* nearly 10 years forgotten to replace @x11prefix@ with @PREFIX@ in patch-at.
and no need to restrict to BSDs only in pkgsrc.
* regen patches with recent mkpatches(1).
* use SUBST to replace PREFIX.
* add user-destdir installation.
Bump PKGREVISION.
Mail::SPF is an object-oriented Perl implementation of the Sender Policy
Framework (SPF) e-mail sender authentication system.
See <http://www.openspf.org> for more information about SPF.
Postfix stable release 2.8.0 is available. This release continues the
move towards improving code and documentation, and making the system
better prepared for changes in the threat environment.
The postscreen daemon (a zombie blocker in front of Postfix) is now
included with the stable release. postscreen now supports TLS and can
log the rejected sender, recipient and helo information. See the
POSTSCREEN_README file for recommended usage scenarios.
Support for DNS whitelisting (permit_rhswl_client), and for pattern
matching to filter the responses from DNS white/blacklist servers
(e.g., reject_rhsbl_client zen.spamhaus.org=127.0.0.[1..10]).
Improved message tracking across SMTP-based content filters; the
after-filter SMTP server can log the before-filter queue ID (the
XCLIENT protocol was extended).
Read-only support for sqlite databases. See sqlite_table(5) and
SQLITE_README.
Support for 'footers' that are appended to SMTP server "reject"
responses. See "smtpd_reject_footer" in the postconf(5) manpage.
This update was tested by Takahiro Kambe.
Fix bug #SF2903325: Clean up numerous signed vs. unsigned warnings.
Fix bug #SF3095782: When VBR is enabled, only perform a query when
the "md" domain in the VBR-Info header field matches the
"d" field for any valid signature.
Fix bug #SF3105993: Better handling of missing records in Lua DB
lookups.
When reading keys, ensure what's being read is a regular file and
not something else.
Complain if TrustAnchorFile names something that can't be opened
for reading.
LIBOPENDKIM: Don't complain about multiple records returned if one
of them was an RRSIG.
LIBAR: Rework some I/O logic to avoid a deadlock when the nameserver
becomes unresponsive during response processing.
BUILD: Move all scripts and executables except opendkim to a bin
directory for adminstrator convenience. They were previously in
the sbin directory.
BUILD: Fix bug #SF3101842: Fix opendkim-genzone build when OpenDBX
is in use.
BUILD: opendkim-testkey can require SASL build information when used
with OpenLDAP, or Lua information when built with Lua.
BUILD: Dissociate libopendkim and libunbound, as this is now handled
through the application rather than the library.
BUILD: Convert to using git for source code management.
STATS: Additional reporting improvements.
STATS: Fix bug #SF3107659: Add additional diagnostic output to
opendkim-importstats when malformed input is found.
TOOLS: Handle input generated with and without the _FFR_STATS_I
extensions.
2.2.1 2010/10/25
Avoid assertion failures when using "-V" and arlib.
Fix "refile" loading.
Fix collision between "ReputationRoot" and "StatisticsName" in the
configuration file.
Convert sender's domain name to lowercase prior to doing any database
queries with it. This was done before, but lost during the
database overhaul in 1.2.0.
Fix up Authentication-Results header field generation for VBR.
Reported by Fredrik Pettai.
Add _FFR_STATS_I enabling statistics reporting of "i=" signature
properties.
LIBOPENDKIM: Fix bug #SF3081964: dkim.h requires <sys/time.h>.
LIBOPENDKIM: Fix bug #SF3087251: Use thread-safe resolver functions
when avaialble.
LIBOPENDKIM: Cancel completed reputation queries.
LIBOPENDKIM: Simplify DKIM_OPTS_ALWAYSHDRS handling.
LIBAR: Fix bug #SF3080720: Don't compute timeouts based on completed
or dead queries.
LIBVBR: Fix some pointer errors causing false negatives.
TOOLS: Write "v=" tags in key records output by opendkim-genzone.
2.2.0 2010/10/03
Feature request #SF2874043: Add _FFR_ADSP_LISTS allowing control over
action taken when mail is sent to known lists from
ADSP "discardable" sources.
Feature request #SF2964366: Allow arbitrary data set operations
from inside Lua script hooks.
