Change log file for Exim from version 3.01 ------------------------------------------ Version 3.35 ------------ 1. Accidentally omitted from the 3.34 ChangeLog: if a host list in a domainlist route rule was in quotes, but contained single quotes, it was broken. 2. Change 27 for 3.30 caused newlines in "freeze" texts from message filters to be sent as \n when freeze_tell_mailmaster was set. 3. Rename the macro DB_LOCK_TIMEOUT because it clashes with a macro in DB version 4. 4. Make Exim 3 capable of reading -H files written by Exim 4, which have a different format for the one_time data (extraneous other stuff removed.) 5. Eximstats: one line addition to reduce memory usage. 6. Exim crashed if called with -C followed by a ridiculously long string. 7. Some other potential points of trouble caused by pathological input data have been defended. Version 3.34 ------------ 1. Exim was failing to diagnose a lone \ at the end of an expansion string as an error (basically a typo in the code). 2. If logging was only to syslog, and Exim was trying to panic-die, it crashed instead of dying cleanly. 3. If an address was routed using a DNS lookup that found no MX records, but one or more A records, and fallback hosts were specified on the transport, the fallback hosts were ignored. 4. $message_body_size was set incorrectly (to zero) during filter testing. 5. Ensure the configuration file is closed before running the -bi command. 6. Reap all complete processes within the loop for accepting -bs or -bS messages, because it seems that not all OS do this automatically when SIGCHLD is set to SIG_IGN. 7. Reset SIGHUP to SIG_IGN before restarting a daemon, in case another SIGHUP arrives very quickly and kills the newly started Exim before it has a chance to get going. 8. After "452 space shortage", was not unsetting the sender address. Could lead to strange effects when the client was pipelining. 9. There was no check that getpeername() was giving a socket address when called on stdin passed from a previous delivery. 10. If a local part beginning with a pipe symbol was directed to a pipe transport, the transport got confused as to which command it should run. This could be a security exposure if unchecked local parts are directed or routed to pipe transports. Version 3.33 ------------ 1. The test for an unset system-specific ERRNO_QUOTA was happening _before_ the inclusion of config.h, where the system-specific setting happens. (I think it's only SCO, which has no quotas, that actually sets this.) This caused a warning about redefinition of the macro. 2. Change 3.32/7 broke IPv6 on Linux, which handles wildcard listening with a single IPv6 socket, and _forbids_ a second IPv4 socket. (But the USAGI IPv6 stack may be different.) The change also caused failures on systems that have IPv6 libraries, but no IPv6 support in the kernel. The IPv6 code has been reworked yet again, such that it should work on all the different variations, and just revert to IPv4 when there is no IPv6 support in the kernel. 3. Aliasing a local part to /dev/null without setting file_transport caused Exim to crash. Now it gives the same error as any other /file alias. 4. As the IETF looks to be about to demote A6 DNS records to "experimental" status, I have cut out their support, using a compile-time macro. This, of course, applies only when Exim is built with IPv6 support. 5. Expanded error message for unknown rewrite flag item to suggest it might be caused by missing quotes (because this is turning into a FAQ). Version 3.32 ------------ 1. Eximon's call to XawTextReplace to empty the queue display was using a very large number to indicate "end of text". This works with many X libraries, but it was failing on the library in the RedHat 7 systems. Wrote the proper code to maintain an accurate count of the number of characters displayed. However, it still doesn't seem to solve the original problem, but as it is "better" in some sense, I've left it in. 2. Added #define SIOCGIFCONF_GIVES_ADDR to the OpenBSD os.h file. 3. Arranged to give correct data length to bind() function for IPv4 sockets when compiled with IPv6 support. Some operating systems check. 4. Cleaning up the auths directory was omitted from "make clean". 5. Bodged a fix to pcre/pcretest.c so that it will compile with gcc 3, which doesn't like #ifdef in the middle of macro arguments - it has defined printf() as a macro. Sigh. 6. If a delivery in a subprocess (local or remote) opened a connection to (for example) an MySQL server, that connection never got properly closed because the cleanup function was called only in the main process. Calls to the tidyup function have been added to the subprocesses. 7. Reworked the way the daemon sets up to listen for IPv4 addresses on IPv6 systems, because on some systems the TCP/IP stack doesn't pass incoming IPv4 calls to listening IPv6 sockets because of security concerns. Using separate sockets should work in all cases. Also, for listening on explicit interfaces, IPv4 sockets are now used for IPv4 addresses, instead of mapped addresses on IPv6 sockets. 8. When any "Resent-" header existed, Exim was using "Resent-Subject:" as the Subject header for logging. This was a delusion on my part: RFC 822 never defined Resent-Subject: so the ordinary Subject: should always be used. 9. RFC 2822 has abolished Resent-Reply-To: as a header. Exim now just looks as the ordinary Reply-To: even when there are Resent- headers in the message. 10. OpenLDAP 2.0.6 represented an unset hostname as "" instead of NULL; Exim had code to cope with this. Later releases of OpenLDAP have reverted to NULL instead; unfortunately Exim's code, which was supposed to cope with either case, was broken. It has been fixed. 11. Drop an SMTP connection if more than 5 unrecognized commands are received. 12. Tab was not being counted as a printing character, so if it appeared in a a "fail" message (for example) it was printed as \t in log lines and in bounce messages. Now if you use a tab, you get a tab. Version 3.31 ------------ 1. An address longer than 256 bytes could cause Exim to crash. Change 38 for 3.30 limits local addresses to 512 bytes (the RFC limit is 64bytes@255bytes and SMTP addresses have always been limited), so the relevant vector has been increased to 512 bytes. 2. The return_path generic transport option was being ignored for MAIL FROM lines in BSMTP output in the appendfile and pipe transports. Version 3.30 ------------ 1. Check for string shorter than 2 chars for the second argument of crypteq, and force failure. Otherwise, with an empty string, it gives a false positive. 2. If ignore_target_hosts caused all hosts found from MX records to be discarded, and there was more than one of them, Exim crashed. 3. If there were several ignored hosts, the name of the first one was always output in the debug output. 