Commit graph

5 commits

Author SHA1 Message Date
pettai
2917402513 2.9.0 2013/12/09
NOTE: During the development cycle for this release, SourceForge
                changed their bug numbering system.  Bug numbers are recorded
                here as they were generated by the current system at the time
                they were filed.  The older ones (prefixed "SF") have since
                been renumbered or may no longer be in the system.
        Feature request #169: Discontinue libxml2 support in the reputation
                code.
        Feature request #174: Drop internal libstrl implementation.
        Feature request #175: Discontinue support for libdkimrep.
        Feature request #176: Update to the final REPUTE RFCs.
        Activate _FFR_REDIRECT.
        Fix bug #178: Add support for "dmarc" as an authentication method
                (though it hasn't been formally registered yet) and fix
                a minor Authentication-Results parsing problem.
        Fix bug #179: Correct handling of SignatureTTL.
        Fix bug #180: Drain results object when doing a DB walk of a postgresql
                table.
        Fix bug #182: Add an Authentication-Results header field even for
                messages with no valid From: field or a fatal structural
                violation.
        Teach dkimf_db_walk() about LDAP soft starting, and don't escape the
                forced "*" when walking.  Also handle incorrect attribute
                counts without causing an assertion failure.
        Call dkimf_config_free() on shutdown so that all DBs get properly
                closed and everything gets deallocated.
        LIBOPENDKIM: Fix bug #168: Report an unresolved CNAME for ADSP records
                as simply absent.
        LIBOPENDKIM: Add DKIM_LIBFLAGS_REQUESTREPORTS to request that an
                "r=y" tag be added to signatures, per RFC6651.
        TOOLS: Fix boundary condition in opendkim-testmsg.
        DOCS: Feature request #168: Improve documentation of signature
                verification failure debugging features.
        DOCS: Feature request #172: Describe socket selection procedure in
                detail, and mention selinux command to get set up.
2013-12-12 14:11:32 +00:00
pettai
a6735e8680 2.6.7 2012/07/23
Fix input handling for file data sets for the macro case.
        Ensure NULL-termination of macro value tests.
        STATS: Fix hang bug in opendkim-reportstats.
        STATS: Fix bug #SF3547363: Fix "Top 10" and DNSSEC trend reports.

2.6.6           2012/07/18
        LIBAR: Fix bug #SF3544522: Not all systems define a "_len" member for
                the sockaddr structures.
        LIBOPENDKIM: Fix bug #SF3545490: If the body handed to the library was
                missing a trailing line terminator, then dkim_canon_closebody()
                would end the hashes with some data not included.  Now, if
                DKIM_LIBFLAGS_FIXCRLF is set, it will detect this condition
                and correct it; if not, an error is returned.
        LIBOPENDKIM: If the job ID passed in during handle creation includes
                slashes and temporary file creation is enabled, convert the
                slashes to dots in the temporary file template.

2.6.5           2012/07/14
        Swap order of "header.d" and "header.i" values in
                Authentication-Results fields.
        BUILD: Fix bug #SF3543282: Corrections to Darwin/libar build adjustment
                made in 2.6.3.

2.6.4           2012/07/12
        Feature request #SF3542099: Include "header.d" in all
                Authentication-Results fields, not just "header.i".  This
                makes life easier for users of OpenDMARC.
        BUILD: Fix SHA256 test on some systems.

2.6.3           2012/07/11
        Add "ResolvConf" setting, allowing the ability to pass a
                resolv.conf-like file to unbound to allow specific nameservers
                to be used instead of the default.
        LIBOPENDKIM: Return the correct error code when a SHA1-only library
                encounters a SHA1 signature that references a SHA256-only key.
        LIBAR: Add ar_resolvconf().
        BUILD: Fix bug #SF3538676: Build with -DDARWIN on MacOSX, and default
                to arlib if unbound isn't selected.