Feature request #SF2981598: Add "NoHeaderB" and "SingleAuthResult"
settings so that only one Authentication-Results header field
is added, and reduce its variability.
Feature request #SF3013084: Add "DomainKeysCompat" setting.
Feature request #SF3017358: Allow a token in the KeyTable that gets
replaced with the sender's domain name.
Feature request #SF3019876: Enable registration and use of generic
DNS functions.
Feature request #SF3021566: Change "ADSPDiscard" to "ADSPAction",
allowing selection of what action to take when a message is
determined by ADSP to be "discardable".
Feature request #SF3023232: Allow selection of a signer (for the
signature's "i=" tag) when calling odkim.sign() or via an
optional second parameter in the SigningTable.
Feature request #SF3024854: Always log a warning if a key file
has unsafe group/other read/write bits set. Further, if the
new "RequireSafeKeys" setting is true, refuse to use the data.
Feature request #SF3030548: Add _FFR_DEFAULT_SENDER, adding the
"DefaultSender" setting.
Feature request #SF3049483: Use ReportAddress for ADSP Reports and for
the sender envelope address.
Feature request #SF3056571: Extend signer selection in the SigningTable
to include a token that will be replaced by the From:
domain.
Feature request #SF3062077: Allow the specification of additional
recipients when delivering DKIM/ADSP failure reports through
a new ReportBccAddress configuration option.
Fix bug #SF3004995: Don't apply "SenderHeaders" to the library
as that impacts how ADSP works.
Fix bug #SF3025856: Fix "AllowSHA1Only", which was not working at all.
Fix bug #SF3037504: Rework database schema and tools to meet revised
reporting requirements.
Fix bug #SF3051536: Allow disabling of reputation queries.
Fix bug #SF3058204: Fix numerous possible double-free() incidents in
dkimf_config_free().
Fix PeerList to work with IPv6 addresses.
Fix loop boundary check in dkimf_db_close().
Fix assertion failure in dkimf_db_get() when used with a "match both"
operation.
Fix "LocalADSP", which was not working at all.
Fix some Lua test mode logic and a build issue that prevented
"ScreenPolicyScript" from working.
Added MTACommand for overriding default (mainly for testing).
Ignore "Domain" and "Selector" settings if "KeyTable" is set.
Add "On-PolicyError" to configuration tables.
Don't automatically temp-fail messages bearing signatures that
reference revoked keys.
Some fixes to the "final" Lua script self-test code.
Include libmilter version in "-V" output.
Single-thread DB queries done via OpenDBX handles as they can't be
used to do parallel queries.
Attempt to reconnect after SQL disconnections.
Revise text/plain portion of policy reports.
Fix up DSN parsing so that it is not needlessly restrictive.
Add _FFR_STATSEXT: Allows arbitrary local extensions to statistics
gathering via a fourth Lua script that can cause the
generation of additional SQL insertion operations.
LIBOPENDKIM: Feature request #SF3026287: Add dkim_getuser() function.
LIBOPENDKIM: Feature request #SF3065035: Apply library query
configuration to ADSP lookups as well, mainly to support
auotmated testing.
LIBOPENDKIM: Fix bug #SF3071368: Fix tiny memory leak in dkim_init().
LIBOPENDKIM: Fix bug #SF3051762: Don't error out of dkim_get_key()
when in test mode by testing signature-specific features when
against dummy data.
LIBOPENDKIM: Don't build against pthread libraries if not needed.
LIBOPENDKIM: Add dkim_get_signer(), dkim_policy_state_new() and
dkim_policy_state_free().
LIBOPENDKIM: Don't assert a "g=" default when processing keys so that
statistics reporting can tell whether or not it was originally
there.
LIBOPENDKIM: Minor fix to internal state machine when dealing with
unsigned messages.
LIBOPENDKIM: Rename DKIM_PRESULT_AUTHOR to DKIM_PRESULT_FOUND.
LIBOPENDKIM: Improved error reporting from dkim_ohdrs().
LIBOPENDKIM: Improved re-entrancy of dkim_eoh_verify().
LIBOPENDKIM: Undefine DKIM_FEATURE_ASYNC_DNS (obsolete).
MILTERTEST: Feature request #SF3005002: Enable testing of
"unspecified" protocol family connections.
