| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
New stuff we've added since 4.95:
- A new ACL condition: seen. Records/tests a timestamp against a key.
- A variant of the "mask" expansion operator to give normalised IPv6.
- UTC output option for exim_dumpdb, exim_fixdb.
- An event for failing TLS connects to the daemon.
- The ACL "debug" control gains options "stop", "pretrigger" and "trigger".
- Query-style lookups are now checked for quoting, if the query string is
built using untrusted data ("tainted"). For now lack of quoting is merely
logged; a future release will upgrade this to an error.
- The expansion conditions match_<list-type> and inlist now set $value for
the expansion of the "true" result of the ${if}. With a static list, this
can be used for de-tainting.
Notable removals since 4.95:
- the "allow_insecure_tainted_data" main config option and the
"taint" log_selector. These were deprecated in the 4.95 release.
|
|
Version 4.95
------------
1. The fast-ramp two phase queue run support, previously experimental, is
now supported by default.
2. The native SRS support, previously experimental, is now supported. It is
not built unless specified in the Local/Makefile.
3. TLS resumption support, previously experimental, is now supported and
included in default builds.
4. Single-key LMDB lookups, previously experimental, are now supported.
The support is not built unless specified in the Local/Makefile.
5. Option "message_linelength_limit" on the smtp transport to enforce (by
default) the RFC 998 character limit.
6. An option to ignore the cache on a lookup.
7. Quota checking during reception (i.e. at SMTP time) for appendfile-
transport-managed quotas.
8. Sqlite lookups accept a "file=<path>" option to specify a per-operation
db file, replacing the previous prefix to the SQL string (which had
issues when the SQL used tainted values).
9. Lsearch lookups accept a "ret=full" option, to return both the portion
of the line matching the key, and the remainder.
10. A command-line option to have a daemon not create a notifier socket.
11. Faster TLS startup. When various configuration options contain no
expandable elements, the information can be preloaded and cached rather
than the previous behaviour of always loading at startup time for every
connection. This helps particularly for the CA bundle.
12. Proxy Protocol Timeout is configurable via "proxy_protocol_timeout"
main config option.
13. Option "smtp_accept_max_per_connection" is now expanded.
14. Log selector "queue_size_exclusive", enabled by default, to exclude the
time taken for reception from QT log elements.
15. Main option "smtp_backlog_monitor", to set a level above which listen
socket backlogs are logged.
16. Main option "hosts_require_helo", requiring HELO or EHLO before MAIL.
17. A main config option "allow_insecure_tainted_data" allows to turn
18. TLS ALPN handling. By default, refuse TLS connections that try to specify
a non-smtp (eg. http) use. Options for customising.
19. Support for MacOS (darwin) has been dropped.
|
|
All checksums have been double-checked against existing RMD160 and
SHA512 hashes
The following distfiles were unfetchable (possibly fetched
conditionally?):
./mail/qmail/distinfo netqmail-1.05-TAI-leapsecs.patch
|
|
|
|
This includes a number of serious security fixes (one of which was
included in a now obsoleted pkgsrc patch)
CVE-2020-28016
CVE-2020-BDATA
CVE-2020-EXOPT
CVE-2020-PFPSN
CVE-2020-RCPTL
CVE-2020-SLCWD
CVE-2020-SPRSS
Since Exim version 4.94
-----------------------
JH/02 Bug 2587: Fix pam expansion condition. Tainted values are commonly used
as arguments, so an implementation trying to copy these into a local
buffer was taking a taint-enforcement trap. Fix by using dynamically
created buffers. Similar fix for radius expansion condition.
JH/03 Bug 2586: Fix listcount expansion operator. Using tainted arguments is
reasonable, eg. to count headers. Fix by using dynamically created
buffers rather than a local. Do similar fixes for ACL actions "dcc",
"log_reject_target", "malware" and "spam"; the arguments are expanded
so could be handling tainted values.
JH/04 Bug 2590: Fix -bi (newaliases). A previous code rearrangement had
broken the (no-op) support for this sendmail command. Restore it
to doing nothing, silently, and returning good status.
JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once"
record path was given (or the default used) without a leading directory
path, an error occurred on trying to open it. Use the transport's working
directory.
JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
transport. Previously it was the name on the DNS A-record; use instead
the head of the CNAME chain leading there (if there is one). This seems
to align better with RFC 6125.
JH/07 Bug 2597: Fix a resource leak. Using a lookup in obtaining a value for
smtp_accept_max_per_host allocated resources which were not released
when the limit was exceeded. This eventually crashed the daemon. Fix
by adding a relase action in that path.
JH/08 Bug 2598: Fix verify ACL condition. The options for the condition are
expanded; previously using tainted values was rejected. Fix by using
dynamically-created buffers.
JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once.
Previously a macro used one argument twice; when called with the
argument as an expression having side-effects, incorrect operation
resulted. Use an inlineable function.
JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already
held open for a verify callout. Previously this wan not accounted for
and a corrupt onward SMTP conversation resulted.
JH/13 Fix dsearch "subdir" filter to ignore ".". Previously only ".." was
excluded, not matching the documentation.
JH/14 Bug 2606: Fix a segfault in sqlite lookups. When no, or a bad, filename
was given for the sqlite_dbfile a trap resulted.
JH/15 Bug 2620: Fix "spam" ACL condition. Previously, tainted values for the
"name" argument resulted in a trap. There is no reason to disallow such;
this was a coding error.
JH/16 Bug 2615: Fix pause during message reception, on systems that have been
suspended/resumed. The Linux CLOCK_MONOTONIC does not account for time
spent suspended, ignoring the Posix definition. Previously we assumed
it did and a constant offset from real time could be used as a correction.
Change to using the same clock source for the start-of-message and the
post-message next-tick-wait. Also change to using CLOCK_BOOTTIME if it
exists, just to get a clock slightly more aligned to reality.
JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate. Although the
RFC says it is optional some validators care. The missing char was not
intended but triggered by a line-wrap alignement. Discovery and fix by
Guillaume Outters, hacked on by JH.
JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase(). Previously when the
name being quoted was tainted a trap would be taken. Fix by using
dynamicaly created buffers. The routine could have been called by a
rewrite with the "h" flag, by using the "-F" command-line option, or
by using a "name=" option on a control=submission ACL modifier.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
is_tainted() had an off-by-one error in the overenthusiastic direction.
Find and fix by Gavan. Although NetBSD is not a supported platform for
4.94 this bug could affect other platforms.
JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
Previously when a whitespace character was specified it was not inserted
after removing the newline.
JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
the domain part of the recipient address. This overrides any tls_sni
option set, which was previously used.
JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
in quotes.
JH/26 Bug 2646: fix a memory usage issue in ldap lookups. Previously, when more
than one server was defined and depending on the platform memory layout
details, an internal consistency trap could be hit while walking the list
of servers.
JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
files. The value is used by the authresults expansion item. Previously
if this was used in a router or transport, a crash could result.
JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was
applied. This resulted, if any header-line rewrite rules were configured,
in a panic-log trigerrable by sending a message with a long address in
a header. Fix by increaing the arbitrary limit to larger than a single
(dewrapped) 5322 header line maximum size.
JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with
RFC 6648 which deprecates X- options in protocols as a general practice.
Changeover between the implementations is handled by the mechanisms
alrready coded.
JH/32 Bug 2599: fix delay of delivery to a local address where there is also
a remote which uses callout/hold. Previously the local was queued.
JH/33 Fix a taint trap in the ${listextract } expansion when the source data
was tainted.
JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files.
JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
authenticator client_send option. Previously the next char, after a pair
was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became
^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the
documentation. There is still no way to get a leading ^ immediately
after a NUL (ie. for the password of a PLAIN method authenticator.
JH/39 Bug 2691: fix $local_part_data. When the matching list element
referred to a file, bad data was returned. This likely also affected
$domain_part_data.
JH/41 Fix daemon SIGHUP on FreeBSD. Previously, a named socket for IPC was
left undeleted; the attempt to re-create it then failed - resulting in
the usual "SIGHUP tp have daemon reload configuration" to not work.
This affected any platform not supporting "abstract" Unix-domain
sockets (i.e. not Linux).
JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
recipients" response to RCPT in a later response, with a 250. The
previous coding assumed this would not happen, and under PIPELINING
would result in both lost and duplicate recipients for a message.
JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
Previously the weighting was incorrectly applied. Similar fix for socks
proxies. Found and fixed by Heiko Schlichting.
JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup. Previously, it did
not handle sub-lists included using the +namedlist syntax. While
investigating, the same found for dns_trust_aa, dns_again_means_nonexist,
dnssec_require_domains, dnssec_request_domains, srv_fail_domains,
mx_fail_domains.
HS/01 Enforce absolute PID file path name.
HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.
PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.
PP/02 Bug 2643: Correct TLS DH constants.
A missing NUL termination in our code-generation tool had led to some
incorrect Diffie-Hellman constants in the Exim source.
Reported by kylon94, code-gen tool fix by Simon Arlott.
PP/03 Impose security length checks on various command-line options.
Fixes CVE-2020-SPRSS reported by Qualys.
PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
better. Reported by Qualys.
PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
providing a particularly obnoxious sender full name.
Reported by Qualys.
PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()
PP/07 Refuse to allocate too little memory, block negative/zero allocations.
Security guard.
PP/08 Change default for recipients_max from unlimited to 50,000.
PP/09 Fix security issue with too many recipients on a message (to remove a
known security problem if someone does set recipients_max to unlimited,
or if local additions add to the recipient list).
Fixes CVE-2020-RCPTL reported by Qualys.
PP/10 Fix security issue in SMTP verb option parsing
Fixes CVE-2020-EXOPT reported by Qualys.
PP/11 Fix security issue in BDAT state confusion.
Ensure we reset known-good where we know we need to not be reading BDAT
data, as a general case fix, and move the places where we switch to BDAT
mode until after various protocol state checks.
Fixes CVE-2020-BDATA reported by Qualys.
HS/03 Die on "/../" in msglog file names
QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
the Exim runtime user are allowed to create files.
QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
runtime user.
QS/03 When reading the output from interpreted forward files we do not
pass the pipe between the parent and the interpreting process to
executed child processes (if any).
QS/04 Always die if requested from internal logging, even is logging is
disabled.
|
|
The check whether a block of memory is tainted erroneously returns true
if the block in question starts the very next byte after a block in the
tainted pool. Depending on the memory allocator, this can cause problems.
For example, on NetBSD/amd64 9.0, this seems to allocate the first tainted
block immediately before log_buffer. This leads to a recursive error in
log_write the first time anything is written to the log, leading to a
segmentation fault when the stack fills up.
|
|
Exim version 4.94
-----------------
JH/01 Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
JH/05 Regard command-line receipients as tainted.
JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
JH/17 Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
JH/18 Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library
are now specifically given a NO_DATA response without hitting the system
resolver. The library goes on to do the now-standard TXT lookup.
Use of dnsdb lookups is not affected.
JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once. Previously two calls to dlerror()
were used, and the second one (for mainlog/paniclog) retrieved null
information.
JH/20 Taint checking: disallow use of tainted data for
- the appendfile transport file and directory options
- the pipe transport command
- the autoreply transport file, log and once options
- file names used by the redirect router (including filter files)
- named-queue names
- paths used by single-key lookups
Previously this was permitted.
JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The
previous fast-mode was untenable in the face of glibs using mmap to
support larger malloc requests.
PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
New values supported, if defined on system where compiled:
allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding
JH/23 Performance improvement in the initial phase of a two-pass queue run. By
running a limited number of proceses in parallel, a benefit is gained. The
amount varies with the platform hardware and load. The use of the option
queue_run_in_order means we cannot do this, as ordering becomes
indeterminate.
JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix
had introduced a string-copy (for ensuring NUL-termination) which was not
appropriate for that case, which can include embedded NUL bytes in the
block of data. Investigation showed the copy to actually be needless, the
data being length-specified.
JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was
done during a receiving connection, and both used TLS, global info was
used rather than per-connection info for tracking the state of data
queued for transmission. This could result in a connection hang.
JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections.
Previously, when delivering serveral messages down a single connection
only the first would provide a SIZE. This was due to the size information
not being properly tracked.
JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as
TAI (at 37 seconds currently), pretend to be in UTC for time-related
expansion and logging. Previously, spurious values such as a future
minute could be seen.
JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations
it could crash from a null-deref. This could also affect the
${addresses: } operator and ${readsock } item.
JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime
message following a mime one, the variable was not reset.
JH/30 When an pipelined-connect fails at the first response, assume incorrect
cached capability (perhaps the peer reneged?) and immediately retry in
non-pipelined mode.
JH/31 Fix spurious detection of timeout while writing to transport filter.
JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously
an attempt to copy the string was made before checking it.
JH/33 Fix the dsearch lookup to return an untainted result. Previously the
taint of the lookup key was maintained; we now regard the presence in the
filesystem as sufficient validation.
JH/34 Fix the readsocket expansion to not segfault when an empty "options"
argument is supplied.
JH/35 The dsearch lookup now requires that the directory is an absolute path.
Previously this was not checked, and nonempty relative paths made an
access under Exim's current working directory.
JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case.
Previously no event was raised.
JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE
parameter supplied by the sender MAIL FROM command. Previously it was
ignored, and only the check_spool_space option value for the required
leeway checked.
JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present
the size of the signing public-key. Previously it was instead giving
the size of the signature hash.
JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now
the default. See the (new) dkim_verify_min_keysizes option.
JH/40 Fix a memory-handling bug: when a connection carried multiple messages
and an ACL use a lookup for checking either the local_part or domain,
stale data could be accessed. Ensure that variable references are
dropped between messages.
JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
by the client was not checked as pointing within response data before
being used. A malicious client could thus cause an out-of-bounds read and
possibly gain authentication. Fix by adding the check.
JH/42 Internationalisation: change the default for downconversion in the smtp
transport to be "if needed". Previously it was "as previously set" for
the message, which usually meant "if needed" for message-submission but
"no" for everything else. However, MTAs have been seen using SMTPUTF8
even when the envelope addresses did not need it, resulting in forwarding
failures to non-supporting MTAs. A downconvert in such cases will be
a no-op on the addresses, merely dropping the use of SMTPUTF8 by the
transport. The change does mean that addresses needing conversion will
be converted when previously a delivery failure would occur.
JH/43 Fix possible long line in DSN. Previously when a very long SMTP error
response was received it would be used unchecked in a fail-DSN, violating
standards on line-length limits. Truncate if needed.
HS/01 Remove parameters of the link to www.open-spf.org. The linked form
doesn't work. (Additionally add a new main config option to configure the
spf_smtp_comment)
|
|
By default, pkgsrc uses 'mv -f' as MV_COMMAND. exicyclog is not resilient
to this, and breaks as a result. This patch quotes the command names
that are substituted into this script.
|
|
Based on patch provided by Mike Pumford on pkgsrc-users.
Exim version 4.93+fixes
-----------------------
This is not an official release. It is just a branch, collecting
proposed bugfixes. Depending on your environment the fixes may be
necessary to build and/or run Exim successfully.
JH/05 Regard command-line receipients as tainted.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
|
|
Exim version 4.93
-----------------
JH/01 OpenSSL: With debug enabled output keying information sufficient, server
side, to decode a TLS 1.3 packet capture.
JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
Previously the default library behaviour applied, sending two, each in
its own TCP segment.
JH/03 Debug output for ACL now gives the config file name and line number for
each verb.
JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
buffer overrun for (non-chunking) other transports.
JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
TLS1.3, means that a server rejecting a client certificate is not visible
to the client until the first read of encrypted data (typically the
response to EHLO). Add detection for that case and treat it as a failed
TLS connection attempt, so that the normal retry-in-clear can work (if
suitably configured).
JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
and/or domain. Found and fixed by Jason Betts.
JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
configuration). If a CNAME target was not a wellformed name pattern, a
crash could result.
JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
the OS reports them interleaved with other addresses.
JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
used both for input and for a verify callout, both encrypted, SMTP
responses being sent by the server could be lost. This resulted in
dropped connections and sometimes bounces generated by a peer sending
to this system.
JH/11 Harden plaintext authenticator against a badly misconfigured client-send
string. Previously it was possible to cause undefined behaviour in a
library routine (usually a crash). Found by "zerons".
JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no
output.
JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old
API was removed, so update to use the newer ones.
JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
any timeout set, is taking a long time. Previously we would hang on to a
rotated logfile "forever" if the input was arriving with long gaps
(a previous attempt to fix addressed lack, for a long time, of initial
input).
HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
shared (NFS) environment. The length of the tempfile name is now
4 + 16 ("hdr.$message_exim_id") which might break on file
systems which restrict the file name length to lower values.
(It was "hdr.$pid".)
HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
shared (NFS) environment.
HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
did for all versions <4.90). Notably -M, -m, --invert, -I may be
affected.
JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
on some platforms for bit 31.
JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
to changes apparently associated with TLS1.3 handling some of the APIs
previously used were either nonfunctional or inappropriate. Strings
like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
This affects log line X= elements, the $tls_{in,out}_cipher variables,
and the use of specific cipher names in the encrypted= ACL condition.
JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
verification result was not updated unless hosts_require_ocsp applied.
JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option
queue_list_requires_admin set to false, non-admin users were denied the
facility.
JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
directory-of-certs mode. Previously they were advertised despite the
documentation.
JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
A single TCP connection by a client will now hold a TLS connection open
for multiple message deliveries, by default. Previoud the default was to
not do so.
JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
default. If built with the facility, DANE will be used. The facility
SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
must be defined and you must still, unless you define DISABLE_TLS, manage
the the include-dir and library-file requirements that go with that
choice. Non-TLS builds are still supported.
JH/24 Fix duplicated logging of peer name/address, on a transport connection-
reject under TFO.
JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
default. If the platform supports and has the facility enabled, it will
be requested on all coneections.
JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
controlled by the build-time option SUPPORT_PIPE_CONNECT.
PP/01 Unbreak heimdal_gssapi, broken in 4.92.
JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
success-DSN messages. Previously the From: header was always the default
one for these; the option was ignored.
JH/28 Fix the timeout on smtp response to apply to the whole response.
Previously it was reset for every read, so a teergrubing peer sending
single bytes within the time limit could extend the connection for a
long time. Credit to Qualsys Security Advisory Team for the discovery.
JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing
delivery address, which leaked information of the results of local
forwarding. Change to the original envelope recipient address, per
standards.
JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
requested. Previously not bounce was generated and a log entry of
error ignored was made.
JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)
JH/32 Introduce a general tainting mechanism for values read from the input
channel, and values derived from them. Refuse to expand any tainted
values, to catch one form of exploit.
JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result
was unused and the unexpanded text used for the test. Found and
fixed by Ruben Jenster.
JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open,
an attempt to use a TLS library read routine dereffed a nul pointer,
causing a segfault.
JH/35 Bug 2409: filter out-of-spec chars from callout response before using
them in our smtp response.
JH/36 Have the general router option retry_use_local_part default to true when
any of the restrictive preconditions are set (to anything). Previously it
was only for check_local user. The change removes one item of manual
configuration which is required for proper retries when a remote router
handles a subset of addresses for a domain.
JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
link count into consideration.
HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line
caused the extension of big_buffer, the following lines were ignored.
JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
accordance with RFC 2308. Previously there was no expiry, so a longlived
receive process (eg. due to ACL delays) versus a short SOA value could
surprise.
HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)
JH/39 Promote DMARC support to mainline.
JH/40 Bug 2452: Add a References: header to DSNs.
JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
parameters. The relevant library call is documented as "Deprecated: This
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
HS/06 Change the default of dnssec_request_domains to "*"
JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we
carried on and emitted a BDAT command, even when PIPELINING was not
active.
JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
buffer was used for the filename, resulting in a trap when tainted
arguments (eg. $domain) were used.
JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
recommended to avoid a possible server-load attack. The feature can be
re-enabled via the openssl_options main cofiguration option.
JH/45 local_scan API: documented the current smtp_printf() call. This changed
for version 4.90 - adding a "more data" boolean to the arguments.
Bumped the ABI version number also, this having been missed previously;
release versions 4.90 to 4.92.3 inclusive were effectively broken in
respect of usage of smtp_printf() by either local_scan code or libraries
accessed via the ${dlfunc } expansion item. Both will need coding
adjustment for any calls to smtp_printf() to match the new function
signature; a FALSE value for the new argument is always safe.
JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating
the file-offset (which the Linux syscall does, and exim expects); this
resulted in an indefinite loop.
JH/47 ARC: fix crash in signing, triggered when a configuration error failed
to do ARC verification. The Authentication-Results: header line added
by the configuration then had no ARC item.
|
|
Fix for CVE-2019-16928
|
|
Exim version 4.92.2
-------------------
HS/01 Handle trailing backslash gracefully. (CVE-2019-15846)
|
|
Exim version 4.92.1
-------------------
JH/31 Avoid re-expansion in ${sort } expansion.
(CVE-2019-13917, OVE-20190718-0006)
|
|
4.92:
New features include:
- ${l_header:<name>} expansion
- ${readsocket} now supports TLS
- "utf8_downconvert" option (if built with SUPPORT_I18N)
- "pipelining" log_selector
- JSON variants for ${extract } expansion
- "noutf8" debug option
- TCP Fast Open support on MacOS
|
|
Version 4.91
1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS
version 3.5.6 or later.
2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
OpenSSL versions are moved to mainline support from Experimental.
New SMTP transport option "dane_require_tls_ciphers".
3. Feature macros for the compiled-in set of malware scanner interfaces.
4. SPF support is promoted from Experimental to mainline status. The template
src/EDITME makefile does not enable its inclusion.
5. Logging control for DKIM verification. The existing DKIM log line is
controlled by a "dkim_verbose" selector which is _not_ enabled by default.
A new tag "DKIM=<domain>" is added to <= lines by default, controlled by
a "dkim" log_selector.
6. Receive duration on <= lines, under a new log_selector "receive_time".
7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on
routing rules in the manualroute router.
8. Expansion item ${sha3:<string>} / ${sha3_<N>:<string>} now also supported
under OpenSSL version 1.1.1 or later.
9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
GnuTLS 3.6.0 or OpenSSL 1.1.1 or later.
10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
version dependent.
11. "exim -bP macro <name>" returns caller-usable status.
12. Expansion item ${authresults {<machine>}} for creating an
Authentication-Results: header.
