Exim version 4.94
-----------------
JH/01 Avoid costly startup code when not strictly needed. This reduces time
for some exim process initialisations. It does mean that the logging
of TLS configuration problems is only done for the daemon startup.
JH/02 Early-pipelining support code is now included unless disabled in Makefile.
JH/03 DKIM verification defaults no long accept sha1 hashes, to conform to
RFC 8301. They can still be enabled, using the dkim_verify_hashes main
option.
JH/04 Support CHUNKING from an smtp transport using a transport_filter, when
DKIM signing is being done. Previously a transport_filter would always
disable CHUNKING, falling back to traditional DATA.
JH/05 Regard command-line receipients as tainted.
JH/06 Bug 340: Remove the daemon pid file on exit, whe due to SIGTERM.
JH/07 Bug 2489: Fix crash in the "pam" expansion condition. It seems that the
PAM library frees one of the arguments given to it, despite the
documentation. Therefore a plain malloc must be used.
JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
on-stack buffers were used, resulting in a taint trap when DSN information
copied from a received message was written into the buffer.
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
a new record was being constructed with information from the peer, a trap
was taken.
JH/11 Bug 2494: Unset the default for dmarc_tld_file. Previously a naiive
installation would get error messages from DMARC verify, when it hit the
nonexistent file indicated by the default. Distros wanting DMARC enabled
should both provide the file and set the option.
Also enforce no DMARC verification for command-line sourced messages.
JH/12 Fix an uninitialised flag in early-pipelining. Previously connections
could, depending on the platform, hang at the STARTTLS response.
JH/13 Bug 2498: Reset a counter used for ARC verify before handling another
message on a connection. Previously if one message had ARC headers and
the following one did not, a crash could result when adding an
Authentication-Results: header.
JH/14 Bug 2500: Rewind some of the common-coding in string handling between the
Exim main code and Exim-related utities. The introduction of taint
tracking also did many adjustments to string handling. Since then, eximon
frequently terminated with an assert failure.
JH/15 When PIPELINING, synch after every hundred or so RCPT commands sent and
check for 452 responses. This slightly helps the inefficieny of doing
a large alias-expansion into a recipient-limited target. The max_rcpt
transport option still applies (and at the current default, will override
the new feature). The check is done for either cause of synch, and forces
a fast-retry of all 452'd recipients using a new MAIL FROM on the same
connection. The new facility is not tunable at this time.
JH/16 Fix the variables set by the gsasl authenticator. Previously a pointer to
library live data was being used, so the results became garbage. Make
copies while it is still usable.
JH/17 Logging: when the deliver_time selector ise set, include the DT= field
on delivery deferred (==) and failed (**) lines (if a delivery was
attemtped). Previously it was only on completion (=>) lines.
JH/18 Authentication: the gsasl driver not provides the $authN variables in time
for the expansion of the server_scram_iter and server_scram_salt options.
WB/01 SPF: DNS lookups for the obsolete SPF RR type done by the libspf2 library
are now specifically given a NO_DATA response without hitting the system
resolver. The library goes on to do the now-standard TXT lookup.
Use of dnsdb lookups is not affected.
JH/19 Bug 2507: Modules: on handling a dynamic-module (lookups) open failure,
only retrieve the errormessage once. Previously two calls to dlerror()
were used, and the second one (for mainlog/paniclog) retrieved null
information.
JH/20 Taint checking: disallow use of tainted data for
- the appendfile transport file and directory options
- the pipe transport command
- the autoreply transport file, log and once options
- file names used by the redirect router (including filter files)
- named-queue names
- paths used by single-key lookups
Previously this was permitted.
JH/21 Bug 2501: Fix init call in the heimdal authenticator. Previously it
adjusted the size of a major service buffer; this failed because the
buffer was in use at the time. Change to a compile-time increase in the
buffer size, when this authenticator is compiled into exim.
JH/22 Taint-checking: move to safe-mode taint checking on all platforms. The
previous fast-mode was untenable in the face of glibs using mmap to
support larger malloc requests.
PP/01 Update the openssl_options possible values through OpenSSL 1.1.1c.
New values supported, if defined on system where compiled:
allow_no_dhe_kex, cryptopro_tlsext_bug, enable_middlebox_compat,
no_anti_replay, no_encrypt_then_mac, prioritize_chacha, tlsext_padding
JH/23 Performance improvement in the initial phase of a two-pass queue run. By
running a limited number of proceses in parallel, a benefit is gained. The
amount varies with the platform hardware and load. The use of the option
queue_run_in_order means we cannot do this, as ordering becomes
indeterminate.
JH/24 Bug 2524: fix the cyrus_sasl auth driver gssapi usage. A previous fix
had introduced a string-copy (for ensuring NUL-termination) which was not
appropriate for that case, which can include embedded NUL bytes in the
block of data. Investigation showed the copy to actually be needless, the
data being length-specified.
JH/25 Fix use of concurrent TLS connections under GnuTLS. When a callout was
done during a receiving connection, and both used TLS, global info was
used rather than per-connection info for tracking the state of data
queued for transmission. This could result in a connection hang.