4. If a local message was terminated by a line containing just "." while reading the header (unlikely except in test situations) it could cause Exim to crash, or to add some random data to the message's body. 5. Modified the system-dependent files for NetBSD to make it work on systems that use ELF binary format as well as those that use a.out. 6. The code in the libident library was stopping reading after reaching a CR. This left the LF which should follow the CR unread - causing trouble to some people. Exim now swallows the LF. 7. When the (esoteric) CONFIGURE_FILE_USE_NODE option was in use, the version of exicyclog that was built did not read the correct configuration file. The same applied to exinext, exiwhat, and eximon. 8. Added -oMas and -oMai to set authenticated_sender and authenticated_id, if the caller is trusted. 9. If a queue listing option (-bp, etc) is called by a non-admin user, and queue_list_requires_admin is true, Exim now gives "permission denied" instead of just listing the messages submitted by the caller. 10. If syslog_timestamp is set FALSE, the timestamps on Exim's log lines are omitted when these lines are sent to syslog. 11. The actions for one_time are disabled for the first pass when delivering a message in a -qq queue run. 12. Setting log_sender_on_delivery causes Exim to add an F= item to delivery and bounce log lines (F is for "envelope from" - the same letter as is used in rewriting rules). 13. When processing an "extract" expansion item, Exim was expanding both the "yes" and the "no" strings fully, when it should have been skipping lookups etc. in the one that it did not want. There was a similar problem when processing ${tr} and ${sg} in "unwanted" substrings. 14. Found another place where databases might not be tidied up on the way out of Exim (see 3.20/3 below). 15. Exim uses the O_NONBLOCK option for the pipes it uses to retrieve results from remote parallel deliveries, but if the OS doesn't have O_NONBLOCK, it uses O_NDELAY instead. At least, it is supposed to. There was a typo causing compilation failure on systems without O_NONBLOCK (clearly very few!). 16. If "=" was missing after an option name, the error was 'unexpected "x"' instead of 'missing "="'. 17. When reading addresses for the -t option, if an address contained a newline because of folding of the header line, a malformed address was read, leading to a malformed spool file. 18. If forbid_filter_lookup was set for a forwardfile director, this didn't stop lookups inside a file that was expanded in the autoreply transport as a result of a "mail expand file /foo/bar" command in the filter. Ditto for forbid_existstest and forbid_perl. 19. Fixed a programming infelicity in the interpretation of file type bits in appendfile and tls modules. 20. Added ignore_target_hosts = 127.0.0.0/8 to the default configuration. 21. Added alarm(0) just before re-exec of the daemon; there was a small window before the new daemon re-established the signal handler (yes, somebody did hit this). 22. If a message with an address that resolved to :blackhole: had several delivery attempts (because other addresses deferred), a log entry for :blackhole: was written for each delivery attempt, instead of just the first. 23. Appendfile uses a temporary file when doing MBX delivery; change from using tmpnam() to using tmpfile() because of worries over the security of tmpnam(). 24. Added system configuration files in the OS directory for Darwin (Mac OS X). 25. If a write error occurred when updating the -H file, an incorrect error message could be output (errno not preserved). This has been fixed, and more detail is now included in the message. 26. Add "could be header name not terminated by colon" to another case of expansion string syntax failure when a non-existent header name contains }. 27. The "freeze" or "fail" message in a system filter can become very large if long header lines are included: truncate it if it's over 1000 characters long. Also ensure that it contains only printing characters (by escaping if necessary) so as not to mess up the log. 28. Address rewriting was inadvertantly lower-casing local parts so that if they were used via numerical variables in the replacement string, the wrong case appeared. Matching addresses in rewriting rules is now done casefully, but with the domain in the incoming address forced to lower case (exactly as for an address list after a +caseful item, and as documented). 29. The checking of From: headers against a local login was happening after the headers had been rewritten; if logins were being rewritten to other names, this meant that Sender: headers were being added unnecessarily, often containing the same rewritten address as From: (which is what you are supposed not to do). As part of this fix, if Exim creates a From: header from an envelope sender, it does so with the unrewritten value. 30. If stdin was a socket, Exim was assuming it was an INET socket, implying a call from inetd. This caused problems if a UNIX domain socket was used. Exim now checks. 31. The expansion operator "md5" computes the MD5 hash of its argument. 32. If quota and quota_warn_threshold in appendfile were set big enough (e.g. 50M and 41%) there was a integer overflow during the calculation. 33. If an "unseen" director or router had an errors_to setting, it was erroneously passed on to the subsequent "seen" drivers for the address. 34. Fixed small security exposure caused by what is essentially typo. If an SMTP error message generated during batch SMTP input contained quoted external material (e.g. a bad header line), the inclusion of formatting characters (e.g. %s) in the quoted material could cause all sorts of problems. 35. If -Mrm was used on a non-existent message id, it still logged "removed by ". Now it writes this line only if it finds at least one file to remove. 36. Modified base make file so that setting STRIP_COMMAND causes all the binaries to be stripped. 37. Modified scripts/exim_install to change the code for installing the texinfo documentation (as requested by FreeBSD maintainer). 38. Give error if address on a command line is longer than 512 bytes (RFC 2821 limits local parts to 64 and domains to 255 - allow extra for escapes, the "@" and so on.) Previously Exim crashed if an address was longer than 1024. Version 3.22 ------------ 1. Fixed a crash in the following obscure circumstances: A system filter obeyed a "mail" command, then then froze the message. The message created by the "mail" command could not be passed to a nested Exim for some reason (e.g. system ran out of process ids). The failure to send the message was logged, but then the original Exim crashed. 2. Fixed a bug in the libident library (not my bug!). If a very long response was received, it could overrun the buffer by one byte. 3. There was no explicit checking for the length of message created for log_ip_options when a call with IP options was received. However, the length of the option string is limited to 40 on the systems I've looked at, so there wasn't a real problem. Nevertheless, I have added some paranoid length checking, just in case. 4. Change 10 of 3.166 introduced a bug; it continued trying to verify when the child was a pipe, file, or autoreply. This could cause crashes. 5. Added server_mail_auth_condition to authenticators. 6. xtext decoding for AUTH on MAIL commands wasn't adding a terminating zero. 7. There was a bug in the table for decoding data encoded in base 64 (authentication data). '/' was being turned into 73 instead of 63. 