path: root/debian/NEWS

exim4 (4.96-1) unstable; urgency=low

  The allow_insecure_tainted_data main config option and the "taint"
  log_selector were removed. (See previous entry for exim4 4.94-18.)

  Taint-check exec arguments for transport-initiated external processes.
  Previously, tainted values could be used.  This affects "pipe", "lmtp"
  and "queryprogram" transport, transport-filter, and ETRN commands.  The
  ${run} expansion is also affected: in "preexpand" mode no part of the
  command line may be tainted, in default mode the executable name may not
  be tainted.

  Query-style lookups are now checked for quoting, if the query string is
  built using untrusted data ("tainted").  For now lack of quoting is
  merely logged; a future release will upgrade this to an error.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 26 Jun 2022 14:11:00 +0200

exim4 (4.94-18) experimental; urgency=medium

  Please consider exim 4.93/4.94 a *major* exim upgrade. It introduces the
  concept of tainted data read from untrusted sources, like e.g. message
  sender or recipient. This tainted data (e.g. $local_part or $domain)
  cannot be used among other things as a file or directory name or command
  name.

  This WILL BREAK configurations which are not updated accordingly.
  Old Debian exim configuration files also will not work unmodified, the new
  configuration needs to be installed with local modifications merged in.

  Typical nonworking examples include:
  * Delivery to /var/mail/$local_part. Use $local_part_data in combination
    with check_local_user.
  * Using
    data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
    instead of
    data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
    for a virtual domain alias file.

  The basic strategy for dealing with this change is to use the result of a
  lookup in further processing instead of the original (remote provided)
  value.

  To ease upgrading there is a new main configuration option to temporarily
  downgrade taint errors to warnings, letting the old configuration work with
  the newer exim. To make use of this feature add
  .ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
   allow_insecure_tainted_data = yes
  .endif
  to the exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros)
  *before* upgrading to exim 4.93/4.94 and check the logfile for taint
  warnings. This is a temporary workaround which is already marked for
  removal on introduction.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 25 Apr 2021 07:42:26 +0200

exim4 (4.94-16) unstable; urgency=medium

  The configuration now enforces certificate verification against the
  system trust store on encrypted connections using the
  remote_smtp_smarthost transport (smarthost and satellite setups).
  Delivery will therefore fail if the host certificates are not verifyable
  and non TLS delivery is not available (e.g. because AUTH PLAIN is used).

 -- Andreas Metzler <ametzler@debian.org>  Wed, 17 Mar 2021 13:50:44 +0100

exim4 (4.87-3) unstable; urgency=medium

  Starting with 4.87~RC1-1 exim will not accept or send out messages with
  physical lines longer than 998 characters by SMTP DATA. Delivery of such
  RFC-violating message might fail and subsequently cause routing errors and
  loss of legitimate mail.  See <https://bugs.exim.org/show_bug.cgi?id=1684>.
  This limit can be disabled by setting the macro
  IGNORE_SMTP_LINE_LENGTH_LIMIT.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 08 May 2016 14:03:10 +0200

exim4 (4.87-2) unstable; urgency=medium

  exim4-daemon heavy does not support the "demime" ACL condition
  (WITH_OLD_DEMIME) anymore. It was superceded by the acl_smtp_mime ACL and
  will not be part of the next upstream release.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 30 Apr 2016 13:38:29 +0200

exim4 (4.87~RC6-3) unstable; urgency=medium

  As part of the fix for CVE-2016-1531 updated Exim versions clean
  the complete execution environment by default, affecting Exim and
  subprocesses such as routers calling other programs, and thus may break
  existing installations. New configuration options (keep_environment,
  add_environment) were introduced to adjust this behavior. Because of the
  possible breakage Exim will show a runtime warning if keep_environment is
  not set.

  The Debian exim4 configuration does not rely on specific environment
  variables and therefore sets 'keep_environment =' (i.e confirm empty
  environment).

  Users of custom Exim configurations will need to check whether their setup
  continues to work with the abovementioned upstream change and modify the
  Exim environment as needed otherwise. If the setup works fine with empty
  environment it is still necessary to set the main configuration option
  "keep_environment =" to quiet the runtime warning.