JH/26 Fix use of the SIZE parameter on MAIL commands, on continued connections.
Previously, when delivering serveral messages down a single connection
only the first would provide a SIZE. This was due to the size information
not being properly tracked.
JH/27 Bug 2530: When operating in a timezone with sub-minute offset, such as
TAI (at 37 seconds currently), pretend to be in UTC for time-related
expansion and logging. Previously, spurious values such as a future
minute could be seen.
JH/28 Bug 2533: Fix expansion of ${tr } item. When called in some situations
it could crash from a null-deref. This could also affect the
${addresses: } operator and ${readsock } item.
JH/29 Bug 2537: Fix $mime_part_count. When a single connection had a non-mime
message following a mime one, the variable was not reset.
JH/30 When an pipelined-connect fails at the first response, assume incorrect
cached capability (perhaps the peer reneged?) and immediately retry in
non-pipelined mode.
JH/31 Fix spurious detection of timeout while writing to transport filter.
JH/32 Bug 2541: Fix segfault on bad cmdline -f (sender) argument. Previously
an attempt to copy the string was made before checking it.
JH/33 Fix the dsearch lookup to return an untainted result. Previously the
taint of the lookup key was maintained; we now regard the presence in the
filesystem as sufficient validation.
JH/34 Fix the readsocket expansion to not segfault when an empty "options"
argument is supplied.
JH/35 The dsearch lookup now requires that the directory is an absolute path.
Previously this was not checked, and nonempty relative paths made an
access under Exim's current working directory.
JH/36 Bug 2554: Fix msg:defer event for the hosts_max_try_hardlimit case.
Previously no event was raised.
JH/37 Bug 2552: Fix the check on spool space during reception to use the SIZE
parameter supplied by the sender MAIL FROM command. Previously it was
ignored, and only the check_spool_space option value for the required
leeway checked.
JH/38 Fix $dkim_key_length. This should, after a DKIM verification, present
the size of the signing public-key. Previously it was instead giving
the size of the signature hash.
JH/39 DKIM verification: the RFC 8301 restriction on sizes of RSA keys is now
the default. See the (new) dkim_verify_min_keysizes option.
JH/40 Fix a memory-handling bug: when a connection carried multiple messages
and an ACL use a lookup for checking either the local_part or domain,
stale data could be accessed. Ensure that variable references are
dropped between messages.
JH/41 Bug 2571: Fix SPA authenticator. Running as a server, an offset supplied
by the client was not checked as pointing within response data before
being used. A malicious client could thus cause an out-of-bounds read and
possibly gain authentication. Fix by adding the check.
JH/42 Internationalisation: change the default for downconversion in the smtp
transport to be "if needed". Previously it was "as previously set" for
the message, which usually meant "if needed" for message-submission but
"no" for everything else. However, MTAs have been seen using SMTPUTF8
even when the envelope addresses did not need it, resulting in forwarding
failures to non-supporting MTAs. A downconvert in such cases will be
a no-op on the addresses, merely dropping the use of SMTPUTF8 by the
transport. The change does mean that addresses needing conversion will
be converted when previously a delivery failure would occur.
JH/43 Fix possible long line in DSN. Previously when a very long SMTP error
response was received it would be used unchecked in a fail-DSN, violating
standards on line-length limits. Truncate if needed.
HS/01 Remove parameters of the link to www.open-spf.org. The linked form
doesn't work. (Additionally add a new main config option to configure the
spf_smtp_comment)
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Exim version 4.93
-----------------
JH/01 OpenSSL: With debug enabled output keying information sufficient, server
side, to decode a TLS 1.3 packet capture.
JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
Previously the default library behaviour applied, sending two, each in
its own TCP segment.
JH/03 Debug output for ACL now gives the config file name and line number for
each verb.
JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
buffer overrun for (non-chunking) other transports.
JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
TLS1.3, means that a server rejecting a client certificate is not visible
to the client until the first read of encrypted data (typically the
response to EHLO). Add detection for that case and treat it as a failed
TLS connection attempt, so that the normal retry-in-clear can work (if
suitably configured).
JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
and/or domain. Found and fixed by Jason Betts.
JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
configuration). If a CNAME target was not a wellformed name pattern, a
crash could result.
JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
the OS reports them interleaved with other addresses.
JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
used both for input and for a verify callout, both encrypted, SMTP
responses being sent by the server could be lost. This resulted in
dropped connections and sometimes bounces generated by a peer sending
to this system.
JH/11 Harden plaintext authenticator against a badly misconfigured client-send
string. Previously it was possible to cause undefined behaviour in a
library routine (usually a crash). Found by "zerons".
JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no
output.
JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old
API was removed, so update to use the newer ones.
JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
any timeout set, is taking a long time. Previously we would hang on to a
rotated logfile "forever" if the input was arriving with long gaps
(a previous attempt to fix addressed lack, for a long time, of initial
input).
HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
shared (NFS) environment. The length of the tempfile name is now
4 + 16 ("hdr.$message_exim_id") which might break on file
systems which restrict the file name length to lower values.
(It was "hdr.$pid".)
HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
shared (NFS) environment.
HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
did for all versions <4.90). Notably -M, -m, --invert, -I may be
affected.
JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
on some platforms for bit 31.
JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
to changes apparently associated with TLS1.3 handling some of the APIs
previously used were either nonfunctional or inappropriate. Strings
like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
This affects log line X= elements, the $tls_{in,out}_cipher variables,
and the use of specific cipher names in the encrypted= ACL condition.
JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
verification result was not updated unless hosts_require_ocsp applied.
JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option
queue_list_requires_admin set to false, non-admin users were denied the
facility.
JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
directory-of-certs mode. Previously they were advertised despite the
documentation.
JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
A single TCP connection by a client will now hold a TLS connection open
for multiple message deliveries, by default. Previoud the default was to
not do so.
JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
default. If built with the facility, DANE will be used. The facility
SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
must be defined and you must still, unless you define DISABLE_TLS, manage
the the include-dir and library-file requirements that go with that
choice. Non-TLS builds are still supported.
JH/24 Fix duplicated logging of peer name/address, on a transport connection-
reject under TFO.
JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
default. If the platform supports and has the facility enabled, it will
be requested on all coneections.
JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
controlled by the build-time option SUPPORT_PIPE_CONNECT.
PP/01 Unbreak heimdal_gssapi, broken in 4.92.
JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
success-DSN messages. Previously the From: header was always the default
one for these; the option was ignored.
JH/28 Fix the timeout on smtp response to apply to the whole response.
Previously it was reset for every read, so a teergrubing peer sending
single bytes within the time limit could extend the connection for a
long time. Credit to Qualsys Security Advisory Team for the discovery.
JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing
delivery address, which leaked information of the results of local
forwarding. Change to the original envelope recipient address, per
standards.
JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
requested. Previously not bounce was generated and a log entry of
error ignored was made.
JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)
JH/32 Introduce a general tainting mechanism for values read from the input
channel, and values derived from them. Refuse to expand any tainted
values, to catch one form of exploit.
JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result
was unused and the unexpanded text used for the test. Found and
fixed by Ruben Jenster.
JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open,
an attempt to use a TLS library read routine dereffed a nul pointer,
causing a segfault.
JH/35 Bug 2409: filter out-of-spec chars from callout response before using
them in our smtp response.
JH/36 Have the general router option retry_use_local_part default to true when
any of the restrictive preconditions are set (to anything). Previously it
was only for check_local user. The change removes one item of manual
configuration which is required for proper retries when a remote router
handles a subset of addresses for a domain.
JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
link count into consideration.
HS/04 Fix handling of very log lines in -H files. If a -<key> <value> line
caused the extension of big_buffer, the following lines were ignored.
JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
accordance with RFC 2308. Previously there was no expiry, so a longlived
receive process (eg. due to ACL delays) versus a short SOA value could
surprise.
HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)
JH/39 Promote DMARC support to mainline.
JH/40 Bug 2452: Add a References: header to DSNs.
JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
parameters. The relevant library call is documented as "Deprecated: This
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
HS/06 Change the default of dnssec_request_domains to "*"
JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we
carried on and emitted a BDAT command, even when PIPELINING was not
active.
JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
buffer was used for the filename, resulting in a trap when tainted
arguments (eg. $domain) were used.
JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
recommended to avoid a possible server-load attack. The feature can be
re-enabled via the openssl_options main cofiguration option.
JH/45 local_scan API: documented the current smtp_printf() call. This changed
for version 4.90 - adding a "more data" boolean to the arguments.
Bumped the ABI version number also, this having been missed previously;
release versions 4.90 to 4.92.3 inclusive were effectively broken in
respect of usage of smtp_printf() by either local_scan code or libraries
accessed via the ${dlfunc } expansion item. Both will need coding
adjustment for any calls to smtp_printf() to match the new function
signature; a FALSE value for the new argument is always safe.
JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating
the file-offset (which the Linux syscall does, and exim expects); this
resulted in an indefinite loop.
JH/47 ARC: fix crash in signing, triggered when a configuration error failed
to do ARC verification. The Authentication-Results: header line added
by the configuration then had no ARC item.
4.92:
New features include:
- ${l_header:<name>} expansion
- ${readsocket} now supports TLS
- "utf8_downconvert" option (if built with SUPPORT_I18N)
- "pipelining" log_selector
- JSON variants for ${extract } expansion
- "noutf8" debug option
- TCP Fast Open support on MacOS
Version 4.91
1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS
version 3.5.6 or later.
2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
OpenSSL versions are moved to mainline support from Experimental.
New SMTP transport option "dane_require_tls_ciphers".
3. Feature macros for the compiled-in set of malware scanner interfaces.
4. SPF support is promoted from Experimental to mainline status. The template
src/EDITME makefile does not enable its inclusion.
5. Logging control for DKIM verification. The existing DKIM log line is
controlled by a "dkim_verbose" selector which is _not_ enabled by default.
A new tag "DKIM=<domain>" is added to <= lines by default, controlled by
a "dkim" log_selector.
6. Receive duration on <= lines, under a new log_selector "receive_time".
7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on
routing rules in the manualroute router.