13. EXPERIMENTAL_ARC. See the experimental.spec file.
See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC.
14: A dane:fail event, intended to facilitate reporting.
15. "Lightweight" support for Redis Cluster. Requires redis_servers list to
contain all the servers in the cluster, all of which must be reachable from
the running exim instance. If the cluster has master/slave replication, the
list must contain all the master and slave servers.
16. Add an option to the Avast scanner interface: "pass_unscanned". This
allows to treat unscanned files as clean. Files may be unscanned for
several reasons: decompression bombs, broken archives.
|
|
Exim version 4.90.1
JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
we assumed that tags in the header were well-formed, and parsed the
element content after inspecting only the first char of the tag.
Assumptions at that stage could crash the receive process on malformed
input.
JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
While running the DKIM ACL we operate on the Permanent memory pool so that
variables created with "set" persist to the DATA ACL. Also (at any time)
DNS lookups that fail create cache records using the Permanent pool. But
expansions release any allocations made on the current pool - so a dnsdb
lookup expansion done in the DKIM ACL releases the memory used for the
DNS negative-cache, and bad things result. Solution is to switch to the
Main pool for expansions.
While we're in that code, add checks on the DNS cache during store_reset,
active in the testsuite.
Problem spotted, and debugging aided, by Wolfgang Breyha.
JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
When none of the hosts presented to a transport match an already-open
connection, close it and proceed with the list. Previously we would
queue the message. Spotted by Lena with Yahoo, probably involving
round-robin DNS.
JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
Previously a spurious "250 OK id=" response was appended to the proper
failure response.
JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection. Previously, when one had more receipients than the
first, an abortive onward connection was made. Move to full support for
multiple onward connections in sequence, handling cutthrough connection
for all multi-message initiating connections.
JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers. Previously, a multi-recipient message would fail to match the
onward-connection opened for the first recipient, and cause its closure.
JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped. This mattered most when the callout
was marked defer_ok. Fix to keep the two timeout-detection methods
separate.
HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
PP/01 Fix broken Heimdal GSSAPI authenticator integration.
Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
Broken also in d185889f4, with init system revamp.
|
|
------------
1. Allow relative config file names for ".include"
2. A main-section config option "debug_store" to control the checks on
variable locations during store-reset. Normally false but can be enabled
when a memory corrution issue is suspected on a production system.
|
|
Security update to address CVE-2016-9963
Exim version 4.88
-----------------
JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
supports it and a size is available (ie. the sending peer gave us one).
JH/02 The obsolete acl condition "demime" is removed (finally, after ten
years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.
JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
a downgraded non-dane trust-anchor for the TLS connection (CA-style)
or even an in-clear connection were permitted. Now, if the host lookup
was dnssec and dane was requested then the host is only used if the
TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
if one fails this test.
This means that a poorly-configured remote DNS will make it incommunicado;
but it protects against a DNS-interception attack on it.
JH/04 Bug 1810: make continued-use of an open smtp transport connection
non-noisy when a race steals the message being considered.
JH/05 If main configuration option tls_certificate is unset, generate a
self-signed certificate for inbound TLS connections.
JH/06 Bug 165: hide more cases of password exposure - this time in expansions
in rewrites and routers.
JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
and logged a warning sing 4.83; now they are a configuration file error.
JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
JH/10 Support ${sha256:} applied to a string (as well as the previous
certificate).
JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
a cutthrough deliver is pending, as we always want to make a connection.
This also avoids re-routing the message when later placing the cutthrough
connection after a verify cache hit.
Do not update it with the verify result either.
JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
when routing results in more than one destination address.
JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
signing (which inhibits the cutthrough capability). Previously only
the presence of an option was tested; now an expansion evaluating as
empty is permissible (obviously it should depend only on data available
when the cutthrough connection is made).
JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
the relevant preceding SMTP command did not note the pipelining mode.
JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
Previously they were not counted.
JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
as one having no matching records. Previously we deferred the message
that needed the lookup.
JH/17 Fakereject: previously logged as a norml message arrival "<="; now
distinguished as "(=".
JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
for missing MX records. Previously it only worked for missing A records.
JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
after the data-go-ahead and data-ack. Patch from Jason Betts.
JH/21 Bug 1846: Send DMARC forensic reports for reject and quaratine results,
even for a "none" policy. Patch from Tony Meyer.
JH/22 Fix continued use of a connection for further deliveries. If a port was
specified by a router, it must also match for the delivery to be
compatible.
JH/23 Bug 1874: fix continued use of a connection for further deliveries.
When one of the recipients of a message was unsuitable for the connection
(has no matching addresses), we lost track of needing to mark it
deferred. As a result mail would be lost.
JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
JH/25 Decoding ACL controls is now done using a binary search; the source code
takes up less space and should be simpler to maintain. Merge the ACL
condition decode tables also, with similar effect.
JH/26 Fix problem with one_time used on a redirect router which returned the
parent address unchanged. A retry would see the parent address marked as
delivered, so not attempt the (identical) child. As a result mail would
be lost.
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/28 Enable {spool,log} filesystem space and inode checks as default.
Main config options check_{log,spool}_{inodes,space} are now
100 inodes, 10MB unless set otherwise in the configuration.
JH/29 Fix the connection_reject log selector to apply to the connect ACL.
Previously it only applied to the main-section connection policy
options.
JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
by me. Added RFC7919 DH primes as an alternative.
PP/02 Unbreak build via pkg-config with new hash support when crypto headers
are not in the system include path.
JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
GnuTLS, when a session startup failed (eg because the client disconnected)
Exim did stdio operations after fclose. This was exposed by a recent
change which nulled out the file handle after the fclose.
JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
signed directly by the cert-signing cert, rather than an intermediate
OCSP-signing cert. This is the model used by LetsEncrypt.
JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
an incoming connection.
HS/02 Bug 1802: Do not half-close the connection after sending a request
to rspamd.
HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
fallback to "prime256v1".
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely explaoitable. CVE-2016-9963.
ok wiz@
|
|
1. The ACL conditions regex and mime_regex now capture substrings
into numeric variables $regex1 to 9, like the "match" expansion condition.
2. New $callout_address variable records the address used for a spam=,
malware= or verify= callout.
3. Transports now take a "max_parallel" option, to limit concurrency.
4. Expansion operators ${ipv6norm:<string>} and ${ipv6denorm:<string>}.
The latter expands to a 8-element colon-sep set of hex digits including
leading zeroes. A trailing ipv4-style dotted-decimal set is converted
to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6.
The former operator strips leading zeroes and collapses the longest
set of 0-groups to a double-colon.
5. New "-bP config" support, to dump the effective configuration.
6. New $dkim_key_length variable.
7. New base64d and base64 expansion items (the existing str2b64 being a
synonym of the latter). Add support in base64 for certificates.
8. New main configuration option "bounce_return_linesize_limit" to
avoid oversize bodies in bounces. The dafault value matches RFC
limits.
9. New $initial_cwd expansion variable.
|
|
Exim version 4.86.2
-------------------
Portability relase of 4.86.1
Exim version 4.86.1
-------------------
HS/04 Add support for keep_environment and add_environment options.
This fixes CVE-2016-1531.
All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges. If you do not use 'perl_startup' you *should* be safe.
New options
-----------
We had to introduce two new configuration options:
keep_environment =
add_environment =
Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on. This may affect used
libraries (e.g. LDAP).
** THIS MAY BREAK your existing installation **
If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).
keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.
keep_environment = ^LDAP_ : FOO_PATH
To add (or override) variables, you can use add_environment:
add_environment = <; PATH=/sbin:/usr/sbin
New behaviour
-------------
Now Exim changes it's working directory to / right after startup,
even before reading it's configuration. (Later Exim changes it's working
directory to $spool_directory, as usual.)
Exim only accepts an absolute configuration file path now, when using
the -C option.
|
|
Exim version 4.86
-----------------
JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
expanded.
JH/02 The smtp transport option "multi_domain" is now expanded.
JH/03 The smtp transport now requests PRDR by default, if the server offers
it.
JH/04 Certificate name checking on server certificates, when exim is a client,
is now done by default. The transport option tls_verify_cert_hostnames
can be used to disable this per-host. The build option
EXPERIMENTAL_CERTNAMES is withdrawn.
JH/05 The value of the tls_verify_certificates smtp transport and main options
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.
JH/06 Verification of the server certificate for a TLS connection is now tried
(but not required) by default. The verification status is now logged by
default, for both outbound TLS and client-certificate supplying inbound
TLS connections
JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
sites use this now.
JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
Status Notification (bounce) messages are now MIME format per RFC 3464.
Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
under the control of the dsn_advertise_hosts option, and routers may
have a dsn_lasthop option.
JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
default, modifiable by a malware= option. The list separator for
the options can now be changed in the usual way. Bug 68.
JH/10 The smtp_receive_timeout main option is now expanded before use.
JH/11 The incoming_interface log option now also enables logging of the
local interface on delivery outgoing connections.
JH/12 The cutthrough-routing facility now supports multi-recipient mails,
if the interface and destination host and port all match.
JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
/defer_ok option.
JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
Patch from Andrew Lewis.
JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
now supports optional time-restrictions, weighting, and priority
modifiers per server. Patch originally by <rommer@active.by>.
JH/16 The spamd_address main option now supports a mixed list of local
and remote servers. Remote servers can be IPv6 addresses, and
specify a port-range.
JH/17 Bug 68: The spamd_address main option now supports an optional
timeout value per server.
JH/18 Bug 1581: Router and transport options headers_add/remove can
now have the list separator specified.
JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
option values.
JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
under OpenSSL.
JH/21 Support for the A6 type of dns record is withdrawn.
JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
rather than the verbs used.
JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
from 255 to 1024 chars.
JH/24 Verification callouts now attempt to use TLS by default.
HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
are generic router options now. The defaults didn't change.
JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
Original patch from Alexander Shikoff, worked over by JH.
HS/02 Bug 1575: exigrep falls back to autodetection of compressed
files if ZCAT_COMMAND is not executable.
JH/26 Bug 1539: Add timout/retry options on dnsdb lookups.
JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
Normally benign, it bites when the pair was led to by a CNAME;
modern usage is to not canoicalize the domain to a CNAME target
(and we were inconsistent anyway for A-only vs AAAA+A).
JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
when evaluating $sender_host_dnssec.
JH/31 Check the HELO verification lookup for DNSSEC, adding new
$sender_helo_dnssec variable.
JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
documented as working, but never had. Support all but $spam_report.
JH/36 Bug 1659: Guard checking of input smtp commands again pseudo-command
added for tls authenticator.
|
|
Problems found locating distfiles:
Package mutt: missing distfile patch-1.5.24.rr.compressed.gz
Package p5-Email-Valid: missing distfile Email-Valid-1.198.tar.gz
Package pine: missing distfile fancy.patch.gz
Package postgrey: missing distfile targrey-0.31-postgrey-1.34.patch
Package qmail: missing distfile badrcptto.patch
Package qmail: missing distfile outgoingip.patch
Package qmail: missing distfile qmail-1.03-realrcptto-2006.12.10.patch
Package qmail: missing distfile qmail-smtpd-viruscan-1.3.patch
Package thunderbird24: missing distfile enigmail-1.7.2.tar.gz
Package thunderbird31: missing distfile enigmail-1.7.2.tar.gz
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
|
|
-----------------
TL/01 When running the test suite, the README says that variables such as
no_msglog_check are global and can be placed anywhere in a specific
test's script, however it was observed that placement needed to be near
the beginning for it to behave that way. Changed the runtest perl
script to read through the entire script once to detect and set these
variables, reset to the beginning of the script, and then run through
the script parsing/test process like normal.
