Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Oct 8, 2012
Commits on Oct 3, 2012
  1. Bump all packages that use perl, or depend on a p5-* package, or

    wiz authored
    are called p5-*.
    I hope that's all of them.
Commits on Jun 12, 2012
Commits on Jun 11, 2012
  1. Changes 4.80:

    adam authored
     1. New authenticator driver, "gsasl".  Server-only (at present).
        This is a SASL interface, licensed under GPL, which can be found at
        This system does not provide sources of data for authentication, so
        careful use needs to be made of the conditions in Exim.
     2. New authenticator driver, "heimdal_gssapi".  Server-only.
        A replacement for using cyrus_sasl with Heimdal, now that $KRB5_KTNAME
        is no longer honoured for setuid programs by Heimdal.  Use the
        "server_keytab" option to point to the keytab.
     3. The "pkg-config" system can now be used when building Exim to reference
        cflags and library information for lookups and authenticators, rather
        than having to update "CFLAGS", "AUTH_LIBS", "LOOKUP_INCLUDE" and
        "LOOKUP_LIBS" directly.  Similarly for handling the TLS library support
        without adjusting "TLS_INCLUDE" and "TLS_LIBS".
        In addition, setting PCRE_CONFIG=yes will query the pcre-config tool to
        find the headers and libraries for PCRE.
     4. New expansion variable $tls_bits.
     5. New lookup type, "dbmjz".  Key is an Exim list, the elements of which will
        be joined together with ASCII NUL characters to construct the key to pass
        into the DBM library.  Can be used with gsasl to access sasldb2 files as
        used by Cyrus SASL.
     6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1.
        Avoid release 1.0.1a if you can.  Note that the default value of
        "openssl_options" is no longer "+dont_insert_empty_fragments", as that
        increased susceptibility to attack.  This may still have interoperability
        implications for very old clients (see version 4.31 change 37) but
        administrators can choose to make the trade-off themselves and restore
        compatibility at the cost of session security.
     7. Use of the new expansion variable $tls_sni in the main configuration option
        tls_certificate will cause Exim to re-expand the option, if the client
        sends the TLS Server Name Indication extension, to permit choosing a
        different certificate; tls_privatekey will also be re-expanded.  You must
        still set these options to expand to valid files when $tls_sni is not set.
        The SMTP Transport has gained the option tls_sni, which will set a hostname
        for outbound TLS sessions, and set $tls_sni too.
        A new log_selector, +tls_sni, has been added, to log received SNI values
        for Exim as a server.
     8. The existing "accept_8bitmime" option now defaults to true.  This means
        that Exim is deliberately not strictly RFC compliant.  We're following
        Dan Bernstein's advice in by default.
        Those who disagree, or know that they are talking to mail servers that,
        even today, are not 8-bit clean, need to turn off this option.
     9. Exim can now be started with -bw (with an optional timeout, given as
        -bw<timespec>).  With this, stdin at startup is a socket that is
        already listening for connections.  This has a more modern name of
        "socket activation", but forcing the activated socket to fd 0.  We're
        interested in adding more support for modern variants.
    10. ${eval } now uses 64-bit values on supporting platforms.  A new "G" suffix
        for numbers indicates multiplication by 1024^3.
    11. The GnuTLS support has been revamped; the three options gnutls_require_kx,
        gnutls_require_mac & gnutls_require_protocols are no longer supported.
        tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority
        string, documentation for which is at:
        SNI support has been added to Exim's GnuTLS integration too.
        For sufficiently recent GnuTLS libraries, ${randint:..} will now use
        gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness.
    12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file
        is now available.  If the contents of the file are valid, then Exim will
        send that back in response to a TLS status request; this is OCSP Stapling.
        Exim will not maintain the contents of the file in any way: administrators
        are responsible for ensuring that it is up-to-date.
    13. ${lookup dnsdb{ }} supports now SPF record types. They are handled
        identically to TXT record lookups.
    14. New expansion variable $tod_epoch_l for higher-precision time.
    15. New global option tls_dh_max_bits, defaulting to current value of NSS
        hard-coded limit of DH ephemeral bits, to fix interop problems caused by
        GnuTLS 2.12 library recommending a bit count higher than NSS supports.
    16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier.
        Option can now be a path or an identifier for a standard prime.
        If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23".
        Set to "historic" to get the old GnuTLS behaviour of auto-generated DH
    17. SSLv2 now disabled by default in OpenSSL.  (Never supported by GnuTLS).
        Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL
        install was not built with OPENSSL_NO_SSL2 ("no-ssl2").
Commits on Apr 27, 2012
Commits on Mar 3, 2012
Commits on Jan 24, 2012
Commits on Oct 10, 2011
  1. Changes 4.77:

    adam authored
    * Solaris build fix for Oracle's LDAP libraries.
    * HP/UX build fix: avoid arithmetic on a void pointer.
    * DKIM Verification: Fix relaxed canon for empty headers w/o whitespace trailer
    * Fix a couple more cases where we did not log the error message when unlink()
    * Make the exiwhat support code safe for signals. Previously Exim might lock up
      or crash if it happened to be inside a call to libc when it got a SIGUSR1
      from exiwhat.
    * Improved ratelimit ACL condition.
    * Removed a few PCRE remnants.
    * Automatically extract Exim's version number from tags in the git repository
      when doing development or release builds.
    * Raise smtp_cmd_buffer_size to 16kB.
    * Implement SSL-on-connect outbound with protocol=smtps on smtp transport.
    * Use .dylib instead of .so for dynamic library loading on MacOS.
    * Variable $av_failed, true if the AV scanner deferred.
    * Stop make process more reliably on build failure.
    * Make maildir_use_size_file an _expandable_ boolean.
    * Handle ${run} returning more data than OS pipe buffer size.
    * Handle IPv6 addresses with SPF.
    * GnuTLS: support TLS 1.2 & 1.1.
    * match_* no longer expand right-hand-side by default.
    * fix uninitialised greeting string from PP/03 (smtps client support).
    * shell and compiler warnings fixes for RC1-RC4 changes.
Commits on Aug 23, 2011
  1. Recursive bump from gdbm shlib bump.

    obache authored
Commits on Jun 10, 2011
  1. recursive bump from icu shlib major bump.

    obache authored
Commits on May 9, 2011
  1. Changes 4.76:

    adam authored
    * The new ldap_require_cert option would segfault if used.  Fixed.
    * Harmonised TLS library version reporting; only show if debugging.
      Layout now matches that introduced for other libraries in 4.74 PP/03.
    * New openssl_options items: no_sslv2 no_sslv3 no_ticket no_tlsv1
    * New "dns_use_edns0" global option.
    * Don't segfault on misconfiguration of ref:name exim-user as uid.
    * Extra paranoia around buffer usage at the STARTTLS transition.
      nb: Exim is not vulnerable to
    * Updated PolarSSL code to 0.14.2.
    * Catch divide-by-zero in ${eval:...}.
    * Condition negation of bool{}/bool_lax{} did not negate.  Fixed.
    * CVE-2011-1764 - DKIM log line was subject to a format-string attack --
      SECURITY: remote arbitrary code execution.
    * SECURITY - DKIM signature header parsing was double-expanded, second
      time unintentionally subject to list matching rules, letting the header
      cause arbitrary Exim lookups (of items which can occur in lists, *not*
      arbitrary string expansion). This allowed for information disclosure.
    * Fix another SIGFPE (x86) in ${eval:...} expansion, this time related to
      INT_MIN/-1 -- value coerced to INT_MAX.
Commits on May 7, 2011
  1. add patch from upstream to fix format string vulnerability (CVE-2011-…

    drochner authored
    bump PKGREV
Commits on Mar 22, 2011
  1. Changes 4.75:

    adam authored
    1. In addition to the existing LDAP and LDAP/SSL ("ldaps") support, there
       is now LDAP/TLS support, given sufficiently modern OpenLDAP client
       libraries.  The following global options have been added in support of
       this: ldap_ca_cert_dir, ldap_ca_cert_file, ldap_cert_file, ldap_cert_key,
       ldap_cipher_suite, ldap_require_cert, ldap_start_tls.
    2. The pipe transport now takes a boolean option, "freeze_signal", default
       false.  When true, if the external delivery command exits on a signal then
       Exim will freeze the message in the queue, instead of generating a bounce.
    3. Log filenames may now use %M as an escape, instead of %D (still available).
       The %M pattern expands to yyyymm, providing month-level resolution.
    4. The $message_linecount variable is now updated for the maildir_tag option,
       in the same way as $message_size, to reflect the real number of lines,
       including any header additions or removals from transport.
    5. When contacting a pool of SpamAssassin servers configured in spamd_address,
       Exim now selects entries randomly, to better scale in a cluster setup.
Commits on Jan 27, 2011
  1. Changes 4.74:

    adam authored
    * Failure to get a lock on a hints database can have serious
      consequences so log it to the panic log.
    * Log LMTP confirmation messages in the same way as SMTP,
      controlled using the smtp_confirmation log selector.
    * Include the error message when we fail to unlink a spool file.
    * Bugzilla 139: Support dynamically loaded lookups as modules.
    * Bugzilla 139: Documentation and portability issues.
      Avoid GNU Makefile-isms, let Exim continue to build on BSD.
      Handle per-OS dynamic-module compilation flags.
    * Let /dev/null have normal permissions.
      The 4.73 fixes were a little too stringent and complained about the
      permissions on /dev/null.  Exempt it from some checks.
    * Report version information for many libraries, including
      Exim version information for dynamically loaded libraries.  Created
      version.h, now support a version extension string for distributors
      who patch heavily. Dynamic module ABI change.
    * CVE-2011-0017 - check return value of setuid/setgid. This is a
      privilege escalation vulnerability whereby the Exim run-time user
      can cause root to append content of the attacker's choosing to
      arbitrary files.
    * Bugzilla 1041: merged DCC maintainer's fixes for return code.
    * Bugzilla 1071: fix delivery logging with untrusted macros.
      If dropping privileges for untrusted macros, we disabled normal logging
      on the basis that it would fail; for the Exim run-time user, this is not
      the case, and it resulted in successful deliveries going unlogged.
Commits on Jan 12, 2011
  1. Changes 4.73:

    adam authored
    * Date: & Message-Id: revert to normally being appended to a message,
      only prepend for the Resent-* case.  Fixes regression introduced in
      Exim 4.70 by NM/22 for Bugzilla 607.
    * Include check_rfc2047_length in configure.default because we're seeing
      increasing numbers of administrators be bitten by this.
    * Added DISABLE_DKIM and comment to src/EDITME
    * Bugzilla 994: added openssl_options main configuration option.
    * Bugzilla 995: provide better SSL diagnostics on failed reads.
    * Bugzilla 834: provide a permit_coredump option for pipe transports.
    * Adjust NTLM authentication to handle SASL Initial Response.
    * If TLS negotiated an anonymous cipher, we could end up with SSL but
      without a peer certificate, leading to a segfault because of an
      assumption that peers always have certificates.  Be a little more paranoid.
    * Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
      filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
      NB: ClamAV planning to remove STREAM in "middle of 2010".
      CL also introduces -bmalware, various -d+acl logging additions and
      more caution in buffer sizes.
    * Implemented reverse_ip expansion operator.
    * Bugzilla 937: provide a "debug" ACL control.
    * Bugzilla 922: Documentation dusting, patch provided by John Horne.
    * Bugzilla 973: Implement --version.
    * Bugzilla 752: Refuse to build/run if Exim user is root/0.
    * Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
    * Bugzilla 816: support multiple condition rules on Routers.
    * Add bool_lax{} expansion operator and use that for combining multiple
      condition rules, instead of bool{}.  Make both bool{} and bool_lax{}
      ignore trailing whitespace.
    * prevent non-panic DKIM error from being sent to paniclog
    * added tcp_wrappers_daemon_name to allow host entries other than
      "exim" to be used
    * Fix malware regression for cmdline scanner introduced in PP/08.
      Notification from Dr Andrew Aitchison.
    * Change ClamAV response parsing to be more robust and to handle ClamAV's
      ExtendedDetectionInfo response format.
    * OpenSSL 1.0.0a compatibility const-ness change, should be backwards
Commits on Nov 8, 2010
  1. * Fix resolver on NetBSD when Exim is linked with pthreads (e.g. when…

    adam authored
    … using
    * Pass LDFLAGS for linking (useful with different SDKs on Mac OS X).
Commits on Sep 17, 2010
  1. Added optional support for SPF

    adam authored
Commits on Jun 6, 2010
  1. Changes 4.72:

    adam authored
    * installed exipick 20100104.1, adding $max_received_linelength, $data_path,
      and $header_path variables; fixed documentation bugs and typos
    * installed exipick 20100222.0, added --input-dir and --finput to allow
       exipick to access non-standard spools, including the "frozen" queue (Finput)
    * Support mysql stored procedures.
    * Spacing fix (syntax error) on Makefile directives for NetBSD
    * Documentation fix for max_rcpts.
    * Fix for unknown responses from Dovecot authenticator.
    * Added umask to procmail example.
    * installed exipick 20100323.0, fixing doc bug
    * CVE-2010-2023 - prevent hardlink attack on sticky mail directory.
    * Upgrade PolarSSL files to upstream version 0.12.1.
    * Improve log output when DKIM signing operation fails.
    * Treat the transport option dkim_domain as a colon separated list, not as
      a single string, and sign the message with each element, omitting multiple
      occurences of the same signer.
    * Null terminate DKIM strings, Null initialise DKIM variable
    * dnsdb DNS TXT record bug fix (DKIM-related)
    * CVE-2010-2024 - work round race condition on MBX locking.
Commits on Jun 2, 2010
Commits on Jan 31, 2010
  1. Added complete support for installation to DESTDIR. The Exim executable

    heinz authored
    file cannot run without EXIM_USER being present on the system, so
    scripts/exim_install was changed to derive the Exim version from the
    pkgsrc package version (see PKGSRC_EXIM_VERSION in the Makefile and patch-ae).
    Added LICENSE information.
    Ok'd by abs@
Commits on Jan 15, 2010
  1. use official mirrors, remove broken ones.

