Exim version 4.14 ----------------- 1. Found another case where SIGCHLD is being ignored (a child process for handling a filter file) and so the wait() doesn't find the subprocess. This came to light as a result of extra logging introduced as part of the 4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default (i.e. to be noticed) for this particular subprocess. (It already has this code for other cases where it uses subprocesses.) 2. If ${run appeared in part of a conditional item that was being skipped, the actual running of the command was not being skipped. 3. A bit of code tidying (refactoring): there were two functions that built strings containing a host name and ident value for logging. There is now only one. It is called in some additional places where previously just the host name and address were given, so the wording of some log lines has changed slightly. 4. Added support for Unix domain socket connection to PostgreSQL. 5. The number of unknown SMTP commands that Exim will accept before dropping a connection can now be changed by smtp_max_unknown_commands. The default value is 3. Previously, a fixed value of 5 was used. The final command is now included in the log line. 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as assumed by the exicyclog script. I've implemented a "look for it" feature that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for the commands chown, chgrp, mv, and rm if configured, and turned on this feature for Linux. This should cope with old Linuxes that use /usr/bin. 7. Implemented .ifdef etc. 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while running local_scan(), so that crashes therein get caught. A temporary error response is sent for an SMTP message, and the spool is cleaned up. Previously, a -D file was left lying around if there was a crash in local_scan(). 9. The ${quote: operator has been changed so that it turns newline and carriage return characters into \n and \r, respectively. 10. Added support for crypt16(). 11. Some restrictions on the use of "verify" in ACLs were too restrictive, and have been relaxed. In particular, "verify = sender" is now permitted in the ACL for the MAIL command, as well as those for RCPT and DATA. 12. If local_scan() sets up recipient or errors_to addresses that are unqualified (local parts without a domain) Exim now qualifies them using the qualify_recipient domain. 13. White space at the start of continuation lines in -be input was not being ignored. 14. Previously, if a MySQL query was issued that did not request any data (an insert, update, or delete command), Exim gave a lookup error and deferred. This case is now recognized, and the result of the lookup is now the number of rows affected. 15. A configuration error is given if tls_try_verify_hosts is set and tls_verify_certificates is not set. (Exim already did this for tls_verify_hosts.) 16. Exim was trying to create a non-existent hints database even when it was just opening it for reading. It called the creating function with the O_RDONLY and O_CREAT flags. This works with many DB libraries, but it not with DB 1.85, where a subsequent attempt to use the database gave the error "Inappropriate file type or format". Exim now creates hints databases only when it wants to open them for writing. 17. If an ACL condition test set a default "message" value without a "log_message" value, and there were no overriding messages in the ACL itself, no message was logged. The user message is now logged. 18. If callout made a connection, but it was dropped before the initial welcome response was received, Exim logged "response to initial connection was" with no further text. It now logs that the connection was dropped. The wording of the logging for callout defers has been slightly changed so as to reduce duplication. 19. When multiple messages were sent using TLS over one connection, the additional required EHLO that follows STARTTLS was being counted as a nonmail command, and thus causing a problem if there were a lot of messages. Similarly, a new AUTH that followed STARTTLS was being counted. It is now possible to run with smtp_accept_max_nonmail set to zero in these and other "normal" circumstances. 20. During verify=sender, global rewriting rules are applied to the sender address, and if it changes, $sender_address becomes the rewritten version. Unfortunately, it was not getting updated until after the routers had been run, so that if a router referred to $sender_address while verifying a sender, the unrewritten value was used. 21. The "random address" callout test was being done after the other tests. This is silly, because if the host accepts all local parts, there isn't any point in doing the other, more specific, tests. I changed things around so that the "random" test (if configured) is done first. 22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the a postmaster address are rejected. Also include these words when a rejection happens because of caching (when there isn't an actual SMTP command/result to reflect). 23. A new router condition called "address_test" (default true) can be used to skip routers when testing addresses using -bt (compare no_verify). This can be a convenience when your first router sends stuff to an external scanner. 24. Testing for deliver_queue_load_max was happening inside the delivery sub-process, when it could have happened outside, in the queue runner (thus saving one process). This was a hangover from Exim 3, where there were other load tests to be done. The code has been tidied. 25. Code tidy: the driver_info generic structure contained a field that might, on 64-bit systems, not have been compatible with the fields in the structures of which it is supposed to be a subset. It turns out that this field and another are not actually used generically, so removing them from the structure solves the problem. 26. Added server_advertise_condition to authenticators. 27. The exim_checkaccess utility wasn't sending a HELO command; this matters now that it's possible to have an ACL that checks HELO/EHLO. 27. Added the ldap_version option to force a specific LDAP version. 28. Renamed the variable verify_address in exim.c as verify_address_mode, because it had the same name as the verify_address() function, which was confusing. 29. Added authenticated_sender to the smtp transport. 30. When the skip_syntax_errors option is applied to a filter file, it covers all filtering errors, some of which may not be strictly "syntax" (for example, failure to open a log file). The wording of the message has been changed to use "error" instead of "syntax error", to reduce confusion. Also the subject of the message sent by syntax_errors_to is now "error(s) in forwarding or filtering" instead of "syntax error(s) in address expansion". 31. Added -restore-times to the exim_lock utility. 32. Changes to the handling of the "phrase" parts of email addresses: (i) Re-organized the code to use a supplied instead of an implied buffer, and a length instead of expecting a terminated string. (ii) Changed from using the macro mac_isprint() to an explicit test for ASCII non-printing characters, because the macro pays attention to print_topbitchars, which is not correct here. (iii) If a rewritten address contained a "phrase" (whether or not the "w" flag was present on the rewrite rule), but the actual address was unqualified (had no domain) and was expected to be qualified by the "Q" flag, Exim screwed up and created an illegal address. (iv) When a header address is rewritten by a rule that includes the "w" flag, the parts of the address outside <> are now encoded according to RFC 2047 if necessary (assuming ISO-8859-1 encoding). 33. Added the ${rfc2047 and ${from_utf8 expansion operators. 34. The file names used for maildir deliveries have been changed, to accomodate operating systems that may re-use a PID within one second. The file name now include the microsecond time fraction, and the delivery process does not exit until the clock is at least one microsecond after the time used in the file name. The code copes with the clock going backwards (it waits till time catches up). 35. The rules for creating message ids have been changed to allow for the fact that a PID may be re-used within one second. As part of this change, the range of localhost_number has been reduced to 0-16 for most systems, and 0-10 for those with case-insensitive file systems (Cygwin, Darwin). 36. Code tidy: there was a local count of non-TCP/IP messages that duplicated the global receive_messagecount (used for accept_queue_per_connection). 37. verify = header_syntax was allowing unqualified addresses in all cases. Now it allows them only for locally generated messages and from hosts that match sender_unqualified_hosts or recipient_unqualified_hosts, respectively. 38. If PAM was called with an empty first string, it called the data function to get the user name, thereby getting the second string by mistake. If this was also null (empty passwords are permitted), there was an infinite loop. An empty user name is not now passed to PAM; authentication is forcibly failed instead. Also, if the end of the list of strings is reached, an empty string is passed back just once; a subequent call for data provokes an error response. 39. If a reverse DNS lookup yields an empty string, treat it as if the lookup failed. (Apparently such records have been seen. Sigh.) 40. Added the -bnq command line option to suppress automatic qualification of addresses in locally submitted messages. 41. Header texts supplied by options to the autoreply transport may now contain newlines that are followed by whitespace. (This was allowed from a filter, but not from the transport.) 42. Patch for < > problems in eximstats 1.23. 43. Re-arranged the code to make it easier in future to add additional filter types. 