diff options
author | Philip Hazel <ph10@hermes.cam.ac.uk> | 2004-10-07 15:04:35 +0000 |
---|---|---|
committer | Philip Hazel <ph10@hermes.cam.ac.uk> | 2004-10-07 15:04:35 +0000 |
commit | 495ae4b01f36d0d8bb0e34a1d7263c2b8224aa4a (patch) | |
tree | fcfaa2c623d4f155eef907b50b950b602829a30b /doc/doc-txt/ChangeLog.0 | |
parent | 0756eb3cb50d73a77b486e47528f7cb1bffdb299 (diff) |
Start
Diffstat (limited to 'doc/doc-txt/ChangeLog.0')
-rw-r--r-- | doc/doc-txt/ChangeLog.0 | 2862 |
1 files changed, 2862 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog.0 b/doc/doc-txt/ChangeLog.0 new file mode 100644 index 000000000..a2377907c --- /dev/null +++ b/doc/doc-txt/ChangeLog.0 @@ -0,0 +1,2862 @@ +$Cambridge: exim/doc/doc-txt/ChangeLog.0,v 1.1 2004/10/07 15:04:35 ph10 Exp $ + +Change log file for Exim from version 3.951 to 4.20 +--------------------------------------------------- + + +Exim version 4.20 +----------------- + + 1. If data for an authentication interaction was just the string "=", + indicating an empty string, Exim was not setting up the numerical variable + correctly. In some situations, this could cause a crash - in others, it + might have passed unnoticed. + + 2. Changed signal(SIGTERM, command_sigterm_handler) in smtp_in.c to use + os_non_restarting_signal() for tidiness; in practice this doesn't actually + matter because the handler terminates the process. + + 3. Refactoring: + + (a) In some (but not all) places where Exim applies timers using alarm(), + it was resetting the SIGALRM handler afterwards, but sometimes to + SIG_IGN and sometimes to SIG_DFL. In other words, it was a mess. In + fact, this reset is not necessary, because after alarm(0) there is no + possibility of receiving a SIGLARM signal. So I've just removed them + all. + + (b) The daemon.c module had its own SIGALRM handler, which was unnecessary. + I changed it to use the handler that is used (almost) everywhere else. + + (c) Almost all uses of SIGALRM use the same handler, but it was being set + by signal() all over the place. Now it is set at the start, and it + resets itself every time it is called, so it remains enabled + throughout. The few places that use a different handler reset to the + "standard" one afterwards. + + (d) The setting of the SIGTERM handler while reading SMTP commands was done + somwhat untidily. I have re-arranged the code. + + 4. If the building process was interrupted during the MakeLinks script, a + subsequent run of 'make' gave misleading errors. I've made it a bit more + robust against this case. If there appears to be a half-made set of links, + an error message suggests that the user should remove the build directory + and start again. + + 5. For compatibility with other MTAs, -f "" is now accepted as synonymous with + -f "<>". + + 6. Upgraded to PCRE 4.1. + + 7. If a domain list contained @mx_any, or @mx_secondary, and the DNS contained + secondary MX records for a domain, but all the other MX (higher priority) + records pointed to non-existent hosts, Exim was behaving as if the domain + did not match the list item. This has been fixed. + + 8. Upgraded eximstats to 1.27. + + 9. It was reported that change 4.14/46(b) caused problems on some systems with + older libraries. There is now an option that can be set in Local/Makefile + (or in a operating system Makefile): + + IPV6_USE_INET_PTON=yes + + If this is done, Exim reverts to using inet_pton() to convert a textual + IPv6 address for actual use, instead of getaddrinfo(), as it did in + versions before 4.14. Of course, this means that the additional + functionality of getaddrinfo() - recognizing scoped addresses - is lost. + +10. Update for PostgreSQL to match 4.14/14: after an insert, delete, or update + command, the result is the number of rows affected. + +11. If smtp_banner expanded to an empty string, no greeting line was sent, thus + causing the client to time out. An empty 220 response is now sent. + +12. An empty argument was logged as a null string by the "arguments" log + selector. Now empty strings and arguments that contain whitespace are + surrounded by quotes. + +13. The "arguments" log selector now also logs the current working directory + when Exim is called. + +14. Added a couple more debugging calls to tls-openssl. + +15. Changed the name of the global variable ldap_version because some LDAP + library uses the same name, which causes a clash. It's now called + eldap_version. While I was at it, I changed the other two global variables, + ldap_default_servers and ldap_dn. + +16. If an address that is verified in an ACL is redirected to a single address, + Exim verifies the child (this is not new). However, the value of $address_ + data that was being returned was the value from the parent. It is now the + value from the child. + +17. Re-arranged the code for rda_is_filter() to make it easier to add other + filter types in future. + +18. Removed the filter test function from filter.c and put it into its own + source file, again to make things easier for multiple filter types. + +19. To help those people who are maintaining a patch for dynamically loaded + local_scan() functions, I have added + + #define LOCAL_SCAN_ABI_VERSION_MAJOR 1 + #define LOCAL_SCAN_ABI_VERSION_MINOR 0 + + to the local_scan.h file. + +20. The variables $tls_certificate_verified, $tls_cipher, and $tls_peerdn now + exist even when Exim is not compiled with TLS support. + +21. If an empty user name was sent by a client for a LOGIN authentication, it + was not put into $1; instead, the password ended up in $1 (instead of in + $2). + +22. When creating a temporary file in the appendfile transport for a per-file + delivery not in maildir or mailstore format (that is, in the old Smail + format - I wonder if anyone uses this?), Exim was opening the file without + O_EXCL, which is a bit unsafe. + +23. The output from the ${stat: expansion operator was being formatted using %d + which expects an integer; in many (most) systems size_t is off_t, which + is actually a long or even a longlong, and in some cases this caused + incorrect data to be output. The formatting is now done using %ld, with the + values all explicitly cast to (long). + +24. Callout caching was failing to cache a negative response to a "random" + address check. + +25. If a daemon was started with -qsomething and not -bd, and deliver_drop_ + privilege was set, and a pid file was specified with -oP, and the pid file + did not previously exist, it was created with owner exim instead of owner + root. + +26. verify=sender was not being allowed in a non-SMTP ACL. + +27. Under some error conditions, the socket used for ident calls could be left + open. + +28. Added acl_smtp_helo, because some people seem to want it. + +29. For hosts that match helo_verify_hosts, the error given when a MAIL command + is received without HELO or EHLO has been changed from 550 to 503 (which + means "bad sequence of commands"). + +30. Installed PCRE 4.2. + +31. The quota_size_regex option for the appendfile transport was broken in that + a terminating zero was omitted from the string that was extracted for the + size. If it happened that digits followed in the memory to which it was + copied, an incorrect (too large) size was then used. + +32. Change 4.14/32 (iv) introduced a bug in the case when the "phrase" part of + a rewritten address did *not* contain any special characters. The + generated address was mangled. + +33. Several items of refactoring from Michael Haardt: + + . Introduction of "const" in a number of places + . Use memcpy() instead of strncpy() in string_cat() + . Add HAVE_ICONV to Linux file, for external users (Exim doesn't use it) + [Later: From 4.21, Exim *does* use it.] + . Preparation for adding additional types of filter file + +34. Changed (incompatibly, but hopefully not so it affects anyone) the + appendfile transport in the case when it is called directly as a result of + a .forward or a filter file requesting a delivery to a file. Previously, + any settings of "file" or "directory" were ignored in this case. Now they + are used. The path received from the router is in $address_file (as + before) and can therefore be included in the expansion. + +35. If a "save" command in a filter specifies a non-absolute path, the value of + $home/ is pre-pended. This no longer happens if $home is unset or is an + empty string. It is expected that the transport will complete the path (see + 34 above). If there is an error before the path is complete, the local part + is logged as "save xxxx". + +36. If multiple "to file" deliveries are routed to the same transport, no + batching ever takes place, whatever the value of batch_max. + +37. If an address was redirected to an unqualified local part preceded by a + backslash, Exim was qualifying it with the qualify_domain, instead of with + the incoming domain. + +38. Minor rewording: header lines can be added by MAIL as well as RCPT: the + debug line mentioned only RCPT. + +39. DESTDIR is the more common variable that ROOT for use when installing + software under a different root filing system. The Exim install script now + recognizes DESTDIR first; if it is not set, ROOT is used. + +40. If DESTDIR is set when installing Exim, it no longer prepends its value to + the path of the system aliases file that appears in the default + configuration (when a default configuration is installed). If an aliases + file is actually created, its name *does* use the prefix. + +41. If an item in log_file_path was an empty string, Exim wrote the log to the + log directory in the spool directory. Now it takes notice of the + setting of LOG_FILE_PATH in Local/Makefile, and uses the first non-empty, + non-"syslog" item from that list. If there are none, it uses the ultimate + default of the spool directory. + +42. If there is a Reply-to: header line, but it is empty, $reply_address now + contains the From: address instead of being empty. + +43. Added -no-cpp-precomp to CFLAGS in OS/Makefile-Darwin. Without this, the + compiler provides a string for __DATE__ that does not conform to the + specification in the C standard. The option disables precompiled headers, + which should not have any bad effects, as pre-compiled headers are + supposedly just a performance enhancement at compile time. + +44. Refactoring: as there is now a flag that specifies whether or not a home + directory that is passed with an address is already expanded, we no longer + need the \N...\N fudge for home directories extracted from the password + data. + +45. Fixed an infelicity introduced by 4.14/71: The defaulting of the prefix, + suffix, and check string stuff in appendfile was happening when no + directory was supplied. Now it happens if no directory is supplied AND + maildir has not been specified. + +46. If expansion of the serverpassword in a spa authenticator or expansion of + server_condition in a plaintext authenticator is forced to fail, + authentication now fails (previously it gave a temporary error, which is + what happens for other expansion failures). This brings these + authenticators into line with cram_md5, where expansion of server_secret + has always behaved like this. + +46. Added new syslog facilities (courtesy Oliver Gorwits): + + (i) SYSLOG_LOGS_PID and LONG_SYSLOG_LINES in src/EDITME. + (ii) syslog_facility and syslog_processname main options. + +47. Callout was using only the hosts from the router, ignoring the transport. + This has been changed. If (a) the router does not set up hosts (e.g. it's + an accept router) or (b) the smtp transport that is routed to has + hosts_override set, then the transport's hosts are used for callout + checking. + +48. When named lists were nested, and an inner list was resolved by a lookup + that saved data for, e.g. $domain_data, the data was associated with just + the outer list, though both were cached, so if a subsequent test was done + for the inner list, there was no domain data. Example: + domainlist A = lsearch;/a/b + domainlist B = lsearch;/c/d + domainlist C = +A : +B + A test on +C that matched, followed by a test on +A or +B would provoke + this bug. Now the data is saved with both the inner and the outer lists. + +49. When the log selector +address_rewrite is turned on, the log lines now + show where the rewritten address came from (which header line, envelope + field, or an SMTP command). + +50. If an integer or fixed point configuration value is too big to fit in + a 32-bit int, Exim now writes an error to the panic log and dies. + +51. Unknown SMTP commands are now assumed to be ones that need synchronization; + this means that a packet that contains more than one of them will cause the + connection to be dropped as soon as the first one is encountered. + +52. The "control" feature of ACLs was not permitted for the MAIL ACL (an + oversight). It now is allowed. + +53. Added the "discard" verb to ACLs. + +54. Fixed a theoretical bug observed by reading the code: if local_scan() + changed the number of recipients, output from the received_recipients log + selector would be incorrect. + +55. Added HAVE_ICONV to the os.h files for Linux, Solaris, HP-UX. This is for + use in the forthcoming Sieve addition to Exim. + +56. The behaviour of -t in the presence of Resent- headers has been changed, + for compability with Sendmail and other MTAs. Previously, Exim gave an + error, because it is not clear from RFC 2822 how this might be handled. It + turns out that MUAs don't seem to follow what RFC 2822 says, and any MUA + that uses -t with Resent- ensures that there is only one set of Resent- + header lines (usually by renaming others to X-Resent-xxx). So now Exim will + take recipients from all the Resent- header lines instead of the usual + ones. + + +Exim version 4.14 +----------------- + + 1. Found another case where SIGCHLD is being ignored (a child process for + handling a filter file) and so the wait() doesn't find the subprocess. This + came to light as a result of extra logging introduced as part of the + 4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default + (i.e. to be noticed) for this particular subprocess. (It already has this + code for other cases where it uses subprocesses.) + + 2. If ${run appeared in part of a conditional item that was being skipped, the + actual running of the command was not being skipped. + + 3. A bit of code tidying (refactoring): there were two functions that built + strings containing a host name and ident value for logging. There is now + only one. It is called in some additional places where previously just the + host name and address were given, so the wording of some log lines has + changed slightly. + + 4. Added support for Unix domain socket connection to PostgreSQL. + + 5. The number of unknown SMTP commands that Exim will accept before dropping + a connection can now be changed by smtp_max_unknown_commands. The default + value is 3. Previously, a fixed value of 5 was used. The final command is + now included in the log line. + + 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as + assumed by the exicyclog script. I've implemented a "look for it" feature + that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for + the commands chown, chgrp, mv, and rm if configured, and turned on this + feature for Linux. This should cope with old Linuxes that use /usr/bin. + + 7. Implemented .ifdef etc. + + 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while + running local_scan(), so that crashes therein get caught. A temporary error + response is sent for an SMTP message, and the spool is cleaned up. + Previously, a -D file was left lying around if there was a crash in + local_scan(). + + 9. The ${quote: operator has been changed so that it turns newline and + carriage return characters into \n and \r, respectively. + +10. Added support for crypt16(). + +11. Some restrictions on the use of "verify" in ACLs were too restrictive, and + have been relaxed. In particular, "verify = sender" is now permitted in the + ACL for the MAIL command, as well as those for RCPT and DATA. + +12. If local_scan() sets up recipient or errors_to addresses that are + unqualified (local parts without a domain) Exim now qualifies them using + the qualify_recipient domain. + +13. White space at the start of continuation lines in -be input was not being + ignored. + +14. Previously, if a MySQL query was issued that did not request any data (an + insert, update, or delete command), Exim gave a lookup error and deferred. + This case is now recognized, and the result of the lookup is now the number + of rows affected. + +15. A configuration error is given if tls_try_verify_hosts is set and + tls_verify_certificates is not set. (Exim already did this for + tls_verify_hosts.) + +16. Exim was trying to create a non-existent hints database even when it was + just opening it for reading. It called the creating function with the + O_RDONLY and O_CREAT flags. This works with many DB libraries, but it + not with DB 1.85, where a subsequent attempt to use the database gave the + error "Inappropriate file type or format". Exim now creates hints databases + only when it wants to open them for writing. + +17. If an ACL condition test set a default "message" value without a + "log_message" value, and there were no overriding messages in the ACL + itself, no message was logged. The user message is now logged. + +18. If callout made a connection, but it was dropped before the initial + welcome response was received, Exim logged "response to initial connection + was" with no further text. It now logs that the connection was dropped. + The wording of the logging for callout defers has been slightly changed so + as to reduce duplication. + +19. When multiple messages were sent using TLS over one connection, the + additional required EHLO that follows STARTTLS was