TL/02 The BSD's have an arc4random API. One of the functions to induce
adding randomness was arc4random_stir(), but it has been removed in
OpenBSD 5.5. Detect this OpenBSD version and skip calling this
function when detected.
JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now
cause callback expansion.
TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that
syntax errors in an expansion can be treated as a string instead of
logging or causing an error, due to the internal use of bool_lax
instead of bool when processing it.
JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for
server certificates when making smtp deliveries.
JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups.
JH/04 Add ${sort {list}{condition}{extractor}} expansion item.
TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep.
TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups.
Merged patch from Sebastian Wiedenroth.
JH/05 Fix results-pipe from transport process. Several recipients, combined
with certificate use, exposed issues where response data items split
over buffer boundaries were not parsed properly. This eventually
resulted in duplicates being sent. This issue only became common enough
to notice due to the introduction of conection certificate information,
the item size being so much larger. Found and fixed by Wolfgang Breyha.
JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
size buffer was used, resulting in syntax errors when an expansion
exceeded it.
JH/07 Add support for directories of certificates when compiled with a GnuTLS
version 3.3.6 or later.
JH/08 Rename the TPDA expermimental facility to Event Actions. The #ifdef
is EXPERIMENTAL_EVENT, the main-configuration and transport options
both become "event_action", the variables become $event_name, $event_data
and $event_defer_errno. There is a new variable $verify_mode, usable in
routers, transports and related events. The tls:cert event is now also
raised for inbound connections, if the main configuration event_action
option is defined.
TL/06 In test suite, disable OCSP for old versions of openssl which contained
early OCSP support, but no stapling (appears to be less than 1.0.0).
JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on
server certificate names available under the smtp transport option
"tls_verify_cert_hostname" now do not permit multi-component wildcard
matches.
JH/10 Time-related extraction expansions from certificates now use the main
option "timezone" setting for output formatting, and are consistent
between OpenSSL and GnuTLS compilations. Bug 1541.
JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047-
encoded parameter in the incoming message. Bug 1558.
JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now
include certificate info, eximon was claiming there were spoolfile
syntax errors.
JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return.
JH/14 Log delivery-related information more consistently, using the sequence
"H=<name> [<ip>]" wherever possible.
TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which
are problematic for Debian distribution, omit them from the release
tarball.
JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature.
JH/16 Fix string representation of time values on 64bit time_t anchitectures.
Bug 1561.
JH/17 Fix a null-indirection in certextract expansions when a nondefault
output list separator was used.
|
|
TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static
checkers that were complaining about end of non-void function with no
return.
JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers.
This was a regression intruduced in 4.83 by another bugfix.
JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled.
TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when
EXPERIMENTAL_DNS is enabled.
|
|
1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be
configured to expect an initial header from a proxy that will make the
actual external source IP:host be used in exim instead of the IP of the
proxy that is connecting to it.
2. New verify option header_names_ascii, which will check to make sure
there are no non-ASCII characters in header names. Exim itself handles
those non-ASCII characters, but downstream apps may not, so Exim can
detect and reject if those characters are present.
3. New expansion operator ${utf8clean:string} to replace malformed UTF8
codepoints with valid ones.
4. New malware type "sock". Talks over a Unix or TCP socket, sending one
command line and matching a regex against the return data for trigger
and a second regex to extract malware_name. The mail spoofile name can
be included in the command line.
5. The smtp transport now supports options "tls_verify_hosts" and
"tls_try_verify_hosts". If either is set the certificate verification
is split from the encryption operation. The default remains that a failed
verification cancels the encryption.
6. New SERVERS override of default ldap server list. In the ACLs, an ldap
lookup can now set a list of servers to use that is different from the
default list.
7. New command-line option -C for exiqgrep to specify alternate exim.conf
file when searching the queue.
8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that.
9. Support for DNSSEC on outbound connections.
10. New variables "tls_(in,out)_(our,peer)cert" and expansion item
"certextract" to extract fields from them. Hash operators md5 and sha1
work over them for generating fingerprints, and a new sha256 operator
for them added.
11. PRDR is now supported dy default.
12. OCSP stapling is now supported by default.
13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output
Delivery Status Notification messages in MIME format, and negociate
DSN features per RFC 3461.
|
|
This is a SECURITY release, addressing a CRITICAL remote code execution
flaw in Exim version 4.82 (only) when built with DMARC support (an
experimental feature, not on by default). This release is identical to
4.82 except for the small change needed to plug the security hole. The
next release of Exim will, eventually, be 4.83, which will include the
many improvements we've made since 4.82, but which will require the
normal release candidate baking process before release.
You are not vulnerable unless you built Exim with EXPERIMENTAL_DMARC.
This issue is known by the CVE ID of CVE-2014-2957, was reported
directly to the Exim development team by a company which uses Exim for
its mail server. An Exim developer constructed a small patch which
altered the way the contents of the From header is parsed by converting
it to use safer and better internal functions. It was applied and
tested on a production server for correctness. We were notified of the
vulnerability Friday night, created a patch on Saturday, applied and
tested it on Sunday, notified OS packagers on Monday/Tuesday, and are
releasing on the next available work day, which is Wednesday.
This is why we have made the smallest feasible changes to prevent
exploit: we want this chagne to be as safe as possible to expedite into
production (if the packages were built with DMARC).
|
|
- exim-lookup-redis: allow quering redis from within the exim
config, needs hiredis
- opendmarc: enables DMARC support
Both are disabled by default.
|
|
1. New command-line option -bI:sieve will list all supported sieve extensions
of this Exim build on standard output, one per line.
ManageSieve (RFC 5804) providers managing scripts for use by Exim should
query this to establish the correct list to include in the protocol's
SIEVE capability line.
2. If the -n option is combined with the -bP option, then the name of an
emitted option is not output, only the value (if visible to you).
For instance, "exim -n -bP pid_file_path" should just emit a pathname
followed by a newline, and no other text.
3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
has a "tls_dh_min_bits" option, to set the minimum acceptable number of
bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
acceptable for security. (Option accepted but ignored if using OpenSSL).
Defaults to 1024, the old value. May be lowered only to 512, or raised as
far as you like. Raising this may hinder TLS interoperability with other
sites and is not currently recommended. Lowering this will permit you to
establish a TLS session which is not as secure as you might like.
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
can now detect this. Exim does not perform validation itself, instead
relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
5. DSCP support for outbound connections: on a transport using the smtp driver,
set "dscp = ef", for instance, to cause the connections to have the relevant
DSCP (IPv4 TOS or IPv6 TCLASS) value in the header.
Similarly for inbound connections, there is a new control modifier, dscp,
so "warn control = dscp/ef" in the connect ACL, or after authentication.
Supported values depend upon system libraries. "exim -bI:dscp" to list the
ones Exim knows of. You can also set a raw number 0..0x3F.
6. The -G command-line flag is no longer ignored; it is now equivalent to an
ACL setting "control = suppress_local_fixups". The -L command-line flag
is now accepted and forces use of syslog, with the provided tag as the
process name. A few other flags used by Sendmail are now accepted and
ignored.
7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery"
ACL modifier; works for single-recipient mails which are recieved on and
deliverable via SMTP. Using the connection made for a recipient verify,
if requested before the verify, or a new one made for the purpose while
the inbound connection is still active. The bulk of the mail item is copied
direct from the inbound socket to the outbound (as well as the spool file).
When the source notifies the end of data, the data acceptance by the destination
is negociated before the acceptance is sent to the source. If the destination
does not accept the mail item, for example due to content-scanning, the item
is not accepted from the source and therefore there is no need to generate
a bounce mail. This is of benefit when providing a secondary-MX service.
The downside is that delays are under the control of the ultimate destination
system not your own.
The Recieved-by: header on items delivered by cutthrough is generated
early in reception rather than at the end; this will affect any timestamp
included. The log line showing delivery is recorded before that showing
reception; it uses a new ">>" tag instead of "=>".
To support the feature, verify-callout connections can now use ESMTP and TLS.
The usual smtp transport options are honoured, plus a (new, default everything)
hosts_verify_avoid_tls.
New variable families named tls_in_cipher, tls_out_cipher etc. are introduced
for specific access to the information for each connection. The old names
are present for now but deprecated.
Not yet supported: IGNOREQUOTA, SIZE, PIPELINING.
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
modules. For some situations this is desirable, but we expect admin in
those situations to know they want the feature. More commonly, it means
that GUI user modules get loaded and are broken by the setuid Exim being
unable to access files specified in environment variables and passed
through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
unless this new option is set.
Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
so have also added a build option which can be used to build Exim with GnuTLS
but without trying to use any kind of PKCS11 support. Uncomment this in the
Local/Makefile:
AVOID_GNUTLS_PKCS11=yes
10. The "acl = name" condition on an ACL now supports optional arguments.
New expansion item "${acl {name}{arg}...}" and expansion condition
"acl {{name}{arg}...}" are added. In all cases up to nine arguments
can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
Variable $acl_narg contains the number of arguments. If the ACL sets
a "message =" value this becomes the result of the expansion item,
or the value of $value for the expansion condition. If the ACL returns
accept the expansion condition is true; if reject, false. A defer
return results in a forced fail.
11. Routers and transports can now have multiple headers_add and headers_remove
option lines. The concatenated list is used.
12. New ACL modifier "remove_header" can remove headers before message gets
handled by routers/transports.
13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured),
"aaaa" and "a" lookups is done and the full set of results returned.
14. New expansion variable $headers_added with content from ACL add_header
modifier (but not yet added to messsage).
15. New 8bitmime status logging option for received messages. Log field "M8S".
16. New authenticated_sender logging option, adding to log field "A".
17. New expansion variables $router_name and $transport_name. Useful
particularly for debug_print as -bt commandline option does not
require privilege whereas -d does.
18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a
proposed extension to SMTP from Eric Hall.
19. The pipe transport has gained the force_command option, to allow
decorating commands from user .forward pipe aliases with prefix
wrappers, for instance.
20. Callout connections can now AUTH; the same controls as normal delivery
connections apply.
21. Support for DMARC, using opendmarc libs, can be enabled. It adds new
options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file.
It adds new expansion variables $dmarc_ar_header, $dmarc_status,
$dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier
dmarc_status. It adds new control flags dmarc_disable_verify and
dmarc_enable_forensic.
22. Add expansion variable $authenticated_fail_id, which is the username
provided to the authentication method which failed. It is available
for use in subsequent ACL processing (typically quit or notquit ACLs).
23. New ACL modifer "udpsend" can construct a UDP packet to send to a given
UDP host and port.
24. New ${hexquote:..string..} expansion operator converts non-printable
characters in the string to \xNN form.
25. Experimental TPDA (Transport Post Delivery Action) function added.
Patch provided by Axel Rau.
26. Experimental Redis lookup added. Patch provided by Warren Baker.
|
|
SunOS >= 5.11 where /bin/sh is ksh93.
|
|
Exim version 4.80.1
-------------------
PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
CVE-2012-5671
This, or similar/improved, will also be change PP/11 of 4.81.