2.6.2           2012/07/02
        Fix build confusion between _FFR_RATE_LIMIT and _FFR_RESIGN.
        Fix bug #SF3538639: Fix error when --domain is not provided to
                opendkim-genrates.  Problem noted by Andreas Schulze.
        Fix bug #SF3539449: Clarify legal "Socket" values.
        Fix bug #SF3539493: Handle certain cases of data set names that
                appear to be comma-separated lists which include IPv6
                addresses.

2.6.1           2012/06/25
        Restore and activate _FFR_SELECT_CANONICALIZATION.  Also adds a
                SelectCanonicalizationHeader configuration option.
        Remove _FFR_SELECTOR_HEADER.
        Update Authentication-Results parsing to understand "dkim-atps"
                (RFC6541) and no longer understand "hardfail" (RFC6577).
        LIBAR: Fix bug #SF3309946: Ensure the dispatcher doesn't hold the
                master lock when it might enter a read wait.
        STATS: Add a database index on messages.msgtime to aid with
                expiration performance.
        TOOLS: Feature request #SF3536385: Add "-a" to opendkim-genkey to
                include a domain name in the generated TXT record.

2.6.0           2012/06/07
        Feature request #SF3502777: Log all authentication results rather than
                relying on logging of Authentication-Results header fields.
        Feature request #SF3512286: Add "LDAPSoftStart" flag so the filter
                doesn't abort on startup when LDAP is not available.
        Feature request #SF3512836: Add _FFR_SOCKETDB, which enables support
                for a generic socket data set.
        Feature request #SF3514982: Add Erlang data set support.
        Feature request #SF3516253: Update to newest "repute" working group
                documents, which mainly means adding JSON support and
                promoting application-specific extensions to the top level
                in the reputon structure.
        Feature request #SF3518593: Add support for OpenLDAP's MDB as a
                data set backend.
        Feature request #SF3519002: Put reason information inside a "reason"
                tag in Authentication-Results header fields rather than in
                comments.
        Feature request #SF3521000: Log hostname and daemon name (taken from
                macros) when logging "no MTA name match".
        Feature request #SF3524756: Add ability to request TCP keepalive
                features via the OpenLDAP client library.
        Feature request #SF3529233: Add odkim.get_envfrom() to all Lua scripts.
        Fix bug #SF3518877: Separate variable expansion from literal text in
                opendkim-genkey.
        Fix bug #SF3522883: Allow TLS for ldapi URIs.  Problem noted by
                Quanah Gibson-Mount.
        Fix bug #SF3527428: Construct the LDAP URI list properly, rather than
                only keeping the last one, and add failover code.
        Patch #SF3522895: Add contrib/ldap/opendkim.ldif.
        Activate _FFR_XTAGS.
        Remove _FFR_SELECT_CANONICALIZATION.
        LIBAR: Fix bug #SF3444318: Do proper buffer size calculations to
                avoid valgrind warnings about references to unaddressable
                space.
        LIBOPENDKIM: Fix bug #SF3496041: Remove _FFR_PARSETIME.
        LIBOPENDKIM: Fix bug #SF3516653: By default, treat a syntax error
                in an ADSP record as an NXDOMAIN.  Add new library flag
                DKIM_LIBFLAGS_REPORTBADADSP to restore the original
                behaviour.
        LIBOPENDKIM: Fix bug #SF3524865: Disallow generation of signatures
                where signer and signing domain don't match per the DKIM
                specification.  Add DKIM_LIBFLAGS_DROPSIGNER which, if set,
                will still generate signatures in that case, but with the
                signer omitted so the signature is still compliant.
        BUILD: Fix bug #SF3425384: Add missing support for compiling
                against libevent2, which is an option for unbound.
        BUILD: Fix bug #SF3475799: Don't do a manual check for libdb.a.
                Use the AC_CHECK_* macros instead.
        DOCS: Fix bug #SF3518864: The license for IETF documents is not
                compatible with free software licensing, which makes packaging
                a bit of a chore.  Replace all the text files in the "docs"
                directory with a single HTML page that includes links to
                all the things we used to include here.
