[exim] Exim 4.88 released

Top Page

Reply to this message
Author: Jeremy Harris
To: exim-announce, exim users
Subject: [exim] Exim 4.88 released
I have uploaded Exim 4.88 to:

The following features are REMOVED (configurations using them will
require updating):

- - The obsolete acl condition "demime" is removed (finally, after ten
years of being deprecated). The replacements are the ACLs
acl_smtp_mime and acl_not_smtp_mime.

- - Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
and logged a warning sing 4.83; now they are a configuration file

This release contains the following enhancements and bugfixes:

- The new perl_taintmode option allows to run the embedded perl
interpreter in taint mode.

- New log_selector: dnssec, adds a "DS" tag to acceptance and delivery

- Speculative debugging, via a "kill" option to the "control=debug" ACL

- New expansion item ${sha3:<string>} / ${sha3_<N>:<string>}.
N can be 224, 256 (default), 384, 512.
With GnuTLS 3.5.0 or later, only.

- Facility for named queues: A commandline argument can specify
the queue name for a queue operation, and an ACL modifier can set
the queue to be used for a message. A $queue_name variable gives

- New expansion operators base32/base32d.

- The CHUNKING ESMTP extension from RFC 3030. May give some slight
performance increase and network load decrease. Main config option
chunking_advertise_hosts, and smtp transport option
hosts_try_chunking for control.

- LMDB lookup support, as Experimental.

- Expansion operator escape8bit, like escape but not touching newline

- - Feature macros, generated from compile options.

- - Integer values for options can take a "G" multiplier.

- - defer=pass option for the ACL control cutthrough_delivery, to reflect
4xx returns from the target back to the initiator, rather than
spooling the message.

- - Use SIZE on MAIL FROM in a cutthrough connection, if the destination
supports it and a size is available (ie. the sending peer gave us

- - Upgrade security requirements imposed for hosts_try_dane

- - If main configuration option tls_certificate is unset, generate a
selfsigned certificate for inbound TLS connections.

- - Support ${sha256:} applied to a string (as well as the previous

- - Assorted fixes and enhancements to cutthrough delivery.

- - Fakereject: previously logged as a normal message arrival "<="; now
distinguished as "(=".

- - Support Radius libraries that return REJECT_RC.

- - Send DMARC forensic reports for reject and quarantine
results, even for a "none" policy.

- - Enable {spool,log} filesystem space and inode checks as default.
Main config options check_{log,spool}_{inodes,space} are now
100 inodes, 10MB unless set otherwise in the configuration.

- - A new transport, queuefile, for interfacing with some
types of external mail scanners

- - TCP Fast Open (RFC 7413) support

- - Speedups in main-process startup, and TCP connection startup.

- - New syslog_pid logging option

Security-related changes:

- - Fix CVE-2016-9963 - Info leak from DKIM. When signing DKIM, if either
LMTP or PRDR was used for delivery, the key could appear in logs.
Additionally, if the experimental feature "DSN_INFO" was used, it
could appear in DSN messages (and be sent offsite).

Packages for a patched 4.87.1 with just this fix have been placed in

- - Fix a possible security hole, wherein a process operating with the
Exim UID can gain a root shell. Credit to http://www.halfdog.net/ for
discovery and writeup. Ubuntu bug 1580454.

- - Changed default Diffie-Hellman parameters to be Exim-specific, created
by PDP. Added RFC7919 DH primes as an alternative.

- - Fix use of OCSP stapling with LetsEncrypt certificates

- - Build with OpenSSL 1.1 fixed (OCSP proof validation and DANE)

- - For builds with OpenSSL the tls_eccurve main option now defaults
to 'auto'. For OpenSSL versions at or newer than 1.0.2 this lets
the library choose. For older versions it selects 'prime256v1',
which was the previous default.

The ChangeLog/NewStuff are packaged with the exim
tarball or can be reviewed online at:


The release files for 4.88 are signed with the PGP key 0xE41F32DF,
which has a uid "Jeremy Harris (none) <jgh@???>". Please use
your own discretion in assessing what trust paths you might have to
this uid.

The release files for 4.87.1 are signed with the PGP key 0xF69376CE,
which has a uid "Heiko Schlittermann (HS12-RIPE)
<hs@???>". Please use your own discretion in assessing
what trust paths you might have to this uid.

Checksums are below. Detached PGP signatures in .asc files are available
alongside the tarballs.

Please report issues by replying to this email on exim-users.

Thank you for your patronage,
- --
Jeremy Harris, pp The Exim Maintainers