  See <https://exim.org/static/doc/CVE-2016-1531.txt> for details.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 23 Mar 2016 18:44:22 +0100

exim4 (4.80~rc6-1) experimental; urgency=low

  Upstream's handling of GnuTLS DH parameters has changed, hardcoded
  parameters (from RFCs are used by default. See
  /usr/share/doc/exim4-base/README.UPDATING* for details. Stop shipping
  /usr/share/exim4/exim4_refresh_gnutls-params /usr/share/exim4/timeout.pl
  and /var/spool/exim4/gnutls-params-2236.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 27 May 2012 18:46:48 +0200

exim4 (4.80~rc2-1) experimental; urgency=low

  Ldap lookups returning multi-valued attributes now separate the attributes
  with only a comma, not a comma-space sequence.

  The GnuTLS support has been mostly rewritten. exim main configuration
  options gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols,
  are no longer supported. (They are ignored if present now, but will trigger
  an error in later releases.) Their functionality is entirely subsumed into
  tls_require_ciphers.  In turn, tls_require_ciphers is no longer an Exim list
  and is not parsed by Exim, but is instead given to gnutls_priority_init(3).

  See /exim4-base/usr/share/doc/exim4-base/README.UPDATING.gz for details.

 -- Andreas Metzler <ametzler@debian.org>  Sat, 22 Oct 2011 19:16:58 +0200

exim4 (4.77~rc4-1) experimental; urgency=low

  Exim no longer performs string expansion on the second string of
  the match_* expansion conditions: "match_address", "match_domain",
  "match_ip" & "match_local_part". Named lists can still be used.

  The previous behavior made it too easy to create (remotely) vulnerable
  configurations. A more detailed rationale and explanation can be found on 
  https://lists.exim.org/lurker/message/20111003.122326.fbcf32b7.en.html

 -- Andreas Metzler <ametzler@debian.org>  Thu, 05 Oct 2011 19:22:52 +0200

exim4 (4.72-3) unstable; urgency=low

  Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345.
  This is a privilege escalation issue that allows the exim user to gain
  root privileges by specifying an alternate configuration file using the -C
  option. The macro override facility (-D) might also be misused for this
  purpose.

  In reaction to this security vulnerability upstream has made a number of
  user visible changes. This package includes these changes.
  ---------------------------------------------------------
  If exim is invoked with the -C or -D option the daemon will not regain
  root privileges though re-execution. This is usually necessary for local
  delivery, though. Therefore it is generally not possible anymore to run an
  exim daemon with -D or -C options.

  However this version of exim has been built with
  TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST
  defines a list of configuration files which are trusted; if a config file
  is owned by root and matches a pathname in the list, then it may be
  invoked by the Exim build-time user without Exim relinquishing root
  privileges.

  As a hotfix to not break existing installations of mailscanner we have
  also set WHITELIST_D_MACROS=OUTGOING. i.e. it is still possible to start
  exim with -DOUTGOING while being able to do local deliveries.

  If you previously were using -D switches you will need to change your
  setup to use a separate configuration file. The ".include" mechanism
  makes this easy.
  ---------------------------------------------------------
  The system filter is run as exim_user instead of root by default. If your
  setup requies root privileges when running the system filter you will
  need to set the system_filter_user exim main configuration option.
  ---------------------------------------------------------

 -- Andreas Metzler <ametzler@debian.org>  Sat, 18 Dec 2010 18:57:16 +0100

exim4 (4.69-4) unstable; urgency=low

  In reaction to #475194, the size of the Diffie-Hellman parameters
  used by exim was increased to 2048, which is GnuTLS's default.
  
  Since periodically regenerating the Diffie-Hellman parameters
  doesn't increase security that much (they're sent in clear text in the
  TLS handshake, and some protocols even have hardcoded them in the
  standard document), and automatically generating 2048 bits
  Diffie-Hellman parameters can take a long time, this has been disabled
  in the Exim4 packages starting with 4.69-4. All exim installations
  will thus run with the Diffie-Hellman parameters shipped in the
  package by default.
  
  Really, really paranoid people with sufficiently fast machines will
  want to set up a cron job calling
  /usr/share/exim4/exim4_refresh_gnutls-params manually - suggested
  interval is weekly or monthly.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Sun, 27 Apr 2008 09:14:32 +0200

exim4 (4.68-1) unstable; urgency=low

    In order to fix #420217, the handling of incoming messages to
    system accounts has been changed once again. To allow system
    account mail addresses to be redirected via traditional
    /etc/aliases, system accounts are now processed later in the
    router chain.