MILTERTEST: Add "-u" option to report resource usage statistics on
completion.
MILTERTEST: Add mt.signal() to allow signaling of filters for things
like configuration file reloads.
MILTERTEST: Enhance mt.connect() to accept optional retry and interval
arguments.
MILTERTEST: Add "-w" option to request no waiting for the child process
to exit and report status.
MILTERTEST: Allow partial seconds argument to mt.sleep().
TOOLS: Feature request #SF3004335: Add support to opendkim-testkey
to get configuration file values and validate an entire
KeyTable.
TOOLS: Update opendkim-genkeys script to support
draft-ietf-marf-dkim-reporting.
TOOLS: Flip logic of "-a" flag to opendkim-stats.
TOOLS: Fix bug #SF3037452: Change owner/group/mode of stats database
when resetting it to whatever the replaced file had.
CONTRIB: Add opendkim-reportstats, contributed by John Wood.
BUILD: Fix --with-db.
Activate _FFR_ZTAGS.
This update release fixes some bugs discovered with the 0.5 stable version and
also improves security by preventing some possible CSRF attacks. IDNA support
has now been improved and some visual glitches in IE and Safari have been
resolved.
== [release-1-6-5] 1.6.5: 2011-01-26
A bug fix release of 1.6.4.
=== milter manager
==== Fixes
* Fixed a bug that "Sendmail Compatible" applicable
condition doesn't set applicable if_addr and id_name
macro value.
[Patch by Kenji Shiono]
* Fixed a crash bug that may be caused SMTP client
disconnection is detected.
[Reported by Kenji Shiono]
=== milter-manager-log-analyzer
==== Improvements
* Supported parsing Authentication-Results added by ENMA.
=== Ruby milter
==== Improvements
* Supported effective user and group change.
=== Thanks
* Kenji Shiono
Changed read_file() to return the number of usable lines read, instead of the
total number of lines (including comments and whitespace).
Fixed a huge thinko in many calls to read_file() -- when the function returns
0, the returned value is NULL. This was causing spamdyke to crash when no
content was read from files by "dns-blacklist-file", "dns-whitelist-file",
"rhs-blacklist-file", "rhs-whitelist-file" and "hostname-file". Thanks
to David Stiller for reporting this one and providing a lot of help in
tracking it down.
Added the option "tls-cipher-list" for specifying the list of ciphers to use
in SSL/TLS connections. This won't be an option many people will ever use,
but in specific setups it is required. Thanks to Chris Boulton for
suggesting this one and producing a patch to implement it.
Added a new value to "tls-level": "smtp-no-passthrough" to allow spamdyke to
offer TLS but prevent it from passing TLS through to qmail if the SSL
library cannot be initialized for some reason.
Fixed a bug in smtp_filter that allowed open relaying when spamdyke was
configured with "local-domains-entry" instead of "local-domains-file".
Moved code from do_spamdyke() that set stdin and stdout sockets to
non-blocking into tls_read() and tls_write() instead. Setting the sockets
to non-blocking through the entire run was causing some strange behavior
where logging would stop after a series of large inputs.
Refactored the address parser (yet again) to fix a bug that wasn't handling
routing addresses properly. Thanks to Chris Boulton for reporting this one.
Fixed process_config_file() to not reset a "multiple" value to default if it
was deliberately cleared during configuration.
Fixed prepare_settings() to initialize all default values before processing
the command line or configuration files so a "multiple" value can be cleared
during configuration.
Fixed configure.ac to use a gcc #pragma command to treat format warnings as
errors instead of relying on AC_LANG_WERROR (which doesn't always work).
Added the options "dns-query-type-a", "dns-query-type-mx",
"dns-query-type-ptr" and "dns-query-type-rbl" to limit the types of DNS
queries that can be sent for different purposes. Thanks to Teodor Milkov
for suggesting this one.
Fixed a bug that caused a timeout whenever a post-RCPT filter is triggered
on a non-local address. spamdyke is supposed to close the connection to
qmail and wait for its exit, but instead was just waiting for its exit,
leading to unnecessary timeouts. Thanks to Ulrich C. Manns for reporting
this one.
Fixed a typo in policy.php.example. Thanks to Richard Lamse for reporting
this one.
Fixed compiler warnings on Fedora 11. Thanks to Ertan Orhan for reporting
this one.
