1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
|
$Cambridge: exim/doc/doc-txt/NewStuff,v 1.117 2006/10/16 15:44:36 ph10 Exp $
New Features in Exim
--------------------
This file contains descriptions of new features that have been added to Exim.
Before a formal release, there may be quite a lot of detail so that people can
test from the snapshots or the CVS before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
Version 4.64
------------
1. ACL variables can now be given arbitrary names, as long as they start with
"acl_c" or "acl_m" (for connection variables and message variables), are
at least six characters long, with the sixth character being either a digit
or an underscore. The rest of the name can contain alphanumeric characters
and underscores. This is a compatible change because the old set of
variables such as acl_m12 are a subset of the allowed names. There may now
be any number of ACL variables. For example:
set acl_c13 = value for original ACL variable
set acl_c13b = whatever
set acl_m_foo = something
What happens if a syntactically valid but undefined ACL variable is
referenced depends on the setting of the strict_acl_vars option. If it is
false (the default), an empty string is substituted; if it is true, an error
is generated. This affects all ACL variables, including the "old" ones such
as acl_c4. (Previously there wasn't the concept of an undefined ACL
variable.)
The implementation has been done in such a way that spool files containing
ACL variable settings written by previous releases of Exim are compatible
and can be read by the new release. If only the original numeric names are
used, spool files written by the new release can be read by earlier
releases.
2. There is a new ACL modifier called log_reject_target. It makes it possible
to specify which logs are used for messages about ACL rejections. Its
argument is a list of words which can be "main", "reject", or "panic". The
default is "main:reject". The list may be empty, in which case a rejection
is not logged at all. For example, this ACL fragment writes no logging
information when access is denied:
deny <some conditions>
log_reject_target =
The modifier can be used in SMTP and non-SMTP ACLs. It applies to both
permanent and temporary rejections.
3. There is a new authenticator called "dovecot". This is an interface to the
authentication facility of the Dovecot POP/IMAP server, which can support a
number of authentication methods. If you are using Dovecot to authenticate
POP/IMAP clients, it might be helpful to use the same mechanisms for SMTP
authentication. This is a server authenticator only. The only option is
server_socket, which must specify the socket which is the interface to
Dovecot authentication. The public_name option must specify an
authentication mechanism that Dovecot is configured to support. You can have
several authenticators for different mechanisms. For example:
dovecot_plain:
driver = dovecot
public_name = PLAIN
server_name = /var/run/dovecot/auth-client
server_setid = $auth1
dovecot_ntlm:
driver = dovecot
public_name = NTLM
server_name = /var/run/dovecot/auth-client
server_setid = $auth1
If the SMTP connection is encrypted, or if $sender_host_address is equal to
$interface_address (that is, the connection is local), the "secured" option
is passed in the Dovecot authentication command. If, for a TLS connection, a
client certificate has been verified, the "valid-client-cert" option is
passed.
4. The variable $message_headers_raw provides a concatenation of all the
messages's headers without any decoding. This is in contrast to
$message_headers, which does RFC2047 decoding on the header contents.
5. In a DNS black list, when the facility for restricting the matching IP
values is used, the text from the TXT record that is set in $dnslist_text
may not reflect the true reason for rejection. This happens when lists are
merged and the IP address in the A record is used to distinguish them;
unfortunately there is only one TXT record. One way round this is not to use
merged lists, but that can be inefficient because it requires multiple DNS
lookups where one would do in the vast majority of cases when the host of
interest is not on any of the lists.
A less inefficient way of solving this problem has now been implemented. If
two domain names, comma-separated, are given, the second is used first to do
an initial check, making use of any IP value restrictions that are set. If
there is a match, the first domain is used, without any IP value
restrictions, to get the TXT record. As a byproduct of this, there is also a
check that the IP being tested is indeed on the first list. The first domain
is the one that is put in $dnslist_domain. For example:
reject message = rejected because $sender_ip_address is blacklisted \
at $dnslist_domain\n$dnslist_text
dnslists = sbl.spamhaus.org,sbl-xbl.spamhaus.org=127.0.0.2 : \
dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10
For the first blacklist item, this starts by doing a lookup in
sbl-xbl.spamhaus.org and testing for a 127.0.0.2 return. If there is a
match, it then looks in sbl.spamhaus.org, without checking the return value,
and as long as something is found, it looks for the corresponding TXT
record. If there is no match in sbl-xbl.spamhaus.org, nothing more is done.