being counted as a + nonmail command, and thus causing a problem if there were a lot of + messages. Similarly, a new AUTH that followed STARTTLS was being counted. + It is now possible to run with smtp_accept_max_nonmail set to zero in these + and other "normal" circumstances. + +20. During verify=sender, global rewriting rules are applied to the sender + address, and if it changes, $sender_address becomes the rewritten version. + Unfortunately, it was not getting updated until after the routers had been + run, so that if a router referred to $sender_address while verifying a + sender, the unrewritten value was used. + +21. The "random address" callout test was being done after the other tests. + This is silly, because if the host accepts all local parts, there isn't any + point in doing the other, more specific, tests. I changed things around so + that the "random" test (if configured) is done first. + +22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the + a postmaster address are rejected. Also include these words when a + rejection happens because of caching (when there isn't an actual SMTP + command/result to reflect). + +23. A new router condition called "address_test" (default true) can be used to + skip routers when testing addresses using -bt (compare no_verify). This can + be a convenience when your first router sends stuff to an external scanner. + +24. Testing for deliver_queue_load_max was happening inside the delivery + sub-process, when it could have happened outside, in the queue runner (thus + saving one process). This was a hangover from Exim 3, where there were + other load tests to be done. The code has been tidied. + +25. Code tidy: the driver_info generic structure contained a field that + might, on 64-bit systems, not have been compatible with the fields in the + structures of which it is supposed to be a subset. It turns out that this + field and another are not actually used generically, so removing them from + the structure solves the problem. + +26. Added server_advertise_condition to authenticators. + +27. The exim_checkaccess utility wasn't sending a HELO command; this matters + now that it's possible to have an ACL that checks HELO/EHLO. + +27. Added the ldap_version option to force a specific LDAP version. + +28. Renamed the variable verify_address in exim.c as verify_address_mode, + because it had the same name as the verify_address() function, which was + confusing. + +29. Added authenticated_sender to the smtp transport. + +30. When the skip_syntax_errors option is applied to a filter file, it covers + all filtering errors, some of which may not be strictly "syntax" (for + example, failure to open a log file). The wording of the message has been + changed to use "error" instead of "syntax error", to reduce confusion. Also + the subject of the message sent by syntax_errors_to is now "error(s) in + forwarding or filtering" instead of "syntax error(s) in address expansion". + +31. Added -restore-times to the exim_lock utility. + +32. Changes to the handling of the "phrase" parts of email addresses: + + (i) Re-organized the code to use a supplied instead of an implied buffer, + and a length instead of expecting a terminated string. + + (ii) Changed from using the macro mac_isprint() to an explicit test for + ASCII non-printing characters, because the macro pays attention to + print_topbitchars, which is not correct here. + + (iii) If a rewritten address contained a "phrase" (whether or not the "w" + flag was present on the rewrite rule), but the actual address was + unqualified (had no domain) and was expected to be qualified by the + "Q" flag, Exim screwed up and created an illegal address. + + (iv) When a header address is rewritten by a rule that includes the "w" + flag, the parts of the address outside <> are now encoded according + to RFC 2047 if necessary (assuming ISO-8859-1 encoding). + +33. Added the ${rfc2047 and ${from_utf8 expansion operators. + +34. The file names used for maildir deliveries have been changed, to accomodate + operating systems that may re-use a PID within one second. The file name + now include the microsecond time fraction, and the delivery process does + not exit until the clock is at least one microsecond after the time used in + the file name. The code copes with the clock going backwards (it waits + till time catches up). + +35. The rules for creating message ids have been changed to allow for the fact + that a PID may be re-used within one second. As part of this change, the + range of localhost_number has been reduced to 0-16 for most systems, and + 0-10 for those with case-insensitive file systems (Cygwin, Darwin). + +36. Code tidy: there was a local count of non-TCP/IP messages that duplicated + the global receive_messagecount (used for accept_queue_per_connection). + +37. verify = header_syntax was allowing unqualified addresses in all cases. Now + it allows them only for locally generated messages and from hosts that + match sender_unqualified_hosts or recipient_unqualified_hosts, + respectively. + +38. If PAM was called with an empty first string, it called the data function + to get the user name, thereby getting the second string by mistake. If this + was also null (empty passwords are permitted), there was an infinite loop. + An empty user name is not now passed to PAM; authentication is forcibly + failed instead. Also, if the end of the list of strings is reached, an + empty string is passed back just once; a subequent call for data provokes + an error response. + +39. If a reverse DNS lookup yields an empty string, treat it as if the lookup + failed. (Apparently such records have been seen. Sigh.) + +40. Added the -bnq command line option to suppress automatic qualification of + addresses in locally submitted messages. + +41. Header texts supplied by options to the autoreply transport may now contain + newlines that are followed by whitespace. (This was allowed from a filter, + but not from the transport.) + +42. Patch for < > problems in eximstats 1.23. + +43. Re-arranged the code to make it easier in future to add additional filter + types. + +44. Added support for changing the connection timeout in LDAP; this is + something that's available in Netscape SDK 4.1. Exim uses the given value + if LDAP_X_OPT_CONNECT_TIMEOUT is defined. + +45. When Exim was setting a daemon listener on multiple interfaces, including + listening on "all IPv6" and "all IPv4" interfaces, it was binding all the + sockets, and then calling listen() for each of them. On some IP stacks, a + listen for "all IPv4" fails after listening for "all IPv6" because a single + socket catches both kinds of call. Exim coped with this, but it turns out + that on a USAGI-patched Linux, this logic doesn't work unless the "listen", + as well as the "bind" has been done for the IPv6 socket first. The order of + the functions has now been changed. Instead of "bind, bind ... listen, + listen..." it now does "bind, listen, bind, listen, ...". Also, the failure + happens in the bind() rather than in the listen(), so there are now two + checks, which hopefully will handle all kinds of IP stack. + +46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in + principle, have the same link-local addresses on different interfaces. + Thus, they need to be distinguished, and a convention of using a percent + sign followed by something (often the interface name) is being used, for + example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made + to accommodate this: + + (a) A percent sign followed by an arbitrary string is allowed at the end of + an IPv6 address. + + (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual + IPv6 address for actual use. This function recognizes the percent + convention in some operating systems. + +47. Additional debugging inserted for the case of forced failure when expanding + an item in a list. + +48. A new debugging selector +expand has been added. This is not included in + the default set of selectors. It requests detailed debugging information + for string expansions. + +49. Failure to open the main log results in a panic-die, but the original line + that was being logged could be lost. It is now output to stderr if there is + a stderr file. + +50. When Exim starts, it checks for the existence of its spool directory, and + creates it if necessary. Unfortunately, it was doing this after the code + for logging arguments. Thus, if the spool did not exist, trouble ensued. + +51. The log line for an ACL warning after a sender verify callout failure was + not showing the details, unlike the log line for a deny. They are now shown + in a similar way. + +52. For reasons lost in the mists of time, when a pipe transport was run, the + environment variable MESSAGE_ID was set to the message ID preceded by 'E' + (the form used in Message-ID: header lines). The 'E' has been removed. + +53. Updated the QNX configuration files for QNX 6.2.0. + +54. The "*@" type partial matching for single-key lookups was broken in + releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't + going on to look for "*". + +55. Included eximstats 1.25 in the source tree. + +56. Changed log wording from "Authentication failed" to "<name> authenticator + failed", where <name> is the name of the authenticator. + +57. gcc 3.2.2 warned about a selection of places where string casts were + needed. + +58. Exim monitor: the use of one_time redirection could cause addresses to be + displayed with incorrect "parent" addresses after the one_time + re-arrangement had taken place. They should be shown with no parents, + because the parentage has been removed. + +59. Arranged to keep independent timestamps for postmaster and random checks in + callouts, and not to do unnecessary tests for postmaster when testing + individual addresses. + +60. Incorporated PCRE release 4.0. + +61. Added ${hex2b64: operator. + +62. Added $tod_zulu. + +63. Added ${strlen: operator. + +64. Added ${stat: operator. + +65. When Exim is receiving multiple messages on a single connection, and + spinning off delivery processess, it sets the SIGCHLD signal handling to + SIG_IGN, because it doesn't want to wait for these processes. However, + because on some OS this didn't work, it also has a paranoid call to + waitpid() in the loop to reap any children that have finished. Some + versions of Linux now complain (to the system log) about this "illogical" + call to waitpid(). I have therefore put it inside a conditional + compilation, and arranged for it to be omitted for Linux. + +66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use + during ACL processing. + +67. Added "defer" command to system filter. + +68. X options such as -bg or -geometry that were added to an eximon command + were being lost as a result of a bug introduced by 4.12/6. + +69. The "more" and "unseen" generic router options can now be expanded strings. + +70. The "once_repeat" option in the autoreply tranport is now an expanded + string. + +71. If maildir_format is set on an appendfile transport that is referenced from + an file_transport setting in a redirect router, it forces maildir delivery, + even if the path given in the filter does not end with '/'. + +72. Fixed three bugs in ${readsocket: + (i) If the operation failed, and a failure string was given, "}}" was + erroroneously added to it. + (ii) If the operation succeeded, but a failure string was present, "}" was + added to the expanded data. + (iii) The alarm for the timeout was set with signal() instead of with + os_non_restarting_signal(), which meant that it only worked on those + OS whose default is not to restart an interrupted system call. + +73. A complete host name (no wildcards) in a host list causes a forward lookup + for the IP address. If this failed, Exim was behaving as if the host didn't + match the list, instead of giving an error (as it does when a reverse + lookup fails). + +74. If router_home_directory was passed on as a home directory for a local + transport, it was being re-expanded in the transport. This has been changed + so that the expanded value is passed from the router to the transport, and + no re-expansion takes place. + +75. When a redirect router generated a pipe, file, or autoreply, the values of + $domain_data and $localpart_data were not being propagated to the + transport. + +76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in + local_scan.h so that they are available to local_scan() functions. + +77. Changes to the SMTP PIPELINING support: + + (1) Exim used always to accept pipelined commands, even when it hadn't + advertised PIPELINING (i.e. when EHLO had not been received). Now it + objects unless PIPELINING has been advertised. + + (2) Advertising PIPELINING to specific hosts can be disabled via the new + option pipelining_advertise_hosts. + +78. The acl_smtp_connect ACL was not being run for -bs input when no IP address + was supplied via -oMa. + +79. A "mail" command in a filter could cause a crash if the list of recipients + for the "to:" line was excessively long - this showed up in a reply to + a message with a ridiculously long Reply_to: header line. + +80. Added allow_utf8_domains. + +81. Added $rh_ and $rheader for "raw" header expansion. + +82. Added smtp_accept_max_nonmail_hosts. + +83. Extended ${stat (see 64 above) to add smode=symbolic mode. + +84. Added default logging for host and IP lookup failures, with a log selector + called host_lookup_failed to turn it off. + +85. Added header_maxsize and header_line_maxsize. + +86. If a RCPT ACL made use of "verify = sender" without callout, followed by + another use with callout, and the callout failed, the caching was broken + such that for a subsequent RCPT command, the first callout failed + incorrectly. The caching of sender verification has been fixed so that it + now remembers that the routing succeeded even when the callout fails. + +87. Added errno and strerror(errno) to the log line for a failure to lock the + -D file when receiving a message. + +88. If router with check_local_user set up a local delivery, and no user was + specified on the transport, and errors_to on the router specified an + address whose verification also invoked check_local_user, the wrong uid/gid + was used for the transport. It used the uid/gid of the errors_to address + instead of the uid/gid of the original local part. + +89. If log_file_path=:syslog was set, to use the default log path and also + syslog, and check_log_space was also set, Exim was confused, and refused to + accept messages, giving the error "cannot find slash in ". + +90. If a router stripped a prefix or a suffix from a local part, and then + routed that address to an smtp or lmtp transport, the address that was + sent in the RCPT command did not have the affixes stripped. + +91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT + command did not preserve the case of the envelope address, as it is + supposed to. + + +Exim version 4.13 +----------------- + +There was no 4.13. I accidentally put out a fixed version of 4.12 (a typo was +discovered very soon after release) that verified itself as 4.13. This too was +hastily fixed, but it seems best not to use the number, to avoid confusion. + + +Exim version 4.12 +----------------- + + 1. Update to change 4.11/82: for the max number of processes, set + RLIM_INFINITY if it is defined. + + 2. An expansion ${run{xxx}} where xxx was a successful command that produced + no output caused Exim to crash. + + 3. Some artificial delays of 1 second existed when running in the test + harness, to ensure repeatability of debugging output. Now that we have + the millisleep() function, these can be shorter. + + 4. Change 4.11/30 below overlooked the case when an address gets a 4xx + response from a server. Because this isn't a host problem, the host does + not get delayed, and it gets tried every time the address is OK'd for + routing, with the same reponse. However, if hosts_max_try is set, because + not all the hosts were tried, the address does not time out. I've changed + things so that if there is a 4xx response to a RCPT command, the host in + question does not count towards hosts_max_try if the message is older than + the host's maximum retry time. This means that other hosts are always tried + in this circumstance; if the address gets 4xx errors from all of them, it + will eventually time out. + + 5. If a retry rule for a host had no actual retry times specified, it could + cause a crash when checking the ultimate address timeout. (Very old bug, + spotted in passing, so probably never bothered anybody.) + + 6. Change 135 below broke the following scripts when a list of configuration + files was given: exicyclog, exim_checkaccess, eximon, exinext, and exiwhat. + In practice, if exim_path was not specified in the configuration file (a + common case), things would probably work OK. However, the use of + CONFIGURE_FILE_USE_NODE definitely did not work. These scripts have now + been updated to fix this problem. They now search for the configuration + file in the same way Exim itself does: for each name in the list, the + "noded" file is tried first, then the unsuffixed file. + + 7. If a WARN verb in an ACL did not specify an explicit "message" modifier, + and was triggered by a failing sender or recipient verification, the + response that would have been sent as an SMTP message for a DENY verb was + incorrectly being added to the message's headers. + + 8. I screwed up change 4.11/155. For lookup types whose names were prefixes of + other lookup types (e.g. nis and nisplus, dbm and dbmnz), the new search + function didn't do the correct comparison, meaning that the wrong lookup + type could be found. + + 9. Solaris seems to be one of the LDAPs that doesn't have the lud_scheme + member of the LDAPURLDesc