See: https://secunia.com/advisories/51098/
|
|
1. New authenticator driver, "gsasl". Server-only (at present).
This is a SASL interface, licensed under GPL, which can be found at
http://www.gnu.org/software/gsasl/.
This system does not provide sources of data for authentication, so
careful use needs to be made of the conditions in Exim.
2. New authenticator driver, "heimdal_gssapi". Server-only.
A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME
is no longer honoured for setuid programs by Heimdal. Use the
"server_keytab" option to point to the keytab.
3. The "pkg-config" system can now be used when building Exim to reference
cflags and library information for lookups and authenticators, rather
than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and
"LOOKUP_LIBS" directly. Similarly for handling the TLS library support
without adjusting "TLS_INCLUDE" and "TLS_LIBS".
In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to
find the headers and libraries for PCRE.
4. New expansion variable $tls_bits.
5. New lookup type, "dbmjz". Key is an Exim list, the elements of which will
be joined together with ASCII NUL characters to construct the key to pass
into the DBM library. Can be used with gsasl to access sasldb2 files as
used by Cyrus SASL.
6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1.
Avoid release 1.0.1a if you can. Note that the default value of
"openssl_options" is no longer "+dont_insert_empty_fragments", as that
increased susceptibility to attack. This may still have interoperability
implications for very old clients (see version 4.31 change 37) but
administrators can choose to make the trade-off themselves and restore
compatibility at the cost of session security.
7. Use of the new expansion variable $tls_sni in the main configuration option
tls_certificate will cause Exim to re-expand the option, if the client
sends the TLS Server Name Indication extension, to permit choosing a
different certificate; tls_privatekey will also be re-expanded. You must
still set these options to expand to valid files when $tls_sni is not set.
The SMTP Transport has gained the option tls_sni, which will set a hostname
for outbound TLS sessions, and set $tls_sni too.
A new log_selector, +tls_sni, has been added, to log received SNI values
for Exim as a server.
8. The existing "accept_8bitmime" option now defaults to true. This means
that Exim is deliberately not strictly RFC compliant. We're following
Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default.
Those who disagree, or know that they are talking to mail servers that,
even today, are not 8-bit clean, need to turn off this option.
9. Exim can now be started with -bw (with an optional timeout, given as
-bw<timespec>). With this, stdin at startup is a socket that is
already listening for connections. This has a more modern name of
"socket activation", but forcing the activated socket to fd 0. We're
interested in adding more support for modern variants.
10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix
for numbers indicates multiplication by 1024^3.
11. The GnuTLS support has been revamped; the three options gnutls_require_kx,
gnutls_require_mac & gnutls_require_protocols are no longer supported.
tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority
string, documentation for which is at:
http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
SNI support has been added to Exim's GnuTLS integration too.
For sufficiently recent GnuTLS libraries, ${randint:..} will now use
gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness.
12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file
is now available. If the contents of the file are valid, then Exim will
send that back in response to a TLS status request; this is OCSP Stapling.
Exim will not maintain the contents of the file in any way: administrators
are responsible for ensuring that it is up-to-date.
13. ${lookup dnsdb{ }} supports now SPF record types. They are handled
identically to TXT record lookups.
14. New expansion variable $tod_epoch_l for higher-precision time.
15. New global option tls_dh_max_bits, defaulting to current value of NSS
hard-coded limit of DH ephemeral bits, to fix interop problems caused by
GnuTLS 2.12 library recommending a bit count higher than NSS supports.
16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier.
Option can now be a path or an identifier for a standard prime.
If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23".
Set to "historic" to get the old GnuTLS behaviour of auto-generated DH
primes.
17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS).
Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL
install was not built with OPENSSL_NO_SSL2 ("no-ssl2").
|
|
* Solaris build fix for Oracle's LDAP libraries.
* HP/UX build fix: avoid arithmetic on a void pointer.
* DKIM Verification: Fix relaxed canon for empty headers w/o whitespace trailer
* Fix a couple more cases where we did not log the error message when unlink()
failed.
* Make the exiwhat support code safe for signals. Previously Exim might lock up
or crash if it happened to be inside a call to libc when it got a SIGUSR1
from exiwhat.
* Improved ratelimit ACL condition.
* Removed a few PCRE remnants.
* Automatically extract Exim's version number from tags in the git repository
when doing development or release builds.
* Raise smtp_cmd_buffer_size to 16kB.
* Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
* Use .dylib instead of .so for dynamic library loading on MacOS.
* Variable $av_failed, true if the AV scanner deferred.
* Stop make process more reliably on build failure.
* Make maildir_use_size_file an _expandable_ boolean.
* Handle ${run} returning more data than OS pipe buffer size.
* Handle IPv6 addresses with SPF.
* GnuTLS: support TLS 1.2 & 1.1.
* match_* no longer expand right-hand-side by default.
* fix uninitialised greeting string from PP/03 (smtps client support).
* shell and compiler warnings fixes for RC1-RC4 changes.
|
|
* The new ldap_require_cert option would segfault if used. Fixed.
* Harmonised TLS library version reporting; only show if debugging.
Layout now matches that introduced for other libraries in 4.74 PP/03.
* New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
* New "dns_use_edns0" global option.
* Don't segfault on misconfiguration of ref:name exim-user as uid.
* Extra paranoia around buffer usage at the STARTTLS transition.
nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316
* Updated PolarSSL code to 0.14.2.
* Catch divide-by-zero in ${eval:...}.
* Condition negation of bool{}/bool_lax{} did not negate. Fixed.
* CVE-2011-1764 - DKIM log line was subject to a format-string attack --
SECURITY: remote arbitrary code execution.
* SECURITY - DKIM signature header parsing was double-expanded, second
time unintentionally subject to list matching rules, letting the header
cause arbitrary Exim lookups (of items which can occur in lists, *not*
arbitrary string expansion). This allowed for information disclosure.
* Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
INT_MIN/-1 -- value coerced to INT_MAX.
|
|
bump PKGREV
|
|
1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there
is now LDAP/TLS support, given sufficiently modern OpenLDAP client
libraries. The following global options have been added in support of
this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key,
ldap_cipher_suite, ldap_require_cert, ldap_start_tls.
2. The pipe transport now takes a boolean option, "freeze_signal", default
false. When true, if the external delivery command exits on a signal then
Exim will freeze the message in the queue, instead of generating a bounce.
3. Log filenames may now use %M as an escape, instead of %D (still available).
The %M pattern expands to yyyymm, providing month-level resolution.
4. The $message_linecount variable is now updated for the maildir_tag option,
in the same way as $message_size, to reflect the real number of lines,
including any header additions or removals from transport.
5. When contacting a pool of SpamAssassin servers configured in spamd_address,
Exim now selects entries randomly, to better scale in a cluster setup.
|
|
* Failure to get a lock on a hints database can have serious
consequences so log it to the panic log.
* Log LMTP confirmation messages in the same way as SMTP,
controlled using the smtp_confirmation log selector.
* Include the error message when we fail to unlink a spool file.
* Bugzilla 139: Support dynamically loaded lookups as modules.
* Bugzilla 139: Documentation and portability issues.
Avoid GNU Makefile-isms, let Exim continue to build on BSD.
Handle per-OS dynamic-module compilation flags.
* Let /dev/null have normal permissions.
The 4.73 fixes were a little too stringent and complained about the
permissions on /dev/null. Exempt it from some checks.
* Report version information for many libraries, including
Exim version information for dynamically loaded libraries. Created
version.h, now support a version extension string for distributors
who patch heavily. Dynamic module ABI change.
* CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
* Bugzilla 1041: merged DCC maintainer's fixes for return code.
* Bugzilla 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging
on the basis that it would fail; for the Exim run-time user, this is not
the case, and it resulted in successful deliveries going unlogged.
|
|
* Date: & Message-Id: revert to normally being appended to a message,
only prepend for the Resent-* case. Fixes regression introduced in
Exim 4.70 by NM/22 for Bugzilla 607.
* Include check_rfc2047_length in configure.default because we're seeing
increasing numbers of administrators be bitten by this.
* Added DISABLE_DKIM and comment to src/EDITME
* Bugzilla 994: added openssl_options main configuration option.
* Bugzilla 995: provide better SSL diagnostics on failed reads.
* Bugzilla 834: provide a permit_coredump option for pipe transports.
* Adjust NTLM authentication to handle SASL Initial Response.
* If TLS negotiated an anonymous cipher, we could end up with SSL but
without a peer certificate, leading to a segfault because of an
assumption that peers always have certificates. Be a little more paranoid.
* Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
NB: ClamAV planning to remove STREAM in "middle of 2010".
CL also introduces -bmalware, various -d+acl logging additions and
more caution in buffer sizes.
* Implemented reverse_ip expansion operator.
* Bugzilla 937: provide a "debug" ACL control.
* Bugzilla 922: Documentation dusting, patch provided by John Horne.
* Bugzilla 973: Implement --version.
* Bugzilla 752: Refuse to build/run if Exim user is root/0.
* Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
* Bugzilla 816: support multiple condition rules on Routers.
* Add bool_lax{} expansion operator and use that for combining multiple
condition rules, instead of bool{}. Make both bool{} and bool_lax{}
ignore trailing whitespace.
* prevent non-panic DKIM error from being sent to paniclog
* added tcp_wrappers_daemon_name to allow host entries other than
"exim" to be used
* Fix malware regression for cmdline scanner introduced in PP/08.
Notification from Dr Andrew Aitchison.
* Change ClamAV response parsing to be more robust and to handle ClamAV's
ExtendedDetectionInfo response format.
* OpenSSL 1.0.0a compatibility const-ness change, should be backwards
compatible.
|
|
sqlite).
* Pass LDFLAGS for linking (useful with different SDKs on Mac OS X).
|
|
* installed exipick 20100104.1, adding $max_received_linelength, $data_path,
and $header_path variables; fixed documentation bugs and typos
* installed exipick 20100222.0, added --input-dir and --finput to allow
exipick to access non-standard spools, including the "frozen" queue (Finput)
* Support mysql stored procedures.
* Spacing fix (syntax error) on Makefile directives for NetBSD
* Documentation fix for max_rcpts.
* Fix for unknown responses from Dovecot authenticator.
* Added umask to procmail example.
* installed exipick 20100323.0, fixing doc bug
* CVE-2010-2023 - prevent hardlink attack on sticky mail directory.
* Upgrade PolarSSL files to upstream version 0.12.1.
* Improve log output when DKIM signing operation fails.
* Treat the transport option dkim_domain as a colon separated list, not as
a single string, and sign the message with each element, omitting multiple
occurences of the same signer.
* Null terminate DKIM strings, Null initialise DKIM variable
* dnsdb DNS TXT record bug fix (DKIM-related)
* CVE-2010-2024 - work round race condition on MBX locking.
|
|
file cannot run without EXIM_USER being present on the system, so
scripts/exim_install was changed to derive the Exim version from the
pkgsrc package version (see PKGSRC_EXIM_VERSION in the Makefile and patch-ae).
Added LICENSE information.
Ok'd by abs@
|
|
* Fix DKIM segfault on empty headers/body
* Documentation fix for gnutls_* options.
