. Added '&' feature to dnslists, to provide bit mask matching in addition to + the existing equality matching. + +52. Exim was using ints instead of ino_t variables in some places where it was + dealing with inode numbers. + +53. If TMPDIR is defined in Local/Makefile (default in src/EDITME is + TMPDIR="/tmp"), Exim checks for the presence of an environment variable + called TMPDIR, and if it finds it is different, it changes its value. + +54. The smtp_printf() function is now made available to local_scan() so + additional output lines can be written before returning. There is also an + smtp_fflush() function to enable the detection of a dropped connection. + The variables smtp_input and smtp_batched_input are exported to + local_scan(). + +55. Changed the default runtime configuration: the message "Unknown user" + has been removed from the ACL, and instead placed on the localuser router, + using the cannot_route_message feature. This means that any verification + failures that generate their own messages won't get overridden. Similarly, + the "Unrouteable address" message that was in the ACL for unverifiable + relay addresses has also been removed. + +56. Added hosts_avoid_esmtp to the smtp transport. + +57. The exicyclog script was not checking for the esoteric option + CONFIGURE_FILE_USE_EUID in the Local/Makefile. It now does this, but it + will work only if exicyclog is run under the appropriate euid. + +58. Following a discussion on the list, the rules by which Exim recognises line + endings on incoming messages have been changed. The -dropcr and drop_cr + options are now no-ops, retained only for backwards compatibility. The + following line terminators are recognized: LF CRLF CR. However, special + processing applies to CR: + + (i) The sequence CR . CR does *not* terminate an incoming SMTP message, + nor a local message in the state where . is a terminator. + + (ii) If a bare CR is encountered in a header line, an extra space is added + after the line terminator so as not to end the header. The reasoning + behind this is that bare CRs in header lines are most likely either + to be mistakes, or people trying to play silly games. + +59. The size of a message, as listed by "-bp" or in the Exim monitor window, + was being incorrectly given as 18 bytes larger than it should have been. + This is a VOB (very old bug). + +60. This may never have affected anything current, but just in case it has: + When the local host is found other than at the start of a list of hosts, + the local host, those with the same MX, and any that follow, are discarded. + When the list in question was part of a longer list of hosts, the following + hosts (not currently being processed) were also being discarded. This no + longer happens. I'm not sure if this situation could ever has previously + arisen. + +61. Added the "/MX" feature to lists of hosts in the manualroute and query + program routers. + +62. Whenever Exim generates a new message, it now adds an Auto-Submitted: + header. This is something that is recommended in a new Internet Draft, and + is something that is documented as being done by Sendmail. There are two + possible values. For messages generated by the autoreply transport, Exim + adds: + + Auto-Submitted: auto-replied + + whereas for all other generated messages (e.g. bounces) it adds + + Auto-Submitted: auto-generated + +63. The "personal" condition in filters now includes a test for the + Auto-Submitted: header. If it contains the string "auto-" the message it + not considered personal. + +64. Added rcpt_include_affixes as a generic transport option. + +65. Added queue_only_override (default true). + +66. Added the syslog_duplication option. + +67. If what should have been the first header line of a message consisted of + a space followed by a colon, Exim was mis-interpreting it as a header line. + It isn't of course - it is syntactically invalid and should therefore be + treated as the start of the message body. The misbehaviour could have + caused a number of strange effects, including loss of data in subsequent + header lines, and spool format errors. + +68. Formerly, the AUTH parameter on a MAIL command was trusted only if the + client host had authenticated. This control can now be exercised by an ACL + for more flexibility. + +69. By default, callouts do not happen when testing with -bh. There is now a + variant, -bhc, which does actually run the callout code, including + consulting and updating the callout cache. + +70. Added support for saslauthd authentication, courtesy of Alexander + Sabourenkov. + +71. If statvfs() failed on the spool or log directories while checking their + size for availability, Exim confusingly gave the error "space shortage". + Furthermore, in debugging mode it crashed with a floating point exception. + These checks are done if check_{spool,log}_{space,inodes} are set, and when + an SMTP message arrives with SIZE= on the MAIL command. As this is a really + serious problem, Exim now writes to the main and panic logs when this + happens, with details of the failure. It then refuses to accept the + incoming message, giving the message "spool directory problem" or "log + directory problem" with a 421 code for SMTP messages. + +72. When Exim is about to re-exec itself, it ensures that the file descriptors + 0, 1, and 2 exist, because some OS complain for execs without them (see + ChangeLog 4.05/30). If necessary, Exim opens /dev/null to use for these + descriptors. However, the code omitted to check that the open succeeded, + causing mysterious errors if for some reason the permissions on /dev/null + got screwed. Now Exim writes a message to the main and panic logs, and + bombs out if it can't open /dev/null. + +73. Re-vamped the way daemon_smtp_port, local_interfaces, and -oX work and + interact so that it is all more flexible. It is supposed to remain + backwards compatible. Also added extra_local_interfaces. + +74. Invalid data sent to a SPA (NTLM) server authenticator could cause the code + to bomb out with an assertion failure - to the client this appears as a + connection drop. This problem occurs in the part of the code that was taken + from the Samba project. Fortunately, the assertion is in a very simple + function, so I have fixed this by reproducing the function inline in the + one place where it is called, and arranging for authentication to fail + instead of killing the process with assert(). + +75. The SPA client code was not working when the server requested OEM rather + than Unicode encoding. + +76. Added code to make require_files with a specific uid setting more usable in + the case where statting the file as root fails - usually a non-root-mounted + NFS file system. When this happens and the failure is EACCES, Exim now + forks a subprocess and does the per-uid checking as the relevant uid. + +77. Added process_log_path. + +78. If log_file_path was not explicitly set, a setting of check_log_space or + check_log_inodes was ignored. + +79. If a space check for the spool or log partitions fails, the incident is now + logged. Of course, in the latter case the data may get lost... + +80. Added the %p formatting code to string_format() so that it can be used to + print addresses in debug_print(). Adjusted all the address printing in the + debugging in store.c to use %p rather than %d. + +81. There was a concern that a line of code in smtp_in.c could overflow a + buffer if a HELO/EHLO command was given followed by 500 or so spaces. As + initially expressed, the concern was not well-founded, because trailing + spaces are removed early. However, if the trailing spaces were followed by + a NULL, they did not get removed, so the overflow was possible. Two fixes + were applied: + + (a) I re-wrote the offending code in a cleaner fashion. + (b) If an incoming SMTP command contains a NULL character, it is rejected + as invalid. + +82. When Exim changes uid/gid to the Exim user at daemon start time, it now + runs initgroups(), so that if the Exim user is in any additional groups, + they will be used during message reception. + + +Exim version 4.20 +----------------- + +The change log for 4.20 and earlier releases has been archived. + +**** |