Fixed a bug in sendrecv where an uninitialized variable was causing erroneous
stalls and timeouts in CentOS 5.5.
Changelog:
Version 1.4.23:
- Fix SCRAM-SHA-1 authentication via libgsasl. Reported and analyzed by
Steffen Lehmann for mpop.
Version 1.4.22:
- Update gnulib to 2010-12-23.
- Avoid different account selection behaviour in --pretend mode, and print more
informational messages about account selection in --pretend and --debug mode.
Suggested by Adam Spiers.
- Add a new passwordeval command and --passwordeval option, to set the password
from the output of a command. Written by Martin Stenberg.
- A few documentation improvements, suggested by Andries E. Brouwer.
default in mk/defaults/mk.conf
remove the non-shared defaults and put in the setting that actually gets
used by more than one package (namely, MAJORDOMO_HOMEDIR)
don't make the majordom user own more than it actually needs to
make resend, archive, request-answer and medit honor the MAJORDOMO_CF
environment variable over the command line option, so that someone calling
these via the wrapper (which sets the environment variable) can't make
the majordom user execute random perl code by specifying it as config file.
Thanks to salo for finding this issue.
== Wed 26 Jan 2011 02:23:09 UTC Mikel Lindsaar <mikel@rubyx.com>
* Update addresses passed into sendmail to escape them (Andy Lindeman)
* Version bump to 2.2.15 and gem release
2.70 (2010-12-21)
* Improved handling of given feed email addresses to prevent mail
servers rejecting poorly formed Froms
* Added X-RSS-TAGS header that lists any tags provided by an entry,
which will be helpful in filtering incoming messages
2.69 (2010-11-12)
* Added support for connecting to SMTP server via SSL, see SMTP_SSL option
* Improved backwards compatibility by fixing issue with listing
feeds when run with older Python versions
* Added selective feed email overrides through OVERRIDE_EMAIL and
DEFAULT_EMAIL options
* Added NO_FRIENDLY_NAME to from from address only without the friendly name
* Added X-RSS-URL header in each message with the link to the original item
2.68 (2010-10-01)
* Added ability to pause/resume checking of individual feeds through
pause and unpause commands
* Added ability to import and export OPML feed lists through
importopml and exportopml commands
2.67 (2010-09-21)
* Fixed entries that include an id which is blank (i.e., an empty
string) were being resent
* Fixed some entries not being sent by email because they had bad From headers
* Fixed From headers with HTML entities encoded twice
* Compatibility changes to support most recent development versions
of feedparser
* Compatibility changes to support Google Reader feeds
2.66 (2009-12-21)
* Complete packaging of all necessary source files (rss2email,
html2text, feedparser, r2e, etc.) into one bundle
* Included a more complete config.py with all options
* Default to HTML mail and CSS results
* Added 'reset' command to erase history of already seen entries
* Changed project email and homepage
* Made exception and error output text more useful
* Added X-RSS-Feed and X-RSS-ID headers to each email for easier filtering
* Improved enclosure handling
* Fixed MacOS compatibility issues
== [release-1-6-4] 1.6.4: 2011-01-21
A bug fix release of 1.6.3.
=== milter-client
==== Fixes
* Used event loop usage as before when event loop backend
is GLib.
== [release-1-6-3] 1.6.3: 2011-01-20
A performance improvement release. This release includes
a few performance improvement features but they are marked
'experimental'. They will be 'stable' feature in 1.8.0.
=== milter manager
==== Improvements
* Upgraded bundled Ruby/GLib2 to 0.90.5 from 0.19.4.
* Supported Ruby 1.9.2.
* Added
((<manager.fallback_status|configuration.rd.ja#manager.fallback_status>))
that specifies a status returned to SMTP server on
internal error.
* Added
((<manager.fallback_status_at_disconnect|configuration.rd.ja#manager.fallback_status_at_disconnect>))
that specifies a status returned to SMTP server when
disconnection is detected. [Suggested by Kenji Shiono]
* Added DATA event emuration that is enabled when SMTP
server uses milter protocol version 3 or smaller.