* Documentation for randint. Better randomness defaults.
* Enable DNSDB lookup by default.
* Flag broken perl installation during build.
|
|
* Added patch by Johannes Berg that expands the main option
"spamd_servers" if it starts with a dollar sign.
* Write list of recipients to X-Envelope-Sender header when building
the mbox-format spool file for content scanning.
* Added patch by Wolfgang Breyha that adds experimental DCC
(http://www.dcc-servers.net/) support via dccifd. Activated by
setting EXPERIMENTAL_DCC=yes in Local/Makefile. Check out
experimental_spec.txt for more documentation.
* Bugzilla 673: Add f-protd malware scanner support.
* Bugzilla 657: Embedded PCRE removed from the exim source tree.
When building exim an external PCRE library is now needed -
PCRE is a system library on the majority of modern systems.
See entry on PCRE_LIBS in EDITME file.
* Bugzilla 646: Removed unwanted C/R in Dovecot authenticator
conversation. Added nologin parameter to request.
* Do not log submission mode rewrites if they do not change the address.
* Bugzilla 662: Fix stack corruption before exec() in daemon.c.
* Bugzilla 602: exicyclog now handles panic log, and creates empty
log files in place. Contributed by Roberto Lima
* Bugzilla 667: close socket used by dovecot authenticator
* Bugzilla 615: When checking the local_parts router precondition
after a local_part_suffix or local_part_prefix option, Exim now
does not use the address's named list lookup cache, since this
contains cached lookups for the whole local part.
* Bugzilla 521: Integrated SPF Best Guess support contributed by
Robert Millan. Documentation is in experimental-spec.txt
* Bugzilla 668: Fix parallel build (make -j).
* Bugzilla 437: Prevent Maildir aux files being created with mode 000
* Bugzilla 598: Improvement to Dovecot authenticator handling.
* Leading white space used to be stripped from $spam_report which
wrecked the formatting. Now it is preserved.
* Save $spam_score, $spam_bar, and $spam_report in spool files, so
that they are available at delivery time.
* Fix the way ${extract is skipped in the untaken branch of a conditional.
* TLS error reporting now respects the incoming_interface and
incoming_port log selectors.
* more...
|
|
|
|
- Add support for getifaddrs() and enable on NetBSD - submitted back to
exim bugzilla as http://bugs.exim.org/show_bug.cgi?id=802
- Increase size of addrbuf[512] used in old style ioctl() version of
os_common_find_running_interfaces()
Fixes issue on NetBSD 5.0
|
|
* Add preliminary DKIM support.
* Bugzilla 592: --help option is handled incorrectly if exim is invoked
as mailq or other aliases. Changed the --help handling significantly
to do whats expected. exim_usage() emits usage/help information.
* Added the -bylocaldomain option to eximstats.
* Bugzilla 619: Defended against bad data coming back from gethostbyaddr
* Bugzilla 613: Documentation fix for acl_not_smtp
* Bugzilla 628: PCRE update to 7.4 (work done by John Hall)
|
|
* Bug fixes
|
|
Prompted by report from Peter Avalos that exim 4.66 would not build
against openssl 0.9.8e
Changelog:
MH/01 Fix for bug #448, segfault in Dovecot authenticator when interface_address
is unset (happens when testing with -bh and -oMi isn't used). Thanks to
Jan Srzednicki.
PH/01 Added a new log selector smtp_no_mail, to log SMTP sessions that do not
issue a MAIL command.
PH/02 In an ACL statement such as
deny dnslists = X!=127.0.0.2 : X=127.0.0.2
if a client was not listed at all, or was listed with a value other than
127.0.0.2, in the X list, but was listed with 127.0.0.2 in the Y list,
the condition was not true (as it should be), so access was not denied.
The bug was that the ! inversion was incorrectly passed on to the second
item. This has been fixed.
PH/03 Added additional dnslists conditions == and =& which are different from
= and & when the dns lookup returns more than one IP address.
PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the
cipher suites used by GnuTLS. These options are ignored by OpenSSL.
PH/05 After discussion on the list, added a compile time option ENABLE_DISABLE_
FSYNC, which compiles an option called disable_fsync that allows for
bypassing fsync(). The documentation is heavily laced with warnings.
SC/01 Updated eximstats to collate all SpamAssassin rejects into one bucket.
PH/06 Some tidies to the infrastructure of the Test Suite that is concerned
with the auxiliary C programs that it uses: (1) Arrange for BIND_8_COMPAT
to be defined when compiling on OSX (Darwin); (2) Tidies to the Makefile,
including adding "make clean"; (3) Added -fPIC when compiling the test
dynamically loaded module, to get rid of a warning.
MH/02 Fix for bug #451, causing paniclog entries to be written if a bounce
message fails, move_frozen_messages = true and ignore_bounce_errors_after
= 0s. The bug is otherwise harmless.
PH/07 There was a bug in the dovecot authenticator such that the value of
$auth1 could be overwritten, and so not correctly preserved, after a
successful authentication. This usually meant that the value preserved by
the server_setid option was incorrect.
PH/08 Added $smtp_count_at_connection_start, deliberately with a long name.
PH/09 Installed PCRE release 7.0.
PH/10 The acl_not_smtp_start ACL was, contrary to the documentation, not being
run for batched SMTP input. It is now run at the start of every message
in the batch. While fixing this I discovered that the process information
(output by running exiwhat) was not always getting set for -bs and -bS
input. This is fixed, and it now also says "batched" for BSMTP.
PH/11 Added control=no_pipelining.
PH/12 Added $sending_ip_address and $sending_port (mostly Magnus Holmgren's
patch, slightly modified), and move the expansion of helo_data till after
the connection is made in the smtp transport (so it can use these
values).
PH/13 Added ${rfc2047d: to decoded RFC 2047 strings.
PH/14 Added log_selector = +pid.
PH/15 Flush SMTP output before delaying, unless control=no_delay_flush is set.
PH/16 Add ${if forany and ${if forall.
PH/17 Added dsn_from option to vary the From: line in DSNs.
PH/18 Flush SMTP output before performing a callout, unless control =
no_callout_flush is set.
PH/19 Change 4.64/PH/36 introduced a bug: when address_retry_include_sender
was true (the default) a successful delivery failed to delete the retry
item, thus causing premature timeout of the address. The bug is now
fixed.
PH/20 Added hosts_avoid_pipelining to the smtp transport.
PH/21 Long custom messages for fakedefer and fakereject are now split up
into multiline reponses in the same way that messages for "deny" and
other ACL rejections are.
PH/22 Applied Jori Hamalainen's speed-up changes and typo fixes to exigrep,
with slight modification.
PH/23 Applied sieve patches from the maintainer "tracking the latest notify
draft, changing the syntax and factoring some duplicate code".
PH/24 When the log selector "outgoing_port" was set, the port was shown as -1
for deliveries of the second and subsequent messages over the same SMTP
connection.
PH/25 Applied Magnus Holmgren's patch for ${addresses, ${map, ${filter, and
${reduce, with only minor "tidies".
SC/02 Applied Daniel Tiefnig's patch to improve the '($parent) =' pattern match.
PH/26 Added a "continue" ACL modifier that does nothing, for the benefit of its
expansion side effects.
PH/27 When a message times out after an over-quota error from an Exim-imposed
quota, the bounce message says "mailbox is full". This message was not
being given when it was a system quota that was exceeded. It now should
be the same.
MH/03 Made $recipients available in local_scan(). local_scan() already has
better access to the recipient list through recipients_list[], but
$recipients can be useful in postmaster-provided expansion strings.
PH/28 The $smtp_command and $smtp_command_argument variables were not correct
in the case of a MAIL command with additional options following the
address, for example: MAIL FROM:<foo@bar> SIZE=1234. The option settings
were accidentally chopped off.
PH/29 SMTP synchronization checks are implemented when a command is read -
there is a check that no more input is waiting when there shouldn't be
any. However, for some commands, a delay in an ACL can mean that it is
some time before the response is written. In this time, more input might
arrive, invalidly. So now there are extra checks after an ACL has run for
HELO/EHLO and after the predata ACL, and likewise for MAIL and RCPT when
pipelining has not been advertised.
PH/30 MH's patch to allow iscntrl() characters to be list separators.
PH/31 Unlike :fail:, a custom message specified with :defer: was not being
returned in the SMTP response when smtp_return_error_details was false.
This has been fixed.
PH/32 Change the Dovecot authenticator to use read() and write() on the socket
instead of the C I/O that was originally supplied, because problems were
reported on Solaris.
PH/33 Compile failed with OpenSSL 0.9.8e. This was due to a coding error in
Exim which did not show up earlier: it was assuming that a call to
SSL_CTX_set_info_callback() might give an error value. In fact, there is
no error. In previous releases of OpenSSL, SSL_CTX_set_info_callback()
was a macro that became an assignment, so it seemed to work. This has
changed to a proper function call with a void return, hence the compile
error. Exim's code has been fixed.
PH/34 Change HDA_SIZE in oracle.c from 256 to 512. This is needed for 64-bit
cpus.
PH/35 Applied a patch from the Sieve maintainer which fixes a bug in "notify".
PH/36 Applied John Jetmore's patch to add -v functionality to exigrep.
PH/37 If a message is not accepted after it has had an id assigned (e.g.
because it turns out to be too big or there is a timeout) there is no
"Completed" line in the log. When some messages of this type were
selected by exigrep, they were listed as "not completed". Others were
picked up by some special patterns. I have improved the selection
criteria to be more general.
PH/38 The host_find_failed option in the manualroute router can now be set
to "ignore", to completely ignore a host whose IP address cannot be
found. If all hosts are ignored, the behaviour is controlled by the new
host_all_ignored option.
PH/39 In a list of hosts for manualroute, if one item (either because of multi-
homing or because of multiple MX records with /mx) generated more than
one IP address, and the following item turned out to be the local host,
all the secondary addresses of the first item were incorrectly removed
from the list, along with the local host and any following hosts (which
is what is supposed to happen).
PH/40 When Exim receives a message, it writes the login name, uid, and gid of
whoever called Exim into the -H file. In the case of the daemon it was
behaving confusingly. When first started, it used values for whoever
started the daemon, but after a SIGHUP it used the Exim user (because it
calls itself on a restart). I have changed the code so that it now always
uses the Exim user.
PH/41 (Following a suggestion from Tony Finch) If all the RCPT commands in a
message are rejected with the same error (e.g. no authentication or bad
sender address), and a DATA command is nevertheless sent (as can happen
with PIPELINING or a stupid MUA), the error message that was given to the
RCPT commands is included in the rejection of the DATA command. This is
intended to be helpful for MUAs that show only the final error to their
users.
PH/42 Another patch from the Sieve maintainer.
SC/02 Eximstats - Differentiate between permanent and temporary rejects.
Eximstats - Fixed some broken HTML links and added missing column headers
(Jez Hancock).
Eximstats - Fixed Grand Total Summary Domains, Edomains, and Email
columns for Rejects, Temp Rejects, Ham, and Spam rows.
SC/03 Eximstats - V1.58 Fix to get <> and blackhole to show in edomain tables.
PH/43 Yet another patch from the Sieve maintainer.
PH/44 I found a way to check for a TCP/IP connection going away before sending
the response to the final '.' that terminates a message, but only in the
case where the client has not sent further data following the '.'