8. If a numeric variable in an expansion had a number so large that it overflowed, Exim crashed. Now it just inserts a null string, as for any other unset numeric variable. Version 3.21 ------------ 1. Verify callbacks crashed if any host on the list didn't have a known IP address. 2. Macro names longer than 23 characters were truncated when defined, but of course caused trouble when used. The limit has been raised to 63, and a configuration error occurs if it it exceeded. 3. Make dns_ipv4_lookup also apply to gethostbyname(), so that it looks only for IPv4 addresses. I forgot this when I invented the option. For tidyness, add a synonym ipv4_address_lookup. 4. Do not call gethostbyaddr() directly in appendfile when notify_comsat is set. Instead call host_bind_byname() to get all local addresses. However, for the moment, we continue to use 127.0.0.1 only, because (on some systems at least), comsat doesn't listen on the ::1 address. 5. In readconf.c, when making the result of uname() fully qualified, don't just call gethostbyname(). Call the appropriate function depending on IPv4/IPv6 settings. 6. If the expansion of require_files suffered a lookup defer, the correct error message wasn't being passed back with the DEFER status. 7. When an Envelope-To: header was added to a delivery, more than one instance of the same envelope address could appear if there were discarded duplicates that had the same original address. In other cases, different originals might not appear when they should. 8. If quota_warn_threshold was given as a percentage when quota was not set, Exim objected. Now it just ignores the setting. 9. The -Mmd (mark delivered) option now operates case-insensitively. 10. Give more information in syntax error messages for incorrect conditions in expansions. 11. When the daemon is SIGHUPped and re-execs itself, it used to go through the forking thing in order to get rid of the controlling terminal, even though in this case it was not needed. It no longer plays this game if its parent process is 1. This means that the pid no longer changes when the daemon is SIGHUPped. 12. Omit the reason for the delay in warning messages when it is "retry time not reached", because this doesn't convey much, and just confuses people. Unfortunately, it ain't easy to find the real reason at this stage. 13. When hide_child_in_errmsg was set, and a delivery to a pipe produced output to be sent back, the child was being shown at the head of the returned output. It now hides the address in the same was as it does for the list of failing addresses. 14. If the expansion of require_files fails, delivery is now deferred for all kinds of failure, not just forced ones. Previously Exim panicked. This change has also been made for file names that are not absolute. 15. When outputting a host list for -bv -v when an address is routed to a local transport, just give the host name, omitting "[unknown]" for the address. The detail of what was output when -v (or -d) was set for -bv and -bt has been changed. It now always gives the director, router, and transport names. 16. The -bpc option gives a count of messages on the queue. It is faster than processing the output of -bp because it doesn't open any of the files. 17. The smtp transport has a new option called helo_data which is expanded to give the text used as the argument for EHLO or HELO. The default setting is "$primary_hostname". 18. It appears that mkdir() ignores any mode bits other than 0777, at least on some OS. If such bits are set in (for example) directory_mode of appendfile, we now do an explicit chmod() to ensure they get set. 19. A way round the problems with gcc on IRIX systems has been found. A replacement function for inet_ntoa() is provided. This is now included by means of a macro switch which is set on IRIX systems when gcc is in use. Version 3.20 ------------ 1. The TLS close function is called on a number of paths through the code. It does nothing if TLS is not active, but it was logging this case at a low debug level, quite unnecessarily. No debug output is now produced. 2. I'd forgotten to add the details of callback verification failures to log lines. 3. Tidying up open database connections wasn't happening on all the ways out of Exim. Closed some holes. 4. In the daemon, move the setting up of the signal handler for SIGHUP to before writing the pid file in the spool (it was just after). This should be better behaved if some process is reading the pid file and sending SIGHUPs in quick succession. 5. Added the ldapdn lookup type, to return a DN from an entry. 6. When a size or time limit was not set in an LDAP query, Exim was doing nothing; this meant that if it re-used a cached connection, the limit from the previous query was used. It now sets the limits explicitly for every query, defaulting to "unlimited". Version 3.169 ------------- SMTP callback checking (3.168/13) was not working on little-endian hosts. Version 3.168 ------------- 1. When testing with -be, privilege is discarded, and Exim runs as the calling user. 2. Untrusted users may now be permitted to use -f with any value, by setting untrusted_set_sender=true. In implementing this, I had to do some tidying up of the way sender setting and various checks are implemented, including a revision of the previous facility, whereby only -f <> was permitted to untrusted callers. If an untrusted user uses -f, the user's login id is displayed in parentheses after the sender address in -bp and eximon displays. In the previous code that did this for eximon (for -f <>), there was a store bug; the code is replaced rather than fixed, but I log it for the record. 3. Added once_file_size to the autoreply transport. 4. Added support for the tdb DBM library. 5. Made consistent the handling of address listings in bounce and defer messages. Added hide_child_in_errmsg options to relevant directors. 6. Added support for the maildir++ "maildirfolder" feature. 7. If an address was passed to the directors by self=local, and then picked up by an "unseen" director, it reverted to the routers afterwards, instead of continuing with the directors. 8. The use of pipes and files in new_address in smartuser was supposed to be locked out. In fact, it caused segfaults. 9. Extended smartuser to allow the use of pipes and files in new_address; added appropriate options such as file_transport and forbid_file. 10. An incorrect message might have been logged when an attempt to open a hints file failed. 11. If self=send was activated on a domainlist router (i.e. the first host was the local host), but more than one local host address was in the list, all but the first were being removed (and any that followed a local host). This no longer happens. Also, if fallback hosts were set, they were not being used in this case (as if the local host had been removed from the list). 13. Added support for callback verification of senders. 14. Changes to the LDAP lookup: * Abandoned auto-guess of LDAP library (was in fact broken). * Added support for OpenLDAP 2.0.6 (changed API from 1.x release). * Use ldap_search and asynchronous ldap_result instead of ldap_url_search. * Changes to the way multiple values are returned. * Miscellaneous internal tidies. 