8. Expansion item ${sha3:<string>} / ${sha3_<N>:<string>} now also supported
under OpenSSL version 1.1.1 or later.
9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
GnuTLS 3.6.0 or OpenSSL 1.1.1 or later.
10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
version dependent.
11. "exim -bP macro <name>" returns caller-usable status.
12. Expansion item ${authresults {<machine>}} for creating an
Authentication-Results: header.
13. EXPERIMENTAL_ARC. See the experimental.spec file.
See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC.
14: A dane:fail event, intended to facilitate reporting.
15. "Lightweight" support for Redis Cluster. Requires redis_servers list to
contain all the servers in the cluster, all of which must be reachable from
the running exim instance. If the cluster has master/slave replication, the
list must contain all the master and slave servers.
16. Add an option to the Avast scanner interface: "pass_unscanned". This
allows to treat unscanned files as clean. Files may be unscanned for
several reasons: decompression bombs, broken archives.
Exim version 4.90.1
JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
we assumed that tags in the header were well-formed, and parsed the
element content after inspecting only the first char of the tag.
Assumptions at that stage could crash the receive process on malformed
input.
JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
While running the DKIM ACL we operate on the Permanent memory pool so that
variables created with "set" persist to the DATA ACL. Also (at any time)
DNS lookups that fail create cache records using the Permanent pool. But
expansions release any allocations made on the current pool - so a dnsdb
lookup expansion done in the DKIM ACL releases the memory used for the
DNS negative-cache, and bad things result. Solution is to switch to the
Main pool for expansions.
While we're in that code, add checks on the DNS cache during store_reset,
active in the testsuite.
Problem spotted, and debugging aided, by Wolfgang Breyha.
JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
When none of the hosts presented to a transport match an already-open
connection, close it and proceed with the list. Previously we would
queue the message. Spotted by Lena with Yahoo, probably involving
round-robin DNS.
JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
Previously a spurious "250 OK id=" response was appended to the proper
failure response.
JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection. Previously, when one had more receipients than the
first, an abortive onward connection was made. Move to full support for
multiple onward connections in sequence, handling cutthrough connection
for all multi-message initiating connections.
JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers. Previously, a multi-recipient message would fail to match the
onward-connection opened for the first recipient, and cause its closure.
JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped. This mattered most when the callout
was marked defer_ok. Fix to keep the two timeout-detection methods
separate.
HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
PP/01 Fix broken Heimdal GSSAPI authenticator integration.
Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
Broken also in d185889f4, with init system revamp.
------------
1. Allow relative config file names for ".include"
2. A main-section config option "debug_store" to control the checks on
variable locations during store-reset. Normally false but can be enabled
when a memory corrution issue is suspected on a production system.
MASTER_SITES= site1 \
site2
style continuation lines to be simple repeated
MASTER_SITES+= site1
MASTER_SITES+= site2
lines. As previewed on tech-pkg. With thanks to rillig for fixing pkglint
accordingly.
1. The ACL conditions regex and mime_regex now capture substrings
into numeric variables $regex1 to 9, like the "match" expansion condition.
2. New $callout_address variable records the address used for a spam=,
malware= or verify= callout.
3. Transports now take a "max_parallel" option, to limit concurrency.
4. Expansion operators ${ipv6norm:<string>} and ${ipv6denorm:<string>}.
The latter expands to a 8-element colon-sep set of hex digits including
leading zeroes. A trailing ipv4-style dotted-decimal set is converted
to hex. Pure ipv4 addresses are converted to IPv4-mapped IPv6.
The former operator strips leading zeroes and collapses the longest
set of 0-groups to a double-colon.
5. New "-bP config" support, to dump the effective configuration.
6. New $dkim_key_length variable.
7. New base64d and base64 expansion items (the existing str2b64 being a
synonym of the latter). Add support in base64 for certificates.
8. New main configuration option "bounce_return_linesize_limit" to
avoid oversize bodies in bounces. The dafault value matches RFC
limits.
9. New $initial_cwd expansion variable.
Exim version 4.86.2
-------------------
Portability relase of 4.86.1
Exim version 4.86.1
-------------------
HS/04 Add support for keep_environment and add_environment options.
This fixes CVE-2016-1531.
All installations having Exim set-uid root and using 'perl_startup' are
vulnerable to a local privilege escalation. Any user who can start an
instance of Exim (and this is normally *any* user) can gain root
privileges. If you do not use 'perl_startup' you *should* be safe.
New options
-----------
We had to introduce two new configuration options:
keep_environment =
add_environment =
Both options are empty per default. That is, Exim cleans the complete
environment on startup. This affects Exim itself and any subprocesses,
as transports, that may call other programs via some alias mechanisms,
as routers (queryprogram), lookups, and so on. This may affect used
libraries (e.g. LDAP).
** THIS MAY BREAK your existing installation **
If both options are not used in the configuration, Exim issues a warning
on startup. This warning disappears if at least one of these options is
used (even if set to an empty value).
keep_environment should contain a list of trusted environment variables.
