* add JavaScript dependencies listed in jsdeps.json
* put them on /pub/pkgsrc/distfiles/roundcube to avoid checksum error due
to archive automatic generation (e.g. tinymce_languages.zip)
* remove patch-ac
* add example configuration fragment for www/lighttpd
CHANGELOG Roundcube Webmail
===========================
RELEASE 1.3.6
-------------
- Fix parsing date strings (e.g. from a Date: mail header) with comments (#6216)
- Fix PHP 7.2: count(): Parameter must be an array in enchant-based spellchecker (#6234)
- Fix possible IMAP command injection and type juggling vulnerabilities (#6229)
- Enigma: Fix key selection for signing
- Enigma: Enable keypair generation on Internet Explorer 11
- Fix check_request() bypass in places using get_uids() [CVE-2018-9846] (#6238)
- Fix bug where usernames without domain part could be malformed or converted to lower-case on logon (#6224)
RELEASE 1.3.5
-------------
- Managesieve: Fix bug where text: syntax was forced for strings longer than 1024 characters (#6143)
- Managesieve: Fix missing Save button in Edit Filter Set page of Classic skin (#6154)
- Fix duplicated labels in Test SMTP Config section (#6166)
- Fix PHP Warning: exif_read_data(...): Illegal IFD size (#6169)
- Enigma: Fix key generation in Safari by upgrade to OpenPGP 2.6.2 (#6149)
- Fix security issue in remote content blocking on HTML image and style tags (#6178)
- Added 9pt and 11pt to the list of font sizes in HTML editor
- Fix handling encoding of HTML tags in "inline" JSON output (#6207)
- Fix bug where some unix timestamps were not handled correctly by rcube_utils::anytodatetime() (#6212)
RELEASE 1.3.4
-------------
- Fix bug where contacts search could skip some records (#6130)
- Fix possible information leak - add more strict sql error check on user creation (#6125)
- Fix a couple of warnings on PHP 7.2 (#6098)
- Fix broken long filenames when using imap4d server - workaround server bug (#6048)
- Fix so temp_dir misconfiguration prints an error to the log (#6045)
- Fix untagged COPYUID responses handling - again (#5982)
- Fix PHP warning "idn_to_utf8(): INTL_IDNA_VARIANT_2003 is deprecated" with PHP 7.2 (#6075)
- Fix bug where Archive folder wasn't auto-created on login with create_default_folders=true
- Fix performance issue when parsing malformed and long Date header (#6087)
- Fix syntax error in mssql.initial.sql (#6097)
- Fix bug where contacts export by selection returned no more than 10 entries (#6103)
- Fix searching contacts by address in LDAP source (#6084)
- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
RELEASE 1.3.3
-------------
- Fix decoding of mailto: links with + character in HTML messages (#6020)
- Fix false reporting of failed upgrade in installto.sh (#6019)
- Fix file disclosure vulnerability caused by insufficient input validation [CVE-2017-16651] (#6026)
- Fix mangled non-ASCII characters in links in HTML messages (#6028)
RELEASE 1.3.2
-------------
- Improve detection for Edge browser and add pointer event support (#5922)
- Fix bug where pink image was used instead of a thumbnail when image resize fails (#5933)
- Fix so files size/count limit is verified (client-side) also on drag-n-drop uploads (#5940)
- Fix invalid template loading on a message error in preview frame (#5941)
- Fix bug where HTML messages could have been rendered empty on some systems (#5957)
- Fix wording of "Mark previewed messages as read" to "Mark messages as read" (#5952)
- Enigma: Fix decryption of messages encoded with non-ascii charset (#5962)
- Fix missing cursor in HTML editor on mail reply (#5969)
- Fix (again) bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where mail search could return empty result on servers without SORT capability (#5973)
- Fix bug where assets_path wasn't added to some watermark frames
- Fix so untagged COPYUID responses are also supported according to RFC6851 (#5982)
- Fix issue caused by non-default session.cookie_lifetime setting (#5961)
- Fix Edge encoding bug when pasting text into the HTML editor, update to TinyMCE 4.5.8 (#5885)
- Fix handling of unknown Content-Disposition type (#6002)
- Fix truncated folder name on messages list in multi-folder mode, for folders with non-ascii characters (#6004)
- Fix bug where removing the last subfolder did not hide toggle button on its parent record (#6007)
- Fix bug where ghost messages could be added to the list after fast delete (#5941)
RELEASE 1.3.1
-------------
- Don't ignore (global) userlogins/sendmail logs in per_user_logging mode
- Add Preferences > Mailbox View > Main Options > Layout (#5829)
- Password: Fix compatibility with PHP 7+ in cpanel_webmail driver (#5820)
- Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838)
- Managesieve: Fix AM/PM suffix in vacation time selectors
- Managesieve: Fix bug where 'exists' operator was reset to 'contains' (#5899)
- Remove non-printable characters from filenames on download/display (#5880)
- Fix decoding non-ascii attachment names from TNEF attachments (#5646, #5799)
- Fix uninitialized string offset in rcube_utils::bin2ascii() and make sure rcube_utils::random_bytes() result has always requested length (#5788)
- Fix bug where HTML messages with @media styles could modify style of page body (#5811)
- Fix style issue on selected and unfocused message that is part of a thread (#5798)
- Fix bug where a.button style from managesieve plugin could impact other elements (#5800)
- Fix position of selected icon for (Mailvelope) Encrypt button
- Fix fatal error when using DMY- or MDY-based date format in PostgreSQL (#5808)
- Fix bug where errors were not printed when using bin/update.sh (#5834)
- Fix PHP 7.2 warnings on count() use (#5845)
- Fix bug where Chrome could not upload the same file that was selected before (#5854)
- Fix duplicate messages on the list after deleting messages on the next to the last page (#5862)
- Fix bug where messages count was not updated after delete when imap_cache is set (#5872)
- Fix potential XSS vulnerability with malformed HTML message markup
- Fix sending message with "Too many public recipients" dialog buttons (#5924)
- Bring back double-click behavior on the message list which was removed in 1.3.0 (#5823)
- Enigma: Fix decrypting an encrypted+signed message when signature verification fails (#5914)
RELEASE 1.3.0
-------------
- Update to TinyMCE 4.5.7
- Fix bug where invalid recipients could be silently discarded (#5739)
- Fix conflict with _gid cookie of Google Analytics (#5748)
- Print error from CLI scripts when system/exec function is disabled (#5744)
- Fix bug where comment notation within style tag would cause the whole style to be ignored (#5747)
- Fix bug where it wasn't possible to scroll folders list in Edge (#5750)
- Fix folders list sorting on Windows - if php-intl is available (#5732)
- Fix addressbook searching by gender (#5757)
- Fix prevention from using % and * characters in folder name (#5762)
- Fix POST parameter reflection in default_charset selector (#5768)
- Enigma: Fix compatibility with assets_dir
- Managesieve: Skip redundant LISTSCRIPTS command
- Fix SQL syntax error on MariaDB 10.2 (#5774)
- Fix bug where zipdownload ignored files with the same name (#5777)
- Fix bug where it wasn't possible to set timezone to auto-detected value (#5782)
RELEASE 1.3-rc
--------------
- "Flattened" the larry theme: fresher look by removing shadows and gradients
- Support logging to php://stdout (#5721)
- Add support for DelSp=Yes in format=flowed messages (#5702)
- Update to jQuery 3.2.1
- Update to TinyMCE 4.5.6
- Plugin API: Call message_part_structure hook for sub-parts of multipart/alternative message (#5678)
- Enigma: Always use detached signatures (#5624)
- Enigma: Fix handling of messages with nested PGP encrypted parts (#5634)
- Minimize unwanted message loading in preview frame on drag (#5616)
- Fix failing database schema check in all engines except mysql (#5730)
- Fix autocomplete popup closing with click outside the input, don't handle Tab key as Enter (#5606)
- Fix jsdeps.json synchronization on update, warn about missing requirements of install-jsdeps.sh (#5598)
- Fix missing thread expand icon on search result in widescreen mode (#5613)
- Fix bug where image data URIs in css style were treated as evil/remote in mail preview (#5580)
- Fix bug where external content in src attribute of input/video tags was not secured (#5583)
- Fix PHP error on update of a contact with multiple email addresses when using PHP 7.1 (#5587)
- Fix bug where mail content frame couldn't be reset in some corner cases (#5608)
- Fix bug where some classic skin images were not displayed in IE/Edge (#5614)
- Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
- Fix regression where groups with email address were resolved to its members' addresses
- Fix update of group name in the contacts list header on group rename (#5648)
- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
- Fix bug where it was too easy to accidentally move a folder when using the subscription checkbox (#5655)
- Managesieve: Fix parser issue with empty lines between comments (#5657)
- Managesieve: Fix possible defect in handling \r\n in scripts (#5685)
- Fix/rephrase "unsaved changes" warning when cancelling a draft (#5610)
- Fix XSS issue in handling of a style tag inside of an svg element [CVE-2017-6820]
- Fix bug where settings/upload.inc could not be used by plugins (#5694)
- Fix regression in LDAP fuzzy search where it always used prefix search instead (#5713)
- Fix bug where namespace prefix could not be truncated on folders list if show_real_foldernames=true (#5695)
- Fix undesired effects when postgres database uses different timezone than PHP host (#5708)
- Installer: Fix DB schema initialization on MS SQL Server
- Fix bug where base_dn setting was ignored inside group_filters (#5720)
- Password: Fix security issue in virtualmin and sasl drivers [CVE-2017-8114]
RELEASE 1.3-beta
----------------
- Nicely handle contact deletion on contact edit (#5522)
- vcard_attachments: Add possibility to attach contact vCard to composed message (#4997)
- Preserve message internal/received date on import in mbox format (#5559)
- Zipdownload: Fix date format in mbox "From line"
- Possibility to display QR code for contacts data (#5030)
- Added identicon plugin
- Widescreen layout aka three column view (#5093)
- Unify automatic marking as \Seen in preview pane, full-page and extwin views (#5071)
- Disable double-click on the list when preview pane is on (#5199)
- Support hostname and hostname:port in force_https option (#5511)
- Support ALLOW-FROM in x_frame_options (#5122)
- Allow to omit a subject when sending an email (#5068)
- Warn about too many disclosed recipients in composed email [max_disclosed_recipients] (#5132)
- identity_select: Support Received header (#5085)
- Plugin API: Added get_compose_responses hook (#5457)
- Display error when trying to upload more files than specified in max_file_uploads (#5483)
- Add missing sql upgrade file for 'ip' column resize in session table (#5465)
- Do not show inline images of unsupported mimetype (#5463)
- Password: Added replacement variables support in password_pop_host (#5539)
- Password: Don't store passwords in temp files when using dovecotpw (#5531)
- Password: Added LDAP PPolicy driver (#5364)
- Password: Added cpanel_webmail driver (#5549)
- Password: Added possibility to nicely redirect from other plugins on password expiration (#5468)
- Implement separate action to mark all messages in a folder as \Seen (#5006)
- Implement marking as \Seen in all folders or in a folder and its subfolders (#5076)
- Archive: Don't reload messages list when it's not needed (#5225)
- Archive: Add option to automatically mark archived messages as \Seen (#5142)
- Improve randomness of password salts and random hashes (#5266)
- Password/cPanel: Add support for hash authentication and reseller accounts (#5252)
- Support host-specific imap_conn_options/smtp_conn_options/managesieve_conn_options (#5136)
- Center and scale images in attachment preview frame (#5421)
- Added max_message_size option enforced when attaching files to a composed message (#4993)
- Added Search button in quick search menus (#5312)
- Implement "one click" attachment/messages/photo upload (#5024)
- Squirrelmail_usercopy: Add option to define character set of data files
- Removed useless 'created' column from 'session' table (#5389)
- Dropped legacy browsers support (#5167)
- Removed legacy_browser plugin
- Removed hacks for IE < 10
- Update to jQuery 3.1.1 and jQuery-UI 1.12.0
- compile .min.js files with ECMASCRIPT5 option
- Require PHP >= 5.4
- Add possibility to preview and download attachments in mail compose (#5053)
- Add possibility to rename attachments in mail compose (#4996)
- Remove backward compatibility "layer" of bc.php (#4902)
- Support WEBP images in mail messages (#5362)
- Support MathML in HTML message preview (#5182)
- Rename Addressbook to Contacts (#5233)
- Remove PHP mail() support, smtp_server is required now (#5340)
- Display full message subject in onmouseover on truncated subject in mail view (#5346)
- Enigma: Support GnuPG 2.1 (#5313)
- Enigma: Support key generation for multiple identities (#5383)
- Enigma: Import keys from key-server(s) (#5286)
- Enigma: Search missing public keys on a key-server in mail compose (#5286)
- Enigma: Delete user keys when using deluser.sh script
- Enigma: Fix redundant list-secret-keys/list-public-keys calls on signing/encryption
- Enigma: Implement PGP encryption and signing in one go (#5302)
- Enigma: Display signature verification status for encrypted+signed messages (#5302)
- Display different attachment icon on encrypted messages
- Display different confirmation text when moving messages to Trash (#5220)
- Indicate that a collapsed thread has flagged children (#5013)
- Implemented message/rfc822 attachment preview
- Update to jsTimezoneDetect 1.0.6
- Managesieve: Add (optional) RAW script editor (#5414)
- Managesieve: Add option to automatically set vacation :from address (#5428)
- Managesieve: Support 'string' test from variables extension [RFC 5229] (#5248)
- Managesieve: Support 'duplicate' extension [RFC 7352]
- Managesieve: Unhide advanced rule controls if there are inputs with errors
- Managesieve: Display warning message when filter form contains errors
- Control search engine crawlers via X-Robots-Tag header instead of <meta> and robots.txt (#5098)
- Fixed redundancy in sql caching system and compatibility with Galera Cluster (#5439)
- Removed redundant 'created' column from cache and cache_shared tables
- Removed use of redundant data records
- Added missing primary keys (dictionary, cache, cache_shared tables)
- Fix so templating system does not mess with external (e.g. email) content (#5499)
- Fix redundant keep-alive/refresh after session error on compose page (#5500)
- Managesieve: Fix handling of scripts with nested rules (#5540)
- Fix variable substitution in ldap host for some use-cases, e.g. new_user_identity (#5544)
- Enigma: Fix PHP fatal error when decrypting a message with invalid signature (#5555)
- Fix adding images to new identity signatures
- Fix rsync error handling in installto.sh script (#5562)
- Fix some advanced search issues with multiple addressbooks (#5572)
- Fix so group/addressbook selection is retained on page refresh
- Fix the build with OpenSSL 1.1.0 backporting a patch from upstream.
- Minor mostly cosmetic changes (pointed out by pkglint)
- Take MAINTAINERship
Bump PKGREVISION
Fix CVE-2018-8741 and more.
- Added ability (and user preference) to return to message list
after moving a message
- Search enhancement: Added ability to search in more than one
header without having to search the body
- Add ability for saved drafts to indicate if they are a reply and
if so, to which message, and mark that message as replied when
the draft is finally sent
- Added option to allow returning to the message one had been
replying to after sending
- Sanitize user-supplied attachment filenames (thanks to Florian
Grunow for reporting this issue) [CVE-2018-8741]
- Allow users who cannot edit their email address but who have
multiple identities to edit all their identities
Notmuch 0.26.2 (2018-04-28)
===========================
Library Changes
---------------
Work around Xapian bug with `get_mset(0,0, x)`.
This causes aborts in `_notmuch_query_count_documents` on
e.g. Fedora 28. The underlying bug is fixed in Xapian commit
f92e2a936c1592, and will be fixed in Xapian 1.4.6.
Make thread indexing more robust against reference loops
Choose a thread root by date in case of reference loops. Fix a
related abort in `notmuch show`.
This is a security update to the stable version 1.2. It fixes a recently
reported vulnerability allowing IMAP command injection via GET parameters.
More details about this are published under CVE-2018-9846.
The second fix is about a missed remote content blocking on HTML messages with
specially crafted image and style tags.
We strongly recommend to update all productive installations of Roundcube
1.2.x. Please do backup your data before updating!
CHANGELOG
* Fix check_request() bypass in places using get_uids() [CVE-2018-9846]
(#6238)
* Fix possible IMAP command injection vulnerability [CVE-2018-9846] (#6229)
* Fix security issue in remote content blocking on HTML image and style tags
(#6178)
Version 4.91
1. Dual-certificate stacks on servers now support OCSP stapling, under GnuTLS
version 3.5.6 or later.
2. DANE is now supported under GnuTLS version 3.0.0 or later. Both GnuTLS and
OpenSSL versions are moved to mainline support from Experimental.
New SMTP transport option "dane_require_tls_ciphers".
3. Feature macros for the compiled-in set of malware scanner interfaces.
4. SPF support is promoted from Experimental to mainline status. The template
src/EDITME makefile does not enable its inclusion.
5. Logging control for DKIM verification. The existing DKIM log line is
controlled by a "dkim_verbose" selector which is _not_ enabled by default.
A new tag "DKIM=<domain>" is added to <= lines by default, controlled by
a "dkim" log_selector.
6. Receive duration on <= lines, under a new log_selector "receive_time".
7. Options "ipv4_only" and "ipv4_prefer" on the dnslookup router and on
routing rules in the manualroute router.
8. Expansion item ${sha3:<string>} / ${sha3_<N>:<string>} now also supported
under OpenSSL version 1.1.1 or later.
9. DKIM operations can now use the Ed25519 algorithm in addition to RSA, under
GnuTLS 3.6.0 or OpenSSL 1.1.1 or later.
10. Builtin feature-macros _CRYPTO_HASH_SHA3 and _CRYPTO_SIGN_ED25519, library
version dependent.
11. "exim -bP macro <name>" returns caller-usable status.
12. Expansion item ${authresults {<machine>}} for creating an
Authentication-Results: header.
13. EXPERIMENTAL_ARC. See the experimental.spec file.
See also new util/renew-opendmarc-tlds.sh script for use with DMARC/ARC.
14. A dane:fail event, intended to facilitate reporting.
15. "Lightweight" support for Redis Cluster. Requires redis_servers list to
contain all the servers in the cluster, all of which must be reachable from
the running exim instance. If the cluster has master/slave replication, the
list must contain all the master and slave servers.
16. Add an option to the Avast scanner interface: "pass_unscanned". This
allows to treat unscanned files as clean. Files may be unscanned for
several reasons: decompression bombs, broken archives.
NEWS:
Changes of Sylpheed
* 3.7.0 (stable)
* The message catalogs were updated.
* 3.7.0beta1 (development)
* The function to export the address book to CSV files was added.
* 'Nick Name' column was added to the address book.
* Context menu was added to the search result of the query search dialog.
* When attaching UTF-16 text files, they are automatically converted
into UTF-8 now.
* Show original From on the summary view if the display-name seems to
be an e-mail address.
* The bug that wrong reply target could be selected when the summary was
sorted by the unread flag (#286).
* Win32: the bug that Japanese characters were overlapped on printings
with some font settings was fixed.
* Win32: the bug that empty lines were not properly spaced on printings
with some font settings was fixed.
Notmuch 0.26.1 (2018-04-02)
===========================
Library Changes
---------------
Bump the library minor version. This should have happened in 0.26, but
better late than never.
This is a bug fix release. Fixes include:
* GPGME S/MIME non-detached signature handling.
* A compilation issue with ncurses-6.1 when tinfow is split out.
Hopefully the fix doesn't impact anyone: please let me know of any
issues.
* Regular expression crashes and weird behavior problems on MacOS (and
possibly other BSDs). This was most noticeable with the recent Xcode
9.3 release, but the issue has existed for a while.
* GSSAPI authentication issues, which may have affected Exchange users.
We've changed behavior to match the RFC. If you are negatively
impacted by this, please let me know.
- Changed the filenames of response record files so they sort by time in
a directory listing. This may cause extra responses after upgrading.
- Added support for putting the original sender (%s) and recipient (%r)
in the response message.
- Added support for single file config mode, including the response.
- Fixed handling of MySQL default timestamp value.
- [CritFix] Plug bad memory leak in protocol reply
- [Feature] Add avx2 codec for base64
- [Feature] Add method to receive all URL flags from Lua API
- [Feature] Allow to fold headers on stop characters
- [Feature] Allow to set lua_cpath from options
- [Feature] Allow to specify custom rejection message in milter
- [Feature] Deal with unnormalised Unicode obfuscation
- [Feature] Do not detect language twice for relative parts
- [Feature] Implement oversigning feature
- [Feature] Implement silent logging level to minimize noise in logs
- [Feature] Improve URL_IN_SUBJECT rule
- [Feature] Use hashing to reduce redis attack surface
- [Fix] Add oversigning for the most important headers
- [Fix] add 'rewrite subject' to History dropdown
- [Fix] Another fix in folding algorithm
- [Fix] Do not call multimap addr for parts of addr if filter is
presented
- [Fix] Do not clean hostname on generic reset
- [Fix] Do not create pid file in no-fork mode
- [Fix] Fix fold_after case to preserve multiple spaces
- [Fix] Fix folding and folding tests
- [Fix] Fix hostname usage in milter mode
- [Fix] Fix lua RSA verify and its tests
- [Fix] Fix metadata exporter send_mail backend (#2124)
- [Fix] Fix processing of '\v' in libucl
- [Fix] Fix schemaless URLs detection
- [Fix] Fix support of multiple headers in sign_header
- [Fix] Fix usage of util.parse_mail_address
- [Fix] Fix weights of dynamic squeezed rules
- [Fix] Leak from bucket before checking the burst
- [Fix] Stop using own localtime as DST could be messy in many cases
- [Fix] Treat unnormalised URLs as obscured
- [Rework] Restore leaky bucket model in ratelimit plugin
- [WebUI] Add messages total to throughput summary
- [WebUI] Add symbols order selector to history
- [WebUI] Config: Load list on demand
- [WebUI] Fix modalBody for maps that appear more than once
- [WebUI] History: Fix Tooltips on paging, filtering and sorting
- [WebUI] Remove a previously-attached event handler
- [WebUI] Update D3 to v5.0.0 and jQuery to v3.3.1
Changelog:
Fixed Searching message bodies of messages in local folders,
including filter and quick filter operations, did not find
content in message attachments
Fixed Better error handling for Yahoo accounts
Fixed Various security fixes
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5144: Integer overflow during Unicode conversion
#CVE-2018-5146: Out of bounds memory write in libvorbis
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
and Thunderbird 52.7
#CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
Thunderbird 52.7
- [Feature] Store emails in Clickhouse
- [Feature] Support single quotes in config
- [Feature] Use templates when publishing CH schema
- [Feature] Improve Docker image
- [Fix] Add rounding when printing a lot of FP variables
- [Fix] Allow to disable certain actions by assigning null to them
- [Fix] Disable results caching
- [Fix] Fix disabling of squeezed symbols
- [Fix] Fix scan time set
- [Fix] Rework logic of actions setting
- [Fix] Try to fix various Lua stack issues
- [WebUI] Add link tag for favicon.ico
- [WebUI] Display hostname:port/path in the page title
- [CritFix] Fix lowercase comparison
- [CritFix] Timezone defines seconds WEST UTC not East
- [Feature] Add filename to log format
- [Feature] Add lua rules squeezing
- [Feature] Add related symbols analysis to rspamd_stats
- [Feature] Remove upstream `X-Spam: Yes` header by default
- [Feature] rspamd_stats: Output progress info on STDERR
- [Feature] Whitelist for emails module
- [Fix] Do not allow dependencies on self
- [Fix] Do not cache metric result
- [Fix] Do not trust all issuers as a client certificate
- [Fix] Fix dependencies in lua squeeze
- [Fix] Fix enabling/disabling squeezed rules
- [Fix] Fix enabling/disabling symbols
- [Fix] Fix external dependencies
- [Fix] Fix processing of a single compressed file
- [Fix] Fix some typos
- [Fix] Fix various modules in case of empty message
- [Fix] Handle callbacks that return table of options
- [Fix] Improve cached action interaction
- [Fix] Make dynamic conf more NaN aware
- [Fix] Never hide actions from WebUI `configuration` tab
- [Project] Implementation of Lua rules squeezing
Postfix stable release 3.3.0 is available. This release ends support
for legacy release Postfix 2.11.
The main changes are:
* Dual license: in addition to the historical IBM Public License
1.0, Postfix is now also distributed with the more recent Eclipse
Public License 2.0. Recipients can choose to take the software
under the license of their choice. Those who are more comfortable
with the IPL can continue with that license.
* The postconf command now warns about unknown parameter names
in a Postfix database configuration file. As with other unknown
parameter names, these warnings can help to find typos early.
* Container support: Postfix 3.3 will run in the foreground with
"postfix start-fg". This requires that Postfix multi-instance
support is disabled (the default). To collect Postfix syslog
information on the container's host, mount the host's /dev/log
socket into the container, for example with "docker run -v
/dev/log:/dev/log ...other options...", and specify a distinct
Postfix syslog_name setting in the container (for example with
"postconf syslog_name=the-name-here").
* Milter support: applications can now send RET and ENVID parameters
in SMFIR_CHGFROM (change envelope sender) requests.
* Postfix-generated From: headers with 'full name' information
are now formatted as "From: name <address>" by default. Specify
"header_from_format = obsolete" to get the earlier form "From:
address (name)".
* Interoperability: when Postfix IPv6 and IPv4 support are both
enabled, the Postfix SMTP client will now relax MX preferences
and attempt to schedule similar numbers of IPv4 and IPv6
addresses. This works around mail delivery problems when a
destination announces lots of primary MX addresses on IPv6, but
is reachable only over IPv4 (or vice versa). The new behavior
is controlled with the smtp_balance_mx_inet_protocols parameter.
* Compatibility safety net: with compatibility_level < 1, the
Postfix SMTP server now warns for mail that would be blocked
by the Postfix 2.10 smtpd_relay_restrictions feature, without
blocking that mail. There still is a steady trickle of sites
that upgrade from an earlier Postfix version.
Action Mailer is a framework for designing email-service layers. These layers
are used to consolidate code for sending out forgotten passwords, welcome
wishes on signup, invoices for billing, and any other use case that requires
a written notification to either a person or another system.
Action Mailer is in essence a wrapper around Action Controller and the
Mail gem. It provides a way to make emails using templates in the same
way that Action Controller renders views using templates.
Additionally, an Action Mailer class can be used to process incoming email,
such as allowing a weblog to accept new posts from an email (which could even
have been sent from a phone).
This is for Ruby on Rails 5.1.
1.03 Thu Mar 15 21:55:30 2018
- update dovecot parser from dovecot version 2.3.0.1
- fix reading from uninitialized memory when formatting invalid address without user or host part
- fix formatting email address which user part starts with null byte
- do not generate invalid email addresses by format functions, rather return empty string
1.1.0:
+ Changed from distutils to setuptools because it's the future
+ Implement RFC 7601 SHOULD to ignore unknown method identifiers (2.7.6):
+ Discard unknown ptypes and associated properties
+ Added tests to document errors raised by different kinds of broken header
fields
Version 2.7.0 (2017-10-31)
Security:
* #1097 – SMTP security: prevent command injection via To/From addresses.
(jeremy)
Features:
* #647 – IMAP: specify IMAP server search charset with
Mail.find(search_charset: 'UTF-8'). (yalab)
* #650 - UTF-7 charset support. (johngrimes)
* #664 - RSpec: with_html and with_text matchers. (zakkie)
* #723 – IMAP: support `enable_starttls: true` for TLS upgrade on
non-IMAPS/SSL servers. (doits)
* #804 - Configurable SMTP open_timeout and read_timeout. (ankane)
* #853 - `Mail::Message#set_sort_order` overrides the default message part
sort order. (rafbm)
* #856 - Added :logger delivery method. (zacholauson)
* #900 - Support non-instance_eval builder API. Yield self to Mail.new if the
provided block takes any arguments. (taavo)
* #1065 - Require STARTTLS using :enable_starttls. (bk2204)
* #1002 - Transcoding replaces invalid chars with "�" instead of discarding
them. (kjg)
* #1053 - Ruby 2.4.0 compatibility. Fixnum+Bignum unified as
Integer. (peterkovacs)
* #1094 - Core extensions removal: Drop `String#at`, `from`, `last` and
`is_utf8?` since they are no longer used by Mail internals. (metcalf)
* #1095 - Core extensions removal: Drop `String#mb_chars`, `not_ascii_only?`,
`constantize`, `first`, `to` to avoid monkey patching the standard
library. (metcalf)
* #1111 - Mail::Field.parse API which deprecates calling Mail::Field.new with
unparsed header fields. (jeremy)
* #1117 - Configurable POP3 read_timeout. (hspazio)
Performance:
* #1059 - Switch from mime-types to mini_mime for a much smaller memory
footprint. (SamSaffron)
* #1119 - Speed up large attachment encoding by memoizing slow ASCII-only
checks. (dalibor)
Compatibility:
* #464 - Improve attachment filename detection by preferring
Content-Disposition filename. (lawrencepit)
* #535 - IMAP: fetch messages WITH IMAP FLAGS by passing a block with four
args. (lawrencepit)
* #558 - Parser: cope with unknown charsets in header fields by falling back
to ASCII. (boesemar)
* #655 - Sort attachments to the end of the parts list to work around email
clients that may mistake a text attachment for the message body. (npickens)
* #683 - SMTP: Work around Net::SMTP dot-stuffing bug with unterminated
newlines on Ruby 1.8 and 1.9. (yyyc514)
* #766 - No longer strip 'Subject: ' from legit subject lines. (grosser)
* #982 – Faithfully preserve unfolded whitespace rather than collapsing to a
single space. (jeremy)
* #1103 – Support parsing UTF-8 headers. Implements RFC 6532. (jeremy)
* #1106 – Limit message/rfc822 parts' transfer encoding per RFC 2046. (ahorek)
* #1112 – Support Windows-1258 charset by parsing it as Windows-1252 in
Ruby. (jeremy)
* #1114 – Setting `mail.body = …` on a multipart message now adds a new text
part instead of adding a raw MIME part. (jeremy)
* #1159 – Parse emails with \n newlines so long as they have no binary
content. (jeremy)
Bugs:
* #539 - Fix that whitespace-only continued headers would be incorrectly
parsed as the break between headers and body. (ConradIrwin)
* #605 - Fix Mail::Address#name for nil addresses (peterkovacs)
* #684 - Fix recursively fetching attachments from an embedded message/rfc822
part whose Content-Type header has additional parameters. (vongruenigen)
* #689 - Fix Exim delivery method broken by #477 in 2.5.4. (jethrogb)
* #792 - Allow blank filenames in Content-Disposition field.
(robinroestenburg)
* #876 - Strip valid RFC-1342 separator characters between non-matching
encoded-words. (Caleb W. Corliss)
* #895 - Fix that Mail::Message#add_file was adding a stray filename
header. (kirikak2)
* #923 – Fix decoding nested quotes around non-US-ASCII addresses. (averell23)
* #978 - Fix for invalid chars being left in a string for invalid b_value from
encoding. (kjg)
* #996 - Fix that multipart/mixed emails with a delivery-status part could be
interpreted as bounces. (kjg)
* #998 - Fix header parameter parsing (such as attachment names) for values
encoded with a blank charset or language code. (kjg)
* #1000 - Fix header parameter parsing (such as attachment names) to transcode
to UTF-8 (kjg)
* #1003 - Fix decoding some b encoded headers on specific rubies that don't
account for lack of base64 padding (kjg)
* #1020 - Don't set SMTP verify mode to nil when config was not
provided. (jhass)
* #1023 - Fix double-quoting in display names. (garethrees)
* #1032 - Fix that comparing messages changed their raw Message-ID to their
parsed message_id. (bobjflong)
* #1074 - Fix that the first address in a list is dropped when a subsequent
address has non-US-ASCII characters. (domininik)
* #1107 - Fix Address#display_name and other formatting flip-flopping between
encoded and decoded forms depending on whether #encoded or #decoded was
called last. (jeremy)
* #1110 - Fix that Mail::Multibyte::Chars#initialize mutated its argument by
calling force_encoding on it. (jeremy)
* #1122 – Fix that tilde (~) shouldn't be escaped for Exim delivery. (Benabik)
* #1113 - Eliminate attachment corruption caused by CRLF conversion. (jeremy)
* #1131 - Fix that Message#without_attachments! didn't parse the remaining
parts. (jeremy)
* #1019 - Fix b value encoder incorrectly splitting multibyte characters.
(Kenneth-KT)
* #1157 - Fix base64 attachment transfer encoding being overridden by
quoted-printable. (dalibor)
- [Conf] Add bayes_expiry as explicit module
- [Conf] Adjust names and weights for neural network plugin
- [Conf] Change updates url
- [Conf] Default statistics is stored in Redis now
- [Conf] Disable fann_redis module by default
- [Conf] Fix default elastic configuration
- [Conf] Fix double quote position
- [Conf] Massive config rework for new structure of symbols and scores
- [Conf] Rename Rambler BLs as they are now Rspamd's ones
- [Conf] Use dedicated rspamd.com subdomains
- [Conf] Use more data from rspamd.com fuzzy storage
- [CritFix] Add sanity guards for badly broken HTML
- [CritFix] Another errors path handling fix
- [CritFix] Another portion of tokenization fixes
- [CritFix] Do not send reject messages after set reply
- [CritFix] Fix ARC chain verification
- [CritFix] Fix crash in milter errors handler
- [CritFix] Fix memory leak in spf caching logic
- [CritFix] Fix milter commands pipelining
- [CritFix] Fix newlines detection
- [CritFix] Fix semicolons parsing in the content type
- [CritFix] Plug memory leak in zstd protocol compression
- [Feature] Add ability to match score in force_actions module
- [Feature] Add aes-rng PRF to libottery
- [Feature] Add 'composites' debug module
- [Feature] Add concept of experimental modules
- [Feature] Add DKIM trace symbol
- [Feature] Add EBL to the default config
- [Feature] Add expected ip check for emails plugin
- [Feature] Add framework to manage Redis scripts
- [Feature] Add framing for the new reputation generic plugin
- [Feature] Add function to show plugins stat
- [Feature] Add gzip compression support for clickhouse module
- [Feature] Add gzip compression support for rspamd controller
- [Feature] Add gzip support when sending lua http requests
- [Feature] Add json output for rspamd_stats
- [Feature] Add method to do a synchronous Redis connection
- [Feature] Add method to get all content-type attributes in Lua
- [Feature] Add `-m` flag to configdump to show modules states
- [Feature] Add mime types to extensions map
- [Feature] Add more features to rescore utility
- [Feature] Add more gtube like patterns to test other spam actions
- [Feature] Add more metafunctions, improve logging
- [Feature] Add more text attributes
- [Feature] Add new configwizard command to rspamadm
- [Feature] Add new tooling for stats conversion
- [Feature] Add old groups migration tool
- [Feature] Add plugins state variable
- [Feature] Add preliminary ecdsa keys support in DKIM
- [Feature] Add preliminary support of idempotent symbols
- [Feature] Add Redis server wizard
- [Feature] Add routine to convert old style stats to a new one
- [Feature] Add some sanity checks for actions and controller
- [Feature] Add statistic conversion module to configwizard
- [Feature] Add suggestions logic to mempool allocator
- [Feature] Add support of config transform in Lua
- [Feature] Add timeout to rspamc when doing corpus test
- [Feature] Add tooling to convert bayes schemas
- [Feature] Add torch conditional to configuration
- [Feature] Add torch-decisiontree package
- [Feature] Add torch-optim contrib package
- [Feature] Add TTL autodetection
- [Feature] Add urls reputation to the reputation framework
- [Feature] Allow floating and negative values in expressions limits
- [Feature] Allow multiple CTs in full extensions map
- [Feature] Allow multiple fann rules
- [Feature] Allow randomly select User-Agent from a list
- [Feature] Allow rspamadm commands to export methods in Lua
- [Feature] Allow rule specific min_bytes in fuzzy check
- [Feature] Allow to adjust symbols scores from Lua
- [Feature] Allow to attach stat signature to messages
- [Feature] Allow to change SMTP from via milter headers
- [Feature] Allow to configure monitored
- [Feature] Allow to create directories in Lua API
- [Feature] Allow to disable torch and skip train samples for ANN
- [Feature] Allow to discard messages dynamically
- [Feature] Allow to enable/disable languages from the detector
- [Feature] Allow to generate DKIM keys from rspamadm API
- [Feature] Allow to get CPU flags from Lua
- [Feature] Allow to have high precision timestamps in logs
- [Feature] Allow to insert headers into specific position
- [Feature] Allow to limit redirector requests per task
- [Feature] Allow to load and use dynamic ANNs with torch
- [Feature] Allow to quarantine rejected messages using milter
interface
- [Feature] Allow to receive signing keys from mempool vars
- [Feature] Allow to reserve elements in libucl
- [Feature] Allow to reuse signal handlers chains
- [Feature] Allow to set custom mempool variables from settings
- [Feature] Allow to set headers from settings
- [Feature] Allow to set Settings-Id for all connections
- [Feature] Allow to skip real action and add a header instead
- [Feature] Allow to skip specific hashes in fuzzy storage
- [Feature] Allow to spawn asynchronous processes from Lua
- [Feature] Allow to specify number of threads for ANN learning
- [Feature] Allow to use global lua maps in settings
- [Feature] Allow to use postfilters in composites
- [Feature] Allow to verify signatures from HTTP headers in maps
- [Feature] Antivirus: ordered pattern matches
- [Feature] Authentication-Results: support hiding usernames
- [Feature] Automatically create tables in clickhouse
- [Feature] Catch next-to-last bad extension
- [Feature] Check cached maps more frequently
- [Feature] Check groups sanity
- [Feature] Deal with obscured URLs with @ symbols
- [Feature] Enhance task:store_in_file method
- [Feature] Export password encryption routines to Redis
- [Feature] Filter nan and inf when adding scores
- [Feature] Finalize 7zip files support
- [Feature] Further improvements in language detection
- [Feature] Further improvements in language detection algorithm
- [Feature] Generic key name expansion for Redis keys
- [Feature] Hash whitelist for fuzzy_check
- [Feature] Implement bayes signatures storage
- [Feature] Implement buckets for Redis backend
- [Feature] Implement DKIM reputation adjustments
- [Feature] Implement forked workers children monitoring
- [Feature] Implement headers flags in mime parser
- [Feature] Implement l1/l2 regularization against the current weights
- [Feature] Implement manual ANN train mode
- [Feature] Implement per-user ANN support
- [Feature] Implement torch based ANN learning
- [Feature] Implement upstreams logic for clickhouse exporter
- [Feature] Import torch to Rspamd...
- [Feature] Improve allocation policy when interacting with Lua
- [Feature] Improve Lua/C interaction in history_redis
- [Feature] Improve multiple fuzzy results combining
- [Feature] Improve parsing of DKIM keys: parse algorithm
- [Feature] Improve subprocesses termination handle
- [Feature] Improve symbol type parsing in Lua API
- [Feature] Metadata Exporter: e-Mail Alerts: support multiple
recipients; alerting senders/recipients/users
- [Feature] Milter headers: support adding/removing arbitrary headers
from config
- [Feature] More metatokens
- [Feature] Multimap: checking of symbol options
- [Feature] Multimap: template URL filter
- [Feature] New bayes expiry plugin
- [Feature] Periodically save rspamd stats to disk
- [Feature] Preliminary import of the elasticsearch module
- [Feature] Ratelimit: allow full addresses in whitelisted_rcpts
- [Feature] Ratelimit: support fetching limits from Redis
- [Feature] RBL: received: filtering by position & flags
- [Feature] Read global maps for lua
- [Feature] Redis settings: support checking multiple keys
- [Feature] Rework fann plugin to be a normal post-filter
- [Feature] Rework logging configuration for rspamadm case
- [Feature] Rework short hashes generation to avoid FP
- [Feature] Save real ucl types when exporting to Lua
- [Feature] Set TCP_NODELAY for milter sockets
- [Feature] Setup DKIM signing from configwizard
- [Feature] Skip certain symbols from ANN classify
- [Feature] Store plugins state
- [Feature] Support etag for HTTP maps
- [Feature] Support Expires header when using HTTP maps
- [Feature] Support sending given header multiple times in lua_http
- [Feature] Support sha512 in DKIM signatures
- [Feature] Try to detect HTML messages better
- [Feature] Use array instead of queue to reduce memory fragmentation
- [Feature] Use controller port by default when connecting to local IP
- [Feature] Use rdtsc where possible
- [Fix] Actively load skip hashes map in fuzzy storage
- [Fix] Add another workaround to display history properly
- [Fix] Add definition for old glib compatibility method
- [Fix] Add missing rspamadm control options to help
- [Fix] Add workaround for IPv6 in sendmail
- [Fix] Add workaround for system with non-XSI compatible tzset
- [Fix] Allow oversigning in DKIM signatures
- [Fix] Allow to check negative scores in force_actions
- [Fix] Allow to have negative actions limits
- [Fix] Allow to set any layers number for fann rules
- [Fix] Another fix for rdtsc
- [Fix] Another fix to lua xmlrpc
- [Fix] Another try to deal with #1998
- [Fix] Another try to fix #1998
- [Fix] Another try to fix threading in torch
- [Fix] Apply language detection when adding fuzzy hashes
- [Fix] ARC: Fix Lua 5.3 compatibility; timestamp should be integer
- [Fix] Authentication Results: Fix SPF smtp.mail_from
- [Fix] Auth-Results: Multiple DKIM signatures
- [Fix] Avoid changing content-transfer-encoding header's value
- [Fix] Better handling of the legacy protocol
- [Fix] Check decoded headers sanity (e.g. by excluding \0)
- [Fix] Check for magic when checking for an archive
- [Fix] Cleanup mess with groups
- [Fix] Clickhouse: Insertion in the symbols table
- [Fix] Crash in URL processing
- [Fix] Deal with another case when processing exceptions
- [Fix] Deal with deeply nested messages more aggressively
- [Fix] Deal with nan and inf encoding in json/ucl
- [Fix] Deal with non-key arguments in lua_redis.exec_script
- [Fix] Deal with unknown weight
- [Fix] Deal with URLs with no slashes after protocol
- [Fix] Deal with URLs wrapped in [] in text parts
- [Fix] Deal with zero scores symbols
- [Fix] Default monitoring domain for surbl plugin
- [Fix] Delay upstream re-resolving when one upstream is defined
- [Fix] Detection of maillist optimized and fixed
- [Fix] DKIM signing: allow for auth_only to be false
- [Fix] DMARC: require report_settings for sending reports only
- [Fix] Do not allow garbage when checking url domain
- [Fix] Do not cache SPF records with PTR elements
- [Fix] Do not constantly re-resolve failed upstreams with a single
element
- [Fix] Do not crash if no words defined
- [Fix] Do not crash on empty subtype
- [Fix] Do not expose spamtrap messages to SMTP reply
- [Fix] Do not fail rbl plugin when there are no received or emails
- [Fix] Do not ignore short words
- [Fix] Do not include idempotent/nostat symbols to checksum
- [Fix] Do not override groups when converting metrics
- [Fix] Do not override unix socket group when group comes before
owner
- [Fix] Do not skip the last character
- [Fix] Do not spawn too many workers by default
- [Fix] Do not stop monitored on dns errors
- [Fix] Do not stop parsing headers on bad IP header
- [Fix] Do not strip last character in the last word
- [Fix] Do not treat script content as text
- [Fix] Do not try to connect to non-supported addresses
- [Fix] Do not try to dereference last character
- [Fix] Do not try to sign unknown domains
- [Fix] Don't use whitelist/greylist maps as regexp, but as map
- [Fix] Erase unknown HTML entities
- [Fix] Exim Received header protocol parsing
- [Fix] First load selector_map and path_map. And only return false
when domain not found if try_fallback is false
- [Fix] Fix a lot of FP in chartable in mixed languages
- [Fix] Fix ANN checks
- [Fix] Fix ANN loading logic
- [Fix] Fix another tokenization issue
- [Fix] Fix autolearn parameters reading
- [Fix] Fix bad archive characters stripping
- [Fix] Fix bad extension check
- [Fix] Fix bayes schema conversion
- [Fix] Fix blacklists and DMARC in whitelist
- [Fix] Fix brain-damaged torch build system
- [Fix] Fix build on FreeBSD
- [Fix] Fix clickhouse exporter
- [Fix] Fix clickhouse schema
- [Fix] Fix comparison
- [Fix] Fix composites processing
- [Fix] Fix connecting to a unix socket in rspamadm statconvert
- [Fix] Fix couple of warnings
- [Fix] Fix crashes in the rspamd_control path
- [Fix] Fix deletion from hash
- [Fix] Fix DKIM forgeries via multiple headers
- [Fix] Fix dynamic conf plugin
- [Fix] Fix emails detection
- [Fix] Fix empty headers simple canonicalization
- [Fix] Fix empty threshold check in greylisting module
- [Fix] Fix encrypted legacy reply in fuzzy storage
- [Fix] Fix enormous scores for R_WHITE_ON_WHITE
- [Fix] Fix exceptions list in surbl
- [Fix] Fix *_EXCESS_BASE64 rules
- [Fix] Fix expire rounding
- [Fix] Fix extra hits in PCRE mode for regular expressions
- [Fix] Fix format strings
- [Fix] Fix get_content method
- [Fix] Fix groups override when defining symbols
- [Fix] Fix learned count in new schema
- [Fix] Fix learn errors propagation
- [Fix] Fix loading of per-user redis backend for statistics
- [Fix] Fix logging buffer corruption in case of repeated messages
- [Fix] Fix lua cached elements invalidation
- [Fix] Fix merging of the implicit arrays
- [Fix] Fix mime_types scoring
- [Fix] Fix multiple headers in DKIM headers list
- [Fix] Fix null callee case in clang plugin
- [Fix] Fix obscured url in format user@@example.com
- [Fix] Fix parsing of the per-user script
- [Fix] Fix priorities in rspamd_update, disable rules execution
- [Fix] Fix processing of closed tags
- [Fix] Fix processing of idempotent rules when autolearn fails
- [Fix] Fix processing of multipart parts with no headers
- [Fix] Fix processing of skip-hashes in fuzzy storage
- [Fix] Fix PTR processing in SPF
- [Fix] Fix pushing country to clickhouse asn table
- [Fix] Fix random forests module
- [Fix] Fix real IP parsing for some strange Exim received
- [Fix] Fix Redis timeout setup
- [Fix] Fix reload crash when hyperscan is enabled
- [Fix] Fix reusing of redis connection after exec
- [Fix] Fix sanity checks on macro value
- [Fix] Fix setting of path and cpath for Lua
- [Fix] Fix setting of signals when spawning a thread
- [Fix] Fix text splitting: stack overflow (too many captures)
- [Fix] Fix ticks processing
- [Fix] Fix upstream addrs updating
- [Fix] Fix urls/emails distinguishing found in queries
- [Fix] Fix user settings check
- [Fix] Fix variable increment
- [Fix] Fix various issues in stat_convert
- [Fix] F-PROT Antivirus infection string for all known occurrences
- [Fix] F-PROT Antivirus: only check return code to determine
infection
- [Fix] Further fixes around floating point expressions
- [Fix] Further fixes to ANN module
- [Fix] Further fixes to rescore tool
- [Fix] Further fixes to support ES 6
- [Fix] Further tokenization fixes
- [Fix] Greylisting set phase is not idempotent
- [Fix] Handle proxy copy errors
- [Fix] Header checks: Fix get_raw_header method
- [Fix] Header checks: REPLYTO_UNPARSEABLE rule
- [Fix] Kill spawned processes on termination
- [Fix] Load skip map from all processes as shared cache is
unavailable
- [Fix] Lowercase HTTP headers to make them searchable from Lua
- [Fix] Lowercase words
- [Fix] Lua_http: freeing
- [Fix] Lua: lpeg to be loaded with rspamd_lua_add_preload, to avoid
"rspamd_config_read: rcl parse error: cannot init lua file [...]
module 'lpeg' not found"
- [Fix] Map absence is not an error
- [Fix] Metadata exporter: check IP sanity
- [Fix] Milter headers: custom headers: removing headers
- [Fix] Milter headers: skip_local / skip_authenticated settings
- [Fix] Milter headers: X-Spamd-Result header if X-Virus ran first
- [Fix] mime_types: fix next-to-last extension length check
- [Fix] More hacks to deal with old configs
- [Fix] Move composites second pass to the dedicated stage
- [Fix] Multimap: received: filtering of artificial header
- [Fix] Multiple fixes in torch based ANN plugins
- [Fix] Once more fix bad extension check
- [Fix] Optimize rspamd_fstring_t reallocations
- [Fix] options.local_networks setting
- [Fix] Parse HREF urls without explicit prefix
- [Fix] Plan new event on HTTP errors
- [Fix] Plug another possible memory leak
- [Fix] Plug memory leak
- [Fix] Plug memory leak in lua_tcp
- [Fix] Plug memory leak when setting email addresses from Lua
- [Fix] Propagate learn/stat errors more precisely
- [Fix] Ratelimit: fix whitelisted_rcpts matching
- [Fix] Ratelimit: lowercase email addresses
- [Fix] RBL: received: deal with missing data
- [Fix] Rebalance and slightly rework MX check plugin
- [Fix] Redis key expansion: EVAL: deal with strings
- [Fix] Redis script loading in DMARC; URL tags; URL reputation
- [Fix] Reject invalid bh for DKIM signatures earlier
- [Fix] Relax pem signature detection
- [Fix] Relax unicode properties requirements for chartable module
- [Fix] Remove extra noise from dkim and arc signing
- [Fix] Remove hop-by-hop headers in proxy
- [Fix] Remove incorrect method `task:set_metric_subject`
- [Fix] Replace space like characters in headers with plain space
- [Fix] Restore old style ratelimits support
- [Fix] Rework elasticsearch plugin
- [Fix] Rewriting subjects via force actions module
- [Fix] RPM postinstall
- [Fix] Sanitize IP in history redis
- [Fix] Select the correct signature when doing simple canon
- [Fix] Set CLOEXEC flag on files opened
- [Fix] Setting check_local / check_authed in plugins
- [Fix] Settings: avoid checking invalid IP
- [Fix] Settings: header: deal with multiple settings
- [Fix] Skip checks if both extensions are not bad
- [Fix] Skip nostat tokens when get number of tokens
- [Fix] Some more fixes towards emails detection
- [Fix] SpamAssassin: Fail check_freemail_header if regexp didn't
match
- [Fix] Stop using of g_slice...
- [Fix] Switch rspamadm logging to message level
- [Fix] Symbol 'FANNR_SPAM' has its score defined..
- [Fix] Table parameter for rspamd_config:add_doc()
- [Fix] Treat 'rewrite subject' as spam action
- [Fix] Try harder in passing IPv6 addresses
- [Fix] Try harder to find rfc822 notifications
- [Fix] Try harder to find urls
- [Fix] Use decoded values when parsing mime addresses
- [Fix] Use full URL when making an HTTP request
- [Fix] Use greylisting threshold in greylisting module
- [Fix] Use n_words attribute from ngramms
- [Fix] Use raw urls when sending requests to redirector
- [Fix] Use the right boolean operator on error check
- [Fix] Use weight from map for fuzzy scoring
- [Fix] Various fixes to elastic plugin
- [Fix] Various fixes to fann_redis instantiation
- [Fix] Various improvements in language detection
- [Fix] Virus infection string for F-PROT Antivirus
- [Fix] Virus infection string for F-PROT Antivirus
- [Fix] WebUI: use relative path for savemap
- [Fix] WHITE_ON_WHITE: Ensure score is matched to part that fired the
rule
- [Fix] Write configuration changes as UCL config
- [Project] Add detection logic for words
- [Project] Add fast debug logging infrastructure
- [Project] Add more flags to languages
- [Project] Add n-gramms data files
- [Project] Add ngramms frequencies detector
- [Project] Add random words selection logic
- [Project] Add unigramms to language detection as well
- [Project] Convert all C modules to fast debug infrastructure
- [Project] Detect some languages based on unicode script
- [Project] Enable fast debug lookup for some modules
- [Project] Enable language detector init in scanner workers
- [Project] Further improvements to language detector
- [Project] Implement logic of ngramms application
- [Project] Improve weighting in lang_detection
- [Project] Initialize language detector
- [Project] Preliminary version of ngramms based language detector
- [Project] Preliminary version of the new stat_convert
- [Project] Remove old language detector
- [Project] Rework language detection ngramms structure
- [Project] Start language detection project
- [Project] Start rework of language detection to improve quality
- [Project] Use fast debug logging check
- [Rework] Add frame for new reputation based IP score module
- [Rework] Continue stat_convert rework task
- [Rework] Implement new version of fuzzy replies
- [Rework] Improve readability of xmlrpc API
- [Rework] Kill metrics!11
- [Rework] Ratelimit module
- [Rework] Rename fann_redis to neural plugin
- [Rework] Reorganize mime_types module
- [Rework] Rework rescore utility
- [Rework] Rewrite model and learning logic for rescore
- [Rework] Run post-loads when all initialization is completed
- [Rework] Simplify lua path initialization
- [Rework] Start major stat_convert rework
- [Rework] Start mempool fragmentation reduce project
- [Rework] Start moving of fann redis to torch
- [Rework] Stop embedding rspamadm scripts into C
- [Rework] Use floating point arithmetics in Rspamd expressions
- [Rework] Use frequencies distribution in language detector
- [Rules] Penalise R_BAD_CTE_7BIT for utf8 messages
- [WebUI] Compact graph selectors
- [WebUI] Escape strings inside HTML in history
- [WebUI] Fix message count in throughput summary
- [WebUI] Fix NaNs display on Throughput graph
- [WebUI] Migrate widgets to D3 v4
- [WebUI] Restore passwordless login support
- [WebUI] Show symbol descriptions as tooltips in history
- [WebUI] Stop using commas in pie chart tooltips
- [WebUI] Update D3 and jQuery
- [WebUI] Update D3Evolution 1.0.0 -> 1.1.0
pkgsrc changes:
- Update patch-ca to avoid patching unused by pkgsrc `uninstall-*'
targets (not needed) and adjust `installdirs' target to create
`egdir' (`share/examples/nmh')
Changes:
1.7.1
-----
1.7.1 is a patch release for 1.7, and includes fixes to a number of
significant bugs we have discovered since releasing 1.7. Specifically,
this release includes the following bug fixes:
- A significant memory leak in scan(1)
- rcvdist(1) not passing arguments to post(8) correctly
- Number formatting functions in the format engine were not truncating
numbers correctly
- Various fixes to the test suite
Exim version 4.90.1
JH/03 Fix pgsql lookup for multiple result-tuples with a single column.
Previously only the last row was returned.
JH/04 Bug 2217: Tighten up the parsing of DKIM signature headers. Previously
we assumed that tags in the header were well-formed, and parsed the
element content after inspecting only the first char of the tag.
Assumptions at that stage could crash the receive process on malformed
input.
JH/05 Bug 2215: Fix crash associated with dnsdb lookup done from DKIM ACL.
While running the DKIM ACL we operate on the Permanent memory pool so that
variables created with "set" persist to the DATA ACL. Also (at any time)
DNS lookups that fail create cache records using the Permanent pool. But
expansions release any allocations made on the current pool - so a dnsdb
lookup expansion done in the DKIM ACL releases the memory used for the
DNS negative-cache, and bad things result. Solution is to switch to the
Main pool for expansions.
While we're in that code, add checks on the DNS cache during store_reset,
active in the testsuite.
Problem spotted, and debugging aided, by Wolfgang Breyha.
JH/06 Fix issue with continued-connections when the DNS shifts unreliably.
When none of the hosts presented to a transport match an already-open
connection, close it and proceed with the list. Previously we would
queue the message. Spotted by Lena with Yahoo, probably involving
round-robin DNS.
JH/07 Bug 2214: Fix SMTP responses resulting from non-accept result of MIME ACL.
Previously a spurious "250 OK id=" response was appended to the proper
failure response.
JH/10 Bug 2223: Fix mysql lookup returns for the no-data case (when the number of
rows affected is given instead).
JH/12 Bug 2230: Fix cutthrough routing for nonfirst messages in an initiating
SMTP connection. Previously, when one had more recipients than the
first, an abortive onward connection was made. Move to full support for
multiple onward connections in sequence, handling cutthrough connection
for all multi-message initiating connections.
JH/13 Bug 2229: Fix cutthrough routing for nonstandard port numbers defined by
routers. Previously, a multi-recipient message would fail to match the
onward-connection opened for the first recipient, and cause its closure.
JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
a timeout on read on a GnuTLS initiating connection, resulting in the
initiating connection being dropped. This mattered most when the callout
was marked defer_ok. Fix to keep the two timeout-detection methods
separate.
HS/01 Fix Buffer overflow in base64d() (CVE-2018-6789)
JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
metadata, resulting in a crash in free().
PP/01 Fix broken Heimdal GSSAPI authenticator integration.
Broken in f2ed27cf5, missing an equals sign for specified-initialisers.
Broken also in d185889f4, with init system revamp.
Changelog:
Fixed Searching message bodies of messages in local folders, including
filter and quick filter operations, not working reliably:
Content not found in base64-encode message parts, non-ASCII text
not found and false positives found.
Fixed Defective messages (without at least one expected header) not shown
in IMAP folders but shown on mobile devices
Fixed Calendar: Unintended task deletion if numlock is enabled
Fixed Various security fixes
Security fixes:
#CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
#CVE-2018-5096: Use-after-free while editing form elements
#CVE-2018-5097: Use-after-free when source document is manipulated during XSLT
#CVE-2018-5098: Use-after-free while manipulating form input elements
#CVE-2018-5099: Use-after-free with widget listener
#CVE-2018-5102: Use-after-free in HTML media elements
#CVE-2018-5103: Use-after-free during mouse event handling
#CVE-2018-5104: Use-after-free during font face manipulation
#CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
#CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
and Thunderbird 52.6
Small patch release to fix the worst bugs in v2.3.0. v2.3.1 is coming in about a month with a lot more changes.
* CVE-2017-15130: TLS SNI config lookups may lead to excessive
memory usage, causing imap-login/pop3-login VSZ limit to be reached
and the process restarted. This happens only if Dovecot config has
local_name { } or local { } configuration blocks and attacker uses
randomly generated SNI servernames.
* CVE-2017-14461: Parsing invalid email addresses may cause a crash or
leak memory contents to attacker. For example, these memory contents
might contain parts of an email from another user if the same imap
process is reused for multiple users. First discovered by Aleksandar
Nikolic of Cisco Talos. Independently also discovered by "flxflndy"
via HackerOne.
* CVE-2017-15132: Aborted SASL authentication leaks memory in login
process.
* Linux: Core dumping is no longer enabled by default via
PR_SET_DUMPABLE, because this may allow attackers to bypass
chroot/group restrictions. Found by cPanel Security Team. Nowadays
core dumps can be safely enabled by using "sysctl -w
fs.suid_dumpable=2". If the old behaviour is wanted, it can still be
enabled by setting:
import_environment=$import_environment PR_SET_DUMPABLE=1
- imap-login with SSL/TLS connections may end up in infinite loop
1.02 Sat Feb 03 13:41:38 2018
- add support for parsing and generating addresses with nul character
- fix function compose_address when both user and host contains non-ASCII 8bit characters
- fix possible memory leak in dovecot parser
Update mail/postfix to 3.2.5.
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
2018-02-23 Richard Russon <rich@flatcap.org>
* Features
- browser: `<goto-parent>` function bound to "p"
- editor: `<history-search>` function bound to "Ctrl-r"
- Cygwin support: https://www.neomutt.org/distro/cygwin
- OpenSUSE support: https://www.neomutt.org/distro/suse
- Upstream Homebrew support: Very soon - https://www.neomutt.org/distro/homebrew
* Bug Fixes
- gmail server-size search
- nested-if: correctly handle "<" and ">" with %?
- display of special chars
- lua: enable myvars
- for pgpewrap in default gpg.rc
- reply_regexp which wasn't formatted correctly.
- parsing of urls containing '?'
- out-of-bounds read in mutt_str_lws_len
* Translations
- Review fuzzy lt translations
- Updated French translation
* Website
- Installation guide for Cygwin
- Installation guide for OpenSUSE
- Installation guide for CRUX
* Build
- check that DTDs are installed
- autosetup improvements
- option for which version of bdb to use
- drop test for resizeterm -- it's always present
* Code
- split if's containing assignments
- doxygen: add/improve comments
- rename functions / parameters for consistency
- add missing {}s for clarity
- move functions to library
- reduce scope of variables
- boolify more variables
- iwyu: remove unnecessary headers
- name unicode chars
- tailq: migrate parameter api
- md5: refactor and tidy
- rfc2047: refactor and tidy
- buffer: improvements
- create unit test framework
- fix several coverity defects
* Upstream
- Fix s/mime certificate deletion bug
- Disable message security if the backend is not available
- Fix improper signed int conversion of IMAP uid and msn values
- Change imap literal counts to parse and store unsigned ints
- Fix imap status count range check
- cmd_handle_fatal: make error message a bit more descriptive
- Create pgp and s/mime default and sign_as key vars
- Add missing setup calls when resuming encrypted drafts
- mutt_pretty_size: show real number for small files
- examine_directory: set directory/symlink size to zero
- Add history-search function, bound to ctrl-r
- Avoid a potential integer overflow if a Content-Length value is huge
- Fix build issue with redefining the "accept" function.
- Added support for whitelists in the rbl plugin.
- Added option to skip the Received header for authenticated connections.
2.0.2 (2017-12-14)
* Fix treatment of No_Mail configuration parameter so that specifying
No_Mail = False (the default) does not cause incorrect results
* Conditionally import authres if Header_Type is AR and raise an error if it
is missing (sorry pep-8) to avoid cases where users change the config
and suddenly it doesn't work; for an example, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1208876
* Update and correct Mail_From_pass_restriction description in
policyd-spf.conf(5)
* Update HELO checking default option in policyd-spf.conf(5)
* Note that SPF_Not_Pass is not consistent with RFC 7208 in the HELO
checking section of policyd-spf.conf(5) - already documented for Mail From
1.0.2:
+ Added DKIM 'a' property so signature algorithm can be reported as proposed
for inclusion in draft-ietf-dmarc-rfc7601bis (experimental)
+ Added match_signature_algorithm to the DKIMAuthenticationResult class to
make it easier to find the correct DKIM result based on both domain and
algorithm
+ Added DKIM 's' property so signature algorithm can be reported as proposed
for inclusion in draft-ietf-dmarc-rfc7601bis (experimental)
- [CritFix] Add sanity guards for badly broken HTML
- [CritFix] Another errors path handling fix
- [CritFix] Fix ARC chain verification
- [CritFix] Fix crash in milter errors handler
- [Feature] Allow to insert headers into specific position
- [Feature] Allow to receive signing keys from mempool vars
- [Feature] Authentication-Results: support hiding usernames
- [Fix] Another try to deal with #1998
- [Fix] Another try to fix #1998
- [Fix] Better handling of the legacy protocol
- [Fix] Check decoded headers sanity (e.g. by excluding \0)
- [Fix] Deal with nan and inf encoding in json/ucl
- [Fix] Deal with URLs wrapped in [] in text parts
- [Fix] DKIM signing: allow for auth_only to be false
- [Fix] Do not crash on empty subtype
- [Fix] Do not fail rbl plugin when there are no received or emails
- [Fix] Do not skip the last character
- [Fix] Do not try to dereference last character
- [Fix] Do not try to sign unknown domains
- [Fix] Exim Received header protocol parsing
- [Fix] First load selector_map and path_map. And only return false
when domain not found if try_fallback is false
- [Fix] Fix bad archive characters stripping
- [Fix] Fix comparison
- [Fix] Fix connecting to a unix socket in rspamadm statconvert
- [Fix] Fix empty headers simple canonicalization
- [Fix] Fix extra hits in PCRE mode for regular expressions
- [Fix] Fix parsing of the per-user script
- [Fix] Fix processing of skip-hashes in fuzzy storage
- [Fix] Fix Redis timeout setup
- [Fix] Fix sanity checks on macro value
- [Fix] Fix text splitting: stack overflow (too many captures)
- [Fix] Fix urls/emails distinguishing found in queries
- [Fix] F-PROT Antivirus: only check return code to determine
infection
- [Fix] Metadata exporter: check IP sanity
- [Fix] Multimap: received: filtering of artificial header
- [Fix] Plan new event on HTTP errors
- [Fix] Plug another possible memory leak
- [Fix] Remove hop-by-hop headers in proxy
- [Fix] Sanitize IP in history redis
- [Fix] Setting check_local / check_authed in plugins (#1954)
- [Fix] Settings: avoid checking invalid IP (#1981)
- [Fix] Try harder in passing IPv6 addresses
- [Fix] WebUI: use relative path for savemap (#1943)
- [WebUI] Fix message count in throughput summary (#1724)
- [WebUI] Fix NaNs display on Throughput graph
- [WebUI] Restore passwordless login support (#2003)
use same PKG_OPTIONS_VAR as imap-uw to determine whether the build
needs to include kerberos support; this makes this extension actually
build against such imap-uw
bump PKGREVISION
when EXTRAAUTHENTICATORS is passed as MAKE_FLAGS, it ends up being
doubled, mkauths then generates auths.c with doubled auth_gss.c and
auth_mit.c twice, triggering duplicate definition errors with clang
9.0.0; pass via MAKE_ENV instead
bump PKGREVISION
Upstream changes:
version 2.20: Mon 22 Jan 18:14:44 CET 2018
Improvements:
- rewrite doc syntax to my current standard style.
- text corrections rt.cpan.org#123823 [Ville Skyttä]
- text corrections rt.cpan.org#123824 [Ville Skyttä]
- convert to GIT
- move to GitHUB
1.6.5: 22 Oct 2017
- [CritFix] Another portion of tokenization fixes
- [CritFix] Fix memory leak in spf caching logic
- [CritFix] Fix milter commands pipelining
- [CritFix] Fix newlines detection
- [Feature] Filter nan and inf when adding scores
- [Feature] Implement headers flags in mime parser
- [Feature] Support Expires header when using HTTP maps
- [Fix] Actively load skip hashes map in fuzzy storage
- [Fix] Add workaround for IPv6 in sendmail
- [Fix] Authentication Results: Fix SPF smtp.mail_from
- [Fix] Check for magic when checking for an archive
- [Fix] Deal with another case when processing exceptions
- [Fix] Deal with URLs with no slashes after protocol
- [Fix] Do not allow garbage when checking url domain
- [Fix] Do not ignore short words
- [Fix] Do not strip last character in the last word
- [Fix] Do not treat script content as text
- [Fix] Erase unknown HTML entities
- [Fix] Fix another tokenization issue
- [Fix] Fix DKIM forgeries via multiple headers
- [Fix] Fix emails detection
- [Fix] Fix empty threshold check in greylisting module
- [Fix] Fix enormous scores for R_WHITE_ON_WHITE
- [Fix] Fix loading of per-user redis backend for statistics
- [Fix] Fix multiple headers in DKIM headers list
- [Fix] Fix obscured url in format user@@example.com
- [Fix] Further tokenization fixes
- [Fix] Load skip map from all processes as shared cache is
unavailable
- [Fix] Lowercase words
- [Fix] Milter headers: skip_local / skip_authenticated settings
- [Fix] Milter headers: X-Spamd-Result header if X-Virus ran first
- [Fix] Ratelimit: fix whitelisted_rcpts matching
- [Fix] Some more fixes towards emails detection
- [Fix] SpamAssassin: Fail check_freemail_header if regexp didn't
match
- [Fix] Use greylisting threshold in greylisting module
1.6.4: 10 Sep 2017
- [Feature] Add method to get all content-type attributes in Lua
- [Feature] Add some sanity checks for actions and controller
- [Feature] Allow randomly select User-Agent from a list
- [Feature] Deal with obscured URLs with @ symbols
- [Feature] Milter headers: support adding/removing arbitrary headers
from config
- [Fix] Add another workaround to display history properly
- [Fix] Add missing rspamadm control options to help
- [Fix] Auth-Results: Multiple DKIM signatures
- [Fix] Crash in URL processing
- [Fix] Default monitoring domain for surbl plugin
- [Fix] Detection of maillist optimized and fixed
- [Fix] Do not cache SPF records with PTR elements
- [Fix] Fix blacklists and DMARC in whitelist
- [Fix] Fix exceptions list in surbl
- [Fix] Fix processing of closed tags
- [Fix] Fix PTR processing in SPF
- [Fix] Lowercase HTTP headers to make them searchable from Lua
- [Fix] options.local_networks setting
- [Fix] Ratelimit: lowercase email addresses
- [Fix] Rebalance and slightly rework MX check plugin
- [Fix] Redis script loading in DMARC; URL tags; URL reputation
- [Fix] Reject invalid bh for DKIM signatures earlier
- [Fix] Remove incorrect method `task:set_metric_subject`
- [Fix] Rewriting subjects via force actions module
- [Fix] RPM postinstall
- [Fix] Treat 'rewrite subject' as spam action
- [Fix] Try harder to find urls
- [Fix] Use full URL when making an HTTP request
- [Fix] Use raw urls when sending requests to redirector
- [Fix] Use weight from map for fuzzy scoring
- [Rules] Penalise R_BAD_CTE_7BIT for utf8 messages
1.6.3: 26 Jul 2017
- [CritFix] Fix semicolons parsing in the content type
- [Feature] Add EBL to the default config
- [Feature] Allow to configure monitored
- [Feature] Allow to skip specific hashes in fuzzy storage
- [Feature] Multimap: checking of symbol options
- [Feature] Redis settings: support checking multiple keys
- [Fix] ARC: Fix Lua 5.3 compatibility; timestamp should be integer
- [Fix] Avoid changing content-transfer-encoding header's value
- [Fix] Don't use whitelist/greylist maps as regexp, but as map
- [Fix] Fix get_content method
- [Fix] Header checks: Fix get_raw_header method
- [Fix] Header checks: REPLYTO_UNPARSEABLE rule
- [Fix] Lua_http: freeing
- [Fix] Milter headers: custom headers: removing headers
- [Fix] Parse HREF urls without explicit prefix
- [Fix] WHITE_ON_WHITE: Ensure score is matched to part that fired the
rule
- [WebUI] Escape strings inside HTML in history
1.6.2: 08 Jul 2017
- [Conf] Remove Rambler email bl for now
- [Conf] Switch RAMBLER_URIBL to a locally managed source
- [CritFix] Switch from ragel to C for Content-Type parsing
- [Feature] Add `-e` option for lua_repl
- [Feature] Add per-domain emails normalisation rules
- [Feature] Add sessions cache to debug dangling sessions
- [Feature] Add short_text_direct_hash for fuzzy check module
- [Feature] Add text_part:get_stats function
- [Feature] Allow to add custom processing script for surbl
- [Feature] Allow to check reply-to email
- [Feature] Allow to customize spam header, remove existing spam
headers
- [Feature] Allow to disable specific workers in the config
- [Feature] Allow to discard messages instead of rejection
- [Feature] Allow to specify custom delimiter in emails plugin
- [Feature] Allow to specify custom User-Agent for rspamc
- [Feature] Allow to store symbols data in Clickhouse
- [Feature] Allow to use HTTPS when connecting to Clickhouse
- [Feature] Enable sessions cache tracking for milter connections
- [Feature] Implement per-line mode in lua_repl (like `perl -p`)
- [Feature] Implement rdns-curve plugin based on rspamd cryptobox
- [Feature] Improve maps cached data lifetime
- [Feature] Improve maps checking frequency
- [Feature] Improve monitored timeouts logic
- [Feature] milter_headers: add `extended_headers_rcpt` option
- [Feature] Milter headers: Add X-Spam-Flag to rmilter-compatibility
headers
- [Feature] Milter headers: remove-header routine
- [Feature] Multimap: received filters for extracting TLDs from
hostnames
- [Feature] Normalize email aliases in emails module
- [Feature] Re-add rambler email bl (as hashed list)
- [Feature] Reload file maps more frequently
- [Feature] Rework newlines strip parser one more time
- [Feature] Skip updates for messages scanned via controller
- [Feature] Split long DKIM public keys
- [Feature] Store more data when stripping newlines
- [Feature] Support SPF macros transformations
- [Feature] Support suppressing DMARC reports for some domains
- [Fix] Add missing `break` statement
- [Fix] Allow modifiers in SPF macros
- [Fix] DKIM sign tools: edge-cases around use_esld
- [Fix] Do not cache SPF records with macros
- [Fix] Do not overwrite score when setting pre-action
- [Fix] Fix comparison logic
- [Fix] Fix DKIM base64 folding for milter flagged messages
- [Fix] Fix emails module configuration
- [Fix] Fix folding for arc headers when milter interface is used
- [Fix] Fix gmail dots removal
- [Fix] Fix rspamc detection in greylist module
- [Fix] Fix some more issues with HTTP maps
- [Fix] Milter sessions can live forever
- [Fix] Normalize fuzzy probability better
- [Fix] Plug memory leak
- [Fix] RBL: Fixed hashed email address lookups
- [Fix] Try to deal with brain-damaged milter behaviour
- [Fix] Use `\n` to fold headers for milter
- [Rework] Allow to use custom callback for monitored checks
- [Rework] Further steps towards one process monitoring
- [Rework] Send health checks from a single worker
- [WebUI] Round-up throughput summary values
Notmuch 0.26 (2018-01-09)
=========================
Command Line Interface
----------------------
Support for re-indexing existing messages
There is a new subcommand, `notmuch reindex`, which re-indexes all
messages matching supplied search terms. This permits users to
change the way specific messages are indexed.
Note that for messages with multiple variants in the message
archive, the recorded Subject: may change upon reindexing,
depending on the order in which the variants are indexed.
Improved error reporting in notmuch new
Give more details when reporting certain Xapian exceptions.
Support maildir synced tags in `new.tags`
Tags `draft`, `flagged`, `passed`, and `replied` are now supported
in `new.tags`. The tag `unread` is still special in the presence of
maildir syncing, and will be added for files in `new/` regardless of
the setting of `new.tags`.
Support /regex/ in new.ignore
Files and directories may be ignored based on regular expressions.
Allow `notmuch insert --folder=""`
This inserts into the top level folder.
Strip trailing '/' from folder path for notmuch insert
This prevents a potential problem with duplicated database records.
New option --output=address for notmuch address
Make `notmuch show` more robust against deleting duplicate files
The option --decrypt now takes an explicit argument
The --decrypt option to `notmuch show` and `notmuch reply` now takes
an explicit argument. If you were used to invoking `notmuch show
--decrypt`, you should switch to `notmuch show --decrypt=true`.
Boolean and keyword arguments now take a `--no-` prefix
Encrypted Mail
--------------
Indexing cleartext of encrypted e-mails
It's now possible to include the cleartext of encrypted e-mails in
the notmuch index. This makes it possible to search your encrypted
e-mails with the same ease as searching cleartext. This can be done
on a per-message basis by passing --decrypt=true to indexing
commands (new, insert, reindex), or by default by running "notmuch
config set index.decrypt true".
Encrypted messages whose cleartext is indexed will typically also
have their session keys stashed as properties associated with the
message. Stashed session keys permit rapid rendering of long
encrypted threads, and disposal of expired encryption-capable keys.
If for some reason you want cleartext indexing without stashed
session keys, use --decrypt=nostash for your indexing commands (or
run "notmuch config set index.decrypt nostash"). See `index.decrypt`
in notmuch-config(1) for more details.
Note that stashed session keys permit reconstruction of the
cleartext of the encrypted message itself, and the contents of the
index are roughly equivalent to the cleartext as well. DO NOT USE
this feature without considering the security of your index.
Emacs
-----
Guard against concurrent searches in notmuch-tree
Use make-process when available
This allows newer Emacs to separate stdout and stderr from the
notmuch command without using temporary files.
Library Changes
---------------
Indexing files with duplicate message-id
Files with duplicate message-id's are now indexed, and searchable
via terms and phrases. There are known issues related to
presentation of results and regular-expression search, but in
principle no mail file should be completely unsearchable now.
New functions to count files
Two new functions in the libnotmuch API:
`notmuch_message_count_files`, and `notmuch_thread_get_total_files`.
New function to remove properties
A new function was added to the libnotmuch API to make it easier to
drop all properties with a common pattern:
`notmuch_message_remove_all_properties_with_prefix`
Change of return value of `notmuch_thread_get_authors`
In certain corner cases, `notmuch_thread_get_authors` previously
returned NULL. This has been replaced by an empty string, since the
possibility of NULL was not documented.
Transition `notmuch_database_add_message` to `notmuch_database_index_file`
When indexing an e-mail message, the new
`notmuch_database_index_file` function is the preferred form, and
the old `notmuch_database_add_message` is deprecated. The new form
allows passing a set of options to the indexing engine, which the
operator may decide to change from message to message.
Test Suite
----------
Out-of-tree builds
The test suite now works properly with out-of-tree builds, i.e. with
separate source and build directories. The --root option to tests
has been dropped. The same can now be achieved more reliably using
out-of-tree builds.
Python Bindings
---------------
Python bindings specific Debian packaging is removed
The bindings have been built by the top level Debian packaging for a
long time, and `bindings/python/debian` has bit-rotted.
Open mail files in binary mode when using Python 3
This avoids certain encoding related crashes under Python 3.
Add python bindings for `notmuch_database_{get,set}_config*`
Optional `decrypt_policy` flag is available for notmuch.database().index_file()
nmbug
-----
nmbug's internal version increases to 0.3 in this notmuch release.
User-facing changes with this notmuch release:
* Accept failures to unset `core.worktree` in `clone`, which allows
nmbug to be used with Git 2.11.0 and later.
* Auto-checkout in `clone` if it wouldn't clobber existing content,
which makes the initial clone more convenient.
* Only error for invalid diff lines in `tags/`, which allows for
`README`s and similar in nmbug repositories.
Documentation
-------------
New man page: notmuch-properties(7)
This new page to the manual describes common conventions for how
properties are used by libnotmuch, the CLI, and associated programs.
External projects that use properties are encouraged to claim their
properties and conventions here to avoid collisions.
Upstream changes:
version 2.17: Fri Jan 26 23:42:01 CET 2018
Fixes:
- when picking a preferred type for an extension, do prefer the type
with the same minor-name. Issue triggered by [Henry van Styn]
- remove iana obsoleted types
version 2.16: Tue 23 Jan 12:14:39 CET 2018
Fixes:
- collecting of IANA info has stalled: logic rewritten
Discovered by [Julien Lüthi]
Improvements:
- move scripts and source files into MANIFEST.extra
- update types and extensions
version 2.15: Fri 19 Jan 17:23:56 CET 2018
Improvements:
- moved to GIT and GitHUB.
Changelog:
Fix
This release fixes the "Mailsploit" vulnerability and other vulnerabilities
detected by the "Cure53" audit. For details and various other security
fixes see here.
CVE-2017-7845: Buffer overflow when drawing and validating elements with
ANGLE library using Direct 3D 9
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
CVE-2017-7847: Local path string can be leaked from RSS feed
CVE-2017-7848: RSS Feed vulnerable to new line Injection
CVE-2017-7829: Mailsploit part 1: From address with encoded null character
is cut off in message header display
This library validates that addresses are of the form x@y.com. This is the sort
of validation you would want for a login form on a website.
Key features:
* Good for validating email addresses used for logins/identity.
* Friendly error messages when validation fails (appropriate to show to end
users).
* (optionally) Checks deliverability: Does the domain name resolve?
* Supports internationalized domain names and (optionally) internationalized
local parts.
* Normalizes email addresses (super important for internationalized addresses!).
Version 0.52
* Internet connection tests were declared in the wrong order
Version 0.51
* Fix for older versions of perl
* Tests no longer fail with no internet connection
Notmuch 0.25.3 (2017-12-08)
===========================
Emacs
-----
Extend mitigation (disabling handling x-display in text/enriched) for
Emacs bug #28350 to Emacs versions before 24.4 (i.e. without
`advice-add`).
Command Line Interface
----------------------
Correctly report userid validity. Fix test suite failure for GMime >=
3.0.3. This change raises the minimum supported version of GMime 3.x
to 3.0.3.
- feature request: added record_mailbox configuration parameter, to
allow turning off the header getmail adds with this information.
Thanks: Daniel Kahn Gillmor, Osamu Aoki, Josh Triplett.
Changelog v0.5.0.1:
- imap4flags extension: Fix binary corruption occurring when
setflag/addflag/removeflag flag-list is a variable.
- sieve-extprograms plugin: Fix segfault occurring when used in
IMAPSieve context.
The actual fix has been done by "pkglint -F */*/buildlink3.mk", and was
reviewed manually.
There are some .include lines that still are indented with zero spaces
although the surrounding .if is indented. This is existing practice.
* editheader extension: The implementation of header modifications is
heavily updated. Although the functionality has not changed, the
underlying code was updated to address several static analysis
warnings, runtime integer arithmetic warnings (Clang), and to match
updates in the Dovecot stream API.
+ variables extension: Made the maximum scope and variable size
configurable.
+ subaddress: Support multiple recipient_delimiters.
- enotify extension: mailto method: Fixed parsing of mailto URI with
only a header part.
- enotify plugin: mailto method: Make sure the "From:" header is set to
a usable address and not "(null)".
- Fixed writing address headers to outgoing messages. Sometimes headers
were MIME-encoded twice, yielding invalid results.
Some of the larger changes:
* Various setting changes, see https://wiki2.dovecot.org/Upgrading/2.3
* Logging rewrite started: Logging is now based on hierarchical events.
This makes it possible to do various things, like: 1) giving
consistent log prefixes, 2) enabling debug logging with finer
granularity, 3) provide logs in more machine readable formats
(e.g. json). Everything isn't finished yet, especially a lot of the
old logging code still needs to be translated to the new way.
* Statistics rewrite started: Stats are now based on (log) events.
It's possible to gather statistics about any event that is logged.
See http://wiki2.dovecot.org/Statistics for details
* ssl_dh setting replaces the old generated ssl-parameters.dat
* IMAP: When BINARY FETCH finds a broken mail, send [PARSE] error
instead of [UNKNOWNCTE]
* Linux: core dumping via PR_SET_DUMPABLE is no longer enabled by
default due to potential security reasons (found by cPanel Security
Team).
+ Added support for SMTP submission proxy server, which includes
support for BURL and CHUNKING extension.
+ LMTP rewrite. Supports now CHUNKING extension and mixing of
local/proxy recipients.
+ auth: Support libsodium to add support for ARGON2I and ARGON2ID
password schemes.
+ auth: Support BLF-CRYPT password scheme in all platforms
+ auth: Added LUA scripting support for passdb/userdb.
See https://wiki2.dovecot.org/AuthDatabase/Lua
- Input streams are more reliable now when there are errors or when
the maximum buffer size is reached. Previously in some situations
this could have caused Dovecot to try to read already freed memory.
- Output streams weren't previously handling failures when writing a
trailer at the end of the stream. This mainly affected encrypt and
zlib compress ostreams, which could have silently written truncated
files if the last write happened to fail (which shouldn't normally
have ever happened).
- virtual plugin: Fixed panic when fetching mails from virtual
mailboxes with IMAP BINARY extension.
- doveadm-server: Fix potential hangs with SSL connections
- doveadm proxy: Reading commands' output from v2.2.33+ servers could
have caused the output to be corrupted or caused a crash.
- Many other smaller fixes
Unsorted entries in PLIST files have generated a pkglint warning for at
least 12 years. Somewhat more recently, pkglint has learned to sort
PLIST files automatically. Since pkglint 5.4.23, the sorting is only
done in obvious, simple cases. These have been applied by running:
pkglint -Cnone,PLIST -Wnone,plist-sort -r -F
This has been a pkglint warning for several years now, and pkglint can even
fix it automatically. And it did for this commit.
Only in lang/mercury, two passes of autofixing were necessary because there
were nested variables.
version 3.005: Fri 22 Dec 09:43:45 CET 2017
Fixes:
- repair loose dependency on Mail::Transport [cpantesters]
version 3.004: Thu 21 Dec 09:08:52 CET 2017
Fixes:
- field unfold replaces leading whitespace into blank. [Mark Nienberg]
Improvements:
- improve docs on $msg->send().
The previous release was the last one supporting autotools,
so switch to autosetup build. Adapt options.
2017-12-15 Richard Russon <rich@flatcap.org>
* Bug Fixes
- Fix some regressions in the previous release
2017-12-08 Richard Russon <rich@flatcap.org>
* Features
- Enhance ifdef feature to support my_ vars
- Add <edit-or-view-raw-message>
- Remove vim syntax file from the main repo
- Support reading FQDN from mailname files
* Bug Fixes
- Do not turn CRLF into LF when dealing with transfer-encoding=base64
- Cleanup "SSL is unavailable" error in mutt_conn_find
- Don't clear the macro buffer during startup
- Fixup smart modify-labels-then-hide for !tag case
- Add sleep after SMTP error
- Restore folder settings after folder-hook
- Fix segfault when pipe'ing a deleted message
* Docs
- Display_filter escape sequence
- Correct spelling mistakes
- Add a sentence to quasi-delete docs
- Modify gpg.rc to accommodate GPG 2.1 changes
* Build
- Fix build for RHEL6
- Define NCURSES_WIDECHAR to require wide-char support from ncurses
- Autosetup: fix check for missing sendmail
- Respect --with-ssl path
- Check that OpenSSL md5 supports -r before using it
- Autosetup: expand --everything in `neomutt -v`
- Make sure objects are not compiled before git_ver.h is generated
- Build: fix update-po target
- Fix out-of-tree builds
- Fix stdout + stderr redirection in hcachever.sh
- Build: moved the check for idn before the check for notmuch
- Define prefix in Makefile.autosetup
- Install stuff to $(PACKAGE) in $(libexecdir), not $(libdir)
- Update autosetup to latest master
* Code
- Rename files
- Rename functions
- Rename variables
- Rename constants
- Remove unused parameters
- Document functions
- Rearrange functions
- Move functions to libraries
- Add new library functions
- Rearrange switch statements
- Boolification
- Drop #ifdef DEBUG
- Fix Coverity defects
- Insert braces
- Split ifs
- Fallthrough
- Fix shadow variable
- Replace mutt_debug with a macro
- Return early where possible
* Upstream
- Note which ssl config vars are GnuTLS or OpenSSL only
- Add message count to $move quadoption prompt
- Add %R (number of read messages) for $status_format
- Add $change_folder_next option to control mailbox suggestion order
- Fix $smart_wrap to not be disabled by whitespace-prefixed lines
- Remove useless else branch in the $smart_wrap code
- Fix ansi escape sequences with both reset and color parameters
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.4.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.0 and later. Older supported releases are unaffected.
Fixed in Postfix 3.1 and later:
* DANE interoperability. Postfix builds with OpenSSL 1.0.0 or
1.0.1 failed to send email to some sites with "TLSA 2 X X" DNS
records associated with an intermediate CA certificate. Problem
report and initial fix by Erwan Legrand.
Fixed in Postfix 3.0 and later:
* Missing dynamicmaps support in the Postfix sendmail command.
This broke authorized_submit_users settings that use a
dynamically-loaded map type. Problem reported by Ulrich Zehl.
Tested by jcea, thanks!
2.1.25 (26-Oct-2017)
New Features
- The admindb held subscriptions listing now includes the date of the
most recent request from the address. (LP: #1697097)
Accessibility
- The admin Membership List now includes text for screen readers which
identifies the function of each checkbox. CSS is added to the page to
visually hide the text but still allow screen readers to read it.
Similar text has been added to some radio buttons on the admindb pages.
i18n
- The Russian translation has been updated by Sergey Matveev.
(LP: #1708016)
Bug fixes and other patches
- Thanks to Jim Popovitch, certain failures in DNS lookups of DMARC policy
will now result in mitigations being applied. (LP: #1722013)
- The default DMARC reject reason now properly replaces %(listowner)s.
(LP: #1718962)
- The web roster page now shows case preserved email addresses.
(LP: #1707447)
- Changed the SETGID wrappers to only pass those items in the environment
that are needed by the called scripts. (LP: #1705736)
- Fixed MTA/Postfix.py to ensure that created aliases(.db) and
virtual-mailman(.db) files are readable by Postfix and the .db files are
owned by the Mailman user. (LP: #1696066)
- Defended against certain web attacks that cause exceptions and "we hit
a bug" responses when POST data or query fragments contain multiple
values for the same parameter. (LP: #1695667)
- The fix for LP: #1614841 caused a regression in the options CGI. This
has been fixed. (LP: #1602608)
- Added a -a option to the (e)grep commands in contrib/mmdsr to account
for logs that may have non-ascii and be seen as binary.
- Fixed the -V option to bin/list_lists to not show lists whose host is a
subdomain of the given domain. (LP: #1695610)
2.1.24 (02-Jun-2017)
Security
- A most likely unexploitable XSS attack that relies on the Mailman web
server passing a crafted Host: header to the CGI environment has been
fixed. Apache for one is not vulnerable. Thanks to Alqnas Eslam.
New Features
- There is a new RCPT_BASE64_HEADER_NAME setting. If this is set to a
non-empty string, that string is the name of a header that will be added
to personalized and VERPed deliveries with value equal to the base64
encoding of the recipient's email address. This is intended to enable
identification of the recipient otherwise redacted from "spam report"
feedback loop messages.
- cron/senddigests has a new -e/--exceptlist option to send pending
digests for all but a named list. (LP: #1619770)
- The values for DEFAULT_DIGEST_FOOTER and DEFAULT_MSG_FOOTER have been
changed to use a standard signature separator for DEFAULT_MSG_FOOTER
and to remove the unneeded line of underscores from DEFAULT_DIGEST_FOOTER.
(LP: #266269)
i18n
- The Polish html templates have been recoded to use html entities
instead of non-ascii characters.
- The Basque (Euskara) translation has been updated by Gari Araolaza.
- The German "details for personalize" page has been updated by
Christian F Buser.
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
Bug fixes and other patches
- The list-owner@virtual.domain addresses are now added to virtual-mailman
as they are exposed in 'list created' emails. (LP: #1694384)
- The 'list run by' addresses in web page footers are now just the
list-owner address. (LP: #1694384)
- Changed member_verbosity_threshold from a >= test to a strictly > test
to avoid the issue of moderating every post when the threshold = 1.
(LP: #1693366)
- Subject prefixing has been improved to always have a space between
the prefix and the subject even with non-ascii in the prefix. This
will sometimes result in two spaces when the prefix is non-ascii but
the subject is ascii, but this is the lesser evil. (LP: #1525954)
- Treat message and digest headers and footers as empty if they contain
only whitespace. (LP: #1673307)
- Ensured that added message and digest headers and footers always have
a terminating new-line. (LP: #1670033)
- Fixed an uncaught TypeError in the subscribe CGI. (LP: #1667215)
- Added recognition for a newly seen mailEnable bounce.
- Fixed an uncaught NotAMemberError when a member is removed before a
probe bounce for the member is returned. (LP: #1664729)
- Fixed a TypeError thrown in the roster CGI when called with a listname
containing a % character. (LP: #1661810)
- Fixed a NameError issue in bin/add_members with
DISABLE_COMMAND_LOCALE_CSET = yes. (LP: #1647450)
- The CleanseDKIM handler has been removed from OWNER_PIPELINE. It isn't
needed there and has adverse DMARC implications for messages to -owner
of an anonymous list. (LP: #1645901)
- Fixed an issue with properly RFC 2047 encoding the display name in the
From: header for messages with DMARC mitigations. (LP: #1643210)
- Fixed an issue causing UnicodeError in sending digests following a
change of a list's preferred_language. (LP: #1644356)
- Enhanced the fix for race conditions in MailList().Load(). (LP: #266464)
- Fixed a typo in Utils.py that could have resulted in a NameError in
logging an unlikely occurrence. (LP: #1637745)
- Fixed a bug which created incorrect "view more members" links at the
bottom of the admin Membership List pages. (LP: #1637061)
- The 2.1.23 fix for LP: #1604544 only fixed the letter links at the top
of the Membership List. The links at the bottom have now been fixed.
- paths.py now adds dist-packages as well as site-packages to sys.path.
(LP: #1621172)
- INIT INFO has been added to the sample init.d script. (LP: #1620121)
2.1.23 (27-Aug-2016)
Security
- CSRF protection has been extended to the user options page. This was
actually fixed by Tokio Kikuchi as part of the fix for LP: #775294 and
intended for Mailman 2.1.15, but that fix wasn't completely merged at the
time. The full fix also addresses the admindb, and edithtml pages as
well as the user options page and the previously fixed admin pages.
Thanks to Nishant Agarwala for reporting the issue. CVE-2016-6893
(LP: #1614841)
New Features
- For header_filter_rules matching, RFC 2047 encoded headers, non-encoded
headers and header_filter_rules patterns are now all decoded to unicode.
Both XML character references of the form &#nnnn; and unicode escapes
of the form \Uxxxx in patterns are converted to unicodes as well. Both
headers and patterns are normalized to 'NFKC' normal form before
matching, but the normalization form can be set via a new NORMALIZE_FORM
mm_cfg setting. Also, the web UI has been updated to encode characters
in text fields that are invalid in the character set of the page's
language as XML character references instead of '?'. This should help
with entering header_filter_rules patterns to match 'odd' characters.
This feature is experimental and is problematic for some cases where it
is desired to have a header_filter_rules pattern with characters not in
the character set of the list's preferred language. For patterns
without such characters, the only change in behavior should be because
of unicode normalization which should improve matching. For other
situations such as trying to match a Subject: with CJK characters (range
U+4E00..U+9FFF) on an English language (ascii) list, one can enter a
pattern like '^subject:.*[&#19968;-&#40959;]' or
'^subject:.*[\u4e00;-\u9fff;]' to match a Subject with any character in
the range, and it will work, but depending on the actual characters and
the browser, submitting another, even unrelated change can garble the
original entry although this usually occurs only with ascii pages and
characters in the range \u0080-\u00ff. The \Uxxxx unicode escapes must
have exactly 4 hex digits, but they are case insensitive. (LP: #558155)
- Thanks to Jim Popovitch REMOVE_DKIM_HEADERS can now be set to 3 to
preserve the original headers as X-Mailman-Original-... before removing
them.
- Several additional templates have been added to those that can be edited
via the web admin GUI. (LP: #1583387)
- SMTPDirect.py can now do SASL authentication and STARTTLS security when
connecting to the outgoing MTA. Associated with this are new
Defaults.py/mm_cfg.py settings SMTP_AUTH, SMTP_USER, SMTP_PASSWD and
SMTP_USE_TLS. (LP: #558281)
- There is a new Defaults.py/mm_cfg.py setting SMTPLIB_DEBUG_LEVEL which
can be set to 1 to enable verbose smtplib debugging to Mailman's error
log to help with debugging 'low level smtp failures'. (LP: #1573074)
- A list's nonmember_rejection_notice attribute will now be the default
rejection reason for a held non-member post in addition to its prior
role as the reason for an automatically rejected non-member post.
(LP: #1572330)
i18n
- The French translation of 'Dutch' is changed from 'Hollandais' to
'Néerlandais' per Francis Jorissen.
- Some German language templates that were incorrectly utf-8 encoded have
been recoded as iso-8859-1. (LP: #1602779)
- Japanese translation and documentation in messages/ja has been updated by
Yasuhito FUTATSUKI.
Bug fixes and other patches
- The admin Membership List letter links could be incorrectly rendered as
Unicode strings following a search. (LP: #1604544)
- We no longer throw an uncaught TypeError with certain defective crafted
POST requests to Mailman's CGIs. (LP: #1602608)
- Scrubber links in archives are now in the list's preferred_language
rather than the poster's language. (LP: #1586505)
- Improved logging of banned subscription and address change attempts.
(LP: #1582856)
- In rare circumstances a list can be removed while the admin or listinfo
CGI or bin/list_lists is running causing an uncaught MMUnknownListError
to be thrown. The exception is now caught and handled. (LP: #1582532)
- Set the Date: header in the wrapper message when from_is_list or
dmarc_moderation_action is Wrap Message. (LP: #1581215)
- A site can now set DMARC_ORGANIZATIONAL_DOMAIN_DATA_URL to None or the
null string if it wants to avoid using this. (LP: #1578450)
- The white space to the left of the admindb Logout link is no longer
part of the link. (LP: #1573623)
2.1.22 (17-Apr-2016)
i18n
- Fixed a typo in the German options.html template. (LP: #1562408)
- An error in the Brazilian Portuguese translation of Quarterly has been
fixed thanks to Kleber A. Benatti.
- The Brazilian Portuguese translation has been updated by Emerson Ribeiro
de Mello.
Bug fixes and other patches
- All addresses in data/virtual-mailman are now properly appended with
VIRTUAL_MAILMAN_LOCAL_DOMAIN and duplicates are not generated if the
site list is in a virtual domain. (LP: #1570630)
- DMARC mitigations will now find the From: domain to the right of the
rightmost '@' rather than the leftmost '@'. (LP: #1568445)
- DMARC mitigations for a sub-domain of an organizational domain will now
use the organizational domain's sp= policy if any. (LP: #1568398)
- Modified NewsRunner.py to ensure that messages gated to Usenet have a
non-blank Subject: header and when munging the Message-ID to add the
original to References: to help with threading. (LP: #557955)
- Fixed the pipermail archiver to do a better job of figuring the date of
a post when its Date: header is missing, unparseable or has an obviously
out of range date. This should only affect bin/arch as ArchRunner has
code to fix dates at least if ARCHIVER_CLOBBER_DATE_POLICY has not been
set to 0 in mm_cfg.py. If posts have been added in the past to a list's
archive using bin/arch and an imported mbox, running bin/arch again could
result in some of those posts being archived with a different date.
(LP: #1555798)
- Fixed an issue with CommandRunner shunting a malformed message with a
null byte in the body. (LP: #1553888)
- Don't collapse multipart with a single sub-part inside multipart/signed
parts. (LP: #1551075)
2.1.21 (28-Feb-2016)
New Features
- There is a new dmarc_none_moderation_action list setting and a
DEFAULT_DMARC_NONE_MODERATION_ACTION mm_cfg.py setting to optionally
apply Munge From or Wrap Message actions to posts From: domains that
publish DMARC p=none. The intent is to eliminate failure reports to
the domain owner for messages that would be munged or wrapped if the
domain published a stronger DMARC policy. See the descriptions in
Defaults.py, the web UI and the bug report for more. (LP: #1539384)
- Thanks to Jim Popovitch there is now a feature to automatically turn
on moderation for a malicious list member who attempts to flood a list
with spam. See the details for the Privacy options ... -> Sender
filters -> member_verbosity_threshold and member_verbosity_interval
settings in the web admin UI and the documentation in Defaults.py for
the DEFAULT_MEMBER_VERBOSITY_* and VERBOSE_CLEAN_LIMIT settings for
information.
- bin/list_members now has options to display all moderated or all
non-moderated members.
- There is now a mm_cfg.py setting GLOBAL_BAN_LIST which is like the
individual list's ban_list but applies globally to all subscribe
requests. See the description in Defaults.py for more details.
i18n
- The Japanese translation has been updated by Yasuhito FUTATSUKI.
- Also thanks to Miloslav Trmac and Yasuhito FUTATSUKI, the l10n for
Mailman's bin/ commands has been fixed to display using the character
set of the user's work station even when Mailman's character set for
the language is different. Because this has not been tested over a
wide set of locales, there is an mm_cfg.py switch
DISABLE_COMMAND_LOCALE_CSET to disable it if it causes problems.
(LP: #558167)
- The Polish translation has been updated by Stefan Plewako.
- The German translation has been updated by Mirian Margiani and
Bernhard Schmidt.
- The Russian translation has been updated by Danil Smirnov.
- Several Galician templates that were improperly encoded as iso-8859-1
have been fixed. (LP: #1532504)
- The Brazilian Portuguese translation has been updated by Emerson Ribeiro
de Mello.
Bug fixes and other patches
- If DMARC lookup fails to find a policy, also try the Organizational
Domain. Associated with this is a new mm_cfg.py setting
DMARC_ORGANIZATIONAL_DOMAIN_DATA_URL which sets the URL used to
retrieve the data for the algorithm that computes the Organizational
Domain. See https://publicsuffix.org/list/ for info. (LP: #1549420)
- Modified contrib/mmdsr to correctly report No such list names that
contain ".
- User's "Acknowledge" option will now be honored for posts to anonymous
lists. (LP: #1546679)
- Fixed a typo in the Non-digest options regular_exclude_ignore
description thanks to Yasuhito FUTATSUKI.
- DEFAULT_PASS_MIME_TYPES has been changed to accept text/plain sub-parts
from message/rfc822 parts and multipart parts other than mixed and
alternative and also accept pgp signatures. This only applies to newly
created lists and other than pgp signatures, still only accepts
text/plain. (LP: #1517446)
- Modified contrib/mmdsr to report held and banned subscriptions and DMARC
lookups in their own categories.
- Fixed a bug that could create a garbled From: header with certain DMARC
mitigation actions. (LP: #1536816)
- Treat a poster's address which matches an equivalent_domains address as
a list member for the regular_exclude_ignore check. (LP: #1526550)
- Fixed an issue that sometimes left no white space following
subject_prefix. (LP: #1525954)
- Vette log entries for banned subscriptions now include the source of
the request if available. (LP: #1525733)
- Submitting the user options form for a user who was asynchronously
unsubscribed would throw an uncaught NotAMemberError. (LP: #1523273)
- It was possible under some circumstances for a message to be shunted
after a handler rejected or discarded it, and the handler would be
skipped upon unshunting and the message accepted. (LP: #1519062)
- Posts gated to usenet will no longer have other than the target group
in the Newsgroups: header. (LP: #1512866)
- Invalid regexps in *_these_nonmembers, subscribe_auto_approval and
ban_list are now logged. (LP: #1507241)
- Refactored the GetPattern list method to simplify extending @listname
syntax to new attributes in the future. Changed Moderate.py to use the
GetPattern method to process the *_these_nonmembers lists.
- Changed CookHeaders to default to using space rather than tab as
continuation_ws when folding headers. (LP: #1505878)
- Fixed the 'pidfile' path in the sample init.d script. (LP: #1503422)
- Subject prefixing could fail to collapse multiple 'Re:' in an incoming
message if they all came after the list's subject_prefix. This is now
fixed. (LP: #1496620)
- Defended against a user submitting URLs with query fragments or POST
data containing multiple occurrences of the same variable.
(LP: #1496632)
- Fixed bin/mailmanctl to check its effective rather than real uid.
(LP: #1491187)
- Fixed cron/gate_news to catch EOFError on opening the newsgroup.
(LP: #1486263)
- Fixed a bug where a delayed probe bounce can throw an AttributeError.
(LP: #1482940)
- If a list is not digestable and the user is not currently set to
receive digests, the digest options will not be shown on the user's
options page. (LP: #1476298)
- Improved identification of remote clients for logging and subscribe
form checking in cases where access is via a proxy server. Thanks to
Jim Popovitch. Also updated contrib/mmdsr for log change.
- Fixed an issue with shunted messages on a list where the charset for
the list's preferred_language had been changed from iso-8859-1 to
utf-8 without recoding the list's description. (LP: #1462755)
- Mailman-Postfix integration will now add mailman@domain entries in
data/virtual-mailman for each domain in POSTFIX_STYLE_VIRTUAL_DOMAINS
which is a host_name of a list. This is so the addresses which are
exposed on admin and listinfo overview pages of virtual domains will
be deliverable. (LP: #1459236)
- The vette log entry for DMARC policy hits now contains the list name.
(LP: #1450826)
- If SUBSCRIBE_FORM_SECRET is enabled and a user's network has a load
balancer or similar in use the POSTing IP might not exactly match the
GETting IP. This is now accounted for by not requiring the last
octet (16 bits for IPv6) to match. (LP: #1447445)
- DKIM-Signature:, DomainKey-Signature: and Authentication-Results:
headers are now removed by default from posts to anonymous lists.
(LP: #1444673)
- The list admin web UI Membership List search function often doesn't
return correct results for search strings (regexps) that contain
non-ascii characters. This is partially fixed. (LP: #1442298)
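The header_filter_rules matching described under the Mailman 2.1.23 New Features above (decode RFC 2047 headers, expand &#nnnn; and \Uxxxx in patterns, normalize both sides to NFKC) can be illustrated as follows. This is an added Python 3 example, not Mailman's code (Mailman 2.1 is Python 2); the function names, the case-insensitive match on a "name: value" line and the sample subjects are assumptions constructed for illustration.

```python
import re
import unicodedata
from email.header import Header, decode_header, make_header

NORMALIZE_FORM = "NFKC"  # default form named in the changelog entry

XML_REF = re.compile(r"&#(\d+);")                        # &#nnnn;
U_ESCAPE = re.compile(r"\\u([0-9a-f]{4})", re.IGNORECASE)  # \uxxxx or \Uxxxx


def _to_char(match, base):
    """Convert one reference to its character; leave invalid ones untouched."""
    try:
        return chr(int(match.group(1), base))
    except (ValueError, OverflowError):
        return match.group(0)


def expand_pattern(pattern):
    """Expand XML character references and 4-digit unicode escapes in a
    rule pattern, then normalize the pattern text."""
    pattern = XML_REF.sub(lambda m: _to_char(m, 10), pattern)
    pattern = U_ESCAPE.sub(lambda m: _to_char(m, 16), pattern)
    return unicodedata.normalize(NORMALIZE_FORM, pattern)


def header_line(name, raw_value):
    """Decode an RFC 2047 header value to unicode and normalize the line."""
    try:
        value = str(make_header(decode_header(raw_value)))
    except (LookupError, UnicodeError, ValueError):
        value = raw_value  # undecodable: fall back to the raw text
    return unicodedata.normalize(NORMALIZE_FORM, "%s: %s" % (name, value))


def rule_matches(pattern, name, raw_value):
    """Match with both sides decoded and normalized."""
    try:
        rx = re.compile(expand_pattern(pattern), re.IGNORECASE)
    except re.error:
        return False  # an invalid regexp never matches
    return rx.search(header_line(name, raw_value)) is not None


def naive_matches(pattern, name, raw_value):
    """Match against the wire form: no decoding, no normalization."""
    line = "%s: %s" % (name, raw_value)
    return re.search(pattern, line, re.IGNORECASE) is not None


# Constructed samples. The first subject spells "free offer" in fullwidth
# letters (U+FF41..U+FF5A), which NFKC folds to ASCII; the second starts
# with two CJK characters inside U+4E00..U+9FFF.
FULLWIDTH_SUBJECT = Header(
    "\uff46\uff52\uff45\uff45 \uff4f\uff46\uff46\uff45\uff52", "utf-8"
).encode()
CJK_SUBJECT = Header("\u4f1a\u8b70 agenda", "utf-8").encode()

ASCII_RULE = r"^subject:.*free offer"
CJK_RULE_XML = "^subject:.*[&#19968;-&#40959;]"
CJK_RULE_ESC = r"^subject:.*[\U4E00-\u9fff]"

if __name__ == "__main__":
    print("wire form:       ", FULLWIDTH_SUBJECT)
    print("normalized line: ", header_line("Subject", FULLWIDTH_SUBJECT))
    print("naive match:     ", naive_matches(ASCII_RULE, "Subject", FULLWIDTH_SUBJECT))
    print("normalized match:", rule_matches(ASCII_RULE, "Subject", FULLWIDTH_SUBJECT))
    for rule in (CJK_RULE_XML, CJK_RULE_ESC):
        print(rule, "->", rule_matches(rule, "Subject", CJK_SUBJECT))
```

An ASCII rule misses the encoded fullwidth subject on the wire form and hits once the header is decoded and folded by NFKC, which is the "improved matching" the entry refers to.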
Changelog:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in use.
This results in a potentially exploitable crash during these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for data
theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David Keeler,
Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp,
Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and
Thunderbird 52.4. Some of these bugs showed evidence of memory corruption
and we presume that with enough effort some of these could be
exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5,
and Thunderbird 52.5
Notmuch 0.25.2 (2017-11-05)
===========================
Command Line Interface
----------------------
Fix segfault in notmuch-show crypto handling when compiled against
GMime 2.6; this was a regression in 0.25.
General
-------
Support for GMime before 3.0 is now deprecated, and will be removed in
a future release.
GMime is a C library which may be used for the creation and parsing
of messages using the Multipurpose Internet Mail Extension (MIME),
as defined by numerous IETF specifications.
GMime features an extremely robust high-performance parser designed
to be able to preserve byte-for-byte information allowing developers
to re-serialize the parsed messages back to a stream exactly as the
parser found them. It also features integrated GnuPG and S/MIME
v3.2 support.
Built on top of GObject (the object system used by the GNOME
desktop), many developers should find its API design and memory
management very familiar.
This package contains v3 of the gmime API.
(Previously if selected or not *always* `--with-tls' was accidentally passed to the
CONFIGURE_ARGS for the `tls' PKG_OPTION)
Pointed out by Joyent SmartOS bulk builds.
pkgsrc changes:
- Update MASTER_SITES (use https:// and avoid redirects)
- Delete (a bit outdated) comment about locking mechanisms
Since 02 Feb 2014 (post-1.6) the default locking mechanisms are
(directly from m4/locking.m4):
- aix*|cygwin*|linux*: fcntl
- freebsd*|*netbsd*|openbsd*|darwin*: flock
- everything else: dot
The original comment was probably about just NetBSD and maybe Solaris
(it's dated 1999). Solaris still uses the `dot' mechanisms by default
but we no longer have any local patches about locking.
- Delete (no more needed) `-O1' hack to CFLAGS
mh_strcasecmp() was completely replaced by strcasecmp() on 24 Mar 2013, and
hence present in 1.6. Forcing `-O1' for gcc is no longer needed.
- Adjust --sysconfdir CONFIGURE_ARGS per-upstream change, now the nmh
directory is created by nmh's configure so pass PKG_SYSCONFBASE instead of
PKG_SYSCONFDIR.
- Add support for the `test' phase
Add support for nmh tests. Modify patches/patch-ca accordingly in order to
adjust TEST_ENVIRONMENT to use the configuration files in $egdir instead of the
ones in $nmhetcdir.
Actually all tests are passed except an mhparam test that spots the
$egdir/$nmhetcdir kludge.
- Do not include bsd.prefs.mk two times (NFC)
- Add `oauth' PKG_OPTIONS (disabled by default) to enable OAuth2 support in
SMTP and POP auth via curl
Changes:
Release notes for nmh 1.7
=========================
Welcome to nmh, the new version of the classic MH mail handling system.
It's been over three years since the last release of nmh, and there have
been a number of significant changes since the last release. Long-time
MH and nmh users should carefully read the NOTABLE CHANGES section, as there
are some significant changes to nmh behavior. Otherwise, please see the
README and INSTALL files for help on getting started with nmh.
For news of future releases, subscribe to the low-volume
https://lists.nongnu.org/mailman/listinfo/nmh-announce
---------------
NOTABLE CHANGES
---------------
The largest notable changes in the 1.7 release are:
- Complete unification of network security support. All network protocols
(currently, POP and SMTP) have been refactored to use a common set of
security routines. This means all protocols support all SASL mechanisms
(via the Cyrus-SASL library) and TLS. TLS support has been strengthened
to perform certificate name validation and to require TLS 1.1 as a
minimum protocol. Also, all protocols can make use of the OAuth2/XOAUTH
SASL mechanism, which is supported by Gmail.
- send(1) now supports adding switches to post(8) based on the address or
domain of the email address in the From: header; this more easily allows
users to support multiple identities.
- A generic facility for passing arguments to filter programs in repl(1)
by use of the -convertargs switch.
- Native support for the manipulation of iCalendar requests; see mhical(1)
for more details.
------------
NEW FEATURES
------------
The following are new features for the 1.7 release of nmh:
- When building from source, configure will derive ${prefix} from an existing
nmh installation if it finds one in your $PATH.
- Added welcome message when nmh detects that its version changed.
- The default locations for configuration files and support binaries
have been changed. Configuration files now install into ${sysconfdir}/nmh,
and support binaries are placed in ${libexecdir}/nmh. If you are upgrading
an existing installation you should look for old configuration files in
${sysconfdir} and merge any local customizations into the new files in
${sysconfdir}/nmh, then remove the old files. ${libdir} will also contain
obsolete support programs that should be removed.
- All TLS connections now perform certificate validation (including hostname
matching) by default; can be disabled on a per-application basis.
- post now defaults to port 587 on 'smtp' message submission.
- A value of 0 for the width switch of scan(1), inc(1), ap(1), dp(1),
fmttest(1), and mhl(1) now means as many characters as the format
engine can produce [Bug #15274]. That amount is limited by internal
buffers.
- If a component has trailing whitespace, e.g., body:component="> ",
mhl now trims that whitespace off when filtering blank text lines.
- An "rtrim" flag has been added to mhl to remove any trailing
whitespace from filtered text lines. A corresponding "nortrim" flag
has also been added.
- Added getmymbox and getmyaddr mh-format(5) function escapes.
- New -[no]changecur, -fixtype, -decodetypes, and -[no]crlflinebreaks switches
have been added to mhfixmsg(1).
- mhfixmsg now removes an extraneous trailing semicolon from header
parameter lists.
- Added -convertargs switch to repl(1), to pass arguments to programs
specified in the user's profile or mhn.defaults to convert message
content.
- Added mhical(1), to display, reply to, and cancel iCalendar (RFC 5545)
event requests.
- Added multiply mh-format(5) function.
- "mhparam bindir" prints the path to the directory containing the public
executables (${bindir}).
- New "-prefer" switch for mhshow (and mhlist and mhshow), to allow specifying
the preferred content types to show, if present in a multipart alternative.
- mh-format now has %(kilo) and %(kibi) functions, to allow printing
numbers with SI or IEC quantities, e.g. "10K", "2.3Mi".
- Support for the -sendmail flag to send/post to change the sendmail
binary when using the sendmail/pipe MTS.
- Added support to send(1) to specify switches to post(1) based on address or
domain name in From: header line in message draft.
- post(8) -snoop now attempts to decode base64-encoded SMTP traffic.
- folder(1) -nocreate now prints a warning message for a non-existent folder.
- mhfixmsg(1) now allows -decodetext binary, though 8bit is still the default.
- inc(1) and msgchk(1) now support TLS encryption natively.
- All network protocols support the XOAUTH authentication mechanism.
- Support for SMTPUTF8 (RFC 6531) has been added. mhshow(1) already supported
RFC 6532, assuming all 8-bit message header field bodies are UTF-8 and use
of a UTF-8 locale.
- mhfixmsg now replaces RFC 2047 encoding with RFC 2231 encoding of name and
filename parameters in Content-Type and Content-Disposition headers,
respectively.
- If a message body contains 8-bit bytes, post(8) uses SMTP 8BITMIME if the
server supports it. If not, post fails with a message to the user to
encode the message for 7-bit transport.
- Fewer lseek(2)s will be used when reading headers in the common case.
- ./configure's --enable-debug has been removed; it did nothing.
- configure now defaults to enabling each of TLS and Cyrus SASL if the
necessary headers and libraries are found.
- Moved build_nmh to top-level directory.
- Better error reporting for connections to network services.
---------
BUG FIXES
---------
- The format scanner no longer subtracts 1 from the width. This has the
effect of no longer counting the trailing newline in the output of
scan(1), inc(1), and the other programs that rely on the format scanner.
- The first character of some very short (less than 4 characters) message
bodies is no longer dropped.
- Single-character headers can be reliably formatted, etc., instead of
apparently being missing.
- mhfixmsg now adds a Content-Transfer-Encoding header at the message level,
if needed after decoding text parts.
- mhbuild now checks whether all text parts need a Content-Transfer-Encoding
header, not just those with a character set not specified.
- mhbuild no longer parses lines that start with # as directives with
-nodirectives.
- repl now makes sure that any Fcc header in a replied-to message is not
copied into the outgoing draft by default, and that the -fcc switch
actually works in the absence of a Fcc header in the replied-to message.
- A Content-ID is generated for message/external-body entities as required
by RFC 2045, even if -nocontentid is supplied to mhbuild.
- post will now expand aliases on a "From" line when doing a BCC [Bug #51098].
- scan can now handle empty files without violating an assert [Bug #51693].
- An error when writing an error message, e.g. EPIPE, no longer causes
recursion until the stack is exhausted.
-------------------
DEPRECATED FEATURES
-------------------
- Support for the MHPDEBUG environment variable is deprecated and will be
removed from a future nmh release. Instead, use the -debug switch to pick.
- With the move of support binaries from ${libdir} to ${libexecdir}/nmh, the
mostly undocumented 'libdir' mhparam(1) component has been replaced by a
new 'libexecdir' component. 'libdir' will be removed in a future release.
-----------------
OBSOLETE FEATURES
-----------------
- The undocumented -queue switch to post was deprecated in nmh 1.6, and was
removed in this release.
- conflict(8) was deprecated in nmh 1.6, and was removed in this release.
- mhtest(8) was deprecated in nmh 1.6, and was removed in this release.
- msh(1) was deprecated in nmh 1.6, and was removed in this release.
- Support in alias files for the "*" address-group (everyone) was
deprecated in nmh 1.6, and was removed in this release.
- Support for multiple hostnames in the "servers" entry of mts.conf has
been removed.
- Support in alias files for expanding aliases based on group membership
(=) and primary group (+) has been removed.
As always, feedback is welcome.
Changelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows restoring the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks through the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the addressbar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
neomutt is now called 'neomutt' instead of 'mutt'. Remove conflict
with mutt.
2017-10-27 Richard Russon <rich@flatcap.org>
* Bug Fixes
- variable type when using fread
- prevent timezone overflow
- tags: Show fake header for all backends
- notmuch: virtual-mailboxes should accept a limit
- Issue 888: Fix imap mailbox flag logging
- fix actions on tagged messages
- call the folder-hook before saving to $record
- Fix smart wrap in pager without breaking header
- Add polling for the IDLE command
* Docs
- imap/notmuch tags: Add some documentation
- English and other cleanups
- compressed and nntp features are now always built
* Website
- Update Arch instructions
* Build
- Fix update-po
- Fix neomutt.pot location, remove from git
- Allow to specify --docdir at configure time
- Generate neomuttrc even if configured with --disable-doc
- Let autosetup define PWD, do not unnecessarily try to create hcache dir
- Use bundled wcscasecmp if an implementation is not found in libc
- Use host compiler to build the documentation
- Update autosetup to latest master branch
- autosetup: delete makedoc on 'make clean'
- Fixes for endianness detection
- Update autosetup to latest master branch
- Do not use CPPFLAGS / CFLAGS together with CC_FOR_BUILD
- --enable-everything includes lua
- autosetup: check for sys_siglist[]
* Code
- move functions to library
- lib: move MIN/MAX macros
- simplify null checks
- kill preproc expansion laziness
- reduce scope of variables
- merge: minor code cleanups
- split up 'if' statements that assign and test
- Refactor: Remove unused return type
- Bool: change functions in mx.h
- bool: convert function parameters in nntp.h
- add extra checks to mutt_pattern_exec()
- Use safe_calloc to initialize memory, simplify size_t overflow check
- Move mutt_rename_file to lib/file.[hc]
- doxygen: fix a few warnings
- minor code fixes
- use mutt_array_size()
- refactor out O_NOFOLLOW
- initialise variables
- lib: move List and Queue into library
- url: make notmuch query string parser generic
- Wrap dirname(3) inside a mutt_dirname() function
2017-10-13 Richard Russon <rich@flatcap.org>
* Bug Fixes
- crash using uncolor
- Sort the folders list when browsing an IMAP server
- Prefer a helpful error message over a BEEP
* Build
- Do not fail if deflate is not in libz
- Support EXTRA_CFLAGS and EXTRA_LDFLAGS, kill unused variable
2017-10-06 Richard Russon <rich@flatcap.org>
* Features
- Add IMAP keywords support
* Bug Fixes
- set mbox_type
- %{fmt} date format
- Fix off-by-one buffer overflow in add_index_color
- crash in mbox_to_udomain
- crash in mutt_substrdup
- crash looking up mime body type
- digest_collapse was broken
- crash using notmuch expando with imap
- imap: Fix mx.mbox leak in imap_get_parent_path
- overflow in mutt_mktime()
- add more range-checking on dates/times
- Remove spurious error message
- Unsubscribe after deleting an imap folder
- Do not pop from MuttrcStack what wasn't pushed
* Docs
- replace mutt refs with neomutt
- drop old vim syntax file
* Code
- convert functions to use 'bool'
- convert structs to use STAILQ
* Build
- Autosetup-based configuration
- drop upstream mutt references
- rename everything 'mutt' to 'neomutt'
- move helper programs to lib dir
- rename regexp to regex
- expand buffers to avoid gcc7 warnings
* Upstream
- Remove \Seen flag setting for imap trash
- Change imap copy/save and trash to sync flags, excluding deleted
- Improve imap fetch handler to accept an initial UID
- Display an error message when delete mailbox fails
- Updated French translation
- Fix imap sync segfault due to inactive headers during an expunge
- Close the imap socket for the selected mailbox on error
- Add missing IMAP_CMD_POLL flag in imap buffy check
- Change maildir and mh check_mailbox to use dynamic sized hash
- Fix uses of context->changed as a counter
- Make cmd_parse_fetch() more precise about setting reopen/check flags
- Enable $reply_self for group-reply, even with $metoo unset
Security fix for CVE-2017-16651.
RELEASE 1.2.7
-------------
- Fix rewind(): stream does not support seeking (#5950)
- Fix bug where HTML messages could have been rendered empty on some systems
(#5957)
- Fix (again) bug where image data URIs in css style were treated as
evil/remote in mail preview (#5580)
- Managesieve: Fix parsing dot-stuffed lines in multiline text (#5838, #5959)
- Fix file disclosure vulnerability caused by insufficient input validation
[CVE-2017-16651] (#6026)
- Added support for TLS anonymous authentication.
Thanks Uffe Jakobsen.
- Fixed sendmail wrapper handling of empty sender on command line.
Thanks Sebastian Wiedenroth.
- Fixed handling of quoted strings in the "remotes" file.
Thanks Mihai Moldovan.
- Fixed nullmailer-inject handling of leading "From " lines.
- Some build fixes.
- Fixed bogus temporary gethostbyname error message when the protocol
source address was incorrect.
- Fixed potential race condition in tests.
Thanks Felix Lechner.
- Fixed handling of time values on 32-bit big-endian systems.
Thanks Felix Lechner.
- Added support to nullmailer-send to move permanently failing messages
out of the queue, and to generate bounce messages.
- Added support for IPv6.
- Added program to generate bounce/delay messages.
- Added an "allmailfrom" control file to nullmailer-queue, causing all
messages to share a hard-coded envelope sender.
- Added logging the message sender/recipient in nullmailer-send.
- Improved handling of system errors when reading config files.
- Secured handling of password options for protocol modules.
- Support standard shell quoting for options in the "remotes" file.
- Added protocol option to set a separate TLS client private key file.
- Added protocol option to bind the source address on connections.
- Fixed nullmailer-inject to report errors to stderr.
- Fixed gnutls cast to pointer from integer of different size warning.
- Fixed nullmailer-inject and -queue to handle the null (empty) sender
address. Needed for RFC 3798 (Message Disposition Notification).
- Moved spool directory to /var/spool/nullmailer like other MTAs.
2.2.33.2:
- doveadm: Fix crash in proxying (or dsync replication) if remote is
running older than v2.2.33
- auth: Fix memory leak in %{ldap_dn}
- dict-sql: Fix data types to work correctly with Cassandra
Changes in 2.4.19:
* Complete backport of the new (2.5 and later) IMAP IDLE implementation
(thanks Thomas Jarosh). This fixes a bunch of bugs and race conditions
that were inherent to the older implementation
* New option "imapidletimeout" overrides "timeout" specifically for
connections in IDLE state
* OpenSSL 1.1.0 is now supported
* Fixed: imap ENABLED doesn't print * ENABLED when nothing new enabled
* Fixed: mailbox lock management over rename (thanks Thomas Jarosh)
* Fixed: added overflow protection to urlfetch range checks
* Fixed: lmtpd can now deliver when mupdate server isn't available
(thanks Michael Menge)
* Fixed task 227: service processes no longer divide by zero when
invoked with -T 0 argument (thanks Ian Batten and Jens Erat)
* Fixed task 229: ctl_cyrusdb now uses database paths from imapd.conf
(thanks Simon Matter)
* Fixed bug #3862: mailbox database changes now rolled back on mupdate
failure during rename (thanks Michael Menge)
* Fixed: XFER to 2.5 and later no longer downgrades index to oldest version
* Fixed: nonsensical "TEXT.MIME" section now handled as "HEADER"
* Fixed: added missing 'auditlog: ' prefix to backend connections
(thanks Wolfgang Breyha)
* Fixed: IMAP SEARCH crash on some platforms
* Fixed: memory leaks in IMAP SEARCH and IMAP APPEND
* Fixed Issue #1967: EXISTS count reported earlier if fetching past size
of previous message set
Changes in 2.4.20:
* Fixed: lmtpd crash
* Fixed: auth_pts will now error if its configured socket path is too
long for its buffer
[An on-line version of this announcement will be available at
http://www.postfix.org/announcements/postfix-3.2.3.html]
This announcement concerns fixes for problems that were introduced
with Postfix 3.2. Older releases are unaffected.
Fixed in Postfix 3.2 and later:
* Extension propagation was broken with "recipient_delimiter = .".
This change reverts a change that was trying to be too clever.
* The postqueue command would abort with a panic message after it
experienced an output write error while listing the mail queue.
This change restores a write error check that was lost with the
Postfix 3.2 rewrite of the vbuf_print formatter.
* Restored sanity checks for dynamically-specified width and precision
in format strings (%*, %.*, and %*.*). These checks were lost with
the Postfix 3.2 rewrite of the vbuf_print formatter.
v0.4.21:
* redirect action: Always set the X-Sieve-Redirected-From header to
sieve_user_email if configured. Before, it would use the envelope recipient
instead if available, which makes no sense if the primary e-mail address is
available.
+ vacation extension: Allow ignoring the envelope sender while composing the
"To:" header for the reply. Normally, the "To:" header is composed from
the address found in the "Sender", "Resent-From" or "From" headers that is
equal to the envelope sender. If none is then found, the bare envelope
sender is used. This change adds a new setting
"sieve_vacation_to_header_ignore_envelope". With this setting enabled, the
"To:" header is always composed from those headers in the source message.
The new setting thus allows ignoring the envelope, which is useful e.g.
when SRS is used.
+ vacation extension: Compose the "To:" header from the full sender address
found in the first "Sender:", "From:" or "Resent-From:" header. Before, it
would create a "To:" header without a phrase part. The new behavior is
nicer, since the reply will be addressed to the sender by name if possible.
- LDA Sieve plugin: Fixed sequential execution of LDAP-based scripts. A
missing LDAP-based script could cause the script sequence to exit earlier.
- sieve-filter: Removed the (now) duplicate utf8 to mutf7 mailbox name
conversion. This caused problems with mailbox names containing UTF-8
characters. The Dovecot API was changed years ago, but apparently
sieve-filter was never updated.
v2.2.33.1:
- dovecot-lda was logging to stderr instead of to the log file.
v2.2.33:
* doveadm director commands wait for the changes to be visible in the
whole ring before they return. This is especially useful in testing.
* Environments listed in import_environment setting are now set or
preserved when executing standalone commands (e.g. doveadm)
+ doveadm proxy: Support proxying logs. Previously the logs were
visible only in the backend's logs.
+ Added %{if}, see https://wiki2.dovecot.org/Variables#Conditionals
+ Added a new notify_status plugin, which can be used to update dict
with current status of a mailbox when it changes. See
https://wiki2.dovecot.org/Plugins/NotifyStatus
+ Mailbox list index can be disabled for a namespace by appending
":LISTINDEX=" to location setting.
+ dsync/imapc: Added dsync_hashed_headers setting to specify which
headers are used to match emails.
+ pop3-migration: Add pop3_migration_ignore_extra_uidls=yes to ignore
mails that are visible in POP3 but not IMAP. This could happen if
new mails were delivered during the migration run.
+ pop3-migration: Further improvements to help with Zimbra
+ pop3-migration: Cache POP3 UIDLs in imapc's dovecot.index.cache
if indexes are enabled. These are used to optimize incremental syncs.
+ cassandra, dict-sql: Use prepared statements if protocol version>3.
+ auth: Added %{ldap_dn} variable for passdb/userdb ldap
- acl: The "create" (k) permission in global acl-file was sometimes
ignored, allowing users to create mailboxes when they shouldn't have.
- sdbox: Mails were always opened when expunging, unless
mail_attachment_fs was explicitly set to empty.
- lmtp/doveadm proxy: hostip passdb field was ignored, which caused
unnecessary DNS lookups if host field wasn't an IP
- lmtp proxy: Fix crash when receiving unexpected reply in RCPT TO
- quota_clone: Update also when quota is unlimited (broken in v2.2.31)
- mbox, zlib: Fix assert-crash when accessing compressed mbox
- doveadm director kick -f parameter didn't work
- doveadm director flush <host> resulted in flushing all hosts, if <host>
wasn't an IP address.
- director: Various fixes to handling backend/director changes at
abnormal times, especially while ring was unsynced. These could have
resulted in crashes, non-optimal behavior or ignoring some of the
changes.
- director: Use less CPU in imap-login processes when moving/kicking
many users.
- lmtp: Session IDs were duplicated/confusing with multiple RCPT TOs
when lmtp_rcpt_check_quota=yes
- doveadm sync -1 fails when local mailboxes exist that do not exist
remotely. This commonly happened when lazy_expunge mailbox was
autocreated when incremental sync expunged mails.
- pop3: rawlog_dir setting didn't work
1.0.1:
+ Extended experimental support for ARC results
1.0.0:
+ Added initial experimental support for ARC results
+ Switch to semantic versioning scheme and only set version in setup.py and
__init__
1.1:
Drop support for Python 3.4.
As per RFC 5321, §4.1.4, multiple HELO / EHLO commands in the same session are semantically equivalent to RSET.
As per RFC 5321, §4.1.1.9, NOOP takes an optional argument, which is ignored. API BREAK: If you have a handler that implements handle_NOOP(), it previously took zero arguments but now requires a single argument.
The command line options --version / -v have been added to print the package’s current version number.
General improvements in the Controller class.
When aiosmtpd handles a STARTTLS it must arrange for the original transport to be closed when the wrapped transport is closed. This fixes a hidden exception which occurs when an EOF is received on the original transport after the connection is lost.
Widen the catch of ConnectionResetError and CancelledError to also catch such errors from handler methods.
Added a manpage for the aiosmtpd command line script.
Added much better support for the HELP. There’s a new decorator called @syntax() which you can use in derived classes to decorate smtp_*() methods. These then show up in HELP responses. This also fixes HELP responses for the LMTP subclass.
The Controller class now takes an optional keyword argument ssl_context which is passed directly to the asyncio create_server() call.
Features:
- Limits rate of automatic responses (defaults to a maximum of one
message every hour).
- Will not respond to nearly every type of mailing list or bulk email.
- Will not respond to bounce messages or MAILER-DAEMON.
- Bounces looping messages.
- Can insert the original subject into the response.
- Can copy original message into response.
- Can use links in the rate-limiting data directory to limit inode usage
to a single inode.
- Can limit responses to a certain date/time range.
Changes since version 1.9.0:
This is a bug fix release, coming shortly after the last release due to
a possible segfault fix with IMAP. There are also fixes for the trash
folder, imap_poll_timeout, and GMail flags notifications.
version 0.97: Thu 2 Feb 15:52:27 CET 2017
Improvements:
- spell checks from Debian.
rt.cpan.org#118328 [Angel Abad]
- share podtail with MailBox
version 0.96: Mon Sep 19 23:15:07 CEST 2016
Fixes:
- include examples in the manual-pages
version 0.95:
Improvements:
- move t/99pod.t to xt/ and remove dependency on Test::Pod
- spell checks from Debian.
rt.cpan.org#92483 [Salvatore Bonaccorso]
0.13 Mon Jan 4 11:44:52 CET 2016
-fix: Escape braces in regexp / Debian bug#809102 / CPAN bug #110664
Unescaped braces in regexp are deprecated and issue a warning when used in Perl 5.22.
-fix: typo CPAN bug #110668 Debian
--- 1.999.1 (2006-02-26 18:00)
Mail::SPF::Query:
* Do not use \p{} named properties in the "a" and "mx" mechanisms' argument
validation code, since Perl 5.6 requires (flaky) "use utf8" for them to
work, and [a-z]/[a-z0-9] should work just as well (closes rt.cpan.org bug
#17815).
* Some minor documentation formatting improvements.
Debian:
+ Added watch file.
0.80 2017-08-20 NEILB
- NEILB got co-maint to do a release that includes META.yml and META.json.
- Switched to Dist::Zilla.
- Added COPYRIGHT section to pod.
- Fixed the NAME section in pod to follow expected format.
- Added "use warnings" and fixed all the warnings.
- Manually set $VERSION, as it's used in the code
0.79_16 2006-07-08 MIVKOVIC
- experimental SMTP AUTH support (LOGIN PLAIN CRAM-MD5 DIGEST-MD5)
- Fix bug where one refused RCPT TO: would abort everything
- send EHLO, and parse response (for later AUTH implementation)
- better handling of multi-line responses, and better error-messages
- Also normalize line endings in headers
- Now keeps the Sender header if it was used. Previous versions
only used it for the MAIL FROM: command and deleted it.
- No space between "MAIL FROM:" or "RCPT TO:" and address.
version 3.003: Thu 29 Jun 15:18:15 CEST 2017
Fixes:
- change license back to "perl" after accidental change
rt.cpan.org#120319 [Jitka Plesnikova]
version 3.002: Fri 31 Mar 14:22:17 CEST 2017
Fixes:
- repair test on Windows again :(
- error while global destruction of locker
- show installed version of POP3, not POP4 (of course)
rt.cpan.org#120651 [Kent Fredric]
version 3.001: Mon 6 Feb 17:07:53 CET 2017
Fixes:
- test on windows, cause the path syntax differences
- posix lock on BSD [Slaven Rezic]
- SEE ALSO links broken.
rt.cpan.org#120119 [Christophe Deroulers]
- do not test multi-lock on BSDs
Improvements:
- Mail::Box::Locker* cleaner OO
- ::Locker::Multi uses FcntlLock, not POSIX by default
version 3.000: Thu 2 Feb 15:50:36 CET 2017
Changes:
- split Mail::Box 2* into separate distributions:
Mail::Box basic and simple mail folders
Mail::Message only message handling
Mail::Transport sending messages
Mail::Box::IMAP4 net-imap folders
Mail::Box::POP3 pop3(s) folders
Mail::Box::Dbx Outlook express folders (unpublished)
- simplify structure of tests
- do not ask questions during installation
- shared footer
1.946 2017-08-31 09:29:41-04:00 America/New_York
- propagate encode_check to subparts (thanks, Michael McClimon)
- use the new parse_content_disposition function in
Email::MIME::ContentType (thanks, Pali Rohár)
- fix a bug in AddressList handling (thanks, Pali Rohár)
This module implements an RFC 2822 parser and formatter of email
addresses and groups. It parses an input string from email headers
which contain a list of email addresses or groups of email addresses
(like From, To, Cc, Bcc, Reply-To, Sender, ...). It can also generate
a string value for those headers from a list of email address
objects.
Parser and formatter functionality is implemented in XS and uses
shared code from Dovecot IMAP server.