        STATS: Feature request #SF3110059: Move opendkim-reportstats from
                contrib/stats to stats, making it fully supported.
        STATS: Feature request #SF3525786: Add opendkim-expire script.
        STATS: Feature request #SF3528652: Allow a specific list of domains,
                possibly read from a file, for opendkim-gengraphs and
                opendkim-genrates.
2012-11-12 19:23:35 +00:00
pettai
7cb6fe3dd2 2.3.0 2011/02/21
Feature request #SF2964396: Allow SignHeaders, OmitHeaders and
                SenderHeaders to be specified as deltas to the default lists.
        Feature request #SF3053094: Correct documentation and improve function
                of the AuthservID configuration setting.  Requested by
                Andreas Schulze.
        Feature request #SF3060152: Add odkim.replace_header() function.
        Feature request #SF3060161: Add odkim.del_header() function.
        Feature request #SF3061189: Add new "quarantine" option to all the
                various "On-" settings.
        Feature request #SF3066104: Add "AnonymousDomains" configuration
                option.
        Feature request #SF3074290: Add _FFR_ATPS, experimental support for
                draft-kucherawy-dkim-atps.
        Feature request #SF3076684: Add "VBR-TrustedCertifiersOnly" flag.
        Feature request #SF3080604: Add odkim.parse_field() function.
                Requested by Todd Lyons.
        Feature request #SF3081697: Add "OversignHeaders" configuration
                option.
        Feature request #SF3085536: Activate _FFR_STATS_I, providing
                statistics reporting about use of "i=" in signatures.
        Feature request #SF3096630: Add odkim.rbl_check() function.
        Feature request #SF3097083: Make SigningTable accessible from Lua.
        Feature request #SF3103095: Allow "%" in a KeyTable entry's filename
                component as well as the domain name.
        Feature request #SF3105480: Improved VBR correctness; don't conduct
                VBR checks at all if there are disagreeing "mc" values in
                multiple VBR-Info header fields.
        Feature request #SF3106132: Allow "%" in a SigningTable's value.
        Feature request #SF3109963: Add "MaximumSignaturesToVerify" setting.
                Suggested by John Wood.
        Feature request #SF3110593: Add compile-time support for GnuTLS as
                an alternative to OpenSSL.  Suggested by Alessandro Vesely.
        Feature request #SF3136772: Sign the VBR-Info header field, if added.
                Requested by Frederik Pettai.
        Fix bug #SF3134119: With AutoRestart enabled, arrange to relay
                SIGUSR1 from the parent to the child rather than terminating.
                Reported by Yoshiaki Yanagihara.
        Fix bug #SF3141313: Trim whitespace from values in in-core data
                sets.  Reported by Todd Lyons.
        Fix bug #SF3156124: More robust handling of database disconnects.
                Also add _FFR_POSTGRESQL_RECONNECT_HACK, which will hopefully
                be temporary.  Reported by Miha Vrhovnik.
        Fix bug #SF3181180: Correct handling of quoted strings containing
                parentheses (and the opposite) when parsing
                Authentication-Results header fields.  Reported by
                Mark Martinec.
        Fix back-compatibility with very old implementations of milter in MTAs.
        Fix case-insensitive matching for domain names when doing signing
                selection.  Problem noted by John Espiro.
        New configuration file options:
                - "CaptureUnknownErrors", replacing the FFR of the same name
                - "DNSConnect", requesting the resolver use TCP mode
                - "KeepAuthResults", suppressing required removal of
                  Authentication-Results header fields
                - "ResolverTracing", adding detailed logging of libar activity
                - "StrictHeaders", requesing libopendkim to assert header
                  field counts according to the standards
                - "UnboundConfigFile", passing a configuration file name to
                  libunbound (suggested by Andreas Schulze)
                - "VBR-PurgeFields", removing "X-VBR-*" fields after using them
        Trim whitespace from the end of all values in a config file, not just
                strings.  Problem noted by Reuben Farrelly.
        Assume a default location for opendkim.conf.  Suggested by Andreas