(Do you trust PATH?). This may be a list of names and REs.
keep_environment = ^LDAP_ : FOO_PATH
To add (or override) variables, you can use add_environment:
add_environment = <; PATH=/sbin:/usr/sbin
New behaviour
-------------
Now Exim changes it's working directory to / right after startup,
even before reading it's configuration. (Later Exim changes it's working
directory to $spool_directory, as usual.)
Exim only accepts an absolute configuration file path now, when using
the -C option.
-----------------
TL/01 When running the test suite, the README says that variables such as
no_msglog_check are global and can be placed anywhere in a specific
test's script, however it was observed that placement needed to be near
the beginning for it to behave that way. Changed the runtest perl
script to read through the entire script once to detect and set these
variables, reset to the beginning of the script, and then run through
the script parsing/test process like normal.
TL/02 The BSD's have an arc4random API. One of the functions to induce
adding randomness was arc4random_stir(), but it has been removed in
OpenBSD 5.5. Detect this OpenBSD version and skip calling this
function when detected.
JH/01 Expand the EXPERIMENTAL_TPDA feature. Several different events now
cause callback expansion.
TL/03 Bugzilla 1518: Clarify "condition" processing in routers; that
syntax errors in an expansion can be treated as a string instead of
logging or causing an error, due to the internal use of bool_lax
instead of bool when processing it.
JH/02 Add EXPERIMENTAL_DANE, allowing for using the DNS as trust-anchor for
server certificates when making smtp deliveries.
JH/03 Support secondary-separator specifier for MX, SRV, TLSA lookups.
JH/04 Add ${sort {list}{condition}{extractor}} expansion item.
TL/04 Bugzilla 1216: Add -M (related messages) option to exigrep.
TL/05 GitHub Issue 18: Adjust logic testing for true/false in redis lookups.
Merged patch from Sebastian Wiedenroth.
JH/05 Fix results-pipe from transport process. Several recipients, combined
with certificate use, exposed issues where response data items split
over buffer boundaries were not parsed properly. This eventually
resulted in duplicates being sent. This issue only became common enough
to notice due to the introduction of conection certificate information,
the item size being so much larger. Found and fixed by Wolfgang Breyha.
JH/06 Bug 1533: Fix truncation of items in headers_remove lists. A fixed
size buffer was used, resulting in syntax errors when an expansion
exceeded it.
JH/07 Add support for directories of certificates when compiled with a GnuTLS
version 3.3.6 or later.
JH/08 Rename the TPDA expermimental facility to Event Actions. The #ifdef
is EXPERIMENTAL_EVENT, the main-configuration and transport options
both become "event_action", the variables become $event_name, $event_data
and $event_defer_errno. There is a new variable $verify_mode, usable in
routers, transports and related events. The tls:cert event is now also
raised for inbound connections, if the main configuration event_action
option is defined.
TL/06 In test suite, disable OCSP for old versions of openssl which contained
early OCSP support, but no stapling (appears to be less than 1.0.0).
JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on
server certificate names available under the smtp transport option
"tls_verify_cert_hostname" now do not permit multi-component wildcard
matches.
JH/10 Time-related extraction expansions from certificates now use the main
option "timezone" setting for output formatting, and are consistent
between OpenSSL and GnuTLS compilations. Bug 1541.
JH/11 Fix a crash in mime ACL when meeting a zero-length, quoted or RFC2047-
encoded parameter in the incoming message. Bug 1558.
JH/12 Bug 1527: Autogrow buffer used in reading spool files. Since they now
include certificate info, eximon was claiming there were spoolfile
syntax errors.
JH/13 Bug 1521: Fix ldap lookup for single-attr request, multiple-attr return.
JH/14 Log delivery-related information more consistently, using the sequence
"H=<name> [<ip>]" wherever possible.
TL/07 Bug 1547: Omit RFCs from release. Draft and RFCs have licenses which
are problematic for Debian distribution, omit them from the release
tarball.
JH/15 Updates and fixes to the EXPERIMENTAL_DSN feature.
JH/16 Fix string representation of time values on 64bit time_t anchitectures.
Bug 1561.
JH/17 Fix a null-indirection in certextract expansions when a nondefault
output list separator was used.
TL/01 Bugzilla 1506: Re-add a 'return NULL' to silence complaints from static
checkers that were complaining about end of non-void function with no
return.
JH/01 Bug 1513: Fix parsing of quoted parameter values in MIME headers.
This was a regression intruduced in 4.83 by another bugfix.
JH/02 Fix broken compilation when EXPERIMENTAL_DSN is enabled.
TL/02 Bug 1509: Fix exipick for enhanced spoolfile specification used when
EXPERIMENTAL_DNS is enabled.
1. If built with the EXPERIMENTAL_PROXY feature enabled, Exim can be
configured to expect an initial header from a proxy that will make the
actual external source IP:host be used in exim instead of the IP of the
proxy that is connecting to it.
2. New verify option header_names_ascii, which will check to make sure
there are no non-ASCII characters in header names. Exim itself handles
those non-ASCII characters, but downstream apps may not, so Exim can
detect and reject if those characters are present.
3. New expansion operator ${utf8clean:string} to replace malformed UTF8
codepoints with valid ones.