    This has made it necessary to change the default behavior of the
    real- prefix. real-foo is now only accessible for locally
    generated messages, such as the error message generated by the
    userforward router. If you need the old behavior back, set the
    macro COND_LOCAL_SUBMITTER=true. As a side-effect, you can
    entirely switch off the real- processing by setting
    COND_LOCAL_SUBMITTER=false.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Thu, 04 Oct 2007 22:34:01 +0200

exim4 (4.67-6) unstable; urgency=low

    acl_whitelist_local_deny was renamed to acl_local_deny_exceptions
    to avoid confusion. This means changes to ACLs, file names in
    /etc/exim4/conf.d/acl and the exception list file names themselves.
    
    CONFDIR/local_host_whitelist and CONFDIR/local_sender_whitelist
    have been renamed to CONFDIR/host_local_deny_exceptions and
    CONFDIR/sender_local_deny_exceptions. The old files will continue
    to be honored for a transition period.
    
    The old file conf.d/acl/20_exim4-config_whitelist_local_deny will
    get a .dpkg-bak suffix if it had local changes, and it will be
    removed if there were no local changes. In the case of local changes,
    you'll need to repeat these changes in the new file
    conf.d/acl/20_exim4-config_local_deny_exceptions.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Wed, 05 Sep 2007 21:22:22 +0200

exim4 (4.67-5) unstable; urgency=low

    The macro generation in update-exim4.conf has been changed once
    more. update-exim4.conf now looks for the (non-commented!)
    definition of the exim configuration macro UPEX4CmacrosUPEX4C to
    an arbitrary, non-empty value, and inserts the generated macro
    definitions right after this line, without changing it.
    
    update-exim4.conf looks for commented UPEX4CmacrosUPEX4C (which
    used to be the place marker in earlier 4.67-x versions) and barfs
    if it finds them anywhere in /etc/exim4/exim4.conf.template or
    recursively /etc/exim4/conf.d. This check - as a feature - also
    includes files that would normally be excluded by
    update-exim4.conf, such as .dpkg-old and .dpkg-dist files.
    
    If you insist on having a commented UPEX4CmacrosUPEX4C in your
    exim configuration and don't want update-exim4.conf to barf, set
    the exim macro UPEX4CmacrosOK_config_adapted to a non-empty value.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Thu, 28 Jun 2007 08:29:36 +0200

exim4 (4.67-4) unstable; urgency=low

    Since a lot of users did not read the docs while upgrading and
    filed bug reports about exim4-config failing to install due to a
    "malformed macro definition", update-exim4.conf.conf now checks
    for DEBCONFsomethingDEBCONF strings anywhere in
    /etc/exim4/exim4.conf.template or recursively /etc/exim4/conf.d
    and barfs if such strings are found. This check - as a feature - also
    includes files that would normally be excluded by
    update-exim4.conf.

    It _is_ necessary to either accept the offered configuration file
    change _or_ to manually check a manually changed exim config. Exim
    will _NOT_ run if a configuration file of an older version is
    being used with a more recent exim4-config.

    If you insist on having DEBCONFsomethingDEBCONF strings in your
    exim configuration and don't want update-exim4.conf to barf, set
    the exim macro DEBCONFstringOK_config_adapted to a non-empty
    value.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Fri, 22 Jun 2007 12:50:38 +0200

exim4 (4.67-2) experimental; urgency=low

    The symlink /etc/exim4/email-addresses caused data loss for people
    who had a local file named /etc/exim4/email-addresses. The Debian
    tools do not handle symlinks in /etc which are contained in
    packages very well, so we decided to simply remove it. Please
    submit a tested patch if you think that it would be a more elegant
    way to handle the transition from /etc/exim4/email-addresses to
    /etc/email-addresses.

    There is now a possibility to modify handling of incoming messages
    to system accounts, identified by their UID (see
    conf.d/router/250_exim4-config_lowuid). If you want this, set the
    macro FIRST_USER_ACCOUNT_UID (which defaults to 0) to the UID of
    your first "real" user account. Incoming messages for an account
    with an UID below that value get routed according to the extra
    alias file /etc/exim4/lowuid-aliases. If an account does not have
    an alias there, it gets routed to the value of the macro
    DEFAULT_SYSTEM_ACCOUNT_ALIAS, which defaults to ":fail: no mail to
    system accounts" and gets the message rejected. You can use this
    mechanism to route all messages for system accounts to a single
    address, with exceptions. Locally generated messages are not
    processed by this facility.