* Added
((<manager.event_loop_backend|configuration.rd.ja#manager.event_loop_backend>))
that specifies event loop backend. (experimiental)
* Added
((<manager.n_workers|configuration.rd.ja#manager.n_workers>))
that specifies number of worker processes. (experimental)
* Added
((<manager.packet_buffer_size|configuration.rd.ja#manager.packet_buffer_sizea>))
that specifies buffer size for send packets. (experimental)
==== Fixes
* Fixed a bug that
((<manager.use_netstat_connection_checker|configuration.rd.ja#manager.use_netstat_connection-checker>))
doesn't work with Postfix 2.3. [Reported by Kenji Shiono]
* Fixed a DATA event timing when some child milters exist.
[Reported by Kenji Shiono]
=== Document
==== Improvements
* Described about Postfix's {client_addr}. [Reported by Kenji Shiono]
=== milter-client
==== Improvements
* Supported multi process. (experimental)
* Supported libev as event loop backend. (experimental)
* Bundled libev 4.03.
* Made write asyncronize.
* Supported send packets buffering. (experimental)
=== milter-server
==== Improvements
* Added more condition checks on evnets.
==== Fixes
* Fixed a bug that timeout detection doesn't work.
[Reported by Kenji Shiono]
=== Ruby milter
==== Improements
* Added ruby-milter.pc.
* Added --packet-buffer-size option that specifies send
packet buffer size. (experimental)
* Added --n-workers option thst specifies number of worker
processes. (epxerimental)
* Added --event-loop-backend option that specifies event
loop backend. (experimental)
=== milter-test-client
==== Improvements
* Added
((<--n-workers|milter-test-client#--n-workers>)) option
that specifies number of worker processes. (experimental)
* Added
((<--event-loop-backend|milter-test-client#--event-loop-backend>))
option that specifies event loop backend. (experimental)
* Added
((<--packet-buffer-size|milter-test-client#--packet-buffer-size>))
option that specifies send packets buffer size. (experimental)
=== milter-performance-check
==== Improvements
* Added
((<--n-additional-lines|milter-performance-check#--n-additional-lines>))
option that grows body size.
* Added
((<--report-failure-responses|milter-performance-check#--report-failure-responses>))
option that enables failure SMTP sesseion response
report on the last.
* Added
((<--report-periodically|milter-performance-check#--report-periodically>))
option that enables periodical statistics report.
* Added
((<--flood|milter-performance-check#--flood>))
option that enables flood mood that sends flood of mails
in specified period.
=== milter-report-statistics
==== Improvements
* Added: ((<milter-report-statistics.rd.ja>))
=== Packet
* Updated package repository RPM for CentOS: 1.0.0-0 -> 1.0.0-1.
=== Thanks
* Kenji Shiono
* Failure to get a lock on a hints database can have serious
consequences so log it to the panic log.
* Log LMTP confirmation messages in the same way as SMTP,
controlled using the smtp_confirmation log selector.
* Include the error message when we fail to unlink a spool file.
* Bugzilla 139: Support dynamically loaded lookups as modules.
* Bugzilla 139: Documentation and portability issues.
Avoid GNU Makefile-isms, let Exim continue to build on BSD.
Handle per-OS dynamic-module compilation flags.
* Let /dev/null have normal permissions.
The 4.73 fixes were a little too stringent and complained about the
permissions on /dev/null. Exempt it from some checks.
* Report version information for many libraries, including
Exim version information for dynamically loaded libraries. Created
version.h, now support a version extension string for distributors
who patch heavily. Dynamic module ABI change.
* CVE-2011-0017 - check return value of setuid/setgid. This is a
privilege escalation vulnerability whereby the Exim run-time user
can cause root to append content of the attacker's choosing to
arbitrary files.
* Bugzilla 1041: merged DCC maintainer's fixes for return code.
* Bugzilla 1071: fix delivery logging with untrusted macros.
If dropping privileges for untrusted macros, we disabled normal logging
on the basis that it would fail; for the Exim run-time user, this is not
the case, and it resulted in successful deliveries going unlogged.
* Linux: Fixed a high system CPU usage / high context switch count
performance problem
* Maildir: Avoid unnecessarily reading dovecot-uidlist while opening
mailbox.
* Maildir: Fixed renaming child mailboxes when namespace had a prefix.
* mdbox: Don't leave partially written messages to mdbox files when
aborting saving.