                Schulze.
        Don't needlessly demand milter features, causing aborts when they're
                not available.  Problem noted by Todd Lyons.
        Make odkim.get_clienthost(), odkim.get_clientip() and
                odkim.get_fromdomain() available in the final script.
        When "SyslogSuccess" is active, log the selector and domain used.
                Suggested by Miha Vrhovnik.
        LIBAR: Feature request #SF3115073: Add flag for fine-grained activity
                logging for debugging purposes.
        LIBAR: Add support for using poll() instead of socket().
        LIBOPENDKIM: Feature request #SF3087029: Add DKIM_LIBFLAGS_STRICTHDRS.
        LIBOPENDKIM: Feature request #SF3089990: Add dkim_sig_getsignedhdrs().
        LIBOPENDKIM: Fix bug #SF3079094: Have dkim_diffheaders() take
                canonicalization into account when generating its results
                to avoid false positives.
        LIBOPENDKIM: Fix bug #SF3184670: Add error codes for missing and empty
                "v=" tags, thus avoiding a possible assertion failure when
                DKIM_LIBFLAGS_BADSIGHANDLES is in use.  Reported by J. Coloos.
        LIBOPENDKIM: Fix up handling of multi-TXT DNS replies inside
                dkim_get_policy_dns().
        LIBOPENDKIM: Add dkim_getid().
        LIBOPENDKIM: Treat no answers as an NXDOMAIN with respect to
                retrieving ADSP records.
        LIBOPENDKIM: When an unexpected DNS type or class is received,
                log the received values.
        LIBVBR: Feature request #SF3105477: Copy the generic DNS work from
                libopendkim.
        STATS: Feature request #SF3085536: Activate _FFR_STATS_I, providing
                statistics reporting about use of "i=" in signatures.
        STATS: Feature request #SF3125701: Add "s=" key value tracking.
        STATS: Feature request #SF3137445: Track key sizes.  Suggested by
                Todd Lyons.
        MILTERTEST: When asserting negotiation state, don't forget to capture
                what was negotiated.
        TOOLS: Feature request #SF3106876: Amend opendkim-testkey to return
                the DNSSEC results as well.
        TOOLS: Fix bug #SF3143922: Command line parameters to opendkim-testkey
                now override their configuration file counterparts.
        TOOLS: Experimental new "opendkim-spam" tool to let users update a
                stats database to indicate a message is spam, for possible
                later correlation use.
        BUILD: opendkim-genzone needs LIBCRYPTO_LDFLAGS.  Reported by
                John Smith.
        Activate _FFR_CAPTURE_UNKNOWN_ERRORS.
2011-03-13 23:31:31 +00:00
pettai
3f0387de0b 2.2.2 2010/11/28
Fix bug #SF2903325: Clean up numerous signed vs. unsigned warnings.
        Fix bug #SF3095782: When VBR is enabled, only perform a query when
                the "md" domain in the VBR-Info header field matches the
                "d" field for any valid signature.
        Fix bug #SF3105993: Better handling of missing records in Lua DB
                lookups.
        When reading keys, ensure what's being read is a regular file and
                not something else.
        Complain if TrustAnchorFile names something that can't be opened
                for reading.
        LIBOPENDKIM: Don't complain about multiple records returned if one
                of them was an RRSIG.
        LIBAR: Rework some I/O logic to avoid a deadlock when the nameserver
                becomes unresponsive during response processing.
        BUILD: Move all scripts and executables except opendkim to a bin
                directory for adminstrator convenience. They were previously in
                the sbin directory.
        BUILD: Fix bug #SF3101842: Fix opendkim-genzone build when OpenDBX
                is in use.
        BUILD: opendkim-testkey can require SASL build information when used
                with OpenLDAP, or Lua information when built with Lua.
        BUILD: Dissociate libopendkim and libunbound, as this is now handled
                through the application rather than the library.
        BUILD: Convert to using git for source code management.
        STATS: Additional reporting improvements.
        STATS: Fix bug #SF3107659: Add additional diagnostic output to
                opendkim-importstats when malformed input is found.
        TOOLS: Handle input generated with and without the _FFR_STATS_I
                extensions.