The second blacklist item is processed similarly.
If you are interested in more than one merged list, the same list must be
given several times, but because the results of the DNS lookups are cached,
the DNS calls themselves are not repeated. For example:
reject dnslists = http.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.2 : \
socks.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.3 : \
misc.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.4 : \
dul.dnsbl.sorbs.net,dnsbl.sorbs.net=127.0.0.10
In this case there is a lookup in dnsbl.sorbs.net, and if none of the IP
values matches (or if no record is found), this is the only lookup that is
done. Only if there is a match is one of the more specific lists consulted.
6. All authenticators now have a server_condition option. Previously, only
plaintext had this, and this has not changed: it must be set to the
authenticator as a server. For the others, if server_condition is set, it is
expanded if authentication is successful, and treated exactly as it is in
plaintext. This can serve as a means of adding authorization to an
authenticator.
Version 4.63
------------
1. There is a new Boolean option called filter_prepend_home for the redirect
router.
2. There is a new acl, set by acl_not_smtp_start, which is run right at the
start of receiving a non-SMTP message, before any of the message has been
read.
3. When an SMTP error message is specified in a "message" modifier in an ACL,
or in a :fail: or :defer: message in a redirect router, Exim now checks the
start of the message for an SMTP error code.
4. There is a new parameter for LDAP lookups called "referrals", which takes
one of the settings "follow" (the default) or "nofollow".
5. Version 20070721.2 of exipick now included, offering these new options:
--reverse
After all other sorting options have bee processed, reverse order
before displaying messages (-R is synonym).
--random
Randomize order of matching messages before displaying.
--size
Instead of displaying the matching messages, display the sum
of their sizes.
--sort <variable>[,<variable>...]
Before displaying matching messages, sort the messages according to
each messages value for each variable.
--not
Negate the value for every test (returns inverse output from the
same criteria without --not).
Version 4.62
------------
1. The ${readsocket expansion item now supports Internet domain sockets as well
as Unix domain sockets. If the first argument begins "inet:", it must be of
the form "inet:host:port". The port is mandatory; it may be a number or the
name of a TCP port in /etc/services. The host may be a name, or it may be an
IP address. An ip address may optionally be enclosed in square brackets.
This is best for IPv6 addresses. For example:
${readsocket{inet:[::1]:1234}{<request data>}...
Only a single host name may be given, but if looking it up yield more than
one IP address, they are each tried in turn until a connection is made. Once
a connection has been made, the behaviour is as for ${readsocket with a Unix
domain socket.
2. If a redirect router sets up file or pipe deliveries for more than one
incoming address, and the relevant transport has batch_max set greater than
one, a batch delivery now occurs.
3. The appendfile transport has a new option called maildirfolder_create_regex.
Its value is a regular expression. For a maildir delivery, this is matched
against the maildir directory; if it matches, Exim ensures that a
maildirfolder file is created alongside the new, cur, and tmp directories.
Version 4.61
------------
The documentation is up-to-date for the 4.61 release. Major new features since
the 4.60 release are:
. An option called disable_ipv6, to disable the use of IPv6 completely.
. An increase in the number of ACL variables to 20 of each type.
. A change to use $auth1, $auth2, and $auth3 in authenticators instead of $1,
$2, $3, (though those are still set) because the numeric variables get used
for other things in complicated expansions.
. The default for rfc1413_query_timeout has been changed from 30s to 5s.
. It is possible to use setclassresources() on some BSD OS to control the
resources used in pipe deliveries.
. A new ACL modifier called add_header, which can be used with any verb.
. More errors are detectable in retry rules.
There are a number of other additions too.
Version 4.60
------------
The documentation is up-to-date for the 4.60 release. Major new features since
the 4.50 release are:
. Support for SQLite.
. Support for IGNOREQUOTA in LMTP.
. Extensions to the "submission mode" features.
. Support for Client SMTP Authorization (CSA).
. Support for ratelimiting hosts and users.
. New expansion items to help with the BATV "prvs" scheme.
. A "match_ip" condition, that matches an IP address against a list.
There are many more minor changes.
****
|