    zafer authored
Commits on Dec 30, 2009
Commits on Dec 7, 2009
  1. Changes 4.71:

    adam authored
    * Fix DKIM segfault on empty headers/body
    * Documentation fix for gnutls_* options.
    * Documentation for randint.  Better randomness defaults.
    * Enable DNSDB lookup by default.
    * Flag broken perl installation during build.
Commits on Nov 17, 2009
  1. Changes 4.70:

    adam authored
    * Added patch by Johannes Berg that expands the main option
      "spamd_servers" if it starts with a dollar sign.
    * Write list of recipients to X-Envelope-Sender header when building
      the mbox-format spool file for content scanning.
    * Added patch by Wolfgang Breyha that adds experimental DCC
      ( support via dccifd. Activated by
      setting EXPERIMENTAL_DCC=yes in Local/Makefile. Check out
      experimental_spec.txt for more documentation.
    * Bugzilla 673: Add f-protd malware scanner support.
    * Bugzilla 657: Embedded PCRE removed from the exim source tree.
      When building exim an external PCRE library is now needed -
      PCRE is a system library on the majority of modern systems.
      See entry on PCRE_LIBS in EDITME file.
    * Bugzilla 646: Removed unwanted C/R in Dovecot authenticator
      conversation.  Added nologin parameter to request.
    * Do not log submission mode rewrites if they do not change the address.
    * Bugzilla 662: Fix stack corruption before exec() in daemon.c.
    * Bugzilla 602: exicyclog now handles panic log, and creates empty
      log files in place.  Contributed by Roberto Lima
    * Bugzilla 667: close socket used by dovecot authenticator
    * Bugzilla 615: When checking the local_parts router precondition
      after a local_part_suffix or local_part_prefix option, Exim now
      does not use the address's named list lookup cache, since this
      contains cached lookups for the whole local part.
    * Bugzilla 521: Integrated SPF Best Guess support contributed by
      Robert Millan.  Documentation is in experimental-spec.txt
    * Bugzilla 668: Fix parallel build (make -j).
    * Bugzilla 437: Prevent Maildir aux files being created with mode 000
    * Bugzilla 598: Improvement to Dovecot authenticator handling.
    * Leading white space used to be stripped from $spam_report which
      wrecked the formatting. Now it is preserved.
    * Save $spam_score, $spam_bar, and $spam_report in spool files, so
      that they are available at delivery time.
    * Fix the way ${extract is skipped in the untaken branch of a conditional.
    * TLS error reporting now respects the incoming_interface and
      incoming_port log selectors.
    * more...
Commits on Jun 14, 2009
  1. Remove @dirrm entries from PLISTs

    joerg authored
Commits on Feb 13, 2009
  1. Add PKG_DESTDIR_SUPPORT=destdir

    abs authored
Commits on Jan 12, 2009
  1. Update exim to 4.69nb4

    abs authored
    - Add support for getifaddrs() and enable on NetBSD - submitted back to
      exim bugzilla as
    - Increase size of addrbuf[512] used in old style ioctl() version of
    Fixes issue on NetBSD 5.0
Commits on Nov 10, 2008
Commits on Sep 7, 2008
  1. Bump PKGREVISION for db4 shlib name change (4.6 -> 4.7).

    wiz authored
    Noted by OBATA Akio.
Commits on Jan 31, 2008
  1. Fixed pkglint warning about BUILD_DEFS.

    rillig authored
Commits on Jan 18, 2008
  1. Per the process outlined in revbump(1), perform a recursive revbump

    tnn authored
    on packages that are affected by the switch from the openssl 0.9.7
    branch to the 0.9.8 branch. ok jlam@
Commits on Jan 14, 2008
  1. Changes 4.69:

    adam authored
    * Add preliminary DKIM support.
    * Bugzilla 592: --help option is handled incorrectly if exim is invoked
      as mailq or other aliases.  Changed the --help handling significantly
      to do whats expected.  exim_usage() emits usage/help information.
    * Added the -bylocaldomain option to eximstats.
    * Bugzilla 619: Defended against bad data coming back from gethostbyaddr
    * Bugzilla 613: Documentation fix for acl_not_smtp
    * Bugzilla 628: PCRE update to 7.4 (work done by John Hall)
Commits on Dec 15, 2007
Commits on Oct 14, 2007
  1. Changes 4.68:

    adam authored
    * Bug fixes
Commits on Sep 11, 2007
  1. Update to exim-4.67nb1:

    abs authored
    - When -inet6, explicitly set HAVE_IPV6=NO to avoid use of any inet6 APIs
    Note: For entertainment purposes build a NetBSD distribution with
    'MKINET=no' and see what breaks in pkgsrc
Something went wrong with that request. Please try again.