Changes from 4.0.4 to 4.0.5:
----------------------------
1. Add debug trace call with OpenSSL library version.
2. Added 'tls-options' configuration file option.
3. Added 'tls-workarounds' boolean option.
4. STLS errors (except for timeout) no longer fatal.
5. Added sample xinetd configuration file.
6. Additional checks for networking libraries.
7. Pick up LDFLAGS from environment, if set.
8. Added '--enable-32-bit' and '--enable-64-bit'
9. Applied patch from Jeremy Chadwick to fix pathname trimming in
standalone mode.
10. Fixed (non-root) buffer overflow.
11. Fixed '-no-mime' appended to user name (reported by Florian
Heinz).
12. Fixed response message when identical MDEFs defined multiple
times (reported by Florian Heinz).
have it be automatically included by bsd.pkg.mk if USE_PKGINSTALL is set
to "YES". This enforces the requirement that bsd.pkg.install.mk be
included at the end of a package Makefile. Idea suggested by Julio M.
Merino Vidal <jmmv at menta.net>.
- Remove extra rule line in install target. (It tried to do make on
password directory.)
- Solaris's /usr/ucb/install dosen't accept number with -g option.
* Pass the LDFLAGS through to the build process so that the final binaries
are built with the appropriate -Wl,-R flags. This should fix pkg/18054.
* Use ROOT_{USER,GROUP} instead of hardcoding "root" and "wheel" when
installing poppassd.
which the basesrc USE_KERBEROS variable. Discussed on packages@
This fixes PR#17182 from Takahiro Kambe. The problem was pointed out by
FUKAUMI Naoki on a Japanese NetBSD mailing list.
* Fixed DOS attack seen on some systems.
* Fixed "noop has null function" log entry.
* Allow '-p' to be used when APOP not defined (noted by Daniel Senie).
* Enforce ClearTextPassword even without APOP (noted by Daniel Senie).
* Restrict clear-text-password=never to APOP.
* Restrict clear-text-password=tls to QPOP_SSL.
* Fixed qpopper hanging on I/O error on some platforms.
It would never adds /usr/local/include to include path.
Address to pkg/13558. This change dosen't solve pkg/13558, but it solve
the problem when /usr/local/include/gdbm.h exists (by installing gdbm without
pkgsrc or with pkgsrc setting PREFIX=/usr/local.)
Release note.
4.0
Supports TLS/SSL security.
'-p' option now has value '4' to permit plain-text passwords
under TLS/SSL.
Now uses a cache file to retain spool index across sessions.
This dramatically speeds up session start when no new mail has
arrived.
'-l' option added to specify TLS/SSL support.
Lots of TLS/SSL options added. See the Administrator's Guide
for details.
'-v' option added to report current version and exit.
'make install' added.
Lots of compile-time options now available at run-time. See
the Administrator's Guide for details.
Integrated poppassd into build.
And here is changes from 4.0.
Changes from 4.0.2 to 4.0.3:
----------------------------
1. Don't call SSL_shutdown unless we tried to negotiate an
SSL session. (As suggested by Kenneth Porter.)
2. Fix buffer overflow (reported by Gustavo Viscaino).
3. Fixed empty password treated as empty command (patch
submitted by Michael Smith and others).
4. Added patch by Carles Xavier Munyoz to fix erroneous
scanning for \n in getline().
5. Fix from Arvin Schnell for warnings on 64-bit systems.
6. Added patch by Clifton Royston to change error message
for nonauthfile and authfile tests.
7. Added 'uw-kludge' as synonym for 'uw-kluge'.
Changes from 4.0.1 to 4.0.2:
----------------------------
1. Added fix for XTND XMIT (sent in by Jacques Distler and
others).
2. Fixed makefile problems with poppassd compile and install
(sent in by Steven Champeon).
3. Increased maximum spool path length from 64 to 256.
4. Added more debug code when genpath() runs out of room.
5. Changed C++ style comments to C style in poppassd.c
6. Changed poppassd's UID check to be the same as Qpopper's
(which is that if BLOCK_UID is defined we use that value,
otherwise it defaults to 10).
7. Added poppassd expect strings for DEC True 64 (sent in by
Andres Henckens).
