[exim] Exim 4.90 released

Author: Jeremy Harris
Date:  
To: exim-announce, exim-maintainers, exim users
Subject: [exim] Exim 4.90 released
I have uploaded Exim 4.90 to:
ftp://ftp.exim.org/pub/exim/exim4/

There were no changes since the RC4 almost a week ago. The release
has been rebuilt and re-signed by me.

Sha256 checksums:




New features since the 4.89 release:

 1. PKG_CONFIG_PATH can now be set in Local/Makefile;
    wildcards will be expanded, values are collapsed.


 2. The ${readsocket } expansion now takes an option to not shutdown the
    connection after sending the query string.


 3. An smtp transport option "hosts_noproxy_tls" to control whether multiple
    deliveries on a single TCP connection can maintain a TLS connection
    open. 


 4. A malware connection type for the FPSCAND protocol.

 5. An option for recipient verify callouts to hold the connection open for
    further recipients and for delivery.


 6. The reproducible build $SOURCE_DATE_EPOCH environment variable is now
    supported.


 7. Optionally, an alternate format for spool data-files which matches the
    wire format - meaning more efficient reception and transmission.


 8. New main configuration option "commandline_checks_require_admin" to
    restrict who can use various introspection options.


 9. New option modifier "no_check" for quota and quota_filecount
    appendfile transport.


10. Variable $smtp_command_history returning a list of recent SMTP commands.

11. Millisecond timestamps in logs, on log_selector "millisec".

12. TCP Fast Open logging.

13. DKIM support for multiple signing, by domain and/or key-selector.
    DKIM support for multiple hashes, and for alternate-identity tags.
    Builtin macro with default list of signed headers.
    Better syntax for specifying oversigning.
    The DKIM ACL can override verification status, and status is visible in
    the data ACL.


14. Exipick understands -C|--config for an alternative Exim
    configuration file.


15. TCP Fast Open used, with data-on-SYN, for client SMTP via SOCKS5 proxy,
    for ${readsocket } expansions, and for ClamAV.


16. The "-be" expansion test mode now supports macros.  Macros are expanded
    in test lines, and new macros can be defined.


17. Support for server-side dual-certificate-stacks (eg. RSA + ECDSA).




Bugfixes and other changes of note since the 4.89 release:

- Rework error string handling in TLS interface so that the caller in
      more cases is responsible for logging.  This permits library-sourced
      string to be attached to addresses during delivery, and collapses
      pairs of long lines into single ones.


- Allow PKG_CONFIG_PATH to be set in Local/Makefile and use it correctly
      during configuration.  Wildcards are allowed and expanded.


- Rework error string handling in DKIM to pass more info back to callers.
      This permits better logging.


- Rework the transport continued-connection mechanism: when TLS is active,
      do not close it down and have the child transport start it up again on
      the passed-on TCP connection.  Instead, proxy the child (and any
      subsequent ones) for TLS via a unix-domain socket channel.  Logging is
      affected: the continued delivery log lines do not have any DNSSEC, TLS
      Certificate or OCSP information.  TLS cipher information is still logged.


- Shorten the log line for daemon startup by collapsing adjacent sets of
      identical IP addresses on different listening ports.  Will also affect
      "exiwhat" output.


- Bug 2070: uClibc defines __GLIBC__ without providing glibc headers;
      add noisy ifdef guards to special-case this silliness.
      Patch from Bernd Kuhls.


- Tighten up the checking in isip4 (et al): dotted-quad components larger
      than 255 are no longer allowed.


- Default openssl_options to include +no_ticket, to reduce load on peers.
      Disable the session-cache too, which might reduce our load.  Since we
      currently use a new context for every connection, both as server and
      client, there is no benefit for these.
      GnuTLS appears to not support tickets server-side by default (we don't
      call gnutls_session_ticket_enable_server()) but client side is enabled
      by default on recent versions (3.1.3 +) unless the PFS priority string
      is used (3.2.4 +).


- Add $SOURCE_DATE_EPOCH support for reproducible builds, per spec at
      <https://reproducible-builds.org/specs/source-date-epoch/>.


- Fix smtp transport use of limited max_rcpt under mua_wrapper. Previously
      the check for any unsuccessful recipients did not notice the limit, and
      erroneously found still-pending ones.


- Pipeline CHUNKING command and data together, on kernels that support
      MSG_MORE.  Only in-clear (not on TLS connections).


- Avoid using a temporary file during transport using dkim.  Unless a
      transport-filter is involved we can buffer the headers in memory for
      creating the signature, and read the spool data file once for the
      signature and again for transmission.


- Enable use of sendfile in Linux builds as default.  It was disabled in
      4.77 as the kernel support then wasn't solid, having issues in 64bit
      mode.  Now, it's been long enough.  Add support for FreeBSD also.


- Bug 2104: Fix continued use of a transport connection with TLS.  In the
      case where the routing stage had gathered several addresses to send to
      a host before calling the transport for the first, we previously failed
      to close down TLS in the old transport process before passing the TCP
      connection to the new process.  The new one sent a STARTTLS command
      which naturally failed, giving a failed delivery and bloating the retry
      database.  Investigation and fix prototype from Wolfgang Breyha.


- Fix check on SMTP command input synchronisation.  Previously there were
      false-negatives in the check that the sender had not preempted a response
      or prompt from Exim (running as a server), due to that code's lack of
      awareness of the SMTP input buffering.


- Add commandline_checks_require_admin option.
      Exim drops privileges sanely, various checks such as -be aren't a
      security problem, as long as you trust local users with access to their
      own account.  When invoked by services which pass untrusted data to
      Exim, this might be an issue.  Set this option in main configuration
      AND make fixes to the calling application, such as using `--` to stop
      processing options.


- Do pipelining under TLS.  Previously, although safe, no advantage was
      taken.  Now take care to pack both (client) MAIL,RCPT,DATA, and (server)
      responses to those, into a single TLS record each way (this usually means
      a single packet).  As a side issue, smtp_enforce_sync now works on TLS
      connections.


- OpenSSL/1.1: use DH_bits() for more accurate DH param sizes.  This
      affects you only if you're dancing at the edge of the param size limits.
      If you are, and this message makes sense to you, then: raise the
      configured limit or use OpenSSL 1.1.  Nothing we can do for older
      versions.


- For the "sock" variant of the malware scanner interface, accept an empty
      cmdline element to get the documented default one.  Previously it was
      inaccessible.


- Fix a crash in the smtp transport caused when two hosts in succession
      are unusable for non-message-specific reasons - eg. connection timeout,
      banner-time rejection.


- Fix logging of delivery remote port, when specified by router, under
      callout/hold.


- Repair manualroute's ability to take options in any order, even if one
      is the name of a transport.
      Fixes bug 2140.


- Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)

- Change the list-building routines interface to use the expanding-string
      triplet model, for better allocation and copying behaviour.


- Prebuild the data-structure for "builtin" macros, for faster startup.
      Previously it was constructed the first time a possibly-matching string
      was met in the configuration file input during startup; now it is done
      during compilation.


- Bug 2141: Use the full-complex API for Berkeley DB rather than the
      legacy-compatible one, to avoid the (poorly documented) possibility of
      a config file in the working directory redirecting the DB files,
      possibly corrupting
      some existing file.  CVE-2017-10140 assigned for BDB.


- Bug 2147: Do not defer for a verify-with-callout-and-random which is not
      cache-hot.  Previously, although the result was properly cached, the
      initial verify call returned a defer.


- Bug 2151: Avoid using SIZE on the MAIL for a callout verify, on any but
      the main verify for recipient in uncached-mode.


- Retire historical build files to an "unsupported" subdir.  These are
      defined as "ones for which we have no current evidence of testing".


- DKIM: enforce the DNS pubkey record "h" permitted-hashes optional field,
      if present.  Previously it was ignored.


- Start using specified-initialisers in C structure init coding.  This is
      a C99 feature (it's 2017, so now considered safe).


- Use one-bit bitfields for flags in the "addr" data structure.  Previously
      it was a fixed-sized field and bitmask ops via macros; it is now more
      extensible.


- GitHub PR 56: Apply MariaDB build fix.
      Patch provided by Jaroslav Škarvada.


- Bug 2161: Fix regression in sieve quoted-printable handling introduced
      during Coverity cleanups [4.87 JH/47]
      Diagnosis and fix provided by Michael Fischer v. Mollard.


- Fix DKIM bug: when the pseudoheader generated for signing was exactly
      the right size to place the terminating semicolon on its own folded
      line, the header hash was calculated to an incorrect value thanks to
      the (relaxed) space the fold became.


- Fix Bug 2130: large writes from the transport subprocess were chunked
      and confused the parent.


- Fix SOCKS bug: an uninitialized pointer was deref'd by the transport process
      which could crash as a result.  This could lead to undeliverable messages.


- Logging: "next input sent too soon" now shows where input was truncated
      for log purposes.


- Fix queue_run_in_order to ignore the PID portion of the message ID.  This
      matters on fast-turnover and PID-randomising systems, which were getting
      out-of-order delivery.


- Fix a logging bug on aarch64: an unsafe routine was previously used for
      a possibly-overlapping copy.  The symptom was that "Remote host closed
      connection in response to HELO" was logged instead of the actual 4xx
      error for the HELO.


- Fix CHUNKING code to properly flush the unwanted chunk after an error.
      Previously only that buffered was discarded, resulting in SMTP command
      desynchronisation.


- DKIM: when a message has multiple signatures matching an identity given
      in dkim_verify_signers, run the dkim acl once for each.  Previously only
      one run was done.  Bug 2189.


- Downgrade an unfound-list name (usually a typo in the config file) from
      "panic the current process" to "deliberately defer".  The panic log is
      still written with the problem list name; the mail and reject logs now
      get a temp-reject line for the message that was being handled, saying
      something like "domains check lookup or other defer".  The SMTP 451
      message is still "Temporary local problem".


- Bug 2199: Fix a use-after-free while reading smtp input for header lines.
      A crafted sequence of BDAT commands could result in in-use memory being
      freed.  CVE-2017-16943.


- Bug 2201: Fix checking for leading-dot on a line during headers reading
      from SMTP input.  Previously it was always done; now only done for DATA
      and not BDAT commands.  CVE-2017-16944.


- Bug 2201: Flush received data in BDAT mode after detecting an error fatal
      to the message (such as an overlong header line).  Previously this was
      not done and we did not exit BDAT mode.  Follow-on from the previous item
      though a different problem.
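
The commandline_checks_require_admin item above advises fixing the calling application by using `--` to stop option processing. The following is an added example, not code from Exim or from this announcement: it builds the argv a service would pass to exec, in the naive and the hardened form. The install path, the function names and the simplified option-parsing model are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define EXIM_PATH "/usr/sbin/exim"   /* assumed install path */

/* Build an argv for exec'ing Exim with untrusted recipient values.
 * terminate == 0: naive form, recipients follow the options directly.
 * terminate == 1: hardened form, "--" ends option processing first.
 * Returns argc, or -1 if argv (cap slots, including NULL) is too small. */
static int build_argv(const char **rcpts, size_t n, int terminate,
                      const char **argv, size_t cap)
{
    size_t i = 0;
    if (n == 0 || n + 3 + (terminate ? 1 : 0) > cap) return -1;
    argv[i++] = EXIM_PATH;
    argv[i++] = "-i";
    if (terminate) argv[i++] = "--";
    for (size_t k = 0; k < n; k++) argv[i++] = rcpts[k];
    argv[i] = NULL;
    return (int)i;
}

/* Simplified parser model (an assumption, not Exim's code): options are
 * read until "--" or the first element that does not start with '-'.
 * Returns how many elements at index >= own, i.e. values the caller did
 * not choose itself, would be read as options. */
static int injected_options(const char **argv, int argc, int own)
{
    int hits = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--") == 0 || argv[i][0] != '-') break;
        if (i >= own) hits++;
    }
    return hits;
}

int main(void)
{
    const char *rcpts[] = { "-be", "user@example.org" }; /* constructed input */
    const char *argv[8];
    int n = build_argv(rcpts, 2, 0, argv, 8);
    printf("naive:    %d untrusted option(s)\n", injected_options(argv, n, 2));
    n = build_argv(rcpts, 2, 1, argv, 8);
    printf("hardened: %d untrusted option(s)\n", injected_options(argv, n, 3));
    return 0;
}
```
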
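
The DKIM item above says the "h" permitted-hashes field of the DNS pubkey record is now enforced when present. The following is an added example of such a check, not Exim's implementation: it looks up the h= tag in a key record and tests a hash name against the colon-separated list. The function names and the sample record are constructed for illustration, and the comparison is case-sensitive.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Find tag `name` in a "tag=value; tag=value" list.  Returns a pointer to
 * the trimmed value and stores its length; NULL if the tag is absent. */
static const char *tag_value(const char *rec, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *p = rec; *p; ) {
        while (*p == ';' || isspace((unsigned char)*p)) p++;
        const char *end = p + strcspn(p, ";");
        if (strncmp(p, name, nlen) == 0) {
            const char *q = p + nlen, *e = end;
            while (q < e && isspace((unsigned char)*q)) q++;
            if (q < e && *q == '=') {
                for (q++; q < e && isspace((unsigned char)*q); q++) ;
                while (e > q && isspace((unsigned char)e[-1])) e--;
                *len = (size_t)(e - q);
                return q;
            }
        }
        p = end;
    }
    return NULL;
}

/* 1 if `hash` may be used with this key record, 0 if the record's h= list
 * excludes it.  A record with no h= tag permits every hash algorithm. */
static int dkim_hash_permitted(const char *rec, const char *hash)
{
    size_t len, hlen = strlen(hash);
    const char *v = tag_value(rec, "h", &len);
    if (v == NULL) return 1;
    for (const char *end = v + len; v < end; ) {
        size_t tok = strcspn(v, ": \t\r\n;");
        if (tok == hlen && strncmp(v, hash, hlen) == 0) return 1;
        v += tok;
        while (v < end && (*v == ':' || isspace((unsigned char)*v))) v++;
    }
    return 0;
}

int main(void)
{
    const char *rec = "v=DKIM1; h=sha256; k=rsa; p=CONSTRUCTED"; /* constructed */
    printf("sha256: %d, sha1: %d\n", dkim_hash_permitted(rec, "sha256"),
           dkim_hash_permitted(rec, "sha1"));
    return 0;
}
```
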