structure. Since the check that is made on it + is only to double check that a path is given for ldapi, I've just removed + the test in the Solaris case. + +10. The modified TextPop.c source in the Exim monitor had declarations of errno + and sys_nerr which never were actually referenced. The second of these + caused trouble on Darwin, so I've removed both of them. Why were they + there? Who knows? This is ancient X code... + +11. The DEFER ACL verb crashed if no "message" modifier was set. + +12. The check on incoming messages that gives the error "too many non-mail + commands" was too strict. In the case of Exim sending to Exim, when the + client has queued messages for the server and is using TLS, it will close + and re-initialize TLS between messages (because the client has to hand the + SMTP connection to a new process). STARTTLS was being counted as a non-mail + command, and therefore could cause the limit to be hit. The revised code + now allows for one RSET, one HELO or EHLO, and one STARTTLS between each + message without counting them as non-mail commands. (One RSET was + previously allowed - I *had* spotted that case.) + +13. Some log lines for rejections by ACL were putting ident values in + parentheses instead of using U= after H=. (There are some other lines that + do use parens, typically when the host name appears without H= within a + message. This whole area could perhaps do with tidying up.) + +14. When processing a redirection file happens in a subprocess (typically so + that a .forward file is processed as the user), Exim was assuming that a + call to wait() would always reap the subprocess, and it was failing to + check the result. In theory, a signal of some sort occurring at the wrong + time could break this assumption - the process was then left unreaped, and + could possibly be picked up later during deliveries, thus confusing that + code ("processes got out of step"). This is conjecture - I haven't got a + definite test of this. However, I have fixed the code to repeat the wait + after a signal. + +15. When Exim was waiting for a remote delivery subprocess, and the waitpid() + call found a process that was not in the list of remote delivery processes, + Exim gave up waiting for remote processes. It is probably better just to + ignore the unexpected process (though, of course, write to the main and + panic logs) and to wait for another process, and so that is what now + happens. If the error situation is caused by failed waiting logic for + routing or local delivery processes, this approach will minimize bad + behaviour, I hope. + + +Exim version 4.11 +----------------- + + 1. Ignore trailing spaces after numbers in expansion comparisons such as + ${if > { 5 } { 4 } ... (leading spaces were already ignored). + + 2. Two variables, $warnmsg_delay, and $warnmsg_recipients, had got left with + their old Exim 3 names, when I meant to change to "warn_message", along + with the warn_message_file option. They have now been changed. The old + names remain as synonyms, but will be undocumented in due course. + + 3. The message "This message was created automatically by mail delivery + software (Exim)." still confuses people. If they are sufficiently Internet- + ignorant, they think the message has come from exim.org. At first, I + changed thw wording to "This message was created automatically by mail + delivery software (Exim) running on a mail server handling mail for <the + qualify domain>." in the hope that that might be better. However, in + testing that still proved confusing on servers handling multiple domains. + The message has now reverted to the original, simple wording: "This message + was created automatically by mail delivery software." + + 4. It has been discovered that, under Linux, when a process and its children + are being traced by "strace -f", the children are stolen from the parent + while they are being traced. A call to waitpid(-1,&x,NOHANG), which Exim + uses to test for the completion of "any of my children" in a non-blocking + manner, returns as if there are no children in existence. Exim used treat + this as a serious unexpected error state. What it does now is to use + kill(pid,0) to check explicitly for the continued existence of any of its + children. If it finds any, it assumes it is being traced, and proceeds as + if the return from waitpid() had been "none of your children have finished + yet". If it can't find any children, it gives the error as before. + + 5. When Exim creates hints databases and their lock files as root, it needs to + change their ownership to exim. In Exim 3, the function to open a hints + database wasn't called as root very often, and the check "are we running as + root?" would usually fail. However, because Exim 4 eschews the use of + seteuid(), it runs all its routing as root, and this always calls the hints + database opening function. It wasn't noticing when it was actually creating + the database, and so it was running chmod() on all the files in the db + directory every time. This does no harm, of course, but wastes resources. + Exim now detects when the database was already in existence by opening + without O_CREAT at first. If this succeeds, it doesn't do the root test. + + 6. The line in MakeLinks that creates a link for direct.c had been + accidentally left in (cf 4.03/6). + + 7. The value of $0 in the replacement in a rewriting rule was being corrupted, + leading to incorrect results or error diagnostics. + + 8. Added support for ldapi:// URLs to the LDAP lookups (OpenLDAP only). Also, + re-organized the code to use ldap_initialize() with OpenLDAP in all cases + (it seems to be preferred). + + 9. With OpenLDAP 2.0.25, ldaps:// doesn't seem to work unless the LDAP + protocol level is set to 3. This is now standard in the Exim code, as v3 + has been around for 5 years now. Testing ldaps:// is now included in the + Exim test suite. Although earlier versions claimed to support it, I rather + suspect that it never worked. + +10. Inserted some checking of the syntax of the IP address given as the first + argument to the exim_checkaccess utility. This gives a better error + message, especially in the case when somebody gets the arguments in the + wrong order. + +11. Improved the panic log entry if an unsupported format type is passed to + string_vformat() (now gives the whole format string, not just the little + bit that's wrong). + +12. Ever since its early days, Exim has checked the syntax of non-SMTP + addresses according to RFC [2]822 rules, rather than the stricter RFC + [2]821 rules that it uses for SMTP. This allows for a wider set of + characters in domains. This has now caused a problem, because I forgot + about it when making some changes to the format of spool files (see + 3.953/44, 4.03/10, and 4.04/1). I can't believe that anybody actually makes + use of this feature (which isn't documented), so I have removed it. All + domains must now conform to RFC [2]821 rules. A non-SMTP message with a + domain that would previously have been accepted will now be bounced. + +13. If widening a domain in a dnslookup router made it syntactically invalid, + the error message quoted the original domains instead of the widened + domain. + +14. During a queue run initiated by -R or -S (or by -i when the use of message + logs is disabled), if Exim encountered a message with certain + characteristics (including text for $local_scan_data, and the setting of + the "manually thawed" flag), this data was not correctly reset for + subsequent messages. So if they didn't have those settings themselves, + strange things could occur. + +15. With the "percent hack" enabled for percenthack.domain, if a message had + two addresses such as X%some.domain@percenthack.domain and X@some.domain, + Exim was not recognizing the duplication, and was making two deliveries + instead of one. + +16. The output from verification (for -bv and VRFY) used to list a child + address when verification was applied to children (this happens, for + example, for aliases that generate just a single child). Now it lists only + the original address. + +17. Changes 34 and 35 of 4.10 did not wholly solve problems with widened + domains. The following bug still existed: + + . A recipient address was abbreviated (e.g. one component). + . A dnslookup router caused it to be widened. + . The new domain was a local domain. + . The address was redirected to itself. + + At this point, Exim thought it was a duplicate, and discarded it. + + This whole thing turned out to be a large can of worms, so I have reworked + the address widening code. This should get rid of all these problems. + Widening now appears similar to redirection, with the unwidened address + becoming a proper parent address. As part of this, there has been some + general re-organization of the way addresses are handled. + +18. When a filter generated only "unseen" deliveries, the normal delivery that + happened subsequently lost any value of address_data that was previously + set. The handling of values like that that are propagated from parents to + children has been reworked. + +19. Added smtp_return_error_details and the check_postmaster option for address + verification callouts. + +20. Long SMTP responses (from ACL messages or wherever) are now automatically + split up into multi-line responses if possible. The split happens at an + occurrence of ": " if present after 40 characters. Otherwise it happens at + the last space before 75 characters. Existing newlines in the message are + taken into account. + +21. When verify = header_sender is set, a different error message is now given + if a syntax is detected, as opposed to failure to verify. + +22. Extended the general mechanism for ${quote_lookuptype:...} expansions by + allowing for an option to be given after the lookup name, for example + ${quote_ldap_dn:...}. Unrecognized options cause errors. + +23. Re-worked the quote_ldap expansion items to provide two different kinds of + quoting, since the requirements of filter strings and DNs are different. + Sigh. Arranged for the DN given in the USER= setting to be de-URL-quoted + because not all libraries do it themselves. + +24. The handling of responses from LDAP searches wasn't right. It was detecting + situations of the form "ldap_result failed internally or couldn't provide + you with a message" but not "the server has reported a problem with your + search". This has now been tidied up (thanks, Brian). Problems of the + latter kind are now handled as follows: + + (1) For LDAP_SIZELIMIT_EXCEEDED, the truncated list of results is + returned. This is what happened before. + + (2) For a small set of errors that, in effect, mean "that object does + not, or cannot, exist in the database", the lookup fails. This is + also as before. + + (3) For other problems, the lookup defers, giving the LDAP error. + +25. Added $ldap_dn to hold the DN of the last entry retrieved in the most + recent LDAP lookup. + +26. Exim was not checking for the LDAP_INVALID_CREDENTIALS error when + ldap_bind() failed during an ldapauth call. With (at least) OpenLDAP2, the + connection to the server doesn't happen until ldap_bind(), so failures to + connect were being treated as authentication failures, and given hard + errors. Now, all errors other than LDAP_INVALID_CREDENTIALS are treated the + same way for all calls to ldap_bind(), whether ldaputh or otherwise. They + lead to temporary errors - if there are more servers, they will be tried. + +27. If there was a reference to a non-existent named list, for example, a + setting such as "senders = +something", but no lists of that type were + actually defined, Exim misbehaved. For an address list, it treated the name + as a domain list. For a domain list, it just didn't match. Now it gives a + panic error about a non-existent named list (as it always did if there were + named lists of the appropriate type). The error now tells you what type of + list it thought it was looking for. + +28. When -bt or -bv is used by a non-admin user, and there is some kind of + DEFER (e.g. database unreachable), details of the failure are no longer + given, because they may include private data such as the password for an + LDAP lookup. + +29. The logic for using a remote host name as a key for looking up retry rules + in preference to the domain of the email address was broken. It wouldn't + find such retry rules. + +30. There were some problems with the action of hosts_max_try in the smtp + transport where there were indeed more hosts available than the limit. + + (a) Exim used to time out an address out if all the hosts that were tried + were past their retry limits, ignoring the state of any hosts that were + not tried because the hosts_max_try limit was reached. Now it won't + time out an address unless all its hosts are actually considered and + are past their retry limits. + + (b) Hosts that are past their retry limits are no longer counted for + hosts_max_try. This means that when some hosts are in this state, a + greater number of hosts are tried than before, but this is the only way + to ensure that all hosts are considered before timing out an address. + + (c) When the hosts_max_try limit is reached, Exim now looks down the host + list to see if there is a subsequent host with a different MX. If there + is, that host is used next, and the current host is not counted. More + details in NewStuff. + +31. The source for spa authentication (taken from the Samba project) used the + type "int16". This has caused compilation problems in some systems that + happen to have a different definition of it. (Naughty, naughty, non- + standard.) I've renamed all the defined types by adding "x" on the end. + +32. When a delivery that used authentication was run with -v (which an + unprivileged user can use) it included the authentication data when it + showed the SMTP transaction. Such data is now replaced by asterisks in any + reflection of the SMTP commands. This also applies if the command is logged + as a result of an error response. + +33. Some little problems in queue runs: + + (a) The reading end of the synchronising pipe was being left open in the + delivery subprocess. This caused no harm, but used up a file + descriptor till that series of deliveries was done. + + (b) If the load level got high enough to abandon a queue run, the + synchronizing pipe was accidentally not closed. Normally, this wouldn't + matter, because the queue runner process would finish any way, but... + + (c) If split_spool_directory was set without queue_run_in_order, the code + for abandoning a queue run because of too high load didn't stop + cleanly. Instead, it went on to look at the remaining subdirectories. + Each one would then notice the high load, and abort. Not only was this + a waste of time, but because of (b) above, it used up one file + descriptor per subdirectory. With up to 62 subdirectories, this could + hit the limit of file descriptors if it was as low as 64 (which it + sometimes is). + +34. Added SYSTEM_ALIASES_FILE to the build-time configuration, and the ability + to set ROOT= when installing. Removed installation instructions for the + info version of the overview document, because that document no longer + exists for Exim 4. + +35. Added a total line to exiqsumm. + +36. convert4r4 can now handle "optional" for single-key lookups in aliasfile + directors. + +37. Change 4.03/25 (making convert4r4 double colons in require_files lists) was + incomplete. It worked for routers, but not for directors. + +38. After verify=recipient in an ACL, the value of $address_data is the last + value that was set while routing the address. + +39. Included eximstats 1.22. + +40. If a delivery of another message over an existing SMTP connection yields + DEFER, we do NOT set up retry data for the host. This covers the case when + there are delays in routing the addresses in the second message that are so + long that the server times out. This is alleviated by not routing addresses + that previously had routing defers when handling an existing connection, + but even so, this case may occur (e.g. if a previously happily routed + address starts giving routing defers). If the host is genuinely down, + another non-continued message delivery will notice it soon enough. + +41. Added quota_directory to appendfile. + +42. Changed the order of processing configuration input lines. Previously, it + was comment, .include, continuation, macro expansion, comment again (in + case a macro turned a logical line into a comment). This meant that macros + could not be used in .include lines. The order is now macro, comment, + .include, continuation. That is, macro expansion is done on physical lines, + not on logical lines. + +43. Improved the error message if an option-setting line in the configuration + does not start with a letter. (It used to say 'option "" unknown'.) + +44. Allow -D to set a macro to the empty string. Previously it would have + moved on to the next commandline item. This seems pointless. Either -DXX or + -DXX= sets an empty string. + +45. Changed OS/Makefile-FreeBSD thus: + + EXIWHAT_MULTIKILL_CMD='killall -m' + EXIWHAT_MULTIKILL_ARG='^exim($$|-[0-9.]