4. New malware type "sock". Talks over a Unix or TCP socket, sending one
command line and matching a regex against the return data for trigger
and a second regex to extract malware_name. The mail spoofile name can
be included in the command line.
5. The smtp transport now supports options "tls_verify_hosts" and
"tls_try_verify_hosts". If either is set the certificate verification
is split from the encryption operation. The default remains that a failed
verification cancels the encryption.
6. New SERVERS override of default ldap server list. In the ACLs, an ldap
lookup can now set a list of servers to use that is different from the
default list.
7. New command-line option -C for exiqgrep to specify alternate exim.conf
file when searching the queue.
8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that.
9. Support for DNSSEC on outbound connections.
10. New variables "tls_(in,out)_(our,peer)cert" and expansion item
"certextract" to extract fields from them. Hash operators md5 and sha1
work over them for generating fingerprints, and a new sha256 operator
for them added.
11. PRDR is now supported dy default.
12. OCSP stapling is now supported by default.
13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output
Delivery Status Notification messages in MIME format, and negociate
DSN features per RFC 3461.
1. New command-line option -bI:sieve will list all supported sieve extensions
of this Exim build on standard output, one per line.
ManageSieve (RFC 5804) providers managing scripts for use by Exim should
query this to establish the correct list to include in the protocol's
SIEVE capability line.
2. If the -n option is combined with the -bP option, then the name of an
emitted option is not output, only the value (if visible to you).
For instance, "exim -n -bP pid_file_path" should just emit a pathname
followed by a newline, and no other text.
3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
has a "tls_dh_min_bits" option, to set the minimum acceptable number of
bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
acceptable for security. (Option accepted but ignored if using OpenSSL).
Defaults to 1024, the old value. May be lowered only to 512, or raised as
far as you like. Raising this may hinder TLS interoperability with other
sites and is not currently recommended. Lowering this will permit you to
establish a TLS session which is not as secure as you might like.
Unless you really know what you are doing, leave it alone.
4. If not built with DISABLE_DNSSEC, Exim now has the main option
dns_dnssec_ok; if set to 1 then Exim will initialise the resolver library
to send the DO flag to your recursive resolver. If you have a recursive
resolver, which can set the Authenticated Data (AD) flag in results, Exim
can now detect this. Exim does not perform validation itself, instead
relying upon a trusted path to the resolver.
Current status: work-in-progress; $sender_host_dnssec variable added.
5. DSCP support for outbound connections: on a transport using the smtp driver,
set "dscp = ef", for instance, to cause the connections to have the relevant
DSCP (IPv4 TOS or IPv6 TCLASS) value in the header.
Similarly for inbound connections, there is a new control modifier, dscp,
so "warn control = dscp/ef" in the connect ACL, or after authentication.
Supported values depend upon system libraries. "exim -bI:dscp" to list the
ones Exim knows of. You can also set a raw number 0..0x3F.
6. The -G command-line flag is no longer ignored; it is now equivalent to an
ACL setting "control = suppress_local_fixups". The -L command-line flag
is now accepted and forces use of syslog, with the provided tag as the
process name. A few other flags used by Sendmail are now accepted and
ignored.
7. New cutthrough routing feature. Requested by a "control = cutthrough_delivery"
ACL modifier; works for single-recipient mails which are recieved on and
deliverable via SMTP. Using the connection made for a recipient verify,
if requested before the verify, or a new one made for the purpose while
the inbound connection is still active. The bulk of the mail item is copied
direct from the inbound socket to the outbound (as well as the spool file).
When the source notifies the end of data, the data acceptance by the destination
is negociated before the acceptance is sent to the source. If the destination
does not accept the mail item, for example due to content-scanning, the item
is not accepted from the source and therefore there is no need to generate
a bounce mail. This is of benefit when providing a secondary-MX service.
The downside is that delays are under the control of the ultimate destination
system not your own.
The Recieved-by: header on items delivered by cutthrough is generated
early in reception rather than at the end; this will affect any timestamp
included. The log line showing delivery is recorded before that showing
reception; it uses a new ">>" tag instead of "=>".
To support the feature, verify-callout connections can now use ESMTP and TLS.
The usual smtp transport options are honoured, plus a (new, default everything)
hosts_verify_avoid_tls.
New variable families named tls_in_cipher, tls_out_cipher etc. are introduced
for specific access to the information for each connection. The old names
are present for now but deprecated.
Not yet supported: IGNOREQUOTA, SIZE, PIPELINING.
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
modules. For some situations this is desirable, but we expect admin in
those situations to know they want the feature. More commonly, it means
that GUI user modules get loaded and are broken by the setuid Exim being
unable to access files specified in environment variables and passed
through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
unless this new option is set.
Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
so have also added a build option which can be used to build Exim with GnuTLS
but without trying to use any kind of PKCS11 support. Uncomment this in the
Local/Makefile:
AVOID_GNUTLS_PKCS11=yes
10. The "acl = name" condition on an ACL now supports optional arguments.
New expansion item "${acl {name}{arg}...}" and expansion condition
"acl {{name}{arg}...}" are added. In all cases up to nine arguments
can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL.