2.2.1           2010/10/25
        Avoid assertion failures when using "-V" and arlib.
        Fix "refile" loading.
        Fix collision between "ReputationRoot" and "StatisticsName" in the
                configuration file.
        Convert sender's domain name to lowercase prior to doing any database
                queries with it.  This was done before, but lost during the
                database overhaul in 1.2.0.
        Fix up Authentication-Results header field generation for VBR.
                Reported by Fredrik Pettai.
        Add _FFR_STATS_I enabling statistics reporting of "i=" signature
                properties.
        LIBOPENDKIM: Fix bug #SF3081964: dkim.h requires <sys/time.h>.
        LIBOPENDKIM: Fix bug #SF3087251: Use thread-safe resolver functions
                when avaialble.
        LIBOPENDKIM: Cancel completed reputation queries.
        LIBOPENDKIM: Simplify DKIM_OPTS_ALWAYSHDRS handling.
        LIBAR: Fix bug #SF3080720: Don't compute timeouts based on completed
                or dead queries.
        LIBVBR: Fix some pointer errors causing false negatives.
        TOOLS: Write "v=" tags in key records output by opendkim-genzone.

2.2.0           2010/10/03
        Feature request #SF2874043: Add _FFR_ADSP_LISTS allowing control over
                action taken when mail is sent to known lists from
                ADSP "discardable" sources.
        Feature request #SF2964366: Allow arbitrary data set operations
                from inside Lua script hooks.
        Feature request #SF2981598: Add "NoHeaderB" and "SingleAuthResult"
                settings so that only one Authentication-Results header field
                is added, and reduce its variability.
        Feature request #SF3013084: Add "DomainKeysCompat" setting.
        Feature request #SF3017358: Allow a token in the KeyTable that gets
                replaced with the sender's domain name.
        Feature request #SF3019876: Enable registration and use of generic
                DNS functions.
        Feature request #SF3021566: Change "ADSPDiscard" to "ADSPAction",
                allowing selection of what action to take when a message is
                determined by ADSP to be "discardable".
        Feature request #SF3023232: Allow selection of a signer (for the
                signature's "i=" tag) when calling odkim.sign() or via an
                optional second parameter in the SigningTable.
        Feature request #SF3024854: Always log a warning if a key file
                has unsafe group/other read/write bits set.  Further, if the
                new "RequireSafeKeys" setting is true, refuse to use the data.
        Feature request #SF3030548: Add _FFR_DEFAULT_SENDER, adding the
                "DefaultSender" setting.
        Feature request #SF3049483: Use ReportAddress for ADSP Reports and for
                the sender envelope address.
        Feature request #SF3056571: Extend signer selection in the SigningTable
                to include a token that will be replaced by the From:
                domain.
        Feature request #SF3062077: Allow the specification of additional
                recipients when delivering DKIM/ADSP failure reports through
                a new ReportBccAddress configuration option.
        Fix bug #SF3004995: Don't apply "SenderHeaders" to the library
                as that impacts how ADSP works.
        Fix bug #SF3025856: Fix "AllowSHA1Only", which was not working at all.
        Fix bug #SF3037504: Rework database schema and tools to meet revised
                reporting requirements.
        Fix bug #SF3051536: Allow disabling of reputation queries.
        Fix bug #SF3058204: Fix numerous possible double-free() incidents in
                dkimf_config_free().
        Fix PeerList to work with IPv6 addresses.
        Fix loop boundary check in dkimf_db_close().
        Fix assertion failure in dkimf_db_get() when used with a "match both"
                operation.
        Fix "LocalADSP", which was not working at all.