Changes from 4.0.1b1 to 4.0.1 (final):
--------------------------------------
1. Fixed typo in popper/pop_init.c if DONT_CHECK_HASH_SPOOL_DIR
defined.
Changes from 4.0 to 4.0.1b1:
----------------------------
1. Messages with lines longer than 512 characters are no longer
garbled when sent to the client.
2. Added patches from Michael C Tiernan to fix makefile problems.
any longer to 2.x.
NOTE: kerberos support is dropped, kerberos guru please re-do it...
from ftp://ftp.qualcomm.com/eudora/servers/unix/popper/Release.Notes
Release Notes:
3.1
Can now set server mode and kerberos service name using
run-time options.
Can now specify plain-text password handling when APOP is
available using '-p 0|1|2|3' run-time option. 0 is default;
1 means clear text passwords are never permitted for any user;
2 means they are always permitted (even if an APOP entry exists),
which allows them to be used as a fallback when clients don't
support APOP); 3 means they are permitted on the local interface
(127.*.*.*) only.
Added '-D drac-host' run-time option to specify the drac host.
Only valid if compiled with --enable-drac. The default is
localhost.
Added '-f config-file' run-time option. Additional run-time
options are read from the specified file. All current run-time
options can now be set this way. See INSTALL file for option
names and syntax.
Added '-u' run-time option to read '.qpopper-options' file in
user's home directory.
Added Kerberos V support.
BULLDB access now uses usleep(3C) if available, resulting in
many more access attempts with a shorter maximum delay.
Added run-time options 'bulldb-nonfatal' (-B) and
'bulldb-max-retries' to allow fine control over BULLDB access
behavior. 'bulldb-nonfatal' allows a session to continue if
the bulletin database can't be locked. 'bulldb-max-retries'
sets the maximum number of attempts to lock the database. This
value should only be changed if you know if your system has
usleep(3C) or not. On systems with usleep(3C), this can be a
large value (the default is 75). On systems without usleep(3C),
this should remain small (the default is 10).
Added new ./configure flags (see INSTALL for more details):
--enable-timing to write log records with elapsed time for
authentication, initialization, and cleanup.
--enable-old-uidl to generates UIDs using old (pre-3.x)
style encoding. This is only useful if you also set
NO_STATUS and have existing users with old (pre-3.x)
spool files and you want to keep the UIDs the same.
--disable-status to prevent Qpopper from writing 'Status'
or 'X-UIDL' headers (sets NO_STATUS). This forces
UIDs for each message to be recalculated in each
session.
--enable-keep-temp-drop to prevents Qpopper from deleting
the temp drop files.
--disable-check-pw-max to prevent Qpopper from checking
for expired passwords.
--disable-old-spool-loc to not check for old .user.pop
files in old locations when HASH_SPOOL or HOMEDIRMAIL
used.
--disable-check-hash-dir to not check for or create hash
spool directories. Use this if you pre-create the
directories.
--enable-server-mode-group-include=group to set server
mode for users in the specified group.
--enable-server-mode-group-exclude=group to set server
mode OFF for users in the specified group.
--enable-secure-nis-plus for use with secure NIS+.
--disable-optimizations to turn off compiler optimizations.
--with-kerberos5 for Kerberos V support (using patch from
Ken Hornstein).
--enable-any-kerberos-principal to accept any principal in
the client request.
--enable-kuserok to use kuserok() to vet users.
--enable-ksockinst to use getsockinst() for Kerberos
instance.
--enable-standalone to create standalone POP daemon instead
of being run out of inetd. Can specify IP address
and/or port number to bind to as parameter 1, e.g.,
'popper 199.46.50.7:8110 -S' or 'popper 8110 -S -T600'.
If not specified, IP address defaults to all available.
The default port is 110 except when _DEBUG (not simply
DEBUG) is defined, then it is 8765.
--enable-auth-file=path to permit access only to users listed
in the specified file. Format is one user per line.
--enable-nonauth-file=path to deny access to users listed in
the specified file. Format is one user per line.
--disable-update-abort to avoid the default behavior of going
into update mode if the session aborts (the default
behavior violates of RFC 1939, but was found to be
needed when noisy dialup lines otherwise prevented users
from ever deleting messages).