15. Only an admin user may now set a debug level greater than 1 (because passwords etc. may be shown in debugging output from lookups, and filter file processing can be seen). 16. The smtp transport now has an option called hosts_max_try, which limits the number of IP addresses that will be tried for a single delivery. The default is 5. 17. If log_incoming_port is set, the remote port number (separated by a dot) is added to the IP address of incoming calls in all log entries, and in Received: header lines. For example: 127.0.0.1.48433 ::1.48433 This is implemented by changing the value that is put in the $sender_fullhost and $sender_rcvhost variables, to include the port. There is also a separate variable called $sender_host_port which contains just the port number. This is available whether of not log_incoming_port is set. 18. A port number may be specified with the -oMa or -bh options. 19. Internal tidying of the function for formatting host names/addresses and ident data for logging. 20. Added the headers_rewrite transport option. 21. Error message when : omitted from header name in expansion now suggests this possibility. 22. $rbl_domain contains the RBL domain that failed during the expansion of $prohibition_message after an RBL rejection. 23. When the "domains", "local_parts", or "senders" options on directors and routers contain query-style lookups, they have to make use of $key, but because these options are pre-expanded, $key was getting replaced too early, with an empty string. The expansions of these options now replace $key with "$key", so that its expansion is delayed till later, when an individual query-style lookup item is expanded. 24. Extended the "extract" expansion item so as to have yes/no substrings, like if and lookup. As a side effect of backwards compatibility, "lookup" can now be given with no substitution strings - this behaves like {$value}{}. 25. If move_frozen_messages was set, Exim was trying to move messages that had completed as well, causing spurious log entries to be written when it failed. 26. Added dns_ipv4_lookup to enable people to turn off DNS lookups for AAAA and A6 records in versions of Exim compiled with IPv6 support. 27. Re-arranged code of aliasfile so the query/queries handling could be abstracted into a separate function. 28. Added new "data" option to forwardfile. 29. The use of authentication over TLS was broken for any authentication method that required prompting for data, that is, all except PLAIN. 30. Ignore -U; Sendmail uses this for initial message submission, apparently. Version 3.167 ------------- 1. Added support for outgoing pipelining to the SMTP transport. Crude tests indicate a definite benefit. 2. Added "(Exim)" after "This message was automatically created by mail delivery software" to make it clear which piece of software is doing it. 3. Fixed problem with protocol=lmtp in the smtp transport; it was assuming progress had been made on a message when it hadn't (change 3.166/5 wasn't working properly for LMTP). 4. If protocol=lmtp in the smtp transport, the port defaults to "lmtp" instead of "smtp". Version 3.166 ------------- 1. When the "percent hack" was in use, it didn't work if the domain of the new address was not local. 2. Added timeout_frozen_after, and changed ignore_errmsg_errors to check against the message's age, not the time since last freezing. 3. Included ignore_errmsg_errors and timeout_frozen_after in the default configuration. 4. Tidied up the code for logging deliveries, defers, and failures. It had got very messy. One consequence is that the text written to the message log is identical to that written to the main log in most cases (previously there were minor variations, mostly historical accidents). 5. If there were several messages queued for the same host, and at every attempt to deliver, all the addresses got 4xx errors, Exim could get into a loop trying to deliver the messages over the same SMTP channel, and cycling round the messages as it did so. Now, it won't pass the channel to another message unless at least one address was either successfully delivered, or rejected with a hard (5xx) error. In other words, unless there was some progress in delivering to that host. 6. As another safety precaution against the problem encountered in 5, the default value of the batch_max option in the SMTP transport has been changed from zero (unlimited) to 500. 7. The use of -f <> by an untrusted caller was ignored when delivery was by BSMTP (either file or pipe). 8. If -q was given with a second message id, to stop the queue run before the end, a message with that exactly id was not considered. 9. Exim was treating a 5xx response on connection to an SMTP server, or in response to HELO, in the same way as a connection failure - that is, as a temporary error, causing the message to be tried again later. It now bounces all the addresses in these situations. 10. When an incoming address is aliased to just one child address, in an aliasfile or in a smartuser director (but *not* for forwardfile), then verification now continues with the child address. Previously it stopped, as if it were a mailing list, but this isn't the best strategy. (As before, if -v is given with a -bv command, it verifies the complete tree; it's the default case that has changed.) 11. If a temporary SMTP error had a humungously long text string associated with it, this whole error string was included in the retry record. This is not sensible, and besides, some DBM libraries have limits on the data length. There is now a limit of 100 characters. 12. SMTP errors caused by headers_check_syntax could contain up to 1024 characters of an offending header (as in log lines). This is probably unreasonable; it has been reduced to 256. 13. Change 11 of 3.164 introduced a bug whereby if an incoming SMTP message was terminated by '.' before the blank line that ends the headers had been received, Exim saw an extra blank line at the end, and gave an SMTP 'unknown command' error. 14. Changed the setting of host_lookup in the default configuration from 0.0.0.0/0 to *, so that it catches IPv6 addresses too. 15. Re-organized the way SMTP responses were read for outgoing messages, in preparation for adding LMTP support over TCP/IP and outgoing PIPELINING support, both of which must accept multiple responses in single incoming packets. 16. Added protocol=lmtp to the smtp transport, to support LMTP over TCP/IP. 17. When an smtp transport is configured to use a non-standard port, the port number is now added to the host name and IP address to create the retry key. This means that failures to connect to one port do not cause delays on other ports. With the advent of support for LMTP over TCP/IP this became important. Version 3.165 ------------- 1. The re-arrangements for change 3.164/3 introduced a bug that could cause segmentation faults while looking up things in the DNS. 2. If there was an SMTP error in the 2nd or subsequent message sent down a single SMTP connection, it was always reported as "after initial connection" instead of after the actual command that provoked it. 3. If -oX was followed by something that wasn't a digit string, no error was diagnosed. 