(unfortunately, this is allowed). However, in many cases there won't be
any further data because there won't be any more messages to send. A call
to select() can be used: if it shows that the input is "ready", there is
either input waiting, or the socket has been closed. An attempt to read
the next input character can distinguish the two cases. Previously, Exim
would have sent an OK response which the client would never have see.
This could lead to message repetition. This fix should cure that, at
least in a lot of common cases.
PH/45 Do not advertise STARTTLS in response to HELP unless it would be
advertised in response to EHLO.
|
|
Exim version 4.66
-----------------
PH/01 Two more bugs that were introduced by 4.64/PH/07, in addition to the one
fixed by 4.65/MH/01 (is this a record?) are fixed:
(i) An empty string was always treated as zero by the numeric comparison
operators. This behaviour has been restored.
(ii) It is documented that the numeric comparison operators always treat
their arguments as decimal numbers. This was broken in that numbers
starting with 0 were being interpreted as octal.
While fixing these problems I realized that there was another issue that
hadn't been noticed. Values of message_size_limit (both the global option
and the transport option) were treated as octal if they started with 0.
The documentation was vague. These values are now always treated as
decimal, and I will make that clear in the documentation.
Exim version 4.65
-----------------
TK/01 Disable default definition of HAVE_LINUX_SENDFILE. Clashes with
Linux large file support (_FILE_OFFSET_BITS=64) on older glibc
versions. (#438)
MH/01 Don't check that the operands of numeric comparison operators are
integers when their expansion is in "skipping" mode (fixes bug
introduced by 4.64-PH/07).
PH/01 If a system filter or a router generates more than SHRT_MAX (32767)
child addresses, Exim now panics and dies. Previously, because the count
is held in a short int, deliveries were likely to be lost. As such a
large number of recipients for a single message is ridiculous
(performance will be very, very poor), I have chosen to impose a limit
rather than extend the field.
Exim version 4.64
-----------------
TK/01 Bugzilla #401. Fix DK spooling code so that it can overwrite a
leftover -K file (the existence of which was triggered by #402).
While we were at it, introduced process PID as part of the -K
filename. This should rule out race conditions when creating
these files.
TK/02 Bugzilla #402. Apply patch from Simon Arlott, speeding up DK signing
processing considerably. Previous code took too long for large mails,
triggering a timeout which in turn triggers #401.
TK/03 Introduced HAVE_LINUX_SENDFILE to os.h-Linux. Currently only used
in the DK code in transports.c. sendfile() is not really portable,
hence the _LINUX specificness.
TF/01 In the add_headers option to the mail command in an Exim filter,
there was a bug that Exim would claim a syntax error in any
header after the first one which had an odd number of characters
in the field name.
PH/01 If a server that rejects MAIL FROM:<> was the target of a sender
callout verification, Exim cached a "reject" for the entire domain. This
is correct for most verifications, but it is not correct for a recipient
verification with use_sender or use_postmaster set, because in that case
the callout does not use MAIL FROM:<>. Exim now distinguishes the special
case of MAIL FROM:<> rejection from other early rejections (e.g.
rejection of HELO). When verifying a recipient using a non-null MAIL
address, the cache is ignored if it shows MAIL FROM:<> rejection.
Whatever the result of the callout, the value of the domain cache is
left unchanged (for any other kind of callout, getting as far as trying
RCPT means that the domain itself is ok).
PH/02 Tidied a number of unused variable and signed/unsigned warnings that
gcc 4.1.1 threw up.
PH/03 On Solaris, an unexpectedly close socket (dropped connection) can
manifest itself as EPIPE rather than ECONNECT. When tidying away a
session, the daemon ignores ECONNECT errors and logs others; it now
ignores EPIPE as well.
PH/04 Applied Nico Erfurth's refactoring patch to tidy up mime.c
(quoted-printable decoding).
PH/05 Applied Nico Erfurth's refactoring patch to tidy up spool_mbox.c, and
later the small subsequent patch to fix an introduced bug.
PH/06 Installed the latest Cygwin Makefile from the Cygwin maintainer.
PH/07 There was no check for overflow in expansions such as ${if >{1}{4096M}}.
PH/08 An error is now given if message_size_limit is specified negative.
PH/09 Applied and tidied up Jakob Hirsch's patch for allowing ACL variables
to be given (somewhat) arbitrary names.
JJ/01 exipick 20060919.0, allow for arbitrary acl_ variables introduced
in 4.64-PH/09.
JJ/02 exipick 20060919.0, --show-vars args can now be regular expressions,
miscellaneous code fixes
PH/10 Added the log_reject_target ACL modifier to specify where to log
rejections.
PH/11 Callouts were setting the name used for EHLO/HELO from $smtp_active_
hostname. This is wrong, because it relates to the incoming message (and
probably the interface on which it is arriving) and not to the outgoing
callout (which could be using a different interface). This has been
changed to use the value of the helo_data option from the smtp transport
instead - this is what is used when a message is actually being sent. If
there is no remote transport (possible with a router that sets up host
addresses), $smtp_active_hostname is used.
PH/12 Installed Andrey Panin's patch to add a dovecot authenticator. Various
tweaks were necessary in order to get it to work (see also 21 below):
(a) The code assumed that strncpy() returns a negative number on buffer
overflow, which isn't the case. Replaced with Exim's string_format()
function.
(b) There were several signed/unsigned issues. I just did the minimum
hacking in of casts. There is scope for a larger refactoring.
(c) The code used strcasecmp() which is not a standard C function.
Replaced with Exim's strcmpic() function.
(d) The code set only $1; it now sets $auth1 as well.
(e) A simple test gave the error "authentication client didn't specify
service in request". It would seem that Dovecot has changed its
interface. Fortunately there's a specification; I followed it and
changed what the client sends and it appears to be working now.
PH/13 Added $message_headers_raw to provide the headers without RFC 2047
decoding.
PH/14 Corrected misleading output from -bv when -v was also used. Suppose the
address A is aliased to B and C, where B exists and C does not. Without
-v the output is "A verified" because verification stops after a
successful redirection if more than one address is generated. However,
with -v the child addresses are also verified. Exim was outputting "A
failed to verify" and then showing the successful verification for C,
with its parentage. It now outputs "B failed to verify", showing B's
parentage before showing the successful verification of C.
PH/15 Applied Michael Deutschmann's patch to allow DNS black list processing to
look up a TXT record in a specific list after matching in a combined
list.
PH/16 It seems that the options setting for the resolver (RES_DEFNAMES and
RES_DNSRCH) can affect the behaviour of gethostbyname() and friends when
they consult the DNS. I had assumed they would set it the way they
wanted; and indeed my experiments on Linux seem to show that in some
cases they do (I could influence IPv6 lookups but not IPv4 lookups).
To be on the safe side, however, I have now made the interface to
host_find_byname() similar to host_find_bydns(), with an argument
containing the DNS resolver options. The host_find_byname() function now
sets these options at its start, just as host_find_bydns() does. The smtp
transport options dns_qualify_single and dns_search_parents are passed to
host_find_byname() when gethostbyname=TRUE in this transport. Other uses
of host_find_byname() use the default settings of RES_DEFNAMES
(qualify_single) but not RES_DNSRCH (search_parents).
PH/17 Applied (a modified version of) Nico Erfurth's patch to make
spool_read_header() do less string testing, by means of a preliminary
switch on the second character of optional "-foo" lines. (This is
overdue, caused by the large number of possibilities that now exist.
Originally there were few.) While I was there, I also converted the
str(n)cmp tests so they don't re-test the leading "-" and the first
character, in the hope this might squeeze out yet more improvement.
PH/18 Two problems with "group" syntax in header lines when verifying: (1) The
flag allowing group syntax was set by the header_syntax check but not
turned off, possible causing trouble later; (2) The flag was not being
set at all for the header_verify test, causing "group"-style headers to
be rejected. I have now set it in this case, and also caused header_
verify to ignore an empty address taken from a group. While doing this, I
came across some other cases where the code for allowing group syntax
while scanning a header line wasn't quite right (mostly, not resetting
the flag correctly in the right place). These bugs could have caused
trouble for malformed header lines. I hope it is now all correct.
PH/19 The functions {pwcheck,saslauthd}_verify_password() are always called
with the "reply" argument non-NULL. The code, however (which originally
came from elsewhere) had *some* tests for NULL when it wrote to *reply,
but it didn't always do it. This confused somebody who was copying the
code for some other use. I have removed all the tests.
PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a
feature that was used to support insecure browsers during the U.S. crypto
embargo. It requires special client support, and Exim is probably the
only MTA that supported it -- and would never use it because real RSA is
always available. This code has been removed, because it had the bad
effect of slowing Exim down by computing (never used) parameters for the
RSA_EXPORT functionality.
PH/21 On the advice of Timo Sirainen, added a check to the dovecot
authenticator to fail if there's a tab character in the incoming data
(there should never be unless someone is messing about, as it's supposed
to be base64-encoded). Also added, on Timo's advice, the "secured" option
if the connection is using TLS or if the remote IP is the same as the
local IP, and the "valid-client-cert option" if a client certificate has
been verified.
PH/22 As suggested by Dennis Davis, added a server_condition option to *all*
authenticators. This can be used for authorization after authentication
succeeds. (In the case of plaintext, it servers for both authentication
and authorization.)
PH/23 Testing for tls_required and lost_connection in a retry rule didn't work
if any retry times were supplied.
PH/24 Exim crashed if verify=helo was activated during an incoming -bs
connection, where there is no client IP address to check. In this
situation, the verify now always succeeds.
PH/25 Applied John Jetmore's -Mset patch.
PH/26 Added -bem to be like -Mset, but loading a message from a file.
PH/27 In a string expansion for a processed (not raw) header when multiple
headers of the same name were present, leading whitespace was being
removed from all of them, but trailing whitespace was being removed only
from the last one. Now trailing whitespace is removed from each header
before concatenation. Completely empty headers in a concatenation (as
before) are ignored.
PH/28 Fixed bug in backwards-compatibility feature of PH/09 (thanks to John
Jetmore). It would have mis-read ACL variables from pre-4.61 spool files.
PH/29 [Removed. This was a change that I later backed out, and forgot to
correct the ChangeLog entry (that I had efficiently created) before
committing the later change.]
PH/30 Exim was sometimes attempting to deliver messages that had suffered
address errors (4xx response to RCPT) over the same connection as other
messages routed to the same hosts. Such deliveries are always "forced",
so retry times are not inspected. This resulted in far too many retries
for the affected addresses. The effect occurred only when there were more
hosts than the hosts_max_try setting in the smtp transport when it had
the 4xx errors. Those hosts that it had tried were not added to the list
of hosts for which the message was waiting, so if all were tried, there
was no problem. Two fixes have been applied:
(i) If there are any address or message errors in an SMTP delivery, none
of the hosts (tried or untried) are now added to the list of hosts
for which the message is waiting, so the message should not be a
candidate for sending over the same connection that was used for a
successful delivery of some other message. This seems entirely
reasonable: after all the message is NOT "waiting for some host".
This is so "obvious" that I'm not sure why it wasn't done
previously. Hope I haven't missed anything, but it can't do any
harm, as the worst effect is to miss an optimization.
(ii) If, despite (i), such a delivery is accidentally attempted, the
routing retry time is respected, so at least it doesn't keep
hammering the server.