Variable $acl_narg contains the number of arguments. If the ACL sets
a "message =" value this becomes the result of the expansion item,
or the value of $value for the expansion condition. If the ACL returns
accept the expansion condition is true; if reject, false. A defer
return results in a forced fail.
11. Routers and transports can now have multiple headers_add and headers_remove
option lines. The concatenated list is used.
12. New ACL modifier "remove_header" can remove headers before message gets
handled by routers/transports.
13. New dnsdb lookup pseudo-type "a+". A sequence of "a6" (if configured),
"aaaa" and "a" lookups is done and the full set of results returned.
14. New expansion variable $headers_added with content from ACL add_header
modifier (but not yet added to messsage).
15. New 8bitmime status logging option for received messages. Log field "M8S".
16. New authenticated_sender logging option, adding to log field "A".
17. New expansion variables $router_name and $transport_name. Useful
particularly for debug_print as -bt commandline option does not
require privilege whereas -d does.
18. If built with EXPERIMENTAL_PRDR, per-recipient data responses per a
proposed extension to SMTP from Eric Hall.
19. The pipe transport has gained the force_command option, to allow
decorating commands from user .forward pipe aliases with prefix
wrappers, for instance.
20. Callout connections can now AUTH; the same controls as normal delivery
connections apply.
21. Support for DMARC, using opendmarc libs, can be enabled. It adds new
options: dmarc_forensic_sender, dmarc_history_file, and dmarc_tld_file.
It adds new expansion variables $dmarc_ar_header, $dmarc_status,
$dmarc_status_text, and $dmarc_used_domain. It adds a new acl modifier
dmarc_status. It adds new control flags dmarc_disable_verify and
dmarc_enable_forensic.
22. Add expansion variable $authenticated_fail_id, which is the username
provided to the authentication method which failed. It is available
for use in subsequent ACL processing (typically quit or notquit ACLs).
23. New ACL modifer "udpsend" can construct a UDP packet to send to a given
UDP host and port.
24. New ${hexquote:..string..} expansion operator converts non-printable
characters in the string to \xNN form.
25. Experimental TPDA (Transport Post Delivery Action) function added.
Patch provided by Axel Rau.
26. Experimental Redis lookup added. Patch provided by Warren Baker.
* Failure to get a lock on a hints database can have serious
consequences so log it to the panic log.
* Log LMTP confirmation messages in the same way as SMTP,
controlled using the smtp_confirmation log selector.
* Include the error message when we fail to unlink a spool file.
* Bugzilla 139: Support dynamically loaded lookups as modules.
* Bugzilla 139: Documentation and portability issues.
Avoid GNU Makefile-isms, let Exim continue to build on BSD.
Handle per-OS dynamic-module compilation flags.
* Let /dev/null have normal permissions.
The 4.73 fixes were a little too stringent and complained about the
permissions on /dev/null. Exempt it from some checks.
* Report version information for many libraries, including
Exim version information for dynamically loaded libraries. Created
version.h, now support a version extension string for distributors
who patch heavily. Dynamic module ABI change.
* CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
* Bugzilla 1041: merged DCC maintainer's fixes for return code.
* Bugzilla 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging
on the basis that it would fail; for the Exim run-time user, this is not
the case, and it resulted in successful deliveries going unlogged.
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
* Add preliminary DKIM support.
* Bugzilla 592: --help option is handled incorrectly if exim is invoked
as mailq or other aliases. Changed the --help handling significantly
to do whats expected. exim_usage() emits usage/help information.
* Added the -bylocaldomain option to eximstats.
* Bugzilla 619: Defended against bad data coming back from gethostbyaddr
* Bugzilla 613: Documentation fix for acl_not_smtp
* Bugzilla 628: PCRE update to 7.4 (work done by John Hall)
The main change is the incorporation of the content scanning from
the exiscan patch. (There are over 650 lines of Changes)
Retire exim-exiscan
Update exim-html from 4.40 to 4.50
Update exim-exiscan to 4.43_28 from 4.42_27
Update exim-html to 4.40 from 4.30
exim-exiscan:
28 - Added F-Secure support, thanks to Johan Thelmen <jth@home.se>.
- Upgraded SRS support to libsrs_alt 0.5 via Miles
Wilton's patch.
- REMOVED exiscan-acl implementation of custom header
placement in favor of Philip Hazel's native implementation.
However, a new option option was added for it to
mimic the behaviour of the old header_pos_middle option.
Read section 10 of exiscan-acl-spec.txt.
exim:
1. Fixed a longstanding but relatively impotent bug: a long time ago, before
PIPELINING, the function smtp_write_command() used to return TRUE or FALSE.
Now it returns an integer. A number of calls were still expecting a T/F
return. Fortuitously, in all cases, the tests worked in OK situations,
which is the norm. However, things would have gone wrong on any write
failures on the smtp file descriptor. This function is used when sending
messages over SMTP and also when doing verify callouts.
2. When Exim is called to do synchronous delivery of a locally submitted
message (the -odf or -odi options), it no longer closes stderr before doing
the delivery.