+-[0-9]+$$)' + + This is because, with the Exim standard installation using a symbolic link, + the name of the running program is not "exim" but (e.g.) "exim-4.10-1". + +46. An Exim server now accepts AUTH or STARTTLS commands only if their + availability has been advertised in response to EHLO. + +47. A few source changes to avoid warnings from very picky compilers that don't + complain about unset variables when the only setting is by passing the + address to another function. + +48. Added -d+pid to force the adding of the pid to all debug lines. Default it + on when the daemon is run with any debugging turned on. (Pids are still + automatically added when multiple deliveries are run in parallel.) + +49. Included Matt Hubbard's exiqgrep utility. + +50. Give error for two routers, transports, or authenticators with the same + name. (It already caught duplicate ACLs.) + +51. If a host has more than MAX_INTERFACES interfaces (common for hosts with a + slew of virtual interfaces), and Exim had to find the list of local + interfaces, it ran off the end of the list that the ioctl returned. I had + assumed the length would be set to correspond to the amount of data + returned - but in at least one OS it is set to the actual number of + interfaces, even if they don't all fit in the buffer. + +52. Nit-picking changes to store.c. It was assuming the length of the + storeblock structure would be a multiple of the alignment, which is almost + certainly "always" true. However, just in case it might not be it is now + rounded up. For some long-forgotten reason, Exim was getting blocks of + store of the size (8192 - alignment), which seems strange. I've changed it + to plain 8192. + +53. Added functions to compute SHA-1 digests, added the ${sha1: expansion + operator, added support for {sha1} to crypteq. + +54. When local_scan() times out, include the message size in the log line. + +55. If a pipe transport had no command specified, and the address also had + no command associated with it, the transport process crashed. Now it defers + with a suitable message. + +56. An Exim server output mangled junk if it received a HELP command on an + TLS-encrypted session. + +57. The output from -bV (and at the start of debugging) now lists the optional + items included in the binary (which routers, etc). The debugging output now + includes the name of the configuration file at its start. + +58. Added support for GnuTLS as an alternative to OpenSSL. + +59. Give a configuration error if tls_verify_hosts is set, but tls_verify_ + certificates is not set. It doesn't make sense to require some hosts to + verify if there's nothing to verify against. + +60. A pipe transport may now have temp_errors = * to specify that all errors + are to be treated as temporary. + +61. The lmtp transport can now handle delivery to Unix domain sockets. + +62. Added support for flock() to appendfile, for those operating situations + that need it. Not all OS support flock(). + +63. It seems that host lists obtained from MX records often turn out to have + duplicate IP addresses, especially for large sites with many MXs and many + hosts. Exim now removes duplicate IP addresses. (Previously, it removed + only duplicate names.) + +64. If ${readfile was inside a substring that was not part of the final + expansion value (because its condition wasn't met), Exim still tried to + read the file. This made an "exists" test for the file useless. + +65. Added ${readsocket to the expansion facilities. + +66. It is now possible to set errors_to to the empty string in routers. + +67. Added disable_logging as a generic transport and a generic router option. + +68. Applied Stefan Traby's patch to support threaded Perl. As I don't have a + threaded Perl, I can't test that this fixed the problem, but it doesn't + appear to break the non-threaded case. + +69. For SPA (NTLM) client authentication, the options are now expanded. + +70. Added support for SPA server authentication, courtesy of Tom Kistner. + +71. Latest versions of TCPwrappers use the macro HAVE_IPV6 inside the tcpd.h + header, it appears, and this clashes with Exim's use of that macro. + Renaming it for Exim is an incompatible change, so instead I've just + arranged that HAVE_IPV6 is undefined while including the tcpd.h header. + +72. Mac OS 10.2 (Darwin) has IP option support that looks like the later + versions of glibc, but without the __GLIBC__ macro setting. I've added a + new macro called DARWIN_IP_OPTIONS, and tidied up the code in smtp_in.c to + simplify the handling of the three different ways of doing this. + +73. If no "subject" keyword is given for a "vacation" command in a filter, the + subject now defaults to "On vacation". + +74. Exim now counts the number of "non-mail" commands in an SMTP session, and + drops the connection if there are too many. The new option + smtp_accept_max_nonmail option defines "too many". This catches some DoS + attempts and things like repeated failing AUTHs. + +75. Installed configuration files for OpenUNIX. + +76. When a TLS session was started over a TCP/IP connection for LMTP, Exim was + sending EHLO instead of LHLO after the encrypted channel was established. + +77. When an address that was being verified routed to an smtp transport whose + protocol was set to LMTP, the SMTP callout used EHLO instead of LHLO. + +78. Installed eximstats 1.23 in the distribution. + +79. Installed a new set of Cygwin-specific files from Pierre Humblet. + +80. Added caching for callout verification. + +81. Added datestamped logs and $tod_logfile. + +82. When Exim starts up with root privilege, set a high limit (1000) for the + number of files that can be open and the number of processes that can be + created (on systems where this is possible), in case Exim is called from a + restricted environment. + +83. Minor bugfix in appendfile: when renaming failed for a file whose name was + extended with a tag, the untagged name was shown in the error message. + +84. If Exim's retry configuration was changed so as to bounce a certain + delivery failure immediately, for example to bounce quota errors: + + * quota + + and there were messages on the queue that had previously been deferred + because of this error, Exim crashed when trying to deliver them in a queue + run. Now it will make one more delivery attempt and bounce on failure. + +85. Fixed an obscure problem that arose when (a) an address was redirected + to itself, AND (b) the message was not delivered at the first attempt, AND + (c) the pattern of redirection was changed at the next delivery attempt. + When an address is redirected to the same address, Exim labels the new + address as "2nd generation", and so on, in order to distinguish these + homonym addresses from each other. Previously, it recorded the delivery of + a homonym address as a delivery of the appropriate generation. This does + not work if the generation numbers change at the next delivery attempt. The + symptoms can be either duplicated deliveries, or missing deliveries, + depending on the configuration. + + A real-life example is a configuration that takes "unseen" copies of + messages at certain times only, because an "unseen" router in effect does a + redirection to a modified address (the unseen delivery) and to the original + address (for normal delivery). Thus the normal delivery can be either the + 1st or 2nd generation, depending on whether or not the unseen router is + triggered at the time of delivery. + + The fix is not to record a delivery to a homonym address as such, but + instead to record a delivery to the original address by the final + transport. If the same address is subsequently routed to the same transport + (whichever generation it now is), the delivery is discarded because it has + already happened. Homonym addresses that are themselves redirected are now + never recorded as "done", but non-homonym addresses are unaffected, so they + are marked when all their children are complete (as before), thus saving + an unnecessary subsequent expansion. + + The fix causes more routing processing to be done when homonyms are in use + and a message is not delivered at the first attempt, but this is not + expected to be very common, and the extra processing isn't all that much. + +86. Make sure Exim doesn't overrun the buffer if an oversize packet is received + from a nameserver. + +87. Added argument-expanding versions of hash, length, nhash, and substr + expansions. + +88. The API for Berkeley DB changed at release 4.1. Exim now supports this + release. + +89. When a host was looked up using gethostbyname() (or the more recent + getipnodebyname() on IPv6 systems), Exim was not inspecting the error code + on failure. Thus, any failure was treated as "host not found". Exim now + checks for temporary errors, so the behaviour of "byname" and "bydns" + lookups in this respect should be the same. However, on some OS it has been + observed that getipnodebyname() gives HOST_NOT_FOUND for names for which a + DNS lookup gives TRY_AGAIN. See also change 125 below. + +90. Minor rewording of ACL error for attemted header check after RCPT. + +91. When USE_GDBM was set, exim_dbmbuild wasn't working properly (still assumed + NDBM compatibilify interface); similarly in dbmdb lookups when ownership + was being tested. + +92. If a Reply-To: header contained newlines and was used to generate + recipients for an autoreply, the log line for the autoreply "delivery" had + unwanted newlines. Such newlines are now turned into spaces. + +93. When a redirect router that has the "file" option set discovers that the + file does not exist (the ENOENT error), it tries to stat() the parent + directory, as a check against unmounted NFS directories. If the parent + can't be statted, delivery is deferred. However, it seems wrong to do this + check if ignore_enotdir is set, because that option tells Exim to ignore + the error "something on the path is not a directory" (the ENOTDIR error). + In fact, it seems that some operating systems give ENOENT where others give + ENOTDIR, so this is a confusing area. + +94. When the rejectlog was cycled, an existing Exim process was not noticing, + and was therefore not opening a new file. + +95. If expansion of an address_data setting was forced to fail, and debugging + was enabled, a debugging statement tried to print an undefined value + instead of the string that was being expanded. This could cause a crash. + +96. When Berkeley DB version 3 or higher is in use, a callback function is now + set up to log DB error messages that are passed back. + +97. The conditions in the Makefile for rebuilding the exim_dbmbuild utility + were wrong, leading to failures to rebuild when it should have done. + +98. Added -no_chown and -no_symlink options to the exim_install script. Also + arranged for the environment variable INSTALL_ARG to be passed over + from "make install". + +99. Exim sets the IPV6_V6ONLY option on IPv6 listening sockets on operating + systems that support it. The call to setsockopt() to do this had SOL_SOCKET + instead of IPPROTO_IPV6 as its second argument (and so wouldn't work). + +100. When a frozen message was timed out by timeout_frozen_after, the system + filter was incorrectly being run for the message before it was thrown + away. + +101. If a filter used $thisaddress in an argument to a pipe command, its value + was not inserted where expected, because the expansion of a pipe command + does not happen till transport time, and $thisaddress was not being saved. + It is now saved (along with $1, $2, etc, which were already being saved), + and reinstated at transport time. + +102. Added host grouping for randomizing to manualroute and smtp. A host list + that is randomized by manualroute is never re-randomized by smtp. Two + host lists that are randomized by manualroute are now treated as "the + same" when checking for possible multiple deliveries in one SMTP + transaction (this was always true for MX'd host lists). + +103. Added "randomize" and "no_randomize" options to manualroute. + +104. Added ${hmac expansion item. + +105. When compiling with gcc, make use of its facility for checking printf-like + function calls (debug_printf and smtp_printf). This would have found the + problem in 95 above. It actually found a number of missing casts to (int) + in debug lines, and one spurious additional argument. + +106. Created an ACKNOWLEDGEMENTS file, which I will endeavour to update in + future. + +107. Minor modification to Makefile: when a command that starts off "cd xxx;" + is followed by another command (on the next line), put the first one in + parentheses so that if a "clever" make program amalgamates them, the + change of directory is turned off when it should be. + +108. If log_timezone is set true, the timestamps in log files now include the + timezone offset. A new variable $tod_zone contains the offset. The exigrep + utility has been updated to handle timestamps with offsets. The eximstats + version included with this release (1.23) has been patched to handle + timestamps with offsets. There is also a new -utc option that specifies + the timestamps are in UTC. The Exim monitor has been modified so that it + omits the zone offset from its display. + +109. If the expansion of an errors_to option is forced to fail, the option is + ignored. + +110. Added $load_average. + +111. Added router_home_directory generic router option. + +112. Exim crashed on an attempt to check senders or sender domains in an ACL + other than after RCPT or DATA. It's now a temporary error. + +113. \r was omitted before \n in the SMTP failure response for EHLO/HELO + argument checking. + +114. On receiving EHLO or HELO, Exim was resetting its state before checking + the validity of the command. However, RFC 2821 says that the state should + not be changed if an invalid EHLO/HELO is received, so Exim has been + changed to conform. This applies mainly when there is more than one + EHLO/HELO command in a session. + +115. When an Exim root process wrote to a log file, and the log file did not + already exist, Exim used to create it as root, and then change its + ownership to exim:exim. This could lead to a race condition if several + processes were trying to log things at the same time; this happens + especially when the exiwhat utility is used. I've changed things so that, + if an Exim root process needs to create a log file, it does so in a + subprocess that is running as exim:exim. + +116. When running filter tests (-bf and -bF) Exim now changes the current + directory to "/" so that any assumptions about a particular current + directory are false. + +117. The appendfile transport was doing the quota_threshold check before + actually writing the message. However, the act of writing the message + could make it longer by the addition of prefix, suffix, or additional + headers. This meant that quota warning could be missed if the basic length + of a message kept the mailbox below the threshold, but the transport + additions took it over. The warning threshold check is now done after + writing the message, when an accurate size is known. + +118. If all verifications for verify = header_sender deferred, the log was + "temporarily rejected after DATA", without saying why. Now it adds "all + attempts to verify a sender in a header line deferred". + +119. Added message_id_header_domain option. + +120. Ignore message_id_header_text forced expansion failure. + +121. Typos: "uknown" in acl.c; missing NULL initialized in drtables.c. + +122. When return_size_limit was set greater than zero but smaller than an Exim + transport buffer size (so that only one buffer would be written), a + message that was longer than the limit could be omitted from the bounce + entirely under some circumstances. In other cases, the final buffer full + before truncation could be omitted. + +123. The inode variables in log.c were of type int with -1 for unset; they + have been changed to ino_t with 0 for unset. + +124. There are two Makefiles for NetBSD (for different object formats). They + were originally supplied in a format where one .included the other. The + problem with this has finally surfaced: when processing the Makefile to + build config.h, the inclusion isn't seen. The easy way out has been taken: + there are now two fully independent files. At the same time, HAVE_IPV6 has + been added to both of them. + +125. Changed the default way of finding an IP address in both the manualroute + and queryprogram routers. Exim now does a DNS lookup; if that yields + HOST_NOT_FOUND, it tries calling getipnodebyname() (or gethostbyname()). + See also change 89 above. + +126. Fixed a race bug in the loop that waits for a delivery subprocess to + complete. After reading all the data from, and then closing, the pipe, it + assumed that a call to waitpid() for the known pid would always return + status for that process. An unfortunately timed signal (e.g. SIGUSR1 from + exiwhat) could cause waitpid() to return -1/EINTR instead. The effect of + this was to remain in the loop and call FD_SET() with an argument of -1. + On Solaris it caused a crash; on other systems it might have looped. + +127. If an ACL that was read from a file was used in more than one message in a + single SMTP transaction, Exim could crash or misbehave in arbitrary ways. + The problem was that the ACL was remembered in memory that was thrown away + at the end of the first message. In fixing this, I've done a bit of + refactoring of the way memory allocation works, to provide a non-malloc + allocator for small blocks of data that must be kept for the life of the + process. There's a new function store_get_perm() and I've reintroduced a + second storage pool (previously dropped on the 3->4 conversion). A number + of instances of malloc calls for small amounts of memory have been changed + to use this instead. It might be a tad more efficient. Then again, it + might not... + +128. A similar problem to 127: memory corruption could occur for multiple + messages in one SMTP connection if the data from DNS black list lookups + was being used in log or user messages, e.g. references to $dnslists_text. + +129. Blanks lines and comments are now ignored in ACLs that are read from + files. + +130. Two instances of missing \n in debug output. + +131. The new debugging tag +timestamp causes a timestamp to be added to each + debug output line. + +132. Some debug