4. Ignore trailing spaces at the end of local_host_number. 5. Added debug message stating when the primary host name is added to local_domains as a result of local_domains_include_host. 6. The -N debugging option used to apply only to the run of Exim on which it was set. This could be embarrassing if a test message got deferred (for a routing reason or whatever) because it could then get delivered later by a queue runner. The way -N works has therefore been changed. It now sticks to a message, so that it can never actually be delivered. This applies to messages that are received with -N set, and also to existing messages that are the subject of manual delivery attempts with -N (a privileged action). 7. If /etc/aliases was not a regular file, the error message wittered on about bad mode bits and was confusing. It now says that it isn't a regular file. 8. Removed the Exim version number from exiwhat output. It doesn't seem to serve any really useful purpose. Version 3.164 ------------- 1. Changed default setting of tls_advertise_hosts from "*" to "". 2. Removed the code for checking that a host name obtained from gethostbyaddr() actually had a correct IP address, since gethostbyaddr() seems to do this check internally anyway (and Exim wasn't checking any aliases). 3. Added support for A6 DNS records (RFC 2874). 4. Changed what happens if a user or group name in a require_files list does not exist. Previously Exim panicked. Now it just fails the require_files condition. Change 15 of 3.161 made $local_part as a user name unusable in a localuser director, because it panicked for non-local-users. This change makes it useable again. 5. An x'ff' byte in a message transfered over TLS caused premature termination. This was a char * that should have been unsigned. Sigh. 6. prohibition_message wasn't being used after a receiver verify failure (it was after a sender verify failure). It now is, with reason "receiver_verify". 7. If an option setting is preceded by "hide", it is displayed by -bP only to admin users. 8. Obscure buglet: if routing an address changes the domain name, and finds the routing is local, the expanded domain name is re-processed from scratch. If the new name is not in local_domains it comes back to the routers. The loop- breaking code was causing the original router to be incorrectly skipped (since the name has changed, it should be re-run). 9. There was no timeout in the server on negotiation of a TLS session. If a client sent nothing after STARTTLS, the server waited for ever. 10. There was no timeout in the client on negotation of a TLS session. If a server sent nothing after the 220 following TLS, the client waited for ever. 11. In SMTP input, a line containing just .. before the end of the header lines terminated the message. It now turns into the first data line, as a line consisting of just a dot. Version 3.163 ------------- 1. In preparation for introducing support for A6 DNS records, re-arranged the DNS functions to use a passed control block instead of static variables. 2. I broke log_smtp_confirmation in 3.162/10(b). Fixed the typo. 3. Call RAND_status() to check up on random seeding for TLS. Gives a tidy error on failure. If OK at start, it must have seeded from /dev/urandom, and we don't do anything more. 4. Change 3.162/10(a) also broke something; with immediate delivery, Exim was sending two copies of the 250 OK message. The buffer is now flushed before forking a delivery process. 5. I broke something else in 3.162/10(b). If the contents of message-id: in an incoming message happened to contain %r, or some other unimplemented printing escape, Exim fell over. Another stupid error fixed. Version 3.162 ------------- 1. When refusing to run EXPN because not authenticated, the log message referred to VRFY rather than EXPN. 2. A "mailing list" type address that was expanded by a smartuser director missed off one of the addresses when tested using EXPN. 3. If EXPN when used via a daemon provoked any attempted logging (e.g. via log_rewrites), Exim crashed instead of just ignoring the logging. 4. If hosts_randomize was used in an smtp transport, and remote_max_parallel was also set, each parallel delivery sorted the hosts the same way, in a queue run, because the random number generator was already initialized before the forking took place. We now reset the generator after forking. 5. If freeze_tell_mailmaster was set and a message was frozen in a system filter, the text given with the freeze command was not included in the message that was sent (though it did appear in the log). 6. The size of the structure used for each address has been reduced by 72 bytes by changing to single-bit flags. This may matter when mailing lists have thousands of subscribers. 7. Added some missing paranoia checks on the results of setuid() and setgid(). 8. If an address given to EXPN had a domain not in local_domains, it got bounced as "Not a local domain", even though routing it might have turned it into a local domain. The routing is now done, and "Not a local domain" is given only if it really is a remote domain. 9. When routing fails because of a syntax error in a domain name, say so in the error message. 10. When tidying up for TLS/SSL support: (a) removed 3 redundant calls to fflush(). (b) changed the way log lines are generated in accept.c (it was getting far too messy). 11. Added missing -lcrypt to LIBS for GNU/Hurd. 12. For SMTP output, always try EHLO first now. Previously it did this only if the greeting contained "ESMTP", because some MTAs didn't grok EHLO. I think enough time has now passed. 13. In the Linux-specific module, replaced the lines #include #include with #include 14. Added support for TLS/SSL, using the OpenSSL library. Version 3.161 ------------- 1. Removed -lwrap from SCO_SV default configuration because not all systems have it installed. 2. Increase maximum size of string that a filter can handle in a condition from 256 to 1024 characters (regular expressions can get long). 3. On some operating systems, the SIOCGIFCONF ioctl returns the IP addresses with the list of interfaces, and there is no need to call SIOCGIFADDR for each individual address. Mostly, making the second call does no harm, but on Linux when there are IP aliases, it causes things to go wrong. This also seems to be the case on some BSD systems. Therefore, there is now a macro to cut it out, currently defined in os.h for Linux, Solaris, FreeBSD, NetBSD and BSDI. 4. Reorganized the code for finding local interface addresses, which is becoming more system-specific with the advent of IPv6. Moved the code into os.c for the common cases, with the IRIX code in OS/os.c-IRIX (all versions). 5. Used macros to recognize the Solaris way of finding IPv4 and IPv6 interfaces, which just re-defines the old way using new structures. If any other OS do the same thing, this will kick in automatically. 6. Added some contributed code for finding IPv6 interfaces in Linux by scanning /proc/net/if_inet6. 