To kick off the run up to the next Exim release -
the ftp site:
ftp://ftp.exim.org/pub/exim/exim4/test/
now has the initial release candidate build, RC1 of Exim 4.88
available. Built and signed by myself.
Sha265 sums:
025362da42722a6f67204afc042641085ee17c5aee75ea06cc2f8c1e072e8630 exim-4.88_RC1.tar.bz2
76689b11b8e6d450e9a1eeba5b8542e59cd9daf3f1593ae2560c9ae9309d4cdc exim-pdf-4.88_RC1.tar.bz2
c639ae65da6e4c6867cb1e526577d8fbffd22be120e05be908db7bd76cde7db1 exim-postscript-4.88_RC1.tar.bz2
62d36611a6d0df932ab27742b1de9457d1c99937adb93d8813b012e316c7f4a6 exim-4.88_RC1.tar.gz
fb7d48a964d3c0c92a0f4ec8a44ab581e4ee83e4beb8ae9a5f7dfe6e8ddcc478 exim-pdf-4.88_RC1.tar.gz
2b54762fdec415f2fe6fcb3d3b9e4428f1b411469ebd0b89247338935555e00b exim-postscript-4.88_RC1.tar.gz
New features since 4.87:
1. The new perl_taintmode option allows to run the embedded perl
interpreter in taint mode.
2. New log_selector: dnssec, adds a "DS" tag to acceptance and delivery lines.
3. Speculative debugging, via a "kill" option to the "control=debug" ACL
modifier.
4. New expansion item ${sha3:<string>} / ${sha3_<N>:<string>}.
N can be 224, 256 (default), 384, 512.
With GnuTLS 3.5.0 or later, only.
5. Facility for named queues: A commandline argument can specify
the queue name for a queue operation, and an ACL modifier can set
the queue to be used for a message. A $queue_name variable gives
visibility.
6. New expansion operators base32/base32d.
7. The CHUNKING ESMTP extension from RFC 3030. May give some slight
performance increase and network load decrease. Main config option
chunking_advertise_hosts, and smtp transport option hosts_try_chunking
for control.
8. LMDB lookup support, as Experimental.
9. Expansion operator escape8bit, like escape but not touching newline etc..
10. Feature macros, generated from compile options. All start with "_HAVE_"
and go on with some roughly recognisable name. Use the "-bP macros"
command-line option to see what is present.
11. Integer values for options can take a "G" multiplier.
12. defer=pass option for the ACL control cutthrough_delivery, to reflect 4xx
returns from the target back to the initiator, rather than spooling the
message.
Other changes of interest since 4.87:
01 Use SIZE on MAIL FROM in a cutthrough connection, if the destination
supports it and a size is available (ie. the sending peer gave us one).
02 The obsolete acl condition "demime" is removed (finally, after ten
years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.
03 Upgrade security requirements imposed for hosts_try_dane: previously
a downgraded non-dane trust-anchor for the TLS connection (CA-style)
or even an in-clear connection were permitted. Now, if the host lookup
was dnssec and dane was requested then the host is only used if the
TLSA lookup succeeds and is dnssec. Further hosts (eg. lower priority
MXs) will be tried (for hosts_try_dane though not for hosts_require_dane)
if one fails this test.
This means that a poorly-configured remote DNS will make it incommunicado;
but it protects against a DNS-interception attack on it.
04 Bug 1810: make continued-use of an open smtp transport connection
non-noisy when a race steals the message being considered.
05 If main configuration option tls_certificate is unset, generate a
selfsigned certificate for inbound TLS connections.
06 Bug 165: hide more cases of password exposure - this time in expansions
in rewrites and routers.
07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
and logged a warning sing 4.83; now they are a configuration file error.
08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name
(lacking @domain). Apply the same qualification processing as RCPT.
09 Bug 1804: Avoid writing msglog files when in -bh or -bhc mode.
10 Support ${sha256:} applied to a string (as well as the previous
certificate).
11 Cutthrough: avoid using the callout hints db on a verify callout when
a cutthrough deliver is pending, as we always want to make a connection.
This also avoids re-routing the message when later placing the cutthrough
connection after a verify cache hit.
Do not update it with the verify result either.
12 Cutthrough: disable when verify option success_on_redirect is used, and
when routing results in more than one destination address.
13 Cutthrough: expand transport dkim_domain option when testing for dkim
signing (which inhibits the cutthrough capability). Previously only
the presence of an option was tested; now an expansion evaluating as
empty is permissible (obviously it should depend only on data available
when the cutthrough connection is made).
14 Fix logging of errors under PIPELINING. Previously the log line giving
the relevant preceding SMTP command did not note the pipelining mode.
15 Fix counting of empty lines in $body_linecount and $message_linecount.
Previously they were not counted.
16 DANE: treat a TLSA lookup response having all non-TLSA RRs, the same
as one having no matching records. Previously we deferred the message
that needed the lookup.
17 Fakereject: previously logged as a normal message arrival "<="; now
distinguished as "(=".
18 Bug 1867: make the fail_defer_domains option on a dnslookup router work
for missing MX records. Previously it only worked for missing A records.
19 Bug 1850: support Radius libraries that return REJECT_RC.
20 Bug 1872: Ensure that acl_smtp_notquit is run when the connection drops
after the data-go-ahead and data-ack.
21 Bug 1846: Send DMARC forensic reports for reject and quaratine results,
even for a "none" policy.
22 Fix continued use of a connection for further deliveries. If a port was
specified by a router, it must also match for the delivery to be
compatible.
23 Bug 1874: fix continued use of a connection for further deliveries.
When one of the recipients of a message was unsuitable for the connection
(has no matching addresses), we lost track of needing to mark it
deferred. As a result mail would be lost.
24 Bug 1832: Log EHLO response on getting conn-close response for HELO.
25 Decoding ACL controls is now done using a binary search; the sourcecode
takes up less space and should be simpler to maintain. Merge the ACL
condition decode tables also, with similar effect.
26 Fix problem with one_time used on a redirect router which returned the
parent address unchanged. A retry would see the parent address marked as
delivered, so not attempt the (identical) child. As a result mail would
be lost.
27 Fix a possible security hole, wherein a process operating with the Exim
UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454.
There will be further RC builds before 4.88 is released.
Both feature-additions and bug-fixes are acceptable for
the forthcoming RC2.
Please report issues here in the exim-dev or
exim-users mailinglist, or by raising bugs
on
http://bugs.exim/org
- --
Cheers,
Jeremy
