Change log file for Exim from version 4.21
------------------------------------------
This document describes *changes* to previous versions, that might
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
Since Exim version 4.90
-----------------------
GF/01 DEFER rather than ERROR on redis cluster MOVED response.
When redis_servers is set to a list of > 1 element, and the Redis servers
in that list are in cluster configuration, convert the REDIS_REPLY_ERROR
case of MOVED into a DEFER case instead, thus moving the query onto the
next server in the list. For a cluster of N elements, all N servers must
be defined in redis_servers.
GF/02 Catch and remove uninitialized value warning in exiqsumm
Check for existence of @ARGV before looking at $ARGV[0]
JH/01 Replace the store_release() internal interface with store_newblock(),
which internalises the check required to safely use the old one, plus
the allocate and data copy operations duplicated in both (!) of the
extant use locations.
JH/02 Disallow '/' characters in queue names specified for the "queue=" ACL
modifier. This matches the restriction on the commandline.
JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
we assumed that tags in the header were well-formed, and parsed the
element content after inspecting only the first char of the tag.
Assumptions at that stage could crash the receive process on malformed
input.
JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
While running the DKIM ACL we operate on the Permanent memory pool so that
variables created with "set" persist to the DATA ACL. Also (at any time)
DNS lookups that fail create cache records using the Permanent pool. But
expansions release any allocations made on the current pool - so a dnsdb
lookup expansion done in the DKIM ACL releases the memory used for the
DNS negative-cache, and bad things result. Solution is to switch to the
Main pool for expansions.
While we're in that code, add checks on the DNS cache during store_reset,
active in the testsuite.
Problem spotted, and debugging aided, by Wolfgang Breyha.
JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
When none of the hosts presented to a transport match an already-open
connection, close it and proceed with the list. Previously we would
queue the message. Spotted by Lena with Yahoo, probably involving
round-robin DNS.
JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
Previously a spurious "250 OK id=" response was appended to the proper
failure response.
JH/08 The "support for" informational output now, when built with Content
Scanning support, has a line for the malware scanner interfaces compiled
in. Interfaces can be individually included or not at build time.
JH/09 The "aveserver", "kavdaemon" and "mksd" interfaces are now not included
by the template makefile "src/EDITME". The "STREAM" support for an older
ClamAV interface method is removed.
JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
JH/11 The runtime Berkeley DB library version is now additionally output by
"exim -d -bV". Previously only the compile-time version was shown.
JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection. Previously, when one had more recipients than the
first, an abortive onward connection was made. Move to full support for
multiple onward connections in sequence, handling cutthrough connection
for all multi-message initiating connections.
JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers. Previously, a multi-recipient message would fail to match the
onward-connection opened for the first recipient, and cause its closure.
JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped. This mattered most when the callout
was marked defer_ok. Fix to keep the two timeout-detection methods
separate.
JH/15 Relax results from ACL control request to enable cutthrough, in
unsupported situations, from error to silently (except under debug)
ignoring. This covers use with PRDR, frozen messages, queue-only and
fake-reject.
HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
PP/01 Fix broken Heimdal GSSAPI authenticator integration.
Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
Broken also in d185889f4, with init system revamp.
JH/17 Bug 2113: Fix conversation closedown with the Avast malware scanner.
Previously we abruptly closed the connection after reading a malware-
found indication; now we go on to read the "scan ok" response line,
and send a quit.
JH/18 Bug 2239: Enforce non-usability of control=utf8_downconvert in the mail
ACL. Previously, a crash would result.
JH/19 Speed up macro lookups during configuration file read, by skipping non-
macro text after a replacement (previously it was only once per line) and
by skipping builtin macros when searching for an uppercase lead character.
JH/20 DANE support moved from Experimental to mainline. The Makefile control
for the build is renamed.
JH/21 Fix memory leak during multi-message connections using STARTTLS. A buffer
was allocated for every new TLS startup, meaning one per message. Fix
by only allocating once (OpenSSL) or freeing on TLS-close (GnuTLS).
JH/22 Bug 2236: When a DKIM verification result is overridden by ACL, DMARC
reported the original. Fix to report (as far as possible) the ACL
result replacing the original.
JH/23 Fix memory leak during multi-message connections using STARTTLS under
OpenSSL. Certificate information is loaded for every new TLS startup,
and the resources needed to be freed.
JH/24 Bug 2242: Fix exim_dbmbuild to permit directoryless filenames.
JH/25 Fix utf8_downconvert propagation through a redirect router. Previously it
was not propagated.
JH/26 Bug 2253: For logging delivery lines under PRDR, append the overall
DATA response info to the (existing) per-recipient response info for
the "C=" log element. It can have useful tracking info from the
destination system. Patch from Simon Arlott.
JH/27 Bug 2251: Fix ldap lookups that return a single attribute having zero-
length value. Previously this would segfault.
HS/02 Support Avast multiline protocol; this allows passing flags to
newer versions of the scanner.
JH/28 Ensure that variables possibly set during message acceptance are marked
dead before release of memory in the daemon loop. This stops complaints
about them when the debug_store option is enabled. Discovered specifically
for sender_rate_period, but applies to a whole set of variables.
Do the same for the queue-runner loop, for variables set from spool
message files. Do the same for the SMTP per-message loop, for certain
variables indirectly set in ACL operations.
JH/29 Bug 2250: Fix a longstanding bug in heavily-pipelined SMTP input (such
as a multi-recipient message from a mailinglist manager). The coding had
an arbitrary cutoff number of characters while checking for more input;
enforced by writing a NUL into the buffer. This corrupted long / fast
input. The problem was exposed more widely when more pipelining of SMTP
responses was introduced, and one Exim system was feeding another.
The symptom is log complaints of SMTP syntax error (NUL chars) on the
receiving system, and refused recipients seen by the sending system
(propagating to people being dropped from mailing lists).
Discovered and pinpointed by David Carter.
JH/30 The (EXPERIMENTAL_DMARC) variable $dmarc_ar_header is withdrawn, being
replaced by the ${authresults } expansion.
JH/31 Bug 2257: Fix pipe transport to not use a socket-only syscall.
HS/03 Set a handler for SIGTERM and call exit(3) if running as PID 1. This
allows proper process termination in container environments.
JH/32 Bug 2258: Fix spool_wireformat in combination with LMTP transport.
Previously the "final dot" had a newline after it; ensure it is CR,LF.
Exim version 4.90
-----------------
JH/01 Rework error string handling in TLS interface so that the caller in
more cases is responsible for logging. This permits library-sourced
string to be attached to addresses during delivery, and collapses
pairs of long lines into single ones.
PP/01 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
during configuration. Wildcards are allowed and expanded.
JH/02 Rework error string handling in DKIM to pass more info back to callers.
This permits better logging.
JH/03 Rework the transport continued-connection mechanism: when TLS is active,
do not close it down and have the child transport start it up again on
the passed-on TCP connection. Instead, proxy the child (and any
subsequent ones) for TLS via a unix-domain socket channel. Logging is
affected: the continued delivery log lines do not have any DNSSEC, TLS
Certificate or OCSP information. TLS cipher information is still logged.
JH/04 Shorten the log line for daemon startup by collapsing adjacent sets of
identical IP addresses on different listening ports. Will also affect
"exiwhat" output.
PP/02 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
add noisy ifdef guards to special-case this silliness.
Patch from Bernd Kuhls.
JH/05 Tighten up the checking in isip4 (et al): dotted-quad components larger
than 255 are no longer allowed.
JH/06 Default openssl_options to include +no_ticket, to reduce load on peers.
Disable the session-cache too, which might reduce our load. Since we
currently use a new context for every connection, both as server and
client, there is no benefit for these.
GnuTLS appears to not support tickets server-side by default (we don't
call gnutls_session_ticket_enable_server()) but client side is enabled
by default on recent versions (3.1.3 +) unless the PFS priority string
is used (3.2.4 +).
PP/03 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
<https://reproducible-builds.org/specs/source-date-epoch/>.
JH/07 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
the check for any unsuccessful recipients did not notice the limit, and
erroneously found still-pending ones.
JH/08 Pipeline CHUNKING command and data together, on kernels that support
MSG_MORE. Only in-clear (not on TLS connections).
JH/09 Avoid using a temporary file during transport using dkim. Unless a
transport-filter is involved we can buffer the headers in memory for
creating the signature, and read the spool data file once for the
signature and again for transmission.
JH/10 Enable use of sendfile in Linux builds as default. It was disabled in
4.77 as the kernel support then wasn't solid, having issues in 64bit
mode. Now, it's been long enough. Add support for FreeBSD also.
JH/11 Bug 2104: Fix continued use of a transport connection with TLS. In the
case where the routing stage had gathered several addresses to send to
a host before calling the transport for the first, we previously failed
to close down TLS in the old transport process before passing the TCP
connection to the new process. The new one sent a STARTTLS command
which naturally failed, giving a failed delivery and bloating the retry
database. Investigation and fix prototype from Wolfgang Breyha.
JH/12 Fix check on SMTP command input synchronisation. Previously there were
false-negatives in the check that the sender had not preempted a response
or prompt from Exim (running as a server), due to that code's lack of
awareness of the SMTP input buffering.
PP/04 Add commandline_checks_require_admin option.
Exim drops privileges sanely, various checks such as -be aren't a
security problem, as long as you trust local users with access to their
own account. When invoked by services which pass untrusted data to
Exim, this might be an issue. Set this option in main configuration
AND make fixes to the calling application, such as using `--` to stop
processing options.
JH/13 Do pipelining under TLS. Previously, although safe, no advantage was
taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server)
responses to those, into a single TLS record each way (this usually means
a single packet). As a side issue, smtp_enforce_sync now works on TLS
connections.
PP/05 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This
affects you only if you're dancing at the edge of the param size limits.
If you are, and this message makes sense to you, then: raise the
configured limit or use OpenSSL 1.1. Nothing we can do for older
versions.
JH/14 For the "sock" variant of the malware scanner interface, accept an empty
cmdline element to get the documented default one. Previously it was
inaccessible.
JH/15 Fix a crash in the smtp transport caused when two hosts in succession
are unusable for non-message-specific reasons - eg. connection timeout,
banner-time rejection.
JH/16 Fix logging of delivery remote port, when specified by router, under
callout/hold.
PP/06 Repair manualroute's ability to take options in any order, even if one
is the name of a transport.
Fixes bug 2140.
HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)
JH/17 Change the list-building routines interface to use the expanding-string
triplet model, for better allocation and copying behaviour.
JH/18 Prebuild the data-structure for "builtin" macros, for faster startup.
Previously it was constructed the first time a possibly-matching string
was met in the configuration file input during startup; now it is done
during compilation.
JH/19 Bug 2141: Use the full-complex API for Berkeley DB rather than the legacy-
compatible one, to avoid the (poorly documented) possibility of a config
file in the working directory redirecting the DB files, possibly corrupting
some existing file. CVE-2017-10140 assigned for BDB.
JH/20 Bug 2147: Do not defer for a verify-with-callout-and-random which is not
cache-hot. Previously, although the result was properly cached, the
initial verify call returned a defer.
JH/21 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but
the main verify for recipient in uncached-mode.
JH/22 Retire historical build files to an "unsupported" subdir. These are
defined as "ones for which we have no current evidence of testing".
JH/23 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
if present. Previously it was ignored.
JH/24 Start using specified-initialisers in C structure init coding. This is
a C99 feature (it's 2017, so now considered safe).
JH/25 Use one-bit bitfields for flags in the "addr" data structure. Previously
it was a fixed-sized field and bitmask ops via macros; it is now more
extensible.
PP/07 GitHub PR 56: Apply MariaDB build fix.
Patch provided by Jaroslav Škarvada.
PP/08 Bug 2161: Fix regression in sieve quoted-printable handling introduced
during Coverity cleanups [4.87 JH/47]
Diagnosis and fix provided by Michael Fischer v. Mollard.
JH/26 Fix DKIM bug: when the pseudoheader generated for signing was exactly
the right size to place the terminating semicolon on its own folded
line, the header hash was calculated to an incorrect value thanks to
the (relaxed) space the fold became.
HS/02 Fix Bug 2130: large writes from the transport subprocess were chunked
and confused the parent.
JH/27 Fix SOCKS bug: an uninitialized pointer was deref'd by the transport process
which could crash as a result. This could lead to undeliverable messages.
JH/28 Logging: "next input sent too soon" now shows where input was truncated
for log purposes.
JH/29 Fix queue_run_in_order to ignore the PID portion of the message ID. This
matters on fast-turnover and PID-randomising systems, which were getting
out-of-order delivery.
JH/30 Fix a logging bug on aarch64: an unsafe routine was previously used for
a possibly-overlapping copy. The symptom was that "Remote host closed
connection in response to HELO" was logged instead of the actual 4xx
error for the HELO.
JH/31 Fix CHUNKING code to properly flush the unwanted chunk after an error.
Previously only that buffered was discarded, resulting in SMTP command
desynchronisation.
JH/32 DKIM: when a message has multiple signatures matching an identity given
in dkim_verify_signers, run the dkim acl once for each. Previously only
one run was done. Bug 2189.
JH/33 Downgrade an unfound-list name (usually a typo in the config file) from
"panic the current process" to "deliberately defer". The panic log is
still written with the problem list name; the mail and reject logs now
get a temp-reject line for the message that was being handled, saying
something like "domains check lookup or other defer". The SMTP 451
message is still "Temporary local problem".
JH/34 Bug 2199: Fix a use-after-free while reading smtp input for header lines.
A crafted sequence of BDAT commands could result in in-use memory being
freed. CVE-2017-16943.
HS/03 Bug 2201: Fix checking for leading-dot on a line during headers reading
from SMTP input. Previously it was always done; now only done for DATA
and not BDAT commands. CVE-2017-16944.
JH/35 Bug 2201: Flush received data in BDAT mode after detecting an error fatal
to the message (such as an overlong header line). Previously this was
not done and we did not exit BDAT mode. Followon from the previous item
though a different problem.
Exim version 4.89
-----------------
JH/01 Bug 1922: Support IDNA2008. This has slightly different conversion rules
than -2003 did; needs libidn2 in addition to libidn.
JH/02 The path option on a pipe transport is now expanded before use.
PP/01 GitHub PR 50: Do not call ldap_start_tls_s on ldapi:// connections.
Patch provided by "Björn", documentation fix added too.
JH/03 Bug 2003: fix Proxy Protocol v2 handling: the address size field was
missing a wire-to-host endian conversion.
JH/04 Bug 2004: fix CHUNKING in non-PIPELINING mode. Chunk data following
close after a BDAT command line could be taken as a following command,
giving a synch failure. Fix by only checking for synch immediately
before acknowledging the chunk.
PP/02 GitHub PR 52: many spelling fixes, which include fixing parsing of
no_require_dnssec option and creation of _HAVE_TRANSPORT_APPEND_MAILDIR
macro. Patches provided by Josh Soref.
JH/05 Have the EHLO response advertise VRFY, if there is a vrfy ACL defined.
Previously we did not; the RFC seems ambiguous and VRFY is not listed
by IANA as a service extension. However, John Klensin suggests that we
should.
JH/06 Bug 2017: Fix DKIM verification in -bh test mode. The data feed into
the dkim code may be unix-mode line endings rather than smtp wire-format
CRLF, so prepend a CR to any bare LF.
JH/07 Rationalise the coding for callout smtp conversations and transport ones.
As a side-benefit, callouts can now use PIPELINING hence fewer round-trips.
JH/08 Bug 2016: Fix DKIM verification vs. CHUNKING. Any BDAT commands after
the first were themselves being wrongly included in the feed into dkim
processing; with most chunk sizes in use this resulted in an incorrect
body hash calculated value.
JH/09 Bug 2014: permit inclusion of a DKIM-Signature header in a received
DKIM signature block, for verification. Although advised against by
standards it is specifically not ruled illegal.
JH/10 Bug 2025: Fix reception of (quoted) local-parts with embedded spaces.
JH/11 Bug 2029: Fix crash in DKIM verification when a message signature block is
missing a body hash (the bh= tag).
JH/12 Bug 2018: Re-order Proxy Protocol startup versus TLS-on-connect startup.
It seems that HAProxy sends the Proxy Protocol information in clear and
only then does a TLS startup, so do the same.
JH/13 Bug 2027: Avoid attempting to use TCP Fast Open for non-transport client
TCP connections (such as for Spamd) unless the daemon successfully set
Fast Open mode on its listening sockets. This fixes breakage seen on
too-old kernels or those not configured for Fast Open, at the cost of
requiring both directions being enabled for TFO, and TFO never being used
by non-daemon-related Exim processes.
JH/14 Bug 2000: Reject messages received with CHUNKING but with malformed line
endings, at least on the first header line. Try to canonify any that get
past that check, despite the cost.
JH/15 Angle-bracket nesting (an error inserted by broken sendmails) levels are
now limited to an arbitrary five deep, while parsing addresses with the
strip_excess_angle_brackets option enabled.
PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and
instead leave the unprompted TLS handshake in socket buffer for the
TLS library to consume.
PP/04 Bug 2018: Also handle Proxy Protocol v2 safely.
PP/05 FreeBSD compat: handle that Ports no longer create /usr/bin/perl
JH/16 Drop variables when they go out of scope. Memory management drops a whole
region in one operation, for speed, and this leaves assigned pointers
dangling. Add checks run only under the testsuite which checks all
variables at a store-reset and panics on a dangling pointer; add code
explicitly nulling out all the variables discovered. Fixes one known
bug: a transport crash, where a dangling pointer for $sending_ip_address
originally assigned in a verify callout, is re-used.
PP/06 Drop '.' from @INC in various Perl scripts.
PP/07 Switch FreeBSD iconv to always use the base-system libc functions.
PP/08 Reduce a number of compilation warnings under clang; building with
CC=clang CFLAGS+=-Wno-dangling-else -Wno-logical-op-parentheses
should be warning-free.
JH/17 Fix inbound CHUNKING when DKIM disabled at runtime.
HS/01 Fix portability problems introduced by PP/08 for platforms where
realloc(NULL) is not equivalent to malloc() [SunOS et al].
HS/02 Bug 1974: Fix missing line terminator on the last received BDAT
chunk. This allows us to accept broken chunked messages. We need a more
general solution here.
PP/09 Wrote util/chunking_fixqueue_finalnewlines.pl to help recover
already-broken messages in the queue.
JH/18 Bug 2061: Fix ${extract } corrupting an enclosing ${reduce } $value.
JH/19 Fix reference counting bug in routing-generated-address tracking.
Exim version 4.88
-----------------
JH/01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
supports it and a size is available (ie. the sending peer gave us one).
JH/02 The obsolete acl condition "demime" is removed (finally, after ten
years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.
JH/03 Upgrade security requirements imposed for hosts_try_dane: previously
a downgraded non-dane trust-anchor for the TLS connection (CA-style)
or even an in-clear connection were permitted. Now, if the host lookup
was dnssec and dane was requested then the host is only used if the
TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
if one fails this test.
This means that a poorly-configured remote DNS will make it incommunicado;
but it protects against a DNS-interception attack on it.
JH/04 Bug 1810: make continued-use of an open smtp transport connection
non-noisy when a race steals the message being considered.
JH/05 If main configuration option tls_certificate is unset, generate a
self-signed certificate for inbound TLS connections.
JH/06 Bug 165: hide more cases of password exposure - this time in expansions
in rewrites and routers.
JH/07 Retire gnutls_require_mac et al. These were nonfunctional since 4.80
and logged a warning since 4.83; now they are a configuration file error.
JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
JH/09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
JH/10 Support ${sha256:} applied to a string (as well as the previous
certificate).
JH/11 Cutthrough: avoid using the callout hints db on a verify callout when
a cutthrough deliver is pending, as we always want to make a connection.
This also avoids re-routing the message when later placing the cutthrough
connection after a verify cache hit.
Do not update it with the verify result either.
JH/12 Cutthrough: disable when verify option success_on_redirect is used, and
when routing results in more than one destination address.
JH/13 Cutthrough: expand transport dkim_domain option when testing for dkim
signing (which inhibits the cutthrough capability). Previously only
the presence of an option was tested; now an expansion evaluating as
empty is permissible (obviously it should depend only on data available
when the cutthrough connection is made).
JH/14 Fix logging of errors under PIPELINING. Previously the log line giving
the relevant preceding SMTP command did not note the pipelining mode.
JH/15 Fix counting of empty lines in $body_linecount and $message_linecount.
Previously they were not counted.
JH/16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
as one having no matching records. Previously we deferred the message
that needed the lookup.
JH/17 Fakereject: previously logged as a normal message arrival "<="; now
distinguished as "(=".
JH/18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
for missing MX records. Previously it only worked for missing A records.
JH/19 Bug 1850: support Radius libraries that return REJECT_RC.
JH/20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
after the data-go-ahead and data-ack. Patch from Jason Betts.
JH/21 Bug 1846: Send DMARC forensic reports for reject and quarantine results,
even for a "none" policy. Patch from Tony Meyer.
JH/22 Fix continued use of a connection for further deliveries. If a port was
specified by a router, it must also match for the delivery to be
compatible.
JH/23 Bug 1874: fix continued use of a connection for further deliveries.
When one of the recipients of a message was unsuitable for the connection
(has no matching addresses), we lost track of needing to mark it
deferred. As a result mail would be lost.
JH/24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
JH/25 Decoding ACL controls is now done using a binary search; the source code
takes up less space and should be simpler to maintain. Merge the ACL
condition decode tables also, with similar effect.
JH/26 Fix problem with one_time used on a redirect router which returned the
parent address unchanged. A retry would see the parent address marked as
delivered, so not attempt the (identical) child. As a result mail would
be lost.
JH/27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454; no bug raised against Exim
itself :(
JH/28 Enable {spool,log} filesystem space and inode checks as default.
Main config options check_{log,spool}_{inodes,space} are now
100 inodes, 10MB unless set otherwise in the configuration.
JH/29 Fix the connection_reject log selector to apply to the connect ACL.
Previously it only applied to the main-section connection policy
options.
JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
by me. Added RFC7919 DH primes as an alternative.
PP/02 Unbreak build via pkg-config with new hash support when crypto headers
are not in the system include path.
JH/31 Fix longstanding bug with aborted TLS server connection handling. Under
GnuTLS, when a session startup failed (eg because the client disconnected)
Exim did stdio operations after fclose. This was exposed by a recent
change which nulled out the file handle after the fclose.
JH/32 Bug 1909: Fix OCSP proof verification for cases where the proof is
signed directly by the cert-signing cert, rather than an intermediate
OCSP-signing cert. This is the model used by LetsEncrypt.
JH/33 Bug 1914: Ensure socket is nonblocking before draining after SMTP QUIT.
HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on
an incoming connection.
HS/02 Bug 1802: Do not half-close the connection after sending a request
to rspamd.
HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2
fallback to "prime256v1".
JH/34 SECURITY: Use proper copy of DATA command in error message.
Could leak key material. Remotely exploitable. CVE-2016-9963.

Exim version 4.87
-----------------

JH/01 Bug 1664: Disable OCSP for GnuTLS library versions at/before 3.3.16
and 3.4.4 - once the server is enabled to respond to an OCSP request
it does even when not requested, resulting in a stapling non-aware
client dropping the TLS connection.
TF/01 Code cleanup: Overhaul the debug_selector and log_selector machinery to
support variable-length bit vectors. No functional change.
TF/02 Improve the consistency of logging incoming and outgoing interfaces.
The I= interface field on outgoing lines is now after the H= remote
host field, same as incoming lines. There is a separate
outgoing_interface log selector which allows you to disable the
outgoing I= field.
JH/02 Bug 728: Close logfiles after a daemon-process "exceptional" log write.
If not running log_selector +smtp_connection the mainlog would be held
open indefinitely after a "too many connections" event, including to a
deleted file after a log rotate. Leave the per net connection logging
leaving it open for efficiency as that will be quickly detected by the
check on the next write.
HS/01 Bug 1671: Fix post transport crash.
Processing the wait-<transport> messages could crash the delivery
process if the message IDs didn't exist for some reason. When
using 'split_spool_directory=yes' the construction of the spool
file name failed already, exposing the same netto behaviour.
JH/03 Bug 425: Capture substrings in $regex1, $regex2 etc from regex &
mime_regex ACL conditions.
JH/04 Bug 1686: When compiled with EXPERIMENTAL_DSN_INFO: Add extra information
to DSN fail messages (bounces): remote IP, remote greeting, remote response
to HELO, local diagnostic string.
JH/05 Downgrade message for a TLS-certificate-based authentication fail from
log line to debug. Even when configured with a tls authenticator many
client connections are expected to not authenticate in this way, so
an authenticate fail is not an error.
HS/02 Add the Exim version string to the process info. This way exiwhat
gives some more detail about the running daemon.
JH/06 Bug 1395: time-limit caching of DNS lookups, to the TTL value. This may
matter for fast-change records such as DNSBLs.
JH/07 Bug 1678: Always record an interface option value, if set, as part of a
retry record, even if constant. There may be multiple transports with
different interface settings and the retry behaviour needs to be kept
distinct.
JH/08 Bug 1586: exiqgrep now refuses to run if there are unexpected arguments.
JH/09 Bug 1700: ignore space & tab embedded in base64 during decode.
JH/10 Bug 840: fix log_defer_output option of pipe transport
JH/11 Bug 830: use same host for all RCPTS of a message, even under
hosts_randomize. This matters a lot when combined with mua_wrapper.
JH/12 Bug 1706: percent and underbar characters are no longer escaped by the
${quote_pgsql:<string>} operator.
JH/13 Bug 1708: avoid misaligned access in cached lookup.
JH/14 Change header file name for freeradius-client. Relevant if compiling
with Radius support; from the Gentoo tree and checked under Fedora.
JH/15 Bug 1712: Introduce $prdr_requested flag variable
JH/16 Bug 1714: Permit an empty string as expansion result for transport
option transport_filter, meaning no filtering.
JH/17 Bug 1713: Fix non-PDKIM_DEBUG build. Patch from Jasen Betts.
JH/18 Bug 1709: When built with TLS support, the tls_advertise_hosts option now
defaults to "*" (all hosts). The variable is now available when not built
with TLS, default unset, mainly to enable keeping the testsuite sane.
If a server certificate is not supplied (via tls_certificate) an error is
logged, and clients will find TLS connections fail on startup. Presumably
they will retry in-clear.
Packagers of Exim are strongly encouraged to create a server certificate
at installation time.
HS/03 Add -bP config_file as a synonym for -bP configure_file, for consistency
with the $config_file variable.
JH/19 Two additional event types: msg:rcpt:defer and msg:rcpt:host:defer. Both
in transport context, after the attempt, and per-recipient. The latter type
is per host attempted. The event data is the error message, and the errno
information encodes the lookup type (A vs. MX) used for the (first) host,
and the trailing two digits of the smtp 4xx response.
GF/01 Bug 1715: Fix for race condition in exicyclog, where exim could attempt
to write to mainlog (or rejectlog, paniclog) in the window between file
creation and permissions/ownership being changed. Particularly affects
installations where exicyclog is run as root, rather than exim user;
result is that the running daemon panics and dies.
JH/20 Bug 1701: For MySQL lookups, support MySQL config file option group names.
JH/21 Bug 1720: Add support for priority groups and weighted-random proxy
selection for the EXPERIMENTAL_SOCKS feature, via new per-proxy options
"pri" and "weight". Note that the previous implicit priority given by the
list order is no longer honoured.
JH/22 Bugs 963, 1721: Fix some corner cases in message body canonicalization
for DKIM processing.
JH/23 Move SOCKS5 support from Experimental to mainline, enabled for a build
by defining SUPPORT_SOCKS.
JH/26 Move PROXY support from Experimental to mainline, enabled for a build
by defining SUPPORT_PROXY. Note that the proxy_required_hosts option
is renamed to hosts_proxy, and the proxy_{host,target}_{address,port}
variables are renamed to proxy_{local,external}_{address,port}.
JH/27 Move Internationalisation support from Experimental to mainline, enabled
for a build by defining SUPPORT_I18N.
JH/28 Bug 1745: Fix redis lookups to handle (quoted) spaces embedded in parts
of the query string, and make ${quote_redis:} do that quoting.
JH/29 Move Events support from Experimental to mainline, enabled by default
and removable for a build by defining DISABLE_EVENT.
JH/30 Updated DANE implementation code to current from Viktor Dukhovni.
JH/31 Fix bug with hosts_connection_nolog and named-lists which were wrongly
cached by the daemon.
JH/32 Move Redis support from Experimental to mainline, enabled for a build
by defining LOOKUP_REDIS. The libhiredis library is required.
JH/33 Bug 1748: Permit ACL dnslists= condition in non-smtp ACLs if explicit
keys are given for lookup.
JH/34 Bug 1192: replace the embedded copy of PolarSSL RSA routines in the DKIM
support, by using OpenSSL or GnuTLS library ones. This means DKIM is
only supported when built with TLS support. The PolarSSL SHA routines
are still used when the TLS library is too old for convenient support.
JH/35 Require SINGLE_DH_USE by default in OpenSSL (main config option
openssl_options), for security. OpenSSL forces this from version 1.1.0
server-side so match that on older versions.
JH/36 Bug 1778: longstanding bug in memory use by the ${run } expansion: A fresh
allocation for $value could be released as the expansion processing
concluded, but leaving the global pointer active for it.
JH/37 Bug 1769: Permit a VRFY ACL to override the default 252 response,
and to use the domains and local_parts ACL conditions.
JH/38 Fix cutthrough bug with body lines having a single dot. The dot was
incorrectly not doubled on cutthrough transmission, hence seen as a
body-termination at the receiving system - resulting in truncated mails.
Commonly the sender saw a TCP-level error, and retransmitted the message
via the normal store-and-forward channel. This could result in duplicates
received - but deduplicating mailstores were liable to retain only the
initial truncated version.
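The failure described in JH/38, shown as an added example (not Exim's code): a sender-side dot-stuffing routine per RFC 5321 section 4.5.2, and a receiver-side scan for the end-of-DATA line, run over a constructed body whose second line is a single dot. The function names and the sample body are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample body: its second line is a single dot. */
static const char SAMPLE_BODY[] = "first\r\n.\r\nsecond\r\n";

/* Sender side (RFC 5321 section 4.5.2): copy a CRLF-delimited body,
   doubling any '.' that starts a line. Returns bytes written, or
   (size_t)-1 if out is too small. */
size_t smtp_dot_stuff(const char *in, size_t inlen, char *out, size_t outcap)
{
    size_t o = 0;
    int line_start = 1;
    for (size_t i = 0; i < inlen; i++) {
        size_t need = (line_start && in[i] == '.') ? 2 : 1;
        if (o + need > outcap)
            return (size_t)-1;
        if (need == 2)
            out[o++] = '.';            /* the transparency dot */
        out[o++] = in[i];
        line_start = (in[i] == '\n' && i > 0 && in[i - 1] == '\r');
    }
    return o;
}

/* Receiver side: offset of the first line that is exactly ".\r\n", which
   ends DATA. Returns len when the stream holds no such line. */
size_t smtp_end_of_data(const char *wire, size_t len)
{
    size_t line = 0;
    while (line < len) {
        if (len - line >= 3 && memcmp(wire + line, ".\r\n", 3) == 0)
            return line;
        size_t i = line;
        while (i + 1 < len && !(wire[i] == '\r' && wire[i + 1] == '\n'))
            i++;
        if (i + 1 >= len)
            break;                     /* no further complete line */
        line = i + 2;
    }
    return len;
}

int main(void)
{
    char wire[64];
    size_t raw = sizeof SAMPLE_BODY - 1;
    size_t n = smtp_dot_stuff(SAMPLE_BODY, raw, wire, sizeof wire);
    printf("unstuffed: receiver ends body at %zu of %zu bytes\n",
           smtp_end_of_data(SAMPLE_BODY, raw), raw);
    printf("stuffed:   receiver ends body at %zu of %zu bytes\n",
           smtp_end_of_data(wire, n), n);
    return 0;
}
```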
JH/39 Bug 1781: Fix use of DKIM private-keys having trailing '=' in the base-64.
JH/40 Fix crash in queryprogram router when compiled with EXPERIMENTAL_SRS.
JH/41 Bug 1792: Fix selection of headers to sign for DKIM: bottom-up. While
we're in there, support oversigning also; bug 1309.
JH/42 Bug 1796: Fix error logged on a malware scanner connection failure.
HS/04 Add support for keep_environment and add_environment options.
JH/43 Tidy coding issues detected by gcc -fsanitize=undefined. Some remain;
either intentional arithmetic overflow during PRNG, or testing config-
induced overflows.
JH/44 Bug 1800: The combination of a -bhc commandline option and cutthrough
delivery resulted in actual delivery. Cancel cutthrough before DATA
stage.
JH/45 Fix cutthrough, when connection not opened by verify and target hard-
rejects a recipient: pass the reject to the originator.
JH/46 Multiple issues raised by Coverity. Some were obvious or plausible bugs.
Many were false-positives and ignorable, but it's worth fixing the
former class.
JH/47 Fix build on HP-UX and older Solaris, which need (un)setenv now also
for the new environment-manipulation done at startup. Move the routines
from being local to tls.c to being global via the os.c file.
JH/48 Bug 1807: Fix ${extract } for the numeric/3-string case. While preparsing
an extract embedded as result-arg for a map, the first arg for extract
is unavailable so we cannot tell if this is a numbered or keyed
extraction. Accept either.

Exim version 4.86
-----------------

JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
expanded.
JH/02 The smtp transport option "multi_domain" is now expanded.
JH/03 The smtp transport now requests PRDR by default, if the server offers
it.
JH/04 Certificate name checking on server certificates, when exim is a client,
is now done by default. The transport option tls_verify_cert_hostnames
can be used to disable this per-host. The build option
EXPERIMENTAL_CERTNAMES is withdrawn.
JH/05 The value of the tls_verify_certificates smtp transport and main options
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.
JH/06 Verification of the server certificate for a TLS connection is now tried
(but not required) by default. The verification status is now logged by
default, for both outbound TLS and client-certificate supplying inbound
TLS connections.
JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
sites use this now.
JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
Status Notification (bounce) messages are now MIME format per RFC 3464.
Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
under the control of the dsn_advertise_hosts option, and routers may
have a dsn_lasthop option.
JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
default, modifiable by a malware= option. The list separator for
the options can now be changed in the usual way. Bug 68.
JH/10 The smtp_receive_timeout main option is now expanded before use.
JH/11 The incoming_interface log option now also enables logging of the
local interface on delivery outgoing connections.
JH/12 The cutthrough-routing facility now supports multi-recipient mails,
if the interface and destination host and port all match.
JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
/defer_ok option.
JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
Patch from Andrew Lewis.
JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
now supports optional time-restrictions, weighting, and priority
modifiers per server. Patch originally by <rommer@active.by>.
JH/16 The spamd_address main option now supports a mixed list of local
and remote servers. Remote servers can be IPv6 addresses, and
specify a port-range.
JH/17 Bug 68: The spamd_address main option now supports an optional
timeout value per server.
JH/18 Bug 1581: Router and transport options headers_add/remove can
now have the list separator specified.
JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
option values.
JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
under OpenSSL.
JH/21 Support for the A6 type of dns record is withdrawn.
JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
rather than the verbs used.
JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
from 255 to 1024 chars.
JH/24 Verification callouts now attempt to use TLS by default.
HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
are generic router options now. The defaults didn't change.
JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
Original patch from Alexander Shikoff, worked over by JH.
HS/02 Bug 1575: exigrep falls back to autodetection of compressed
files if ZCAT_COMMAND is not executable.
JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.
JH/27 Bug 286: Support SOA lookup in dnsdb lookups.
JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
Normally benign, it bites when the pair was led to by a CNAME;
modern usage is to not canonicalize the domain to a CNAME target
(and we were inconsistent anyway for A-only vs AAAA+A).
JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.
JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
when evaluating $sender_host_dnssec.
JH/31 Check the HELO verification lookup for DNSSEC, adding new
$sender_helo_dnssec variable.
JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.
JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.
JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.
JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
documented as working, but never had. Support all but $spam_report.
JH/36 Bug 1659: Guard checking of input smtp commands against pseudo-command
added for tls authenticator.
HS/03 Add perl_taintmode main config option

Exim version 4.85
-----------------

TL/01 When running the test suite, the README says that variables such as
no_msglog_check are global and can be placed anywhere in a specific
test's script, however it was observed that placement needed to be near
the beginning for it to behave that way. Changed the runtest perl
script to read through the entire script once to detect and set these
variables, reset to the beginning of the script, and then run through
the script parsing/test process like normal.
TL/02 The BSDs have an arc4random API. One of the functions to induce
adding randomness was arc4random_stir(), but it has been removed in
OpenBSD 5.5. Detect this OpenBSD version and skip calling this
function when detected.
JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now
cause callback expansion.
TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that
syntax errors in an expansion can be treated as a string instead of
logging or causing an error, due to the internal use of bool_lax
instead of bool when processing it.
JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for
server certificates when making smtp deliveries.
JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups.
JH/04 Add ${sort {list}{condition}{extractor}} expansion item.
TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep.
TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups.
Merged patch from Sebastian Wiedenroth.
JH/05 Fix results-pipe from transport process. Several recipients, combined
with certificate use, exposed issues where response data items split
over buffer boundaries were not parsed properly. This eventually
resulted in duplicates being sent. This issue only became common enough
to notice due to the introduction of connection certificate information,
the item size being so much larger. Found and fixed by Wolfgang Breyha.
JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
size buffer was used, resulting in syntax errors when an expansion
exceeded it.