7. The "new" way of getting the load average in Linux is apparently extremely slow. The code now tries the original way, using /proc (which is fast) and reverts to the "new" way if that doesn't work. 8. Installed PCRE 3.4 (latest release; bug fixes). 9. Added generic router option ignore_target_hosts. 10. Added #define HAVE_GETIPNODEBYNAME 1 to os.h for Tru64 Unix (aka OSF1), because it seems to have that kind of IPv6. 11. Change 16 of release 3.14 broke EXPN if called from a -bs session. 12. Allow negations in match_directory. 14. If smtp_etrn_command was set to a non-existent path, an extra SMTP response was sent in addition to the OK, because the forked process was still (incorrectly) connected to the SMTP session. 15. If a local part that was not a local user was passed to a localuser or forwardfile director which also had no_more and a "condition" setting that failed, the local part was not passed to subsequent directors as it should have been (because "condition" failures bypass no_more). 16. Added the phrase "mailbox is full" to quota errors, because not everybody realizes what "quota" refers to. 17. If the list separator for local_domains was changed, local_domains_include_ host_literals went wrong for IPv6 addresses. 18. Sender: headers were being removed from local messages that were submitted by trusted callers. 19. If randomize_hosts was set on an smtp transport, and the host list did not need to be expanded because it contained no "$" characters, it was not being re-randomized every time the transport was called. 20. Check that the output of a transport filter ends with NL when transporting over SMTP, and add one if it is missing. 21. If no_quota_is_inclusive is set in appendfile, the quota check does not include the current message. 22. When Exim builds a From: or Sender: line from the gecos name field, it now encodes it according to RFC 2047 if the user's name includes non-printing characters. Formerly, these were turned into question marks. 23. If a host list failed to expand in the smtp transport, and more than one address was being handled at once, only the first one got the correct error message. 24. Added support for LMTP. This has entailed a surprisingly large amount of internal re-arrangement of the local delivery logic. Batched local deliveries now treat each address independently. The retry_use_local_part option is no longer forced to be FALSE when batching (in retrospect, this was a bad idea, especially when multiple domains were involved). Version 3.16 ------------ 1. Debugging output listing the value of errors_to after forwarding, wasn't giving the right value when a filter file had changed it (change 9 of 3.14). 2. Add errors_to to debugging output that says "queued for xxx transport". 3. If a user filter changed the errors_to field, this wasn't getting put into the right storage pool, and might be corrupted. 4. Change 8 of 3.15 was bungled, leading to a message which had been frozen in a system filter being discarded when manually thawed instead of delivered, under some circumstances. 5. $value was being reset to empty at the start of a $lookup item. This has now been changed; it retains its former value except when processing the "success" string. This makes nested lookups, where the second is in the "success" string of the first, work. 6. A transport name given as the second field in the string returned by a queryprogram router was being ignored. 7. When a host that had no reverse DNS was RBL blacklisted, the two messages confused people. Cut out the comment about no reverse DNS when rejecting for RBL reasons. Instead, say explicitly, "host is blacklisted". 8. If a message was failed with \-Mg\ the system filter was still run before the addresses were failed. This no longer happens. 9. The handling of "freeze" and "fail" in system filters has been changed. Deliveries set up in the filter are honoured (previously they were discarded). The same is true for non-system filters that have allow_system_actions set. A consequence of this is that first_delivery now becomes false after freezing in a system filter, whereas previously it did not. 10. An explicit setting of "owners =" (i.e. explicitly unsetting it) on a forwardfile director was failing, and likewise for owngroups. 11. Added support for Berkeley DB version 3.1 (they changed the API again). Unknown if this works with 3.0. 12. Update OpenBSD Makefile to give location of chgrp command (/usr/sbin/chgrp). 13. Introduced LIBS_EXIM and EXTRALIBS_EXIM which are on the Exim binary only, to make it easier to avoid unwanted bits of the TCP wrappers library in the other binaries. 14. Arranged for the pcre documentation to be in the doc directory instead of being hidden away in src/pcre, and for pcretest to be put in the util directory after building. 15. Added the argument of MAIL FROM to the log line when rejecting because of lack of authentication. 16. When the /skiprelay option was set on an RBL domain, and a host that was not in host_accept_relay tried to relay, a segmentation fault could occur, or a screwed-up log message (the relay error message was not getting correctly set.) 17. The use of -N for testing by bypassing deliveries was not being logged with "*>" for local deliveries (it was OK for remote ones). 18. When log_subject was set, if the subject contained newlines they got logged as \\n instead of \n; and there was similar duplication for other non-printing characters that were escaped. 19. Removed the test_expand testing program; it is no longer needed now that we have exim -be. 20. -qqf was not working; deliveries were being done on the first scan if 'f' was present in the option. 21. The SIZE_STRIPCHART and SIZE_STRIPCHART_NAME settings for Eximon couldn't be overridden by EXIMON_SIZE_STRIPCHART[_NAME] at run time. 22. The exicyclog script was broken if the string "syslog" happened to occur in the path set in log_file_path, e.g. /var/syslog/exim-%s. (It is supposed to remove the item "syslog" from the value, and screwed up.) 23. Nothing was being logged when a message was rejected because SIZE was larger than the maximum permitted size. This case is now logged in the same way as rejection after an overlarge message has been received. 24. Added an in-memory cache of DNS lookups that fail or give DNS failures such as timeouts. This means that a message with many addresses at the same domain that times out won't take an excessively long time to route. There is no caching for successful lookups - we rely on resolver and name server caching in that case. 25. Improved one case when an overlong header could cause a bomb out if referenced via $h_ in a filter file. 26. Previously, only the current group was tested against trusted_groups. This has been changed so that the supplementary groups are tested as well. 27. Some file servers don't have the concept of inodes, and return -1 when asked how many are free. Don't check against check_spool_inodes when this is the case. 28. The use of IS NOT and DOES NOT (in caps) in filter files was not working, giving syntax errors. 