information is written in multiple calls to debug_printf(), + with a newline only on the last one. When debugging multiple simultaneous + processes, the pid was added to each debug text, and for this reason, a + newline was always forced. Now Exim buffers up debug output until the + newline is reached, which makes things look much tidier. Also, if there + are internal newlines and prefix data such as a pid or timestamp are being + added, the prefix is inserted at the internal newlines. + +133. When running in the test harness, arrange to overwrite all memory that + is released or freed, so that bugs are more easily found. This picked up + the following bug: + +134. Expansion error messages were left in released store, so could have been + overwritten - but in fact most are used immediately, before this happened. + +135. A list of configuration files can be given; the first one that exists is + used. + +136. Moved the code that ensures that newly-created hints databases and their + lockfiles are owned by exim:exim so that it runs before the test for + successful opening, because a case was reported where the file itself was + created, but the DBM library returned an opening error. + +137. If an address is redirected to just one child address, verification + continues with the child address. However, if verification of the child + failed because of (for example) a :fail: redirection, the error message + did not get passed back as it would have been had the original address + failed. The error information is now passed back for both fail and defer + responses. + +138. Added $rcpt_defer_count and $rcpt_fail_count. + +139. Added "rejected_header" log selector. + +140. Added the cannot_route_message generic router option. + +141. Change 87 above introduced a bug in the expansion of substrings when the + offset was greater than the length of the string, for example + ${substr_1:}. Exim crashed instead of returning an empty string. + +142. Added extra features to ACLs: the "drop" and "defer" verbs, and the + "delay" and "control" modifiers (the latter with "freeze" and + "queue_only"). + +143. If Exim failed to create a log file, it used to try to create the superior + directories only if the logs were being written in the spool directory. + Now it tries in all cases, but always from a process running as the exim + user. + +144. Added $authentication_failed. + +145. Added $host_data for use in ACLs. + +146. Added new ACLs for non-SMTP messages, SMTP connection, MAIL, and STARTTLS. + +147. Added a number of new features to the local_scan() API: + Access to debug_printf() and the local_scan debug selector + Direct access to the message_id variable + LOCAL_SCAN_REJECT_NOLOGHDR and LOCAL_SCAN_TEMPREJECT_NOLOGHDR + Access to store_get_perm() and store_pool (see 127 above) + Access to expand_string_message + Option settings in the main configuration file + LOCAL_SCAN_ACCEPT_FREEZE and LOCAL_SCAN_ACCEPT_QUEUE + LOG_PANIC to write to the panic log + Access to host_checking + Supporting functions lss_match_xxx() for matching lists + +148. Minor security problem involving pid_file_path (admin user could get root) + has been fixed. + +149. When an ACL contained a sender_domains condition with a reference to a + named domain list, the result of the check was not being cached (an + oversight). + +150. Allowed for quoted keys in lsearch lookups; this makes it possible to have + whitespace and colons in keys. + +151. Added wildlsearch lookup. + +152. Yet another new set of configuration files for Cygwin from Pierre Humblet. + +153. Ensure that log_file_path contains at most one instance of %s and one + instance of %D and no other % characters. + +154. Added $tls_certificate_verified. + +155. Now that the list of lookup types has got so long (and more are in + prospect) arrange to search it by binary chop instead of linear search. + +156. Added passwd lookup. + +157. Added simple arithmetic in expansion strings. + +158. Added the ability to vary what is appended for partial lookups. + +159. Made base 64 encode/decode functions available to local_scan. + + +Exim version 4.10 +----------------- + + 1. Added HAVE_SA_LEN=YES to the OS/Makefile-Darwin file, because it needs it + (unsurprising, as it's based on FreeBSD). + + 2. Removed the HTML versions of the PCRE and pcretest documentation from the + distribution tarbundle, and instead included them in the HTML tarbundle, + linked to the overall index file. + + 3. The code for computing load averages was broken in 64-bit Solaris. + + 4. Make the default ACL refuse local parts that start with a dot. + + 5. LDAP binds with an empty password are considered anonymous regardless of + the username and will succeed in most configurations. Exim has been changed + so that the LDAP authentication (the ${if ldapauth... condition) always + fails when an empty password is used. + + 6. Remove quoting from rbl_domains when used in an ACL by the convert4r4 + script. + + 7. A lookup entry in a list that had spaces after the lookup type, e.g. + "lsearch; /etc/relaydomains" was including the space as part of the file + name. + + 8. Give an error if EXIM_USER or EXIM_GROUP contains control characters (it + happened when somebody had CRLF terminations in Local/Makefile, which + messed up the "unknown user" error message). + + 9. Ensure recipient address appears in log line for internal pipe problems + during redirection. + +10. Tidies to code for calls to fork(): (a) 3 typos of "<=" that should have + been "<" (but would have no actual effect). (b) 2 cases of fork() failures + not being logged: during -M for multiple messages, and for auto-delivery + of incoming messages. + +11. A reference to any header line that contains addresses (e.g. $h_to:) caused + a crash if the header was empty. Change 46 for 4.05 introduced this bug. + +12. If a system filter file was defined as a non-absolute path, but system_ + filter_user was undefined, Exim's behaviour was undefined. It could, for + example, discard all deliveries, thinking the system filter had overridden + them all. Delivery is now deferred, with a message written to the panic + log. + +13. If a redirection file (or system filter file when system_filter_user was + set) was defined as a non-absolute path containing no slash characters, + Exim crashed. + +14. Added $rcpt_count, containing the number of RCPT commands received during + an SMTP transaction. This differs from $recipients_count when some of the + RCPTs are rejected. + +15. Added $pid, containing the pid of the current process. + +16. Fixed uninitialized variable warning in eximstats for relayed messages when + there was no sending host name (logged as H=[n.n.n.n]). There's no change + of output. + +17. The exiqusumm script failed horribly if it encountered a message that had + been on the queue for 100 days or more. + +18. Added the message_logs option for suppressing the writing of message logs. + +19. Allow local_scan() to change the errors_to setting on recipient addresses. + (This was made trivially possible because of change 10 in 4.03.) + +20. Convert4r4 changed: if forbid_pipe is set on a forwardfile director, also + set forbid_filter_run on the generated redirect router. + +21. In the Makefile, $(INCLUDE) was preceding the -I. item that refers to + Exim's own include files. This caused a conflict with an external library + that also happened to have a config.h file. Exim saw the wrong file, and + chaos ensued. I've moved the -I. item in the relevant lines so that it + comes before $(INCLUDE). + +22. Added $acl_verify_message to contain any existing user message when + expanding the "message" modifier in an ACL. + +23. Changed the default argument for egrep when called in exiwhat to find + Exim processes. It is now ' exim( |$$|-)' instead of ' exim( |$$)' so that + it works on OS where the true file name appears. + +24. In the plaintext authenticator, server_prompts was not being expanded, as + documented. It now is. + +25. The exinext script was outputting in an incorrect format for routing + delays. It said "deliver" when it should have said "route", and the layout + of the text was screwed up. In fact, "deliver" is not the right word + anyway. I've changed it to "transport". Also removed redundant code for + "directing" delays, because these can't occur in Exim 4. + +26. Fixed some problems concerned with retrying address errors in remote + deliveries: + + (a) I'd overlooked temporary address errors, and assumed that all the + retry items would be for host errors, and therefore on the first + address when multiple RCPTs were involved. Consequently, no retry + record was written for second and subsequent addresses if they + received a 4xx error. Thus, these addresses wouldn't be delayed + after such a delivery failure. + + (b) A temporary address error causes a routing delay; when the address + is eventually tried again, and routing succeeds, the retry record is + flagged for deletion. If the address gets another temporary error, + the retry record got updated, and then deleted. Thus, temporary + address errors were not being delayed and would be tried on every + queue run. + +27. A minor code tidy for the CRAM-MD5 authenticator. + +28. Some OS have a command to select processes by the name of the command they + are running, and send a signal to them. Linux and FreeBSD have "killall"; + Solaris has "pkill" (it also has "killall", but that does something + disastrously different). Using such a command makes "exiwhat" more + efficient, and reduces the chances of it trying to signal a non-existent + process. There are now two build-time parameters, EXIWHAT_MULTIKILL_CMD and + EXIWHAT_MULTIKILL_ARG, which can be set to enable this feature to be used. + They are defined in the OS-specific files for Linux, FreeBSD, and Solaris. + See OS/Makefile-Default for more details. + +29. As part of tidying up for 28, changed the name of the build-time parameter + EXIWHAT_KILL_ARG to EXIWHAT_KILL_SIGNAL so that its name makes more sense + when used in both kinds of exiwhat processing. + +30. By default, the daemon doesn't write a pid file if -bd is not used (i.e. if + only -q is used). The -oP didn't override this - it was ignored. It now + overrides the default and causes a pid file to be written. + +31. The values of $local_part, $domain, etc. were not being set during the + expansion of shadow_condition in a local transport. + +32. The convert4r4 script failed when macros that had continuation lines were + present in the Exim 3 configuration file. It inserted junk lines into the + output and gave uninitialized variable errors. + +33. The convert4r4 script discards (with a comment) a setting of "rewrite" on + a smartuser director that has no setting of new_address when it turns it + into an "accept" router. + +34. When an alias generated an address with a single-component domain, and + routing that domain caused it to be widened, Exim remembered only that it + had delivered to the widened domain. If any other addresses were deferred, + so that another delivery attempt happened later, Exim re-delivered to the + widened address, because it checked only the original address. When this + kind of widening happens, Exim now checks for previous delivery. + +35. A delivery was silently discarded under the following specific + circumstances: + . The original address is x@a.b.c, where a.b.c is the local host; + . a.b.c is recognized as a local domain, and the address is redirected + to x@a; + . a is not recognized as a local domain, causing the address to be + processed by a dnslookup router; + . the router widens the address to a.b.c, routes it, and discovers it + is the local host. + Exim realized that because the domain had been widened, it might have + become a local domain, so it arranged to re-route from scratch, using the + new domain. However, because the original address was the same address, + it thought it had already dealt with it. + +36. A space at the start of an LDAP query in an expansion (after the opening + curly) was provoking a syntax error. + +37. A syntax error in the data of an ldapauth expansion caused the condition to + be false without an LDAP query even being tried. Now it causes the + expansion to fail. + +38. Ensure that an incomplete config.h is removed when the buildconfig program + gives an error. Otherwise, if the error is a non-existent Exim user, and + the admin fixes this by creating the user (and not modifying any files), + Exim will try to use the broken config.h next time. + +39. A call with an argument of the form "-D=xxxx" (i.e. omitting the macro + name) caused Exim to loop. It now reports an error. + +40. If an ACL tested an address for being in a named domain list (e.g. + +relay_domains) and then called for recipient verification, and the + recipient was rewritten, the cache for remembering matching domain lists + was not being cleared after the rewrite, leading to potential routing (and + therefore verification) errors. Furthermore, the rewritten address would + (incorrectly) have been used for any subsequent address checking within + the ACL. + +41. If an address such as a%b@c was processed using the "percent hack" and then + transmitted over SMTP, Exim was sending "RCPT TO:<a%b@c>" instead of + "RCPT TO:<a@b>". + +42. A revised Makefile-CYGWIN file from Pierre Humblet. + +43. If local_scan() rejected a -bS message, it wasn't handling the error in the + way -bS errors should be handled. + + +Exim version 4.05 +----------------- + + 1. In the log display in Eximon, put the insert point (caret) at the start of + the last line instead of at the end, because this stops unwanted horizontal + scrolling when certain X libraries are used. + + 2. A malformed spool file with an incorrect number of recipients (which + should never occur, of course) could cause eximon (and probably exim) to + crash. + + 3. Updated Cygwin Makefile and os.h (minor tweaks). + + 4. Setting allow_domain_literals=true was not allowing domain literal + addresses in the -f command line option. + + 5. Added debugging output for removing and adding header lines at transport + time. + + 6. On systems where SA_NOCLDWAIT is defined, changed from using signal( + SIGCHLD, SIG_DFL) to using sigaction(), with flags explicitly set zero, to + ensure that SA_NOCLDWAIT is definitely off. This fixes a bug in AIX where + subprocesses were disappearing without being turned into zombies for Exim + to reap. There was a previous report of the error "remote delivery process + count got out of step" on a Linux box that was never resolved. It is + possible that this change fixes that too. + + 7. Other applications that support IPv6 have been coded to choose IPv6 + addresses in preference to IPv4 addresses where possible. This is + encouraged, in order to speed up the use of IPv6. Exim has now been changed + to do likewise when it looks up IP addresses from host names. This applies + both to hosts that have more than one IP address, and to MX records with + equal preference values when the hosts they point to have both IPv4 and + IPv6 addresses. Within one preference value, Exim will try all the IPv6 + addresses before any IPv4 addresses, even when some of the IPv4 addresses + belong to hosts that also have IPv6 addresses. + + 8. When Exim sent HELO after EHLO was rejected, or when it sent a second EHLO + after starting a TLS session, it used the primary host name as the + argument, instead of the expansion of the helo_data option. + + 9. Exim was failing to batch addresses for local delivery when errors_to was + set on the router to the same string for each address, in the case when the + string involved some kind of expansion (that ended up with the same value + each time). If the string was fixed (i.e. no expansion) the batching was + not blocked. In other words, I was testing the addresses of the strings but + forgetting to compare the content. The same problem was not present for + remote deliveries, but the code was written out instead of using a + subroutine that now exists for this purpose, so I tidied that code. + +10. When Exim passes a connected TCP/IP socket to a new Exim process in order + to deliver another message on the same connection, it closes down TLS, + because it can't pass on the state information that is required by the + OpenSSL package. The new process then tries to start up TLS again. + Unfortunately, not all servers handle this - and, it has to be said, it is + a bit of a dubious interpretation of the RFC. (Exim as a server copes OK, + needless to say.) The problem is that the server may just die or give an + invalid response, causing a retry delay to occur. The option + hosts_nopass_tls was invented to help with this, but an automatic way of + testing has been invented. What now happens is that Exim sends a new EHLO + after shutting down TLS, before passing the socket on. This in itself + reduces the dubiousness of the procedure. If there isn't an OK response, + Exim doesn't try to pass the socket on. + +11. There was inconsistency in the way failures to set up TLS sessions in the + smtp transport were handled when the host was not in hosts_require_tls. + It deferred for 4xx responses to STARTTLS, but tried in clear if the actual + TLS negotiation failed. It now does the same thing in both cases, and what + this is can be controlled by the new option tls_tempfail_tryclear. This + defaults true, causing a retry in clear to occur. If it is set false, these + kinds of temporary failure cause a defer (for that host; if there are + other hosts, they are tried). + +12. Tidying. When starting up a new delivery process to deliver another message + over an existing SMTP connection, pass over the IP address as well as the + host name. This saves having to get the IP address from the socket. + +13. Added "#define base_62 