PH/31 Installed Andrew Findlay's patch to close the writing end of the socket
in ${readsocket because some servers need this prod.
PH/32 Added some extra debug output when updating a wait-xxx database.
PH/33 The hint "could be header name not terminated by colon", which has been
given for certain expansion errors for a long time, was not being given
for the ${if def:h_colon_omitted{... case.
PH/34 The spec says: "With one important exception, whenever a domain list is
being scanned, $domain contains the subject domain." There was at least
one case where this was not true.
PH/35 The error "getsockname() failed: connection reset by peer" was being
written to the panic log as well as the main log, but it isn't really
panic-worthy as it just means the connection died rather early on. I have
removed the panic log writing for the ECONNRESET error when getsockname()
fails.
PH/36 After a 4xx response to a RCPT error, that address was delayed (in queue
runs only) independently of the message's sender address. This meant
that, if the 4xx error was in fact related to the sender, a different
message to the same recipient with a different sender could confuse
things. In particualar, this can happen when sending to a greylisting
server, but other circumstances could also provoke similar problems.
I have changed the default so that the retry time for these errors is now
based a combination of the sender and recipient addresses. This change
can be overridden by setting address_retry_include_sender=false in the
smtp transport.
PH/37 For LMTP over TCP/IP (the smtp transport), error responses from the
remote server are returned as part of bounce messages. This was not
happening for LMTP over a pipe (the lmtp transport), but now it is the
same for both kinds of LMTP.
PH/38 Despite being documented as not happening, Exim was rewriting addresses
in header lines that were in fact CNAMEs. This is no longer the case.
PH/39 If -R or -S was given with -q<time>, the effect of -R or -S was ignored,
and queue runs started by the daemon processed all messages. This has
been fixed so that -R and -S can now usefully be given with -q<time>.
PH/40 Import PCRE release 6.7 (fixes some bugs).
PH/41 Add bitwise logical operations to eval (courtesy Brad Jorsch).
PH/42 Give an error if -q is specified more than once.
PH/43 Renamed the variables $interface_address and $interface_port as
$received_ip_address and $received_port, to make it clear that these
values apply to message reception, and not to the outgoing interface when
a message is delivered. (The old names remain recognized, of course.)
PH/44 There was no timeout on the connect() call when using a Unix domain
socket in the ${readsocket expansion. There now is.
PH/45 Applied a modified version of Brad Jorsch's patch to allow "message" to
be meaningful with "accept".
SC/01 Eximstats V1.43
Bug fix for V1.42 with -h0 specified. Spotted by Chris Lear.
SC/02 Eximstats V1.44
Use a glob alias rather than an array ref in the generated
parser. This improves both readability and performance.
SC/03 Eximstats V1.45 (Marco Gaiarin / Steve Campbell)
Collect SpamAssassin and rejection statistics.
Don't display local sender or destination tables unless
there is data to show.
Added average volumes into the top table text output.
SC/04 Eximstats V1.46
Collect data on the number of addresses (recipients)
as well as the number of messages.
SC/05 Eximstats V1.47
Added 'Message too big' to the list of mail rejection
reasons (thanks to Marco Gaiarin).
SC/06 Eximstats V1.48
Mainlog lines which have GMT offsets and are too short to
have a flag are now skipped.
SC/07 Eximstats V1.49 (Alain Williams)
Added the -emptyok flag.
SC/08 Eximstats V1.50
Fixes for obtaining the IP address from reject messages.
JJ/03 exipick.20061117.2, made header handling as similar to exim as possible
(added [br]h_ prefixes, implemented RFC2047 decoding. Fixed
whitesspace changes from 4.64-PH/27
JJ/04 exipick.20061117.2, fixed format and added $message_headers_raw to
match 4.64-PH/13
JJ/05 exipick.20061117.2, bug fixes (error out sooner when invalid criteria
are found, allow negative numbers in numeric criteria)
JJ/06 exipick.20061117.2, added new $message_body_missing variable
JJ/07 exipick.20061117.2, added $received_ip_address and $received_port
to match changes made in 4.64-PH/43
PH/46 Applied Jori Hamalainen's patch to add features to exiqsumm.
PH/47 Put in an explicit test for a DNS lookup of an address record where the
"domain" is actually an IP address, and force a failure. This locks out
those revolvers/nameservers that support "A-for-A" lookups, in
contravention of the specifications.
PH/48 When a host name was looked up from an IP address, and the subsequent
forward lookup of the name timed out, the host name was left in
$sender_host_name, contrary to the specification.
PH/49 Although default lookup types such as lsearch* or cdb*@ have always been
restricted to single-key lookups, Exim was not diagnosing an error if
* or *@ was used with a query-style lookup.
PH/50 Increased the value of DH_BITS in tls-gnu.c from 768 to 1024.
MH/01 local_scan ABI version incremented to 1.1. It should have been updated
long ago, but noone interested enough thought of it. Let's just say that
the "1.1" means that there are some new functions that weren't there at
some point in the past.
PH/51 Error processing for expansion failure of helo_data from an smtp
transport during callout processing was broken.
PH/52 Applied John Jetmore's patch to allow tls-on-connect and STARTTLS to be
tested/used via the -bh/-bhc/-bs options.
PH/53 Added missing "#include <time.h>" to pcre/pcretest.c (this was a PCRE
bug, fixed in subsequent PCRE releases).
PH/54 Applied Robert Bannocks' patch to avoid a problem with references that
arises when using the Solaris LDAP libraries (but not with OpenLDAP).
PH/55 Check for a ridiculously long file name in exim_dbmbuild.
|
|
- Add options exim-appendfile-maildir exim-appendfile-mailstore
exim-appendfile-mbx exim-lookup-cdb exim-tcp-wrappers exim-tls
All but exim-lookup-cdb default to off, to preserve previous
defaults.
|
|
SC/01 Use a glob alias rather than an array ref in eximstats generated
parser. This improves both readability and performance.
SC/02 Collect SpamAssassin and rejection statistics in eximstats.
Don't display local sender or destination tables in eximstats unless
there is data to show.
Added average volumes into the eximstats top table text output.
SC/03 Collect data on the number of addresses (recipients) as well
as the number of messages in eximstats.
TF/01 Correct an error in the documentation for the redirect router. Exim
does (usually) call initgroups() when daemonizing.
TF/02 Call initgroups() when dropping privilege in exim.c, so that Exim runs
with consistent privilege compared to when running as a daemon.
TF/03 Note in the spec that $authenticated_id is not set for local
submissions from trusted users.
TF/04 The ratelimit per_rcpt option now works correctly in acl_not_smtp.
Thanks to Dean Brooks for the patch.
TF/05 Make it easier to get SMTP authentication and TLS/SSL support working
by adding some example configuration directives to the default
configuration file. A little bit of work is required to uncomment the
directives and define how usernames and passwords are checked, but
there is now a framework to start from.
PH/01 Added #define LDAP_DEPRECATED 1 to ldap.c because some of the "old"
functions that Exim currently uses aren't defined in ldap.h for OpenLDAP
without this. I don't know how relevant this is to other LDAP libraries.
PH/02 Add the verb name to the "unknown ACL verb" error.
PH/03 Magnus Holmgren's patch for filter_prepend_home.
PH/03 Fixed Bugzilla #101: macro definition between ACLs doesn't work.
PH/04 Applied Magnus Holmgren's patch to fix Bugzilla #98: transport's home
directory not expanded when it should be if an expanded home directory
was set for the address (which is overridden by the transport).
PH/05 Applied Alex Kiernan's patch to fix Bugzilla #99: a problem with
libradius.
PH/06 Added acl_not_smtp_start, based on Johannes Berg's patch, and set the
bit to forbid control=suppress_local_fixups in the acl_not_smtp ACL,
because it is too late at that time, and has no effect.
PH/07 Changed ${quote_pgsql to quote ' as '' instead of \' because of a
security issue with \' (bugzilla #107). I could not use the
PQescapeStringConn() function, because it needs a PGconn value as one of
its arguments.
PH/08 When testing addresses using -bt, indicate those final addresses that
are duplicates that would not cause an additional delivery. At least one
person was confused, thinking that -bt output corresponded to deliveries.
(Suppressing duplicates isn't a good idea as you lose the information
about possibly different redirections that led to the duplicates.)
PH/09 Applied patch from Erik to use select() instead of poll() in spam.c on
systems where poll() doesn't work, in particular OS X.
PH/10 Added more information to debugging output for retry time not reached.
PH/11 Applied patch from Arkadiusz Miskiewicz to apply a timeout to read
operations in malware.c.
PH/12 Applied patch from Magnus Holmgren to include the "h" tag in Domain Keys
signatures.
PH/13 If write_rejectlog was set false when logging was sent to syslog with
syslog_duplication set false, log lines that would normally be written
both the the main log and to the reject log were not written to syslog at
all.
PH/14 In the default configuration, change the use of "message" in ACL warn
statements to "add_header".
PH/15 Diagnose a filter syntax error for "seen", "unseen", or "noerror" if not
not followed by a command (e.g. "seen endif").
PH/16 Recognize SMTP codes at the start of "message" in ACLs and after :fail:
and :defer: in a redirect router. Add forbid_smtp_code to suppress the
latter.
PH/17 Added extra conditions to the default value of delay_warning_condition
so that it is now:
${if or { \
{ !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} } \
{ match{$h_precedence:}{(?i)bulk|list|junk} } \
{ match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} } \
}{no}{yes}}
The Auto-Submitted: and various List- headers are standardised, whereas I
don't think Precedence: ever was.
PH/18 Refactored debugging code in route_finduser() to show more information,
in particular, the error code if getpwnam() issues one.
PH/19 Added PQsetClientEncoding(conn, "SQL_ASCII") to the pgsql code module.
This is apparently needed in addition to the PH/07 change above to avoid
any possible encoding problems.
PH/20 Perl can change the locale. Exim was resetting it after a ${perl call,
but not after initializing Perl.
PH/21 Added a call to PQsetNoticeProcessor() to catch pgsql "notices" and
output them only if debugging. By default they are written stderr,
apparently, which is not desirable.
PH/22 Added Alain Williams' LDAP patch to support setting REFERRALS=off on
queries.
JJ/01 exipick: added --reverse (and -R synonym), --random, --size, --sort and
--not options
JJ/02 exipick: rewrote --help documentation to hopefully make more clear.
PH/23 Made -oMaa and -oMt work with -bh and -bs to pretend the connection is
authenticated or an ident call has been made. Suppress the default
values for $authenticated_id and $authenticated_sender (but permit -oMai
and -oMas) when testing with -bh.
PH/24 Re-jigged the order of the tests in the default configuration so that the
tests for valid domains and recipients precede the DNS black list and CSA
tests, on the grounds that those ones are more expensive.
PH/25 Exim was not testing for a space following SMTP commands such as EHLO
that require one. Thus, EHLORHUBARB was interpreted as a valid command.
This bug exists in every version of Exim that I still have, right back to
0.12.
PH/26 (n)wildlsearch lookups are documented as being done case-insensitively.
However, an attempt to turn on case-sensitivity in a regex key by
including (?-i) didn't work because the subject string was already
lowercased, and the effects were non-intuitive. It turns out that a
one-line patch can be used to allow (?-i) to work as expected.
|