    Generation of the final exim configuration has changed. The
    configuration no longer has the DEBCONFsomethingDEBCONF
    placeholders. All data from Debconf are put into exim
    configuration macros by update-exim4.conf, which are then
    appropriately picked up by the configuration itself. There should
    be no visible change to people who have not modified their
    configuration, but customized configurations need to adapt.
    
    We now do basic sanitizing of input read from
    update-exim4.conf.conf. If your update-exim4.conf complains about
    non-ascii values, you have found a bug. Please report it.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Mon, 11 Jun 2007 14:09:24 +0200

exim4 (4.62-7) unstable; urgency=low

    Bug #392993 says that 4.63-5 and -6 have overwritten manual
    setting of dc_local_delivery with one of the default versions if
    you have set dc_local_delivery to a value that is not either
    mail_spool or maildir_home. Please verify that your
    dc_local_delivery does still point to the transport you have
    chosen.

    Please note that the debconf configuration only supports plain
    lists. Advanced features like "dsearch;" entered there may work
    today, but are not guaranteed to continue working in the future.

    If you want to use such features, please use the macros made
    available for use in the configuration or edit the configuration
    itself.

    This allows us to use semicolons as list delimiters consistently
    while still being backwards compatible to colon-separated lists
    without driving code complexity up too high.

    Starting with this version, update-exim4.conf will print a warning
    if a dsearch lookup is found in the list of local domains,
    dc_local_domains since there is a HOWTO on the Internet that
    recommends doing this kind of things and this will _not_ work any
    more.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Sun, 15 Oct 2006 10:00:15 +0000

exim4 (4.62-4) unstable; urgency=low

    exim4-config has had its debconf templates re-worked. Basic
    functionality is unchanged, so you shouldn't expect a real
    difference. The priority of most questions has been lowered to
    medium, so that the Installer can install exim4 with no questions
    being asked. The default is local delivery only. Mail messages for
    root and postmaster are delivered to an mbox file in
    /var/mail/mail, make sure to read them.

    You can do the full exim4 configuration by calling
    dpkg-reconfigure exim4-config as root.

    It is now finally possible to configure exim4 to deliver outgoing
    mail to a smarthost on a port number different from 25 via debconf.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Mon,  9 Oct 2006 14:12:25 +0000

exim4 (4.62-3) unstable; urgency=low

    A template for SPF support is now provided.  It is disabled by
    default, and relies on external calls to spfquery(1) from the
    libmail-spf-query-perl package. For details, check README.Debian,
    and conf.d/acl/30_exim4-config_check_rcpt.

 -- Robert Millan <rmh@aybabtu.com>  Fri, 28 Jul 2006 22:43:56 +0200

exim4 (4.62-1) unstable; urgency=low

    Please note that the handling of update-exim4.conf.conf has
    changed with regard to dc_local_interfaces and dc_relay_nets: If
    the strings given there contain a semicolon, the string "<;" is
    now prepended to the value written to the configuration file to
    consider ; a list separator. This significantly helps writing down
    IPv6 addresses, but means that if you use complex things like
    lookups in update-exim4.conf.conf, you'll have to change your
    configuration to use the macros that directly interfere with the
    configuration.

    127.0.0.1 and ::1 have been removed from the default hostlist
    relay_from_hosts - these addresses are now added by
    update-exim4.conf with the appropriate separator. If you set
    MAIN_RELAY_NETS manually, you'll need to add these two addresses
    to your local host list.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Sat, 29 Apr 2006 22:36:31 +0000

exim4 (4.60-2) unstable; urgency=low

    The exim4 daemon packages now include a symlink from
    /usr/sbin/exim4 to /usr/sbin/exim. This can break exim 3 cron and
    init scripts if the last exim 3 you had installed was any earlier
    than 3.36-5 and the conffiles from your exim 3 package are still
    around. Be sure to have any exim 4 earlier than 3.36-5 _purged_
    (not removed) before installing this package.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Wed, 24 Jan 2006 14:58:08 +0100

exim4 (4.50-5) unstable; urgency=low

    mailname, the local name of the system used to qualify senders and
    recipients is no longer a local domain by default. Having local
    delivery for that host name used to break satellite and smarthost
    setups where no local delivery was expected.
    /etc/exim4/update-exim4.conf.conf is modified automatically on
    upgrade from the appropriate earlier versions, so if you don't do any
    funky things with /etc/exim4/update-exim4.conf.conf, you should be fine.