36" to OS/os.h-Darwin because the MacOS X operating + system has case-insensitive file names. + +14. Tidies to rewriting code: (1) It was getting an unnecessarily large block + of memory for a rewritten header. (2) Removed some unnecessary debugging + code that just duplicated log output. + +15. In an expansion like "${if <condition> {${mask:xxxx}}{yyyy}}" Exim still + tried to perform the masking operation even when the condition was false + and the yield was "yyyy". This could fail when "xxxx" wasn't a valid string + for the masking operation. Some other operators (e.g. base62) could fail in + a similar way. All string operations are now skipped when processing the + unused substring of a condition. + +16. If a verification of a sender address in a header (caused by verify = + header_sender in an ACL) caused the address in the header to be rewritten + (typically because a DNS lookup had widened the domain), the newline at the + end of the header got lost, thereby causing two headers to be run together. + Sometimes, but not always, this caused a "spool format error". + +17. A user wanted to use "save" in a filter file with a non-absolute path, and + to set file_transport to a non-appendfile transport that made use of + $address_file for its own purposes. This didn't work because Exim was + distinguishing between file and autoreplies by the leading '/' of the + former. It now checks for the leading '>' of the latter instead. + +18. The "accept" router was forcing log_as_local instead of just defaulting it. + +19. Exim crashed while verifying a recipient in an ACL if the address was + verified by a dnslookup router that widened the domain. + +20. When checking the parameters returned from an ident call, Exim was assuming + that the format would be textually identical to the values it sent, + including the white space. This is not always the case, causing Exim to + discard returned ident data that it should have been accepting. + +21. Typo (space missing) in "failed to expand condition" error message. + +22. The option of specifying an individual transport in a route_data or + route_list option of the manualroute router wasn't working. Such settings + were being completely ignored. + +23. The memory management was poor when building up a string from a lookup that + retrieved a large number of data items that had to be concatenated, for + example, an alias lookup in a database that returned thousands of + addresses. In extreme cases, this could grind the host to a halt. (Compare + change 8 for 4.00, which was a similar effect.) Two changes have been made + to improve matters: (a) For longer strings, it extends them in bigger + chunks, thus requiring fewer extensions. (b) It is now able to release some + unwanted memory when a string is copied out of it into a larger block. + +24. There was a small error in the memory sizes quoted when -d+memory was used + and emptied memory blocks were released. + +25. When helo[_try]_verify was set, Exim crashed if the reverse DNS lookup gave + a temporary error when trying to look up the host name. It now tries to + check with a forward DNS lookup (as it does when the reverse lookup can't + find a name). For helo_verify, a temporary error is now given if + verification failed, but the host name lookup gave a temporary error. (As + before, a permanent error is given if there is no host name available.) + +26. When checking quotes for maildir++ format, if the directory name was given + with a trailing slash in the "directory" option of the appendfile + transport, Exim got the quota calculation wrong because it scanned the + final directory instead of the parent directory. + +27. The "quota_xxx" error facility for retry rules was broken in Exim 4 if + the mailbox had not been read for more than approximately 10 hours. + +28. If a router with "unseen" had a setting of address_data, the value was not + passed on to subsequent routers for the continuing processing of the + address. It now is. + +29. If a daemon was started with (e.g.) -qff15m, it omitted the second 'f' when + starting queue runners. Likewise, if the flags included 'i', this was + omitted. + +30. Some operating systems log warnings if exec() happens without the standard + input, output, and error file descriptors existing. The worry is that the + called program will open some file which will be allocated one of these + fds. Another bit of code might assume it can write an error message to + stderr, or whatever. Exim was calling itself to regain privilege for + delivery without these fds set, thus provoking the warning. Of course, it + didn't make use of them itself, but the exposure was there for libraries it + might be using. The code has been changed to ensure that, if any of the + file descriptors 0, 1, or 2 does not exist at the time of a call to exec(), + they are opened to /dev/null. + +31. A delivery process could loop under the unusual combination of the + following circumstances: + (1) A delivery process had envelope_to_add set for its transport. + (2) The delivery was for a child address of an envelope address that + also had another child. + (3) This other child had been discarded because it was a duplicate of a + second envelope address. + (4) The second envelope address had generated a child that was discarded + because it was a duplicate of the first envelope address. + +32. The -bp option was failing to notice delivered addresses that were in the + -J file but had not yet made it into the -H file. (This got broken between + Exim 3 and Exim 4.) + +33. If "query" or "queries" in aliasfile director, or "route_query" or + "route_queries" in a domainlist router were enclosed in quotes, the + convert4r4 script was not removing the quotes before inserting the query + into an expansion string, leading to invalid queries within the string. + +34. If more than two addresses were being delivered in a batch (either local or + remote deliveries), and they all had the same, non-empty value for + $self_hostname, but had different domains, Exim crashed. (This is rare, + because the use of "self=pass", which is the only way $self_hostname gets + set, is rare.) + +35. If $message_headers was used in a context where there were no headers (e.g. + while verifying an address before receiving a message), it caused an + "unknown variable" error. Now it just returns an empty string. + +36. Exim was not diagnosing missing time units letters in times on retry + rules. It was treating such malformed times as "-1", which caused the rules + to misbehave. + +37. Added some debugging output to the CRAM-MD5 server code. + +38. In the appendfile transport, check for a file name supplied by redirection + by checking for "not pipe and not autoreply" instead of looking for a + leading '/' in the "address". + +39. The os.h file for Darwin defined CRYPT_H, which apparently is wrong. + +40. The "condition" condition in ACLs has been tightened up. Formerly, anything + other than an empty string, "0", "no" or "false" was treated as "true". Now + it insists on "yes", "true", or a non-zero number. + +41. Change 22 of 4.02 has been improved; somebody mailed me the correct code + to get an error message when ldap_result() doesn't set a result. + +42. Update convert4r4 to recognize "ldap:" in require_files, and double the + colon. + +43. Added "protocol violation" to the "SMTP synchronization" error message, to + make it clearer what it is complaining about. + +44. Change 26 of 4.03 was incomplete. The same problem could arise if a lookup + failed while checking the pre-conditions of a router that was subsequently + run. This can happen for negated conditions such as "domains = !<lookup>". + +45. Somebody managed to set up a configuration that crashed buildconfig such + that it left a half-built config.h but did not stop the build process. I + can't reproduce it, but I have added a check after building config.h to + test for the presence of its last line ("/* End of config.h */"). + +46. Added a .PHONY target to the Makefile to be tidy for GNU make. (It should + be ignored by other versions). + +45. When Exim uses Berkeley DB version 3 or 4 to create a DBM file, it creates + it in hashed format. Previously, it opened these files for reading in the + same format. Now it opens them as "unknown", which means that other formats + can be accommodated when using DB files for auxiliary data. + +46. When concatenating header lines that may contain lists of addresses (From:, + To:, etc.) as a result of references to $h_from: etc., a comma is now + inserted at the concatenation point. Without it, the use of "if + foranyaddress" fails on such headers, which is dangerous. + +47. The code for ratelimiting MAIL commands was triggering on the count of + messages received, instead of the number of MAIL commands (which is not the + same thing if no message is accepted in a transaction). The smtp_accept_ + max_per_connection limit has also been changed to use the count of MAIL + commands instead of the count of messages accepted. + +48. There was a typo in the exiwhat script which broke it if the esoteric + CONFIGURE_FILE_USE_NODE option was in use. + + +Exim version 4.04 +----------------- + + 1. Fix 10 for 4.03 had a bug in it, which could cause problems when converting + from an earlier 4.xx release with delayed "one_time" messages on the spool. + 4.03 incorrectly complains about spool format errors (and refuses to + process these messages). + + 2. Changed the status of the text widgets in the monitor from Append to Edit, + because this matters on some versions of X. + + 3. Change 22 for 4.03 turns out to be misguided. Luckily it is controlled by + a compile-time macro. I have removed the settings from OS/os.h-Linux that + made it try to use these functions. + + +Exim version 4.03 +----------------- + + 1. Change 12 for 4.02 overlooked one case where 256 should have been replaced + by MAX_LOCALHOST_NUMBER. + + 2. Timeouts (etc) in dnslist lookups were not behaving as documented; they + were deferring (causing 4xx errors) instead of behaving as if the host was + not in the list. This has been fixed. In addition, some new special items + may appear in dns lists, to control what happens in this case. The items + are +include_unknown, +exclude_unknown, and +defer_unknown. + + 3. Added #include <unix.h> to OS/os.h-QNX because it was reported that this + was needed, in order to get O_NDELAY. + + 4. Added #define BASE_62 36 to OS/os.h-Cygwin. + + 5. Change 8 for 4.02 overlooked the fact that "directory" need not be set if + the directory name is coming from a filter or forwarding file. The check + has now been moved from initialization time to run time. Thus, it happens + later, but it still helps to diagnose the problem. + + 6. The file direct.c had been accidentally left in the distribution. + + 7. When a new process was forked to deliver another message down an existing + SMTP connection, a pipe file descriptor was accidentally left open. This + meant that if there was a long chain of such processes, the number of open + file descriptors increased by one for each process, and if there were + sufficent, the limit of open descriptors could be reached, causing various + problems. + + 8. When an address was being checked with -bt and the routing involved an + errors_to setting whose address verification also involved an errors_to + setting, Exim got into a verifying loop. It shouldn't verify an errors_to + setting when already verifying, but got this wrong if it started from -bt. + + 9. Tidied up some compiler warnings when compiling with TCP wrappers. + +10. When a child address was promoted to a toplevel address by "one_time" after + a deferred delivery, it was not remembering any "errors_to" address that + was set by the routers that processed the original address. Consequently, + the subsequent delivery had (incorrectly) the original sender address in + the envelope. Exim now remembers the "errors_to" address with the new + toplevel address and reinstates it for the next delivery. + +11. When Exim received a message other than from the daemon, there were two + situations in which it did not re-exec itself for delivery: when it was + running as root, or when it was running in an unprivileged mode. This was + an attempt to save some resources (very early Exims ran as root more often) + but has turned out to be pretty rare. A bug has been discovered in this + case: if the incoming message was on a TLS session (from inetd, for + example), but the outgoing delivery was on an unencrypted SMTP connection, + Exim got confused. The effect was minimal: it sent two EHLO commands, but + otherwise worked. Multiple EHLOs are not an error, according to the RFCs, + but there was at least one broken MTA that objected. This error would have + occurred only when synchronous delivery (-odi or -odf) was specified. + + While sorting this out, I have abandoned the logic that did a delivery + without forking in the interests of simplicity. This was an even rarer + case: it only happened when Exim was running as root or in an unprivileged + mode AND synchronous delivery was specified. + +12. Change references to /bin/rm in the Makefile to plain rm. + +13. If EXIM_PERL was set in Local/Makefile, but PERL_COMMAND was set to a + command that was not a file, or if it was set to a non-existent file, + the build process carried on trying to build Perl support, but without the + relevant variables for the Perl libraries, etc., which is disastrous. In + fact, the build process shouldn't have been using PERL_COMMAND; that is a + value for screwing into utility scripts. The build process assumes a + suitable PATH for things like rm, mv, etc., which have xxx_COMMAND + variables for scripts. So I've changed it to use just "perl". It now bombs + out if "perl --version" doesn't produce some output. + +14. Changed the #includes in perl.c for the Perl headers to use <> instead of + "" because this is apparently better usage. + +15. Added local_scan_timeout to apply a timeout to local_scan(). + +16. Recognize IPv6 addresses as IP addresses, even when Exim is not compiled + with IPv6 support. + +17. When verifying a HELO/EHLO name, Exim was not checking the alias host names + it obtained from calling gethostbyaddr(). In many cases, this didn't cause + any unwanted rejections because as a last resort Exim does a forward lookup + on the HELO name to see if any of its IP addresses matches. But it fixing + the bug saves the unnecessary additional lookup. + +18. Added "domains = ! +local_domains" to the commented-out ipliteral router in + the default configuration. + +19. Default sender_host_aliases to an empty alias list, instead of NULL. This + is just for tidiness; the way it was coded, it didn't cause any problems. + +20. Added -tls-on-connect, which starts a TLS session without waiting for + STARTTLS. This supports older clients that used a different port. + +21. Added support for the Cyrus pwcheck daemon. + +22. Arranged to use getipnodebyaddr() instead of gethostbyaddr() in systems + with IPv6 support that have this function, because gethostbyaddr() doesn't + work for IPv6 addresses on all systems (it does on some). + +23. Header lines added by "warn" statements in the ACL for RCPT are saved up to + be added after the message's header has been received. Previously, Exim was + saving up all added headers, from both RCPT and DATA, until the very end. + Now it adds those from RCPT before the DATA ACL is obeyed, so that they can + be accessed from within the DATA ACL. + +24. Changed TLS initialization to use SSL_CTX_use_certificate_chain_file() + instead of SSL_CTX_use_certificate_file(). This means that the file can + contain the whole chain of certificates that authenticate the server. + +25. Updated convert4r4 to check for colons that look as if they are part of + expansion items in require_files lists (e.g. ${lc:xxxx}). In Exim 3, the + whole list was expanded before splitting up, but in Exim 4, the splitting + happens first, so such colons must be doubled. The conversion script now + doubles such colons, and outputs a warning message. The test for one of + these colons is a match against "\$\{\w+:". + +26. If, while verifying a recipient address, a router was skipped because a + lookup did not succeed, and the following router suffered a temporary + failure (e.g. a timeout), the log line for the temporary rejection showed + the error from the first router instead of from the second. + +27. Exim crashed if a dnslists test was obeyed in an ACL for an SMTP message + from the local host. Now it just fails to match the list. + + +Exim version 4.02 +----------------- + + 1. Bug in string expansion: if a "fail" substring of a conditional contained + another conditional that used the "fail" facility, Exim didn't swallow the + right number of closing parentheses in the case when the original condition + succeeded (i.e. when the condition containing the "fail" should be + skipped). + + 2. helo_verify_hosts wasn't working when comparing host names. + + 3. When delivering down an existing SMTP connection, the error "Unexpectedly + no free subprocess slot" was sometimes given for other addresses in the + message. + + 4. Binary zeroes in the message body are now turned into spaces in the + contents of $message_body and $message_body_end. + + 5. If the value of a field in a MySQL result was SQL NULL, and more than one + field was selected, Exim crashed. + + 6. It seems that many OS treat 0.0.0.0 as meaning the local host, typically + making it behave like 127.0.0.1. Since there have been incidents where this + was found in the DNS, two changes have been made: + (a) Added 0.0.0.0 to the ignore_target_hosts setting in the default + configuration. + (b) Unconditionally recognize 0.0.0.0 as the local host while routing. + + 7. Added