([RCG])
3.0
Both dot-locking and flock() now used on all platforms. (On some
systems we emulate flock() using fcntl).
Added POP3 extensions(CAPA). The extensions added so far are
X-MANGLE, LOGIN-DELAY and EXPIRE.
X-MANGLE condenses Mime messages into a single part for ease of
use by lightweight clients. The transformations supported through
X-MANGLE are to and from text/plain, format=flowed, and text/html.
As a way to enable MIME-mangling with clients that do not
support XMANGLE, add "-no-mime" to the user name. For example,
if the userid is"mary", enter it in the client as "mary-no-mime".
The optional LOGIN-DELAY and EXPIRE values are only announced
through the CAPA command. The values to announce are passed as
command line switches. Actual enforcement of minimum login delay
and message expiration is up to the site by some other means.
(For example, a simple script run from crontab could be used for
message expiration.) Qpopper does support automatic deletion of
downloaded messages through the --enable-auto-delete configure
flag. This can be used to effect EXPIRE 0 (no retention).
Added new run-time options: -R to disable reverse-lookups on client
IP addresses; -c to downcase user name.
A failure at some point in a transaction now releases all locks
explicitly. Certain paths do not release locks where SysV .lock files
are created.
Fixed bugs with Bulletin Services and Server mode.
DEBUGn macros for debug and trace messages.
Added new ./configure flags (see INSTALL for more details):
--with-warnings for extra compiler warnings.
--enable-shy to hide qpopper's version number in the
banner and CAPA IMPLEMENTATION tag.
--enable-auto-delete to automatically mark for deletion
all messages downloaded with RETR.
--enable-hash-spool=1|2 to use hashed spool directories.
--enable-home-dir-mail=file to use a spool file in the
user's home directory.
--enable-bulldb=path to enable bulletins and set the path
for the bulletin directory.
--with-new-bulls=number to specify the maximum number
of bulletins for new users (default is 10).
--enable-popbulldir=path to specify an alternate location
for users' popbull files.
--enable-log-login to log successful user logins. This
can be used, for example, to validate subsequent
SMTP sessions from the same IP address within a
short time period, in the absence of SMTP AUTH
support by client and server. (Suggested by Andy
Harper et al).
--with-pam=service-name to authenticate using PAM (based
on patch contributed by German Poo).
--with-log-facility=name to specify the log facility.
Default is LOG_LOCAL1 or LOG_MAIL, depending on the
OS.
--enable-uw-kludge to check for and hide a UW IMAP status
message.
--enable-group-bulls to show bulletins by groups (group
name is second element in bulletin name). Based on
patch by Mikolaj Rydzewski.
--enable-timing to report timing information in the log.
--enable-drac to use DRAC. Based on patches by Mike
McHenry, Forrest Aldrich, Steven Champeon, and others.
Added file popper/banner.h -- modify this file to add a custom
banner and CAPA IMPLEMENTATION tag suffix. Note that if you modify
qpopper you should indicate this using banner.h.
Improved error messages and warnings: warning "Unable to get
canonical name of client" now includes IP address of client; logging
added for I/O errors and discarded input (line too long); added errno
to POP EOF -ERR message; "Possible probe of account" warning now logged
as WARNING, not CRITICAL.
RESTRICTED= variables that were predicated on former U.S. export
regulations. Add CRYPTO=, as necessary, so it's still possible to
exclude all crypto packages from a build by setting MKCRYPTO=no
(but "lintpkgsrc -R" will no longer catch them).
Specifically,
- - All packages which set USE_SSL just lose their RESTRICTED
variable, since MKCRYPTO responds to USE_SSL directly.
- - realplayer7 and ns-flash keep their RESTRICTED, which is based
on license terms, but also gain the CRYPTO variable.
- - srp-client is now marked broken, since the distfile is evidently
no longer available. On this, we're no worse off than before.
[We haven't been mirroring the distfile, or testing the build!]
- - isakmpd gets CRYPTO for RESTRICTED, but remains broken.
- - crack loses all restrictions, as it does not evidently empower
a user to utilize strong encryption (working definition: ability
to encode a message that requires a secret key plus big number
arithmetic to decode).