29. If one_time was set on an alias or forward file, and one of the generated addresses then passed through a smartuser director with a new_address and a transport, and got deferred, the generated address was incorrectly marked "delivered" (instead of the parent address). 30. Added $body_linecount for Mutt users (data was there, just the variable needed adding). 31. Minor wording change to bounce messages. Discussions on the mailing list are continuing... Version 3.15 ------------ 1. The "belowhome" test in appendfile used realpath() to get rid of any symbolic links in the file being created, before comparing against the home directory. However, it wasn't using realpath() on the home directory, which could cause false failures if the home directory had symbolic links in it. 2. With headers_check_syntax, a missing double quote in a header line containing very many addresses could cause a very long "address" to be created. This could push the error message over 4096 bytes, which caused trouble in an SMTP response. The amount of address quoted is now limited - the whole address that follows was already limited for this very reason. 3. Changes in support of terminology change from "fail" to "decline": (a) Generic router synonyms: "pass" for "fail_soft", "fail" for "fail_hard". (b) Ditto for host_find_failed in domainlist. (c) Queryprogram: "decline" for "fail". (d) Routers that definitely pass the domain on to the next router always override no_more. (e) Changed return values in code from FAIL to DECLINE and FAILMORE to PASS. (f) Wording of debugging messages changed from "failed" to "declined". 4. Installed PCRE release 3.2 (bug fix). 5. If local_interfaces contained an IPv4 address on an IPv6 system, the daemon failed to set up the listening socket correctly. 6. Flattening the environment (3.14/40) turns out to be a *very* bad idea. Apart from anything else, it makes -Meb fail to work. This change has been backed off. 7. Revised time zone handling implemented: added timezone option to set what is required. 8. When testing a system filter with -bF, if "freeze" or "fail" was encountered, it was not treated as a significant delivery, leading to a misleading message about normal delivery. 9. System filter files do not in fact need #Exim filter at the start; they are always interpreted as filter files. However, -bF didn't know this. 10. $recipients was accepted in a pipe command in a system filter if the transport did not have use_shell set, but was rejected if it did. 11. If an address passed through several directors, added headers were eventually added in reverse order. Change this to output them in the order that is probably expected. 12. Permit envelope sender addresses to be rewritten to <>. 13. The default connect_timeout in the smtp transport has been changed from zero (use system default) to 5 minutes because on some systems, the system default doesn't always seem to work. The value of 5 minutes is as recommended by RFC 1123. 14. The error message for freeze/fail in a system filter was sometimes getting lost or mangled. 15. If a system filter generated a pipe, file, or autoreply delivery, and no transport was set, the unhelpful message was "No transport set by director". This has been improved. 16. A better error message is given if a closing brace is omitted after a variable name. 17. If the closing brace was omitted after a nested expansion, for example, if a string was ${expand:abcd no error was diagnosed, and a garbled result could be given. Version 3.14 ------------ 1. Allow any user to specify -oMa etc when testing a filter. 2. $recipients wasn't getting set when testing a filter - only relevant to system filters of course. However, only a single recipient can be set when testing any kind of filter. 3. Transport filters were not working for SMTP output. This has been broken since the reorganization of release 3.033. 4. Instead of importing the entire PCRE distribution, just import the files needed for PCRE, excluding the POSIX interface and the test data, and all the autoconf support material. Import the latest release of PCRE (3.0). 5. Eximon was mis-aligning the "..." at the end of a list of recipients. 6. Changed ${quote_mysql: so that it no longer quotes % and _ because these must be quoted only when they are part of a pattern, *and not otherwise*. If they are quoted in error, it doesn't work. 7. If an appendfile transport was set up with mbx_format but no file name, it got the default locking wrong (i.e. didn't default to MBX locking). 8. $domain_data and $local_part_data were previously available only during the running of directors and routers, but this caused confusion: (a) There was a bug that meant they never got cleared - so *sometimes* were still set when a transport was run; and (b) people expected them to be set in the transport, especially if they set home_directory in a director/router (this doesn't expand till transport time). The values are now preserved with the address and made available at transport time. 9. Allow errors_to on deliver commands in user filters, provided that the given address is the address that is causing the filter to run. 10. In the old days of IPv4, failure to create a socket usually meant things were dire, and so Exim used to panic and die. However, with the arrival of IPv6 there are circumstances where IPv6 sockets fail, but IPv4 ones work, and if a domain is routed to a mixture of IPv4 and IPv6 addresses, the right thing to do is to let it try them all. Consequently, this error no longer causes a panic, but instead gives an error return, and the smtp transport will carry on to the next host, if there is one. 11. Added lock_fcntl_timeout to appendfile, to allow for blocking fcntl() locking. The default remains blocking, however. 12. Updated exim_lock to allow for non-blocking fcntl() locking by specifying a timeout. 13. Extended RBL handling, adding /accept, /skiprelay, and the facility to check for specific IP addresses. 14. When autoreply complains about non-printing characters, give the character number. Relax the rules, and allow any characters in the "text" option. 15. Ignore an ENOPROTOOPT error from the getsockopt() call for checking IP options, instead of rejecting the call. This allows for OS such as GNU/Hurd, which have the interface but not the underlying code. 16. Add "to " to 550 EXPN not available, because the host check isn't done till EXPN time (it's advertised if the list is not empty). 17. Don't suppress -oMr etc. values for non-trusted users when testing addresses with -bv, -bvs, or -bt. 18. Include details of delivery errors in warning messages. 19. Gcc -Wall now gives a warning for subscripts of type "char" on machines where "char" is signed. The source of Exim now has explicit casts in these cases, which are entirely calls to isspace() etc. [I have learned my lesson. The next program I write will explicitly use unsigned chars everywhere.] 20. Tweaked a couple of function definitions in the modified Athena widgets code from old-style to standard C, to stop gcc giving warnings. 21. Sun's cc compiler gives warnings if an initializing value for an automatic variable contains an operator that modifies something else, e.g. ++ or +=. The few places in Exim where this was used have been changed. 