helo_allow_chars so people can let in underscores if they really + have to. Sigh. + + 8. Give configuration error if "maildir_format" or "mailstore_format" is + specified for appendfile without specifying "directory". + + 9. When return_path was expanded in an smtp transport, the values of + $local_part and $domain were not set up. + +10. The optimization for sending multiple copies of a single message over one + SMTP connection when there are lots of recipients (but too many for one + copy of the message) was messing up in the case when max_rcpt was set to 1 + (for VERP). It would send lots of copies with one RCPT each, correctly, but + because the transport was passed more than one address, $local_part and + $domain weren't set. Since setting max_rcpt to 1 is almost always + associated with VERP (or at least, you do it because you want to use + $domain or $local_part), I've made that a special case where the + optimization is disabled. + +11. Cygwin has case-insensitive file names. Therefore, we can't use base 62 + numbers for Exim's identifiers. We have to use base 36 instead. Luckily 6 + base 36 digits are still plenty enough to hold the time for some years to + come. There's now a macro that is set either to 62 or 36, but the names and + documentation still talk about "base 62". + +12. Added build-time variable MAX_LOCALHOST_NUMBER (default 256) to allow the + localhost number to be traded off against the maximum number of messages + one process can receive in one second. This is relevant only when + localhost_number is set. It may be useful for Cygwin, where the maximum + sequence number is much less when up to 256 hosts are allowed. + +13. Extended MySQL server data to allow for the specification of an alternate + Unix domain socket. + +14. Give error if too many slashes in mysql_servers or pgsql_servers item. + +15. Changed the wording "debug string overflowed buffer" to "debug string too + long - truncated" to make it clearer that it's not a big disaster. + +16. Now that I finally understand the difference between the resolver's returns + HOST_NOT_FOUND and NO_DATA, I've optimized Exim's DNS lookup so that if an + MX lookup gets HOST_NOT_FOUND, it doesn't bother to try to look up an + address record. Only if it gets NO_DATA does it do that. + +17. The contents of Envelope-To: were not correct in cases when more than one + envelope address was redirected to a single delivery address via an + intermediate address, because the duplication was detected at the + intermediate stage, but the checking for Envelope-To: only looked at + duplicates of the final address. + +18. If a message with the -N flag was on the spool, and was selected during a + queue run by -R or -S, the -N flag was incorrectly passed on to all + subsequent messages, leading to their being thrown away. + +19. Remove unnecessary check for the local host when looking up host names in + host lists. + +20. If tls_certificate is supplied, but tls_privatekey is not, assume that both + are in the tls_certificate file. + +21. If a router set transport_current_directory or transport_home_directory + to something that involved an LDAP lookup, and there was more than one + local delivery to be done for a single message, all but the first got + deferred because the LDAP connection for those variables got opened in the + superior process, but closed in the first subprocess. The second subprocess + then assumed it was still open. We now ensure that each subprocess starts + with a clean slate (everything closed down) so that it can open and close + its own connections as needed. + +22. After a failure of ldap_result(), Exim was calling ldap_result2error() in + order to get an error message. However, it appears that it shouldn't do + this if the value of result variable is NULL. As I can't find any way of + getting an error message out of LDAP in this circumstance, Exim now just + gives says "ldap_result failed and result is NULL". + +23. If a message arrives over a TLS connection via inetd, close down the SSL + library in the subprocess for message delivery (but don't molest the + parent's SSL connection). + + +Exim version 4.01 +----------------- + + 1. When setting TCP_NODELAY, the call to setsockopt() was using SOL_SOCKET + instead of IPPROTO_TCP, which caused excessive logging on some systems. + + 2. Changed the Makefile for Cygwin to set EXIM_USER and EXIM_GROUP to 0. + + 3. The SMTP rewriting facility was broken. + + 4. There was some malformatting in the spec.txt file (the other formats were + OK). + + 5. Made convert4r4 change "bydns_a" into "bydns" in route_list options, and + to do the same for "bydns_mx", but in this case to comment that it won't + work the same (and to suggest a workaround). + + 6. Removed redundant code in deliver.c for indicating when a reused SMTP + connection had been closed in a subprocess - this was being done twice. + + 7. Change 2 of 3.164 removed Exim's explicit checking that a reverse DNS + lookup yielded a name whose forwarded lookup gave the original IP address, + because I thought that gethostbyaddr() did this automatically (it seems to + on some systems). There is hard evidence that I was wrong, so this test has + been put back, and in a better form, because it now checks alias names. + This means that the verify=reverse_host_lookup condition in an ACL reduces + to requiring that the host name has been looked up, since the checks it + previously did are not always applied. + + 8. When sender verification fails, the error associated with it is given by + default before the 550 error for the first RCPT command. Not everybody + wants to see this. There is now an option (no_details) that suppresses it. + + 9. The patterns in rewriting rules with the 'S' flag were not being expanded. + For consistency with other patterns (and the documentation), this has been + changed. + +10. "domainlist", "hostlist", and "addresslist" weren't recognized if the + immediately following character was a tab rather than a space. + +11. The rules for writing daemon pid files have changed. A new option -oP has + been added to provide a way of specifying a pid file path on the command + line. Exim now writes a pid file when -bd is used, unless -oX is specified + without -oP. + +12. The version number of OpenSSL was included in the response to the STARTTLS + command - a legacy from the original contributed code that doesn't seem + sensible. It no longer appears, and I took it out of the debug output as + well because that was the only place left, and the code to compute it was + "mysterious magic" that didn't seem worth keeping. + +13. When another message was processed in order to send it down an existing + SMTP connection, Exim was doing the routing for all the addresses. Even if + called from a delivery from a queue runner, this doesn't count as "in a + queue run", so retry times were not being inspected. If the message had a + large number of recipients, and several of them timed out while routing, + the delay could be so large that the server at the other end of the SMTP + connection would time out. To avoid this happening, Exim now skips routing + for any addresses that have a domain retry time set for routing, whether or + not that retry time has arrived, when dealing with a pre-existing SMTP + connection. This will be "right" pretty well all of the time, and even + when it is "wrong", the only consequence will be some delay. (This doesn't + apply to "address" retry times, because those are usually the result of 4xx + errors, not timeouts.) + +14. Added words to the initial output from -bh pointing out that no ident + callback is done. + +15. The convert4r4 script wasn't getting it quite right with an aliasfile + director that had a "transport" setting. It was missing the "yes/no" in the + "condition" setting. + + +Exim version 4.00 +----------------- + + 1. Changed the name of debug_print for authenticators (3.953/38) to + server_debug_print because it applies only when the authenticator is + running as a server. + + 2. Forgot to change DB_ to EXIMDB_ in the Cygwin Makefile. + + 3. There were still a couple of uses of vfork() when passing a socket to a + new delivery process. The use of vfork() is not recommended these days, + so I changed them to fork(). + + 4. Added the spa authentication mechanism, using the code contributed by Marc + Prud'hommeaux (and mostly taken from the Samba project). This supports + Microsoft's "Secure Password Authentication", but only as a client. + + 5. queryprogram had current_directory unset, but used "/" when it was unset. + It is tidier just to make the default "/" and have done with it. + + 6. When a delivery is run with -v, the -v flag is no longer passed on to new + processes that are started in order to send other messages on existing + SMTP connections. This prevents non-admin users from seeing these other + deliveries. Admin users can specify a higher level of debugging, and when + this is done, the debugging selection is passed on. + + 7. Increased the increment for dynamic strings from 50 to 100. + + 8. When Exim was building a dynamic string for $header_xxx from a number of + headers of the same name, or for $message_headers, it was using the dynamic + string function which is designed for use with relatively short strings. If + a pathological message had an enormous header, it chewed up memory at a + ridiculous rate. The code has been rewritten so that it does not do this. + With a 64K header string (there's a limit set at 64K) it now just gets one + 64K buffer. Previously it used a large number of megabytes to build such a + string, and some system filter processing ran machines into the ground on + messages with huge headers. + + 9. The work for 8 involved a small amount of other "refactoring" in the + expansion functions. + +10. If "headers add" or "headers remove" were used in a system filter, the + headers didn't actually get changed when testing with -bF. This could + affect later commands in the filter that referred to the headers. + +11. Two system filter bugs: (a) The system filter was always being run as root, + even if system_filter_user was set. (b) When the system filter was not run + as root, changes to the header lines by "headers add" or "headers remove" + were being lost. Because of (a), (b) would never have bitten. + +12. Some "refactoring" in the daemon: + (a) Removed redundant statement smtp_in=NULL. + (b) The test for fork failure for a delivery process was not quite in the + right place. + (c) Added main and panic logging for receive and delivery fork failures. + (d) Check for fdopen() failure, and don't try to continue, but ensure + the sockets get closed. + (e) Log fclose() failures. + +13. Added the "/data" facility to ACL dnslists so as to make it easy to use, + for example, the domain lookup of rfc-ignorant.org. + +14. Refactored the code in the daemon to use a vector of structures instead of + two separate vectors for storing the pid of a spawned accepting process and + the corresponding IP address of the client. (This is to make it easier to + add other things.) + +15. If EXIM_USER or EXIM_GROUP were set to the empty string in Local/Makefile, + the uid or gid were set to zero, which is unsafe. These settings now cause + an error message at build time. + +16. check_ancestor was doing its check case-sensitively, which meant that it + did not work with some configurations when redirecting changed the case of + the local part. Now check_ancestor respects the setting of + caseful_local_part on the router which routed the ancestor address. + +17. The check for router looping (whether the current router had previously + routed the same address) was always being done case-insensitively. It + should do the local part check case-sensitively when caseful_local_part is + set for that router. + +18. Added helo_try_verify_hosts, which is like helo_verify_hosts except that + it doesn't reject failing HELO/EHLO. Instead the verification state can be + testing in an ACL by verify=helo. + +19. When echoing log writes from a parallel remote delivery process to the + debug output, the pid of the parallel process was being omitted. + +20. In an ACL run for a RCPT command, the values of $domain and $local_part + were becoming unset after a sender or recipient verification. + +21. Exim crashed if called with -C followed by a ridiculously long string. + +22. Some other potential points of trouble caused by pathological input data + have been defended. + +23. If hosts_randomize was set on an smtp transport, the randomizing code had + a bug which could put the delivery process into a tight loop. + + + +Exim version 3.953 +------------------ + + 1. Exim was not terminating the names of named lists in memory. It got away + with this on systems where newly malloc()d store is zeroed (always a bad + practice). When running in its test harness, Exim now ensures that all + new memory from malloc is filled with a non-zero value. This will help + pick up bugs like this in future. (I haven't made it do it always, for + performance reasons.) + + 2. When skip_syntax_errors was set on a redirect router, and a forward file + (NOT a filter file) contained only invalid addresses, the message was + discarded. The router now declines, as it does for invalid filter files. + Thus, the address is passed on unless no_more is set. + + 3. When an address containing upper case letters in the local part was + deferred, eximon showed the lowercased version with the caseful version + as a "parent", as well as the original caseful version in its queue list. + + 4. When hide_child_in_errmsg was set on a redirect router, bounce messages + still showed the failed addresses in the X-Failed-Recipients: header line. + + 5. Change 6 for 3.952 should also have included SIGTERM. + + 6. exim -bP +something was searching only the domain lists. It now searches + all lists for a matching name. + + 7. If Local/Makefile contains more than one of USE_DB, USE_GDBM, or USE_TDB, + give a build-time error. When it does contain one of them, arrange for any + OS default for any other one to be overridden. (The code expects at most + one of these to be defined.) + + 8. When a value for transport_home_directory is taken from the password + information, wrap it in \N...\N so that it isn't expanded in the transport. + This affects Cygwin, where home directories may contain $ characters. + + 9. Fixed an occasional crash when autoreply was sending a message created by + a user's filter file. It was referencing uninitialized memory. (The + prophylactic mentioned in 1 above made it a hard error.) + +10. The "run" and "readfile" expansion items could sometimes return extra junk + characters (yet another uninitialized memory bug). + +11. The lockout options forbid_filter_existstest etc. were not propagating to + the expansion of files sent as part of "mail" messages from users' filter + files. + +12. Another unterminated string bug: when an ACL was read from a file + dynamically it wasn't properly terminated. + +13. Cached pgsql connections weren't being re-used, leading to a potential + build-up of open connections. + +14. $message_headers is supposed to be limited to 64K in length, but it wasn't + so limited if an individual header line was longer than 64K. + +15. An individual header line, or concatenation of multiple identically- + named header lines, inserted by $h_xxxx is supposed to be limited to 64K in + length, but it wasn't so limited if the only header line was longer than + 64K. + +16. A syntactically incorrect setting of -d... is now treated as a command line + syntax error (message to stderr, return code 1), without any entry on the + log. + +17. Modifications to the exim_install script: + (a) Scan the combined Makefile in the build directory instead of messing + around scanning its individual constituent files. + (b) Use sed instead of a pipe of grep, tail and cuts. This allows better + control, but has to be very simple sed in order to work on Solaris. + (c) Allow for the setting of EXE to add a subscript to executables for + the benefit of Cygwin. + (d) Use -c instead of -b with "cut" because the "cut" in BSD/OS doesn't + grok -b. + +18. Changes for Cygwin: + (a) Update scripts/os-type to recognize CYGWIN. + (b) Arrange (via the Uopen() macro) for all calls to open() to have + the O_BINARY flag, to avoid CRLF problems. + (c) If OS_INIT is defined, call it at the very start of Exim's execution. + (d) When resolver debugging is enabled, set _res.options |= RES_DEBUG + before calling res_init() as well as after, because that generates + some debugging info during initialization. + +19. Make the initial call to os_getloadavg() in exim.c conditional on + LOAD_AVG_NEEDS_ROOT because it is done just to initialize os_getloadavg() + on systems that require the first call to be done as root. It should be + called only when messages are being received; it was being called + unnecessarily in some cases. + +20. If Exim failed to open its retry hints database at routing time, it crashed + during a subsequent local delivery. + +21. If Exim is neither setuid root nor called by root, there is no need to + attempt to drop root privilege when it is not needed. + +22. I'd forgotten to remove the check for the presence of %s in pid_file_path + when it was set at run time. + +23. If a transport filter crashed, or yielded a non-zero return code during an + SMTP delivery, Exim was not aborting the delivery. This led to multiple + partial deliveries of the message until the transport filter was fixed. + +24. Do not try alternate hosts if a transport filter crashes or yields a + non-zero return during an SMTP delivery. + +25. When exim -be is reading input lines from stdin, backslash can now be used + for continuations. This makes it easier to test expansions