Exim version 4.51
-----------------

TK/01 Added Yahoo DomainKeys support via libdomainkeys. See
      doc/experimental-spec.txt for details. (http://domainkeys.sf.net)

TK/02 Fix ACL "control" statement not being available in MIME ACL.

TK/03 Fix ACL "regex" condition not being available in MIME ACL.

PH/01 Installed a patch from the Sieve maintainer that allows -bf to be used
      to test Sieve filters that use "vacation".

PH/02 Installed a slightly modified version of Nikos Mavrogiannopoulos' patch
      that changes the way the GnuTLS parameters are stored in the cache file.
      The new format can be generated externally. For backward compatibility,
      if the data in the cache doesn't make sense, Exim assumes it has read an
      old-format file, and it generates new data and writes a new file. This
      means that you can't go back to an older release without removing the
      file.

PH/03 A redirect router that has both "unseen" and "one_time" set does not
      work if there are any delivery delays because "one_time" forces the
      parent to be marked "delivered", so its unseen clone is never tried
      again. For this reason, Exim now forbids the simultaneous setting of
      these two options.

PH/04 Change 4.11/85 fixed an obscure bug concerned with addresses that are
      redirected to themselves ("homonym" addresses). Read the long ChangeLog
      entry if you want to know the details. The fix, however, neglected to
      consider the case when local delivery batching is involved. The test for
      "previously delivered" was not happening when checking to see if an
      address could be batched with a previous (undelivered) one; under
      certain circumstances this could lead to multiple deliveries to the same
      address.

PH/05 Renamed the macro SOCKLEN_T as EXIM_SOCKLEN_T because AIX uses SOCKLEN_T
      in its include files, and this causes problems building Exim.

PH/06 A number of "verify =" ACL conditions have no options (e.g. verify =
      header_syntax) but Exim was just ignoring anything given after a slash.
      In particular, this caused confusion with an attempt to use "verify =
      reverse_host_lookup/defer_ok". An error is now given when options are
      supplied for verify items that do not have them. (Maybe
      reverse_host_lookup should have a defer_ok option, but that's a
      different point.)

PH/07 Increase the size of the buffer for incoming SMTP commands from 512 (as
      defined by RFC 821) to 2048, because there were problems with some AUTH
      commands, and RFC 1869 says the size should be increased for extended
      SMTP commands that take arguments.

PH/08 Added ${dlfunc dynamically loaded function for expansion (code from Tony
      Finch).

PH/09 Previously, an attempt to use ${perl when it wasn't compiled gave an
      "unknown" error; now it says that the functionality isn't in the binary.

PH/10 Added a nasty fudge to try to recognize and flatten LDAP passwords in an
      address' error message when a string expansion fails (syntax or
      whatever). Otherwise the password may appear in the log. Following
      change PH/42 below, there is no longer a chance of it appearing in a
      bounce message.

PH/11 Installed exipick version 20050225.0 from John Jetmore.

PH/12 If the last host in a fallback_hosts list was multihomed, only the first
      of its addresses was ever tried. (Bugzilla bug #2.)

PH/13 If "headers_add" in a transport didn't end in a newline, Exim printed
      the result incorrectly in the debug output. (It correctly added a
      newline to what was transported.)

TF/01 Added $received_time.

PH/14 Modified the default configuration to add an acl_smtp_data ACL, with
      commented out examples of how to interface to a virus scanner and to
      SpamAssassin. Also added commented examples of av_scanner and
      spamd_address settings.

PH/15 Further to TK/02 and TK/03 above, tidied up the tables of what
      conditions and controls are allowed in which ACLs. There were a couple
      of minor errors. Some of the entries in the conditions table (which is a
      table of where they are NOT allowed) were getting very unwieldy; rewrote
      them as a negation of where the condition IS allowed.

PH/16 Installed updated OS/os.c-cygwin from the Cygwin maintainer.

PH/17 The API for radiusclient changed at release 0.4.0. Unfortunately, the
      header file does not have a version number, so I've had to invent a new
      value for RADIUS_LIB_TYPE, namely "RADIUSCLIENTNEW" to request the new
      API. The code is untested by me (my Linux distribution still has 0.3.2
      of radiusclient), but it was contributed by a Radius user.

PH/18 Installed Lars Mainka's patch for the support of CRL collections in
      files or directories, for OpenSSL.

PH/19 When an Exim process that is running as root has to create an Exim log
      file, it does so in a subprocess that runs as exim:exim so as to get the
      ownership right at creation (otherwise, other Exim processes might see
      the file with the wrong ownership). There was no test for failure of
      this fork() call, which would lead to the process getting stuck as it
      waited for a non-existent subprocess. Forks do occasionally fail when
      resources run out. I reviewed all the other calls to fork(); they all
      seem to check for failure.

PH/20 When checking for unexpected SMTP input at connect time (before writing
      the banner), Exim was not dealing correctly with a non-positive return
      from the read() function. If the client had disconnected by this time,
      the result was a log entry for a synchronization error with an empty
      string after "input=" when read() returned zero. If read() returned -1
      (an event I could not check), uninitialized data bytes were printed.
      There were reports of junk text (parts of files, etc) appearing after
      "input=".

PH/21 Added acl_not_smtp_mime to allow for MIME scanning for non-SMTP
      messages.

PH/22 Added support for macro redefinition, and (re)definition in between
      driver and ACL definitions.
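
The read() handling described in PH/20 above, as an added example (this is not Exim's code; presync_check(), demo() and the pipe that stands in for the SMTP connection are assumptions made for illustration). It treats the three possible outcomes of read() separately, so the buffer is formatted into the log only when read() actually filled part of it:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not Exim's code: read whatever the client sent before
   the banner and build the input="..." text for the log line.
   Returns 1 for unexpected input, 0 for EOF, -1 for a read() error. */
int presync_check(int fd, char *line, size_t linesize)
{
  char buf[128];
  ssize_t n = read(fd, buf, sizeof(buf));

  line[0] = '\0';
  if (n < 0) return -1;   /* buf was never filled in: do not log it */
  if (n == 0) return 0;   /* client has disconnected: not a sync error */

  for (ssize_t i = 0; i < n; i++)      /* keep the log entry on one line */
    if (!isprint((unsigned char)buf[i])) buf[i] = '?';
  snprintf(line, linesize, "input=\"%.*s\"", (int)n, buf);
  return 1;
}

/* Constructed input: a pipe stands in for the SMTP connection. data == NULL
   models a client that connects and goes away without sending anything. */
int demo(const char *data, char *line, size_t linesize)
{
  int p[2], rc;
  if (pipe(p) != 0) return -2;
  ssize_t w = (data != NULL) ? write(p[1], data, strlen(data)) : 0;
  close(p[1]);                         /* the peer closes its end */
  rc = (w < 0) ? -2 : presync_check(p[0], line, linesize);
  close(p[0]);
  return rc;
}

int main(void)
{
  char line[256];
  printf("%d [%s]\n", demo("EHLO early\r\n", line, sizeof line), line);
  printf("%d [%s]\n", demo(NULL, line, sizeof line), line);
  printf("%d [%s]\n", presync_check(-1, line, sizeof line), line);
  return 0;
}
```
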
PH/23 The cyrus_sasl authenticator was expanding server_hostname, but then
      forgetting to use the resulting value; it was using the unexpanded
      value.

PH/24 The cyrus_sasl authenticator was advertising mechanisms for which it
      hadn't been configured. The fix is from Juergen Kreileder, who
      understands it better than I do:

      "Here's what I see happening with three configured cyrus_sasl
      authenticators configured (plain, login, cram-md5):

      On startup auth_cyrus_sasl_init() gets called for each of these.
      This means three calls to sasl_listmech() without a specified mech_list.
      => SASL tests which mechs of all available mechs actually work
      => three warnings about OTP not working
      => the returned list contains: plain, login, cram-md5, digest-md5, ...

      With the patch, sasl_listmech() also gets called three times. But now
      SASL's mech_list option is set to the server_mech specified in the
      authenticator. Or in other words, the answer from sasl_listmech()
      gets limited to just the mech you're testing for (which is different
      for each call.)
      => the return list contains just 'plain' or 'login', 'cram-md5' or
      nothing depending on the value of ob->server_mech.

      I've just tested the patch: Authentication still works fine,
      unavailable mechs specified in the exim configuration are still
      caught, and the auth.log warnings about OTP are gone."

PH/25 When debugging is enabled, the contents of the command line are added to
      the debugging output, even when log_selector=+arguments is not
      specified.

PH/26 Change scripts/os-type so that when "uname -s" returns just "GNU", the
      answer is "GNU", and only if the return is "GNU/something" is the answer
      "Linux".

PH/27 $acl_verify_message is now set immediately after the failure of a
      verification in an ACL, and so is available in subsequent modifiers. In
      particular, the message can be preserved by coding like this:

         warn  !verify = sender
               set acl_m0 = $acl_verify_message

      Previously, $acl_verify_message was set only while expanding "message"
      and "log_message" when a verify denied access.

PH/28 Modified OS/os.c-Linux with

        -#ifndef OS_LOAD_AVERAGE
        +#if !defined(OS_LOAD_AVERAGE) && defined(__linux__)

      to make Exim compile on kfreebsd-gnu. (I'm totally confused about the
      nomenclature these days.)

PH/29 Installed patch from the Sieve maintainer that adds the options
      sieve_useraddress and sieve_subaddress to the redirect router.

PH/30 In these circumstances:
        . Two addresses routed to the same list of hosts;
        . First host does not offer TLS;
        . First host accepts first address;
        . First host gives temporary error to second address;
        . Second host offers TLS and a TLS session is established;
        . Second host accepts second address.
      Exim incorrectly logged both deliveries with the TLS parameters (cipher
      and peerdn, if requested) that were in fact used only for the second
      address.

PH/31 When doing a callout as part of verifying an address, Exim was not
      paying attention to any local part prefix or suffix that was matched by
      the router that accepted the address. It now behaves in the same way as
      it does for delivery: the affixes are removed from the local part unless
      rcpt_include_affixes is set on the transport.

PH/32 Add the sender address, as F=<...>, to the log line when logging a
      timeout during the DATA phase of an incoming message.

PH/33 Sieve envelope tests were broken for match types other than :is. I have
      applied a patch sanctioned by the Sieve maintainer.

PH/34 Change 4.50/80 broke Exim in that it could no longer handle cases where
      the uid or gid is negative. A case of a negative gid caused this to be
      noticed. The fix allows for either to be negative.

PH/35 ACL_WHERE_MIME is now declared unconditionally, to avoid too much code
      clutter, but the tables that are indexed by ACL_WHERE_xxx values had
      been overlooked.
PH/36 The change PH/12 above was broken. Fixed it.

PH/37 Exim used to check for duplicate addresses in the middle of routing, on
      the grounds that routing the same address twice would always produce the
      same answer. This might have been true once, but it is certainly no
      longer true now. Routing a child address may depend on the previous
      routing that produced that child. Some complicated redirection
      strategies went wrong when messages had multiple recipients, and made
      Exim's behaviour dependent on the order in which the addresses were
      given.

      I have moved the duplicate checking until after the routing is complete.
      Exim scans the addresses that are assigned to local and remote
      transports, and removes any duplicates. This means that more work will
      be done, as duplicates will always all be routed, but duplicates are
      presumably rare, so I don't expect this is of any significance.

      For deliveries to pipes, files, and autoreplies, the duplicate checking
      still happens during the routing process, since they are not going to be
      routed further.

PH/38 Installed a patch from Ian Freislich, with the agreement of Tom Kistner.
      It corrects a timeout issue with spamd. This is Ian's comment: "The
      background is that sometimes spamd either never reads data from a
      connection it has accepted, or it never writes response data. The
      exiscan spam.[ch] uses a 3600 second timeout on spamd socket reads,
      further, it blindly assumes that writes won't block so it may never time
      out."

PH/39 Allow G after quota size as well as K and M.

PH/40 The value set for $authenticated_id in an authenticator may not contain
      binary zeroes or newlines because the value is written to log lines and
      to spool files. There was no check on this. Now the value is run through
      the string_printing() function so that such characters are converted to
      printable escape sequences.

PH/41 $message_linecount is a new variable that contains the total number of
      lines in the message. Compare $body_linecount, which is the count for
      the body only.

PH/42 Exim no longer gives details of delivery errors for specific addresses
      in bounce and delay warning messages, except in certain special cases,
      which are as follows:

      (a) An SMTP error message from a remote host;
      (b) A message specified in a :fail: redirection;
      (c) A message specified in a "fail" command in a system filter;
      (d) A message specified in a FAIL return from the queryprogram router;
      (e) A message specified by the cannot_route_message router option.

      In these cases only, Exim does include the error details in bounce and
      warning messages. There are also a few cases where bland messages such
      as "unrouteable address" or "local delivery error" are given.

PH/43 $value is now also set for the "else" part of a ${run expansion.

PH/44 Applied patch from the Sieve maintainer: "The vacation draft is still
      being worked on, but at least Exim now implements the latest version to
      play with."

PH/45 In a pipe transport, although a timeout while waiting for the pipe
      process to complete was treated as a delivery failure, a timeout while
      writing the message to the pipe was logged, but erroneously treated as a
      successful delivery. Such timeouts include transport filter timeouts.
      For consistency with the overall process timeout, these timeouts are now
      treated as errors, giving rise to delivery failures by default. However,
      there is now a new Boolean option for the pipe transport called
      timeout_defer, which, if set TRUE, converts the failures into defers for
      both kinds of timeout. A transport filter timeout is now identified in
      the log output.

PH/46 The "scripts/Configure-config.h" script calls "make" at one point. On
      systems where "make" and "gmake" are different, calling "gmake" at top
      level broke things. I've arranged for the value of $(MAKE) to be passed
      from the Makefile to this script so that it can call the same version of
      "make".

****
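
The kind of escaping PH/40 relies on, as an added example: a value that is about to be written into a line-oriented log or spool file is converted so that newlines and binary zeroes cannot split or truncate the record. This is not Exim's string_printing() and makes no claim to match its output format; escape_for_log() and the sample identity are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Exim's string_printing(): write a printable,
   single-line, NUL-terminated rendering of in[0..len) to out.
   Returns 0 on success, -1 if out is too small (out is then left empty). */
int escape_for_log(const unsigned char *in, size_t len, char *out, size_t outsize)
{
  size_t o = 0;
  if (outsize == 0) return -1;
  for (size_t i = 0; i < len; i++) {
    unsigned char c = in[i];
    char esc[5];
    if (c == '\\')       strcpy(esc, "\\\\");
    else if (c == '\n')  strcpy(esc, "\\n");
    else if (c == '\r')  strcpy(esc, "\\r");
    else if (isprint(c)) { esc[0] = (char)c; esc[1] = '\0'; }
    else snprintf(esc, sizeof esc, "\\%03o", (unsigned)c); /* NUL -> \000 */
    size_t n = strlen(esc);
    if (o + n + 1 > outsize) { out[0] = '\0'; return -1; }
    memcpy(out + o, esc, n);
    o += n;
  }
  out[o] = '\0';
  return 0;
}

int main(void)
{
  /* Constructed sample: an authenticated id carrying a newline followed by
     text shaped like a second log entry, and an embedded binary zero. */
  const unsigned char id[] = "bob\n2005-03-01 10:00:00 forged entry\0tail";
  char safe[256];

  if (escape_for_log(id, sizeof(id) - 1, safe, sizeof safe) == 0)
    printf("A=plain:%s\n", safe);      /* stays one physical log line */
  return 0;
}
```
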