* Fixed master user logins when using userdb prefetch
* lda: Fixed a crash when trying to send "out of quota" reply
* lmtp: If delivering duplicate messages to same user's INBOX,
create different GUIDs for them. This helps to avoid duplicate
POP3 UIDLs when pop3_uidl_format=%g.
* virtual storage: Fixed saving multiple mails in a transaction
(e.g. copy multiple messages).
* dsync: Saved messages' save-date was set to 1970-01-01.
- Fix double-login/session issue
- Wrap HTML parts with <html><body> and add Doctype declaration
- Make rcube_autoload silently skip unknown classes
- Fix charset detection in vcards with encoded values
- Better CSS cursors for splitters
- Show the same message only once
- Fix namespaces handling
- Add handling of multifolder METADATA/ANNOTATION responses
- Fix handling of INBOX when personal namespace prefix is non-empty
- Fix handling square brackets in links
- Add description of 'use_https' option in main.inc.php.dist file
* Date: & Message-Id: revert to normally being appended to a message,
only prepend for the Resent-* case. Fixes regression introduced in
Exim 4.70 by NM/22 for Bugzilla 607.
* Include check_rfc2047_length in configure.default because we're seeing
increasing numbers of administrators be bitten by this.
* Added DISABLE_DKIM and comment to src/EDITME
* Bugzilla 994: added openssl_options main configuration option.
* Bugzilla 995: provide better SSL diagnostics on failed reads.
* Bugzilla 834: provide a permit_coredump option for pipe transports.
* Adjust NTLM authentication to handle SASL Initial Response.
* If TLS negotiated an anonymous cipher, we could end up with SSL but
without a peer certificate, leading to a segfault because of an
assumption that peers always have certificates. Be a little more paranoid.
* Bugzilla 926: switch ClamAV to use the new zINSTREAM API for content
filtering; old API available if built with WITH_OLD_CLAMAV_STREAM=yes
NB: ClamAV planning to remove STREAM in "middle of 2010".
CL also introduces -bmalware, various -d+acl logging additions and
more caution in buffer sizes.
* Implemented reverse_ip expansion operator.
* Bugzilla 937: provide a "debug" ACL control.
* Bugzilla 922: Documentation dusting, patch provided by John Horne.
* Bugzilla 973: Implement --version.
* Bugzilla 752: Refuse to build/run if Exim user is root/0.
* Build without WITH_CONTENT_SCAN. Path from Andreas Metzler.
* Bugzilla 816: support multiple condition rules on Routers.
* Add bool_lax{} expansion operator and use that for combining multiple
condition rules, instead of bool{}. Make both bool{} and bool_lax{}
ignore trailing whitespace.
* prevent non-panic DKIM error from being sent to paniclog
* added tcp_wrappers_daemon_name to allow host entries other than
"exim" to be used
* Fix malware regression for cmdline scanner introduced in PP/08.
Notification from Dr Andrew Aitchison.
* Change ClamAV response parsing to be more robust and to handle ClamAV's
ExtendedDetectionInfo response format.
* OpenSSL 1.0.0a compatibility const-ness change, should be backwards
compatible.
Problems fixed:
#32080 Specially crafted <base href> can lead to XSS exploit
#32032 TextEncode related resource information not saved correctly in db file
#32014 CVE-2010-1677: DoS when processing html messages with deep tag nesting
#32013 CVE-2010-4524: Improper escaping of certain HTML sequences (XSS)
#26577 Changed semantic for unpack breaks UTF-8
#25486 Resource FieldStore causes .mhonarc.db to grow over bounds.
#25225 dir_create() fails to make temporary directories (PATCH)
#24247 iso2022jp.pl: unneeded ESC ( B remains in message body
#23198 Incorrect Setting Installation Directory
#20142 strip backslash in rfc822 From: field
#20074 extra space in subject
#18908 X-Subject data get split in separate lines
#18113 inconsistant thread slices w/ poor man's windowing
#17904 FieldOrder affects AddressModifyCode
#17860 incorrect nested HTML Tags for references
#17660 Threaded index resource ordering doesn't allow well formed XML output
#15433 relative attachmentdir is relative to current working dir, not outdir
#14747 major (10X) memory savings possible in some situations
#13853 creation of archive with attachments writes over symlinks
