To kick off the run up to the next Exim release - the ftp site:
ftp://ftp.exim.org/pub/exim/exim4/test/
now has the initial release candidate build, RC1 of Exim 4.90 available.
Built and signed by myself.

SHA256 sums:

New features since 4.89:

 1. PKG_CONFIG_PATH can now be set in Local/Makefile;
    wildcards will be expanded, values are collapsed.

 2. The ${readsocket } expansion now takes an option to not shutdown the
    connection after sending the query string. The default remains to do so.

 3. An smtp transport option "hosts_noproxy_tls" to control whether multiple
    deliveries on a single TCP connection can maintain a TLS connection
    open. By default disabled for all hosts, doing so saves the cost of
    making new TLS sessions, at the cost of having to proxy the data via
    another process. Logging is also affected.

 4. A malware connection type for the FPSCAND protocol.

 5. An option for recipient verify callouts to hold the connection open for
    further recipients and for delivery.

 6. The reproducible build $SOURCE_DATE_EPOCH environment variable is now
    supported.

 7. Optionally, an alternate format for spool data-files which matches the
    wire format - meaning more efficient reception and transmission (at the
    cost of difficulty with standard Unix tools). Only used for messages
    received using the ESMTP CHUNKING option, and when a new main-section
    option "spool_wireformat" (false by default) is set.

 8. New main configuration option "commandline_checks_require_admin" to
    restrict who can use various introspection options.

 9. New option modifier "no_check" for quota and quota_filecount
    appendfile transport.

10. Variable $smtp_command_history returning a comma-sep list of recent
    SMTP commands.

11. Millisecond timestamps in logs, on log_selector "millisec". Also
    affects log elements QT, DT and D, and timestamps in debug output.

12. TCP Fast Open logging. As a server, logs when the SMTP banner was sent
    while still in SYN_RECV state; as a client logs when the connection
    is opened with a TFO cookie.

13. DKIM support for multiple signing, by domain and/or key-selector.
    DKIM support for multiple hashes, and for alternate-identity tags.
    Builtin macro with default list of signed headers.

14. Exipick understands -C|--config for an alternative Exim
    configuration file.

15. TCP Fast Open used, with data-on-SYN, for client SMTP via SOCKS5 proxy,
    for ${readsocket } expansions, and for ClamAV.

Other changes of interest since 4.89:

01 Rework error string handling in TLS interface so that the caller in
   more cases is responsible for logging. This permits library-sourced
   string to be attached to addresses during delivery, and collapses
   pairs of long lines into single ones.

02 Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
   during configuration. Wildcards are allowed and expanded.

03 Rework error string handling in DKIM to pass more info back to callers.
   This permits better logging.

04 Rework the transport continued-connection mechanism: when TLS is active,
   do not close it down and have the child transport start it up again on
   the passed-on TCP connection. Instead, proxy the child (and any
   subsequent ones) for TLS via a unix-domain socket channel. Logging is
   affected: the continued delivery log lines do not have any DNSSEC, TLS
   Certificate or OCSP information. TLS cipher information is still logged.

05 Shorten the log line for daemon startup by collapsing adjacent sets of
   identical IP addresses on different listening ports. Will also affect
   "exiwhat" output.

06 Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
   add noisy ifdef guards to special-case this silliness.
   Patch from Bernd Kuhls.

07 Tighten up the checking in isip4 (et al): dotted-quad components larger
   than 255 are no longer allowed.

08 Default openssl_options to include +no_ticket, to reduce load on peers.
   Disable the session-cache too, which might reduce our load. Since we
   currently use a new context for every connection, both as server and
   client, there is no benefit for these.
   GnuTLS appears to not support tickets server-side by default (we don't
   call gnutls_session_ticket_enable_server()) but client side is enabled
   by default on recent versions (3.1.3 +) unless the PFS priority string
   is used (3.2.4 +).

09 Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
   <https://reproducible-builds.org/specs/source-date-epoch/>.

10 Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
   the check for any unsuccessful recipients did not notice the limit, and
   erroneously found still-pending ones.

11 Pipeline CHUNKING command and data together, on kernels that support
   MSG_MORE. Only in-clear (not on TLS connections).

12 Avoid using a temporary file during transport using dkim. Unless a
   transport-filter is involved we can buffer the headers in memory for
   creating the signature, and read the spool data file once for the
   signature and again for transmission.

13 Enable use of sendfile in Linux builds as default. It was disabled in
   4.77 as the kernel support then wasn't solid, having issues in 64bit
   mode. Now, it's been long enough. Add support for FreeBSD also.

14 Bug 2104: Fix continued use of a transport connection with TLS. In the
   case where the routing stage had gathered several addresses to send to
   a host before calling the transport for the first, we previously failed
   to close down TLS in the old transport process before passing the TCP
   connection to the new process. The new one sent a STARTTLS command
   which naturally failed, giving a failed delivery and bloating the retry
   database. Investigation and fix prototype from Wolfgang Breyha.

15 Fix check on SMTP command input synchronisation. Previously there were
   false-negatives in the check that the sender had not preempted a
   response or prompt from Exim (running as a server), due to that code's
   lack of awareness of the SMTP input buffering.

16 Add commandline_checks_require_admin option. Exim drops privileges
   sanely, various checks such as -be aren't a security problem, as long
   as you trust local users with access to their own account. When invoked
   by services which pass untrusted data to Exim, this might be an issue.
   Set this option in main configuration AND make fixes to the calling
   application, such as using `--` to stop processing options.

17 Do pipelining under TLS. Previously, although safe, no advantage was
   taken. Now take care to pack both (client) MAIL,RCPT,DATA, and (server)
   responses to those, into a single TLS record each way (this usually
   means a single packet). As a side issue, smtp_enforce_sync now works on
   TLS connections.

18 OpenSSL/1.1: use DH_bits() for more accurate DH param sizes. This
   affects you only if you're dancing at the edge of the param size limits.
   If you are, and this message makes sense to you, then: raise the
   configured limit or use OpenSSL 1.1. Nothing we can do for older
   versions.

19 For the "sock" variant of the malware scanner interface, accept an empty
   cmdline element to get the documented default one. Previously it was
   inaccessible.

20 Fix a crash in the smtp transport caused when two hosts in succession
   are unusable for non-message-specific reasons - eg. connection timeout,
   banner-time rejection.

21 Fix logging of delivery remote port, when specified by router, under
   callout/hold.

22 Repair manualroute's ability to take options in any order, even if one
   is the name of a transport. Fixes bug 2140.

23 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)

24 Change the list-building routines interface to use the expanding-string
   triplet model, for better allocation and copying behaviour.

25 Prebuild the data-structure for "builtin" macros, for faster startup.
   Previously it was constructed the first time a possibly-matching string
   was met in the configuration file input during startup; now it is done
   during compilation.

26 Bug 2141: Use the full-complex API for Berkeley DB rather than the
   legacy-compatible one, to avoid the (poorly documented) possibility of
   a config file in the working directory redirecting the DB files,
   possibly corrupting some existing file. CVE-2017-10140 assigned for BDB.

27 Bug 2147: Do not defer for a verify-with-callout-and-random which is not
   cache-hot. Previously, although the result was properly cached, the
   initial verify call returned a defer.

28 Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but
   the main verify for recipient in uncached-mode.

29 Retire historical build files to an "unsupported" subdir. These are
   defined as "ones for which we have no current evidence of testing".

30 DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
   if present. Previously it was ignored.

31 Start using specified-initialisers in C structure init coding. This is
   a C99 feature (it's 2017, so now considered safe).

32 Use one-bit bitfields for flags in the "addr" data structure. Previously
   it was a fixed-sized field and bitmask ops via macros; it is now more
   extensible.

33 GitHub PR 56: Apply MariaDB build fix.
   Patch provided by Jaroslav Škarvada.

34 Bug 2161: Fix regression in sieve quoted-printable handling introduced
   during Coverity cleanups [4.87 JH/47]
   Diagnosis and fix provided by Michael Fischer v. Mollard.

35 Fix DKIM bug: when the pseudoheader generated for signing was exactly
   the right size to place the terminating semicolon on its own folded
   line, the header hash was calculated to an incorrect value thanks to
   the (relaxed) space the fold became.

36 Fix Bug 2130: large writes from the transport subprocess were chunked
   and confused the parent.

37 Fix SOCKS bug: an uninitialized pointer was deref'd by the transport
   process which could crash as a result. This could lead to undeliverable
   messages.

38 Logging: "next input sent too soon" now shows where input was truncated
   for log purposes.

39 Fix queue_run_in_order to ignore the PID portion of the message ID. This
   matters on fast-turnover and PID-randomising systems, which were
   getting out-of-order delivery.

40 Fix a logging bug on aarch64: an unsafe routine was previously used for
   a possibly-overlapping copy. The symptom was that "Remote host closed
   connection in response to HELO" was logged instead of the actual 4xx
   error for the HELO.

41 Fix CHUNKING code to properly flush the unwanted chunk after an error.
   Previously only that buffered was discarded, resulting in SMTP command
   desynchronisation.

There will be further RC builds before 4.90 is released.
Both feature-additions and bug-fixes are acceptable for the
forthcoming RC2.

Please report issues here in the exim-dev or exim-users mailing list, or
by raising bugs on http://bugs.exim.org

-- 
Cheers,
  Jeremy
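
The calling-application fix named in change 16 (using `--` to stop option processing), as an added example that is not part of the original announcement and not Exim's own code. The binary path, the function names and the sample addresses are assumptions made for the illustration.

```python
import re

SENDMAIL = "/usr/sbin/sendmail"  # assumed path of Exim's sendmail-compatible binary

# Conservative address shape for this sketch: no whitespace, no control
# characters, exactly one "@". Real deployments may need a fuller parser.
_ADDR = re.compile(r"[^\s\x00-\x1f@]+@[^\s\x00-\x1f@]+")


def build_argv_unsafe(sender, recipients):
    """'Before' form: untrusted strings sit where options are still parsed."""
    return [SENDMAIL, "-f", sender, *recipients]


def build_argv(sender, recipients):
    """Hardened form: validate, then put "--" ahead of every recipient."""
    if not recipients:
        raise ValueError("no recipients")
    for addr in (sender, *recipients):
        if not _ADDR.fullmatch(addr):
            raise ValueError(f"rejected address: {addr!r}")
    # The sender is the argument of -f, so it comes before "--"; refuse a
    # leading "-" there rather than rely on how the option is parsed.
    if sender.startswith("-"):
        raise ValueError("sender must not start with '-'")
    # -oi: a lone "." line does not end the message; "--" ends the options.
    return [SENDMAIL, "-oi", "-f", sender, "--", *recipients]


def option_like_before_terminator(argv):
    """Items a command-line parser could still read as options (simplified)."""
    end = argv.index("--") if "--" in argv else len(argv)
    known = {"-oi", "-f"}  # the options this wrapper sets itself
    return [a for a in argv[1:end] if a.startswith("-") and a not in known]


# Constructed input: the first "recipient" starts with "-", so it looks like
# an option to anything that parses the command line.
SAMPLE_RCPTS = ["-be@example.org", "user@example.org"]
```

Pass the resulting list to `subprocess.run(argv, input=message)` with no shell, and set `commandline_checks_require_admin` in the main configuration as the announcement advises.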