3. Implemented the mua_wrapper option.
4. Implemented mx_fail_domains and srv_fail_domains for the dnslookup router.
5. Implemented the functions header_remove(), header_testname(),
header_add_at_position(), and receive_remove_recipient(), and exported them
to local_scan().
6. If an ACL "warn" statement specified the addition of headers, Exim already
inserted X-ACL-Warn: at the start if there was no header name. However, it
was not making this test for the second and subsequent header lines if
there were newlines in the string. This meant that an invalid header could
be inserted if Exim was badly configured.
7. Allow an ACL "warn" statement to add header lines at the start or after all
the Received: headers, as well as at the end.
8. Added the rcpt_4xx retry error code.
9. Added postmaster_mailfrom=xxx to callout verification option.
10. Added mailfrom=xxxx to the callout verification option, for verify=
header_sender only.
11. ${substr_1_:xxxx} and ${substr__3:xxxx} are now diagnosed as syntax errors
(they previously behaved as ${substr_1_0:xxxx} and ${substr:_0_3:xxxx}).
12. Inserted some casts to stop certain compilers warning when using pointer
differences as field lengths or precisions in printf-type calls (mostly
affecting debugging statements).
13. Added optional readline() support for -be (dynamically loaded).
14. Obscure bug fix: if a message error (e.g. 4xx to MAIL) happened within the
same clock tick as a message's arrival, so that its received time was the
same as the "first fail" time on the retry record, and that message
remained on the queue past the ultimate address timeout, every queue runner
would try a delivery (because it was past the ultimate address timeout) but
after another failure, the ultimate address timeout, which should have then
bounced the address, did not kick in. This was a "< instead of <=" error;
in most cases the first failure would have been in the next clock tick
after the received time, and all would be well.
15. The special items beginning with @ in domain lists (e.g. @mx_any) were not
being recognized when the domain list was tested by the match_domain
condition in an expansion string.
16. Added the ${str2b64: operator.
17. Exim was always calling setrlimit() to set a large limit for the number of
processes, without checking whether the existing limit was already
adequate. (It did check for the limit on file descriptors.) Furthermore,
18. Imported PCRE 5.0.
19. Trivial typo in log message " temporarily refused connection" (the leading
space).
20. If the log selector return_path_on_delivery was set and an address was
redirected to /dev/null, the delivery process crashed because it assumed
that a return path would always be set for a "successful" delivery. In this
case, the whole delivery is bypassed as an optimization, and therefore no
return path is set.
21. Internal re-arrangement: the function for sending a challenge and reading
a response while authentication was assuming a zero-terminated challenge
string. It's now changed to take a pointer and a length, to allow for
binary data in such strings.
22. Added the cyrus_sasl authenticator (code supplied by MBM).
23. Exim was not respecting finduser_retries when seeking the login of the
uid under which it was called; it was always trying 10 times. (The default
setting of finduser_retries is zero.) Also, it was sleeping after the final
failure, which is pointless.
24. Implemented tls_on_connect_ports.
25. Implemented acl_smtp_predata.
26. If the domain in control=submission is set empty, Exim assumes that the
authenticated id is a complete email address when it generates From: or
Sender: header lines.
27. Added "#define SOCKLEN_T int" to OS/os.h-SCO and OS/os.h-SCO_SV. Also added
definitions to OS/Makefile-SCO and OS/Makefile-SCO_SV that put basename,
chown and chgrp in /bin and hostname in /usr/bin.
28. Exim was keeping the "process log" file open after each use, just as it
does for the main log. This opens the possibility of it remaining open for
long periods when the USR1 signal hits a daemon. Occasional processlog
errors were reported, that could have been caused by this. Anyway, it seems
much more sensible not to leave this file open at all, so that is what now
happens.
29. The long-running daemon process does not normally write to the log once it
has entered its main loop, and it closes the log before doing so. This is
so that log files can straightforwardly be renamed and moved. However,
there are a couple of unusual error situations where the daemon does write
log entries, and I had neglected to close the log afterwards.
30. The text of an SMTP error response that was received during a remote
delivery was being truncated at 512 bytes. This is too short for some of
the long messages that one sometimes sees. I've increased the limit to
1024.
31. It is now possible to make retry rules that apply only when a message has a
specific sender, in particular, an empty sender.
32. Added "control = enforce_sync" and "control = no_enforce_sync". This makes
it possible to be selective about when SMTP synchronization is enforced.
33. Added "control = caseful_local_part" and "control = "caselower_local_part".
32. Implemented hosts_connection_nolog.
33. Added an ACL for QUIT.
34. Setting "delay_warning=" to disable warnings was not working; it gave a
syntax error.
35. Added mailbox_size and mailbox_filecount to appendfile.
36. Added control = no_multiline_responses to ACLs.
37. There was a bug in the logic of the code that waits for the clock to tick
in the case where the clock went backwards by a substantial amount such
that the microsecond fraction of "now" was more than the microsecond
fraction of "then" (but the whole seconds number was less).
38. Added support for the libradius Radius client library this is found on
FreeBSD (previously only the radiusclient library was supported).