        Fix some Lua test mode logic and a build issue that prevented
                "ScreenPolicyScript" from working.
        Added MTACommand for overriding default (mainly for testing).
        Ignore "Domain" and "Selector" settings if "KeyTable" is set.
        Add "On-PolicyError" to configuration tables.
        Don't automatically temp-fail messages bearing signatures that
                reference revoked keys.
        Some fixes to the "final" Lua script self-test code.
        Include libmilter version in "-V" output.
        Single-thread DB queries done via OpenDBX handles as they can't be
                used to do parallel queries.
        Attempt to reconnect after SQL disconnections.
        Revise text/plain portion of policy reports.
        Fix up DSN parsing so that it is not needlessly restrictive.
        Add _FFR_STATSEXT: Allows arbitrary local extensions to statistics
                gathering via a fourth Lua script that can cause the
                generation of additional SQL insertion operations.
        LIBOPENDKIM: Feature request #SF3026287: Add dkim_getuser() function.
        LIBOPENDKIM: Feature request #SF3065035: Apply library query
                configuration to ADSP lookups as well, mainly to support
                auotmated testing.
        LIBOPENDKIM: Fix bug #SF3071368: Fix tiny memory leak in dkim_init().
        LIBOPENDKIM: Fix bug #SF3051762: Don't error out of dkim_get_key()
                when in test mode by testing signature-specific features when
                against dummy data.
        LIBOPENDKIM: Don't build against pthread libraries if not needed.
        LIBOPENDKIM: Add dkim_get_signer(), dkim_policy_state_new() and
                dkim_policy_state_free().
        LIBOPENDKIM: Don't assert a "g=" default when processing keys so that
                statistics reporting can tell whether or not it was originally
                there.
        LIBOPENDKIM: Minor fix to internal state machine when dealing with
                unsigned messages.
        LIBOPENDKIM: Rename DKIM_PRESULT_AUTHOR to DKIM_PRESULT_FOUND.
        LIBOPENDKIM: Improved error reporting from dkim_ohdrs().
        LIBOPENDKIM: Improved re-entrancy of dkim_eoh_verify().
        LIBOPENDKIM: Undefine DKIM_FEATURE_ASYNC_DNS (obsolete).
        MILTERTEST: Feature request #SF3005002: Enable testing of
                "unspecified" protocol family connections.
        MILTERTEST: Add "-u" option to report resource usage statistics on
                completion.
        MILTERTEST: Add mt.signal() to allow signaling of filters for things
                like configuration file reloads.
        MILTERTEST: Enhance mt.connect() to accept optional retry and interval
                arguments.
        MILTERTEST: Add "-w" option to request no waiting for the child process
                to exit and report status.
        MILTERTEST: Allow partial seconds argument to mt.sleep().
        TOOLS: Feature request #SF3004335: Add support to opendkim-testkey
                to get configuration file values and validate an entire
                KeyTable.
        TOOLS: Update opendkim-genkeys script to support
                draft-ietf-marf-dkim-reporting.
        TOOLS: Flip logic of "-a" flag to opendkim-stats.
        TOOLS: Fix bug #SF3037452: Change owner/group/mode of stats database
                when resetting it to whatever the replaced file had.
        CONTRIB: Add opendkim-reportstats, contributed by John Wood.
        BUILD: Fix --with-db.
        Activate _FFR_ZTAGS.
2011-02-21 00:04:21 +00:00
pettai
6eee611b7e OpenDKIM is an open source implementation of the DKIM (Domain Keys Identified
Mail) sender authentication system proposed by the E-mail Signing Technology
Group (ESTG), now standardized by the IETF (RFC4871). It also includes
implementations of the Author Domain Signing Practises (ADSP, RFC5617) and
Vouch By Reference (VBR, RFC5518) proposed standards.

The project started from a code fork of version 2.8.3 of the open source
dkim-milter package developed and maintained by Sendmail, Inc.
2010-10-19 23:11:42 +00:00