22. Some cases of failing to close a file have been fixed: after reading an interpolated file in a list, and after reading a header or body or message log with -Mvh/-Mvb/-Mvl 23. The GNU Hurd allows a maximum of 2^31 open file descriptors, so Exim's crude sledgehammer of closing all fd's before execve() calls, and when starting up the daemon, caused a problem. This machinery has been revised. It now uses FD_CLOEXEC on files that should not survive an exec. There has also been a general tidying of the way it handles subprocesses with pipes. In the daemon, explicit closing of stdin/stdout/stderr is used. 24. Relaxed restrictions on contents of maildir_tag to allow any graphic characters, and only insert the initial colon if the first character is alphanumeric. The expansion of the tag value now takes place after the file has been written, and $message_size is updated to the accurate value of the file before this expansion. 25. If quota is set on an appendfile transport, and one of the delivery modes that writes a separate file for each message is being used, then when Exim wants to find the size of a file, it first checks quota_size_regex. If this is set to a regular expression that matches the file name, and it captures one string, then that string is interpreted as a representation of the file's size. 26. Don't advertise AUTH if host in host_accept_relay, even if it is in host_auth_accept_relay (unless "always advertise", of course). 27. Fixed some IPv6 buglets: (a) IN6ADDR_ANY_INIT doesn't need braces round it; (b) reworked the code for outgoing calls so as to use entirely separate structures for IPv4 and IPv6 addresses instead of trying to overlay them. 28. The "ultimate address timeout" only kicks in after a failed delivery attempt. This means that if there are lot of messages and the destination is going up and down, some never get tried, and so never hit this timeout. The "ultimate message timeout" finally gets them, but in some configurations it may be considerably longer than the address' maximum timeout. The rules for retrying have now been changed: if a retry time has not been reached, but the message has been on the queue for longer than the address' maximum timeout, a delivery is attempted - if this fails, the ultimate address timeout will be invoked. Thus the "ultimate message timeout" is no longer needed, and has been removed from the code. 29. quota_warn_threshold was sending its message even if the actual delivery failed because it completely overshot the quota. 30. Previously, if a lookup defered during a search of a host, or domain list, Exim panicked and died. Now it takes less serious action (e.g. during delivery, if this is in local_domains, it just defers the address it is checking.) 31. When displaying an IPv6 address, if it is a mapped IPv4 address, show it as a plain V4 address without the preceding "::ffff:". 32. If a domainlist router encountered a DNS timeout (or other temporary error) while looking up a host in a route list, it deferred (correctly), but did not set up an appropriate message for the log. 33. It appears that more and more DNS zones are breaking the rules and putting IP addresses on the RHS of MX records. Exim follows the rules and rejects this, but other MTAs do support it, so allow_mx_to_ip has been added to permit this heinous activity. 34. All configuration lines may now be continued by ending them with backslash (ignoring trailing spaces), not just those in quotes. 35. Fixed problem in perl.c which was causing compilation failure with the developer version of Perl (use of variable 'na'). 36. Added support for Postgres SQL, analagous to MySQL. 37. Renamed forbid_reply in forwardfile as forbid_filter_reply, to go along with other forbid_filter_xxx options, keeping the old name as a synonym. 38. All lists except log_file_path can not use an alternative separator to colon by starting the list with FAIL, "1"; "yes", "true" => OK; anything else defers, text is message). 4. Added ${mask:} expansion operator. 5. Added translate_ip_address. Version 3.034 ------------- 1. When a header syntax check failed, a humungously long address that was too much for string_sprintf to fit in the error message caused a panic exit. This could happen, for example, if a double quote was omitted in a very long list of addresses in a header. It now reflects just the first 1K of the address. Put a similar limit on sender addresses in verify failed messages. Version 3.033 ------------- 1. Arrange for crypt.h to be included only on those OS that have it (Solaris, IRIX 6, modern Linux), and for -lcrypt to be set up for those OS that need it (FreeBSD, NetBSD, modern Linux). 2. Made MAXINTERFACES changeable in Local/Makefile. 3. When sending a delay warning message, quote the top-level original address only, saying "an address generated from" if the actual problem is with a child. 4. Set a default for delay_warning_condition to skip precedence bulk/list/junk. 5. Allow for spaces around colons in temp_errors setting in smtp transport. 6. The "personal" test in filter files now checks for "list" and "junk" as well as "bulk" in the Precedence: header. 7. Added retry_data_expire. 8. If a key in a partial match was very long (longer than the buffer for string_sprintf()), Exim couldn't handle it. 9. Added expansion operator ${quote_xxx:} where xxx is a search type. Each search type has its own (optional) quoting function. Added suitable functions for NIS+, LDAP, and MYSQL. 10. Internal revision of the way the "From hack" and SMTP dot escaping is done in preparation for extending appendfile. They are now unified, and are therefore mutually exclusive. 11. The "From hack" was failing if the string "From " happened to be split between two buffers when transporting the message. 12. If a non-SMTP message that was being read without -oi ended with "\n." (no following NL) then the "." got lost. 13. Ensure that all non-SMTP messages have a final NL at input time, instead of testing at delivery time. This simplifies the delivery code. 14. Replaced from_hack in appendfile and pipe by check_string and escape_string. 15. Added file_format to appendfile. Version 3.032 ------------- 1. If remove_headers contained a "fail" expansion, it caused a crash. 2. The generic headers_remove option in transports is now expanded. (Seems to have been an oversight.) 3. Changed $host_authenticated to $sender_host_authenticated (oversight). 4. Added server_set_id generic option to authenticators and $authenticated_id for accessing it. Version 3.031 ------------- 1. Removed unnecessary #ifdefs from lookups which don't have private header files. 2. Added crypteq as a new expansion condition. 3. Make it recognise "netbsd" as equivalent to "NetBSD". 4. Updated the FSF's address in LICENCE and NOTICE files. 5. Code tidies for SMTP input to remove repetition of real and debugging output by using a subroutine. 6. Added support for AUTH. 7. Source tidies of a lot of unnecessarily complicated calls to string_nextinlist(). 8. Source tidies in lookup handling. 9. Set XLFLAGS empty for IRIX6 as it doesn't seem to need anything. 10. Typo in code for decoding quota_