from a + configuration file by cut and paste, and long expansions in general. + +26. The file src/auths/xtextdecode.c was incorrectly named xtestdecode.c, but + because the MakeLinks script built a symbolic link that worked, this + mistake didn't actually show up. + +27. When Exim is delivering another message down an existing connection, + remote_max_parallel should be forced to 1; this wasn't happening, though + it would have caused a problem only if a message had more than 100 + recipients routed to the host. + +28. When there was a problem while delivering down an existing connection, such + that the transport process closed the connection, this fact wasn't getting + communicated to the calling delivery process, which might have tried to do + more deliveries on the same connection. This would only have caused a + problem if there were more than 100 recipients to the same host. + +29. The ${extract} action, with a negative field number that selected the first + field in a string, could return junk characters at the start of the + extracted field. + +30. When Exim is acting as a client, if an attempt to start a TLS session fails + during the TLS negotiation phase (i.e. STARTTLS is accepted, but there's a + problem such as an unrecognized certificate during TLS session startup), + Exim used always to defer delivery. Now, unless the host is in + hosts_require_tls, Exim makes a new connection to the host and attempts to + send the message unencrypted. This avoids stuck messages for servers that + advertise STARTTLS but don't actually support it properly. + +31. Added ${address:xxx} to go with ${domain:xxx} and ${local_part:xxx} which + extract from RFC 2822 addresses. + +32. The rules for recognizing when Exim is being called from inetd have + changed. Previously Exim required SMTP input, stdin to be a TCP/IP socket, + and the caller to be root or the Exim user. This left a gaping hole if the + caller was not root or the Exim user, because then it wouldn't do the + policy checking for a remote host, because it didn't realize it was being + called from inetd. (This was seen on Debian configurations). Exim now + behaves as follows: if the input is SMTP and stdin is a TCP/IP socket, a + call from inetd is assumed. This is allowed to proceed either if the caller + is root or the Exim user, or if the port used is privileged (less than + 1024). Otherwise (a different user passing an unprivileged port) Exim gives + a "Permission denied" error. + +33. Removed $compile_number from the default SMTP banner line (after discussion + on the mailing list). Also removed it from the default $Received: header. + +34. # is documented as a comment character in the run time configuration only + when it appears at the start of a line. In the case of boolean values, + extra characters after "= true" or "= false" were being ignored, leading to + a false impression that comments could appear there. This is now diagnosed + as an error. + +35. If a boolean option without a following "=" was followed by # (in the + mistaken belief that this would be a comment), the error was "missing =", + which was confusing. Exim now complains about extra characters. + +36. When Exim complains about extra characters following an option setting, it + now adds a comment about comments if the first extra character is #. + +37. Output debug_print strings when testing a host using -bh. + +38. Added server_debug_print to authenticators (compare routers and + transports). This outputs when an authenticator is called as a server. It + can be helpful while testing with -bh. + +39. Added debugging output to the crypteq condition. + +40. If a named domain or local part list used in a "domains" or "local_parts" + option on a router matched by means of a lookup, the $domain_data and + $local_part_data variables were set for the first router that did this, but + were not set for any subsequent routers that used the same named list. The + same was true for multiple tests of named domain or local parts lists in an + ACL. + +41. If the variable "build" is set when the top-level Makefile is run, the + variable now propagates from the top-level Makefile to subsidiary ones. + In addition, Local/Makefile-$(build) is added to the list of concatenated + files that go at the start of the Makefile in the build directory. + +42. If NO_SYMLINK is defined in Local/Makefile, the exim_install script just + copies the Exim binary in with its unique name, without moving the "exim" + symbolic link to it. + +43. Added BSDI 4.2 as a BSDI variant in scripts/os-type. + +44. The spool file format for remembering a "one_time" redirection has changed; + I had forgotten to make Exim 4 capable of reading Exim 3 spool files. + +45. Address lists are now permitted to include items of the form *@+name where + "name" is a named domain list. (Note that an item of the form +name is + taken as a named _address_ list.) + +46. When Exim gives up privilege and reverts to the calling user because it was + called with the -C, -D, -be, or -bi options, it now reinstates the + supplementary group list as well as the uid and gid. + +47. The crypteq condition has been extended. When the encrypted string begins + with "{md5}" Exim used to assume that the digest was encoded as a base64 + string. Now it assumes this only if its length is 24 bytes. If the length + is 32 bytes, Exim assumes a digest expressed in hex characters. If the + length is neither 24 nor 32, the comparison always fails. + +48. Updated the convert4r4 script: + + (a) Some typos in the comments. + (b) Remove kill_ip_options, log_ip_options, and refuse_ip_options, which + no longer exist. + (c) Move all macro definitions to the top of the output, to ensure that + they precede any references to them. + (d) If tls_verify_ciphers was set without tls_verify_hosts, the generated + new configuration insisted on encryption ("these ciphers must be + used for all connections") instead of just checking the cipher when + encryption happened ("if encrypted, these ciphers must be used"). + (e) Address lists are now checked to see if they contain any bare lookup + items and if they do, these are converted to two items, the first + preceded by "*@" and the second with "partial-" removed. This makes + Exim 4 behave in the way that Exim 3 used to. An explanatory comment + is output. + (f) Put more explanation in above the "hosts = :" test. + +49. Write a main and panic log entry when "partial-" is ignored in a lookup + that is part of an address list. (Applies when the item is a lookup for + which the whole address is the key.) + +50. Two changes to the way $original_local_part and $parent_local_part work: + + (a) When an address that had a prefix or suffix was redirected to another + address, the value of $original_local_part and $parent_local_part + had the prefix or suffix stripped when referred to during the + processing of the child address. This doesn't seem right, so it has + been changed. + (b) When an address that had a prefix or suffix was being processed, + $local_part had the affix stripped, and if it was a top-level + address, $original_local_part also has the affix stripped. This has + been changed. Now $original_local_part contains the same value at all + levels. ($parent_local_part remains empty at top level.) + +51. A number of macros in the Exim source began with "DB_". When compiling + with Berkeley DB version 4, DB_LOCK_TIMEOUT clashed with a macro set by + that package. The Exim macros now all start with "EXIMDB_", and Exim + therefore now supports DB version 4. + +52. Newlines in a "freeze" text from a system filter were being sent as \n + in messages created by the "freeze_tell" option. They are now converted + back to newlines (in the log line they continue to appear as \n). + +53. Added a new ACL condition "verify = reverse_host_lookup". This does a + reverse lookup of the client host's IP address, then does a forward lookup + for all the names it receives, and checks that at least one of the IP + addresses obtained from the forward lookup matches the incoming IP address. + The lookups are done with gethostbyaddr() and gethostbyname(), + respectively. + +54. A small fix to eximstats reduces its store usage substantially when it is + processing very large log files: when a message's "completed" line is + reached, discard the memory of the message's size. + +55. If an address was redirected to itself more than once (e.g. by two + different "redirect" routers, or because of the use of "unseen", it was + incorrectly discarded as a duplicate address. + +56. For a rewrite pattern of the form *@something, if an actual address + contained @ in the local part (e.g. "a@b"@x.y), the value of $1 was set + incorrectly during expansion of the replacement address (it stopped at the + first @ instead of at the last one). + +57. Added hosts_nopass_tls to the smtp transport. For any host that matches + this list, a connection on which a TLS session has been started will not be + passed to a new delivery process for sending another message on the same + connection. + +58. The -dropcr command line option now turns CRLF into LF, while leaving + isolated CR characters alone. (Previously it removed _all_ CR characters.) + There is now also a drop_cr main option which has the effect of -dropcr for + all incoming non-SMTP messages. + +59. If a configuration file macro expanded into a boolean option which was not + followed by = and a value, Exim gave a spurious error for an "unknown" + value for the option (typically a string from the previous line). + + +Exim version 3.952 +------------------ + + 1. convert4r4 had an incorrect file name in its comment output. + + 2. convert4r4 was looking up $local_part instead of $domain in its generated + manualroute output. + + 3. There was no check that getpeername() was giving a socket address when + called on stdin passed from a previous delivery. + + 4. Fixed an old bug whereby Exim could segfault if debugging was turned on and + a DNS lookup found MX records for hosts whose A records had to be looked up + separately, and some of them pointed to the local host (pretty rare). + + 5. The debugging output for log writes now shows the names of any log selectors + instead of the hex value of the selector word. + + 6. If a delivery subprocess is terminated by SIGKILL or SIGQUIT, do not freeze + the message. This can happen during system shutdown. Other kinds of process + failure indicate problems. + + 7. If a sender verification did not complete (e.g. DNS lookup timed out), the + log line for the temporary RCPT rejection did not always say why (it lost + the message if there had been a previous call to any lookup). + + 8. The special message about MX records that point to IP addresses instead of + host names was not getting returned in the SMTP response when a + verification failed. This has been fixed, and the message that is logged in + this circumstance has been made less verbose. + + 9. When an SMTP callout is done, Exim tries to use the interface and port + number from the transport that the address was routed to during the prior + verification. If it wasn't routed to a remote transport, or if there's a + problem expanding the relevant options, Exim does not use a specific + interface, and it connects to port 25. + +10. If the string "syslog" happened to occur in the log file path, eximon was + failing to extract the name of the main log file correctly. + +11. Unlike other operating systems, Linux does not sync a directory after a + rename. However, we need this to happen to be sure an incoming message has + been safely recorded after it has been received. I have therefore added a + macro called NEED_SYNC_DIRECTORY (which is set in OS/os.h_Linux) to request + Exim to do an explicit sync on the directory after the rename. If + O_DIRECTORY is defined, it is used when opening the directory. + +12. When a system filter creates any new deliveries, they are given a fake + "parent" address which appears on the logs, and is necessary for pipes, + files, and autoreplies, which cannot be toplevel addresses. This fake was + set up with the text "system filter". It's been changed to "system-filter" + because the space in the previous text could cause trouble. + +13. The new option local_sender_retain suppresses the removal of Sender: header + lines in locally-submited (non-TCP/IP) messages from untrusted users. It is + required that no_local_from_check be set with local_sender_retain. + +14. In a file interpolated into an address list, if a local part contained a + # character and there was also a following comment (introduced by a # + preceded by white space), the comment was not recognized. + +15. Local part lists are now handled as address lists as far as recognition of + comments in interpolated files and the processing of +caseful at the top + level are concerned. In the local_parts option of a router, +caseful will + restore case-sensitive matching, even when the router does not have + caseful_local_part set (the default). + +16. The key used for a dsearch lookup may not contain '/'. If it does, the + lookup defers. + +17. When starting a delivery process after receiving a message locally, discard + the controlling terminal unless debugging is turned on. + +18. The exim group was automatically trusted; this was not correct because it + meant that admin users who were in the exim group were automatically + trusted. If you want the exim group to be trusted, it must now be + explicitly configured. + +19. The default configuration mentioned "dns_lists" instead of "dnslists" in a + comment. + +20. Minor corrections and changes to the Exim4.upgrade document and to the + OptionLists.txt document. + +21. If a local part beginning with a pipe symbol was routed to a pipe + transport, the transport got confused as to which command it should run. + This could be a security exposure if unchecked local parts are routed to + pipe transports. + +22. When logging SMTP connections to the daemon from other hosts, include the + connection count in the log line. Tidied up the identification of SMTP + sources in logging lines. + +23. Added "sender_domains" as a new ACL condition so that the Exim 3 setting + of sender_verify_callback_domains can easily be replicated. Corrected + convert4r4, which was incorrectly converting this to a "domains" setting. + +24. The code for reading ident values was not discarding leading spaces, which + some hosts seem to send. + +25. The building process was still insisting that PID_FILE_PATH contained %s, + but this is not required for Exim 4. + +26. The logging of ETRN commands had got lost. It has been restored, and the + log selector "etrn" (on by default) added to control it. + +27. IPv6 reverse DNS lookups were originally specified as happening in the + ip6.int domain, but this is being changed to ip6.arpa (and they've changed + the meaning of "arpa" to "Address and Routing Parameters Area"). The only + time Exim does reverse lookups directly (as opposed to calling + gethostbyaddress()) is in the code for the dnsdb lookup type. This has been + changed to use ip6.arpa. + +28. Made the test programs (test_dbfn for testing DBM files, and some others) + compile! Updated the help output from test_dbfn. + +29. Changed all occurrences of "r" and "w" in fopen() fdopen() calls to "rb" + and "wb". This makes no difference in Unix systems, but is apparently + necessary for running Exim under Cygwin. + +30. Three changes that make virtually no difference when Exim is run on a real + Unix system, but which were asked for to make life easier when porting it + to run under Cygwin: + + (a) Changed the logic for locking a message when an Exim process is + handling it. Previously, the entire -D file was locked to indicate + this. Now Exim locks only the first line, which contains the name of + the file. Apparently, in the Cygwin environment, a subprocess cannot + read locked parts of a file, even when it is passed an open file + descriptor to that file from the process that did the locking. By + locking only the first line, which the subprocess does not want to read + (it just needs to read the data that follows), we can get round this + restriction with minimal effort. + + (b) Added support for native gdbm function calls. GDBM is apparently the + only DBM library that is currently available Cygwin, and only with its + native API. + + (c) The default modes for files, directories, and lock files in the + appendfile transport can now be set in Local/Makefile at build time. + +31. When transmitting a message using SMTP with PIPELINING, if the server gave + a malformed SMTP response, the message logged by Exim didn't associate it + with the pipelined SMTP command to which it referred. For example it logged + "after DATA" if all the recipients had been sent. Also, if the response + was an empty line (illegal), it didn't show up very clearly. The error + messages are now more accurate, and point out empty lines. + +32. Minor corrections and changes to src/configure.default. + +33. When a host list in a route_list item that was enclosed in double quotes + contained single quotes within it, the quoting was incorrectly terminated. + Both the pattern and the host list in route_list items are now handled by + the standard quote-processing function. + +34. Corrected the EDITME file for eximon so that the default stripchart + patterns work with the default runtime configuration for local deliveries. + (Previously it matched a delivery via a director - not possible in Exim 4.) + + +Exim version 3.951 +------------------ + +Exim 3.951 is the first alpha testing release for Exim 4. A list the many +individual changes to the code made between Exim 3.33 and Exim 3.951 was not +kept. The functional changes are listed in the Exim4.upgrade file. + +**** |