 -- Marc Haber <mh+debian-packages@zugschlus.de>  Sat,  2 Apr 2005 20:31:27 +0200

exim4 (4.43-3) unstable; urgency=low

    /etc/exim4/email-addresses is ignored now, please use /etc/email-addresses!
    The last version of exim4 that shipped this file was uploaded on the
    19th of May 2003, and I really do not want to start sarge with cruft like
    that.

 -- Andreas Metzler <ametzler@debian.org>  Mon, 10 Jan 2004 10:05:34 +0100

exim4 (4.34-1) unstable; urgency=low

    Debconf will not ask for relay_domains if configuring smarthost or
    satellite-type systems. - This functionality was untested and could
    generate mail-loops.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 12 May 2004 13:42:23 +0200

exim4 (4.31-2) unstable; urgency=low

    The local_scan perl-plugin has been removed because upstream
    development has stopped. (am)

 -- Andreas Metzler <ametzler@debian.org>  Mon,  5 Apr 2004 15:55:12 +0200

exim4 (4.30-5) unstable; urgency=low

    (Re)introduce /etc/exim4/exim4.conf.template as alternative to the
    multiple small files in /etc/exim4/conf.d/ and make it the default choice
    for fresh installations. This trades in a loss of comfort (you will again
    need to merge in each small change manually) for increased stability.

 -- Andreas Metzler <ametzler@debian.org>  Sun, 11 Jan 2004 13:03:43 +0100

exim4 (4.30-1) unstable; urgency=low

  * Exim now runs under its own uid (Debian-exim) instead of using mail:mail.
  
    WARNING: You cannot downgrade this version to an older one without
    manual chown|chrgrp all files owned by Debian-exim to mail.
    
    Securitywise this is a tradeoff:
    - if exim is SUID root and runs without deliver_drop_privilege you win:
      exim's internal data in /var/spool/exim4 is not open to attacks by
      bugs in programs SGID mail (mail delivery agents like deliver or
      procmail, or MUAs like pine) anymore. This is Debian's default setup.
    - OTOH if you need to be able to make local deliveries to /var/mail and
      want to run exim with reduced priviledge you have some additional work
      to do:
      * Use an SGID MDA for the actual delivery (I suggest maildrop.)
      * Make changes to run exim4 under group mail:
        - exim_group=mail.
        - Hack: make Debian-exim a group with gid=8, i.e. an alias for
          the mail group, _before_ you make the upgrade. (groupadd -o -g 8
          Debian-exim)

 -- Andreas Metzler <ametzler@debian.org>  Sun,  7 Dec 2003 13:59:46 +0100

exim4 (4.24-1) unstable; urgency=low

  * This version of exim cannot run deliveries as root anymore, see change
    5a for exim 4.23 in /usr/share/doc/exim4-base/changelog.gz. If you
    don't redirect mail for root via /etc/aliases to a nonpriviledged
    account the mail will be delivered to /var/mail/mail with permissions
    0600 and owner mail:mail.

 -- Andreas Metzler <ametzler@debian.org>  Fri,  3 Oct 2003 18:11:17 +0200
 
exim4 (4.22-2) unstable; urgency=low

    Include exiscan-acl patch http://duncanthrax.net/exiscan-acl/ in
    -heavy and -custom for easy integration of content-scanning and
    invoking spamassassin at SMTP time.

 -- Andreas Metzler <ametzler@debian.org>  Wed, 27 Aug 2003 12:50:59 +0200

exim4 (4.22-1) unstable; urgency=low

  * The way that the $h_ (and $header_) expansions work has been changed
    by the addition of RFC 2047 decoding. See the main documentation (the
    NewStuff file until release 4.30, then the manual) for full details.

    Exim shipped with Debian defaults to HEADER_DECODE_TO="UTF-8"

 -- Andreas Metzler <ametzler@debian.org>  Mon, 18 Aug 2003 16:51:47 +0200

exim4 (4.20-2) unstable; urgency=low

    Rewriting now uses /etc/email-addresses instead of 
    /etc/exim4/email-addresses like exim v3 did. Please move the contents to
    the new file and delete the old one, when you have time to spare.

 -- Andreas Metzler <ametzler@debian.org>  Tue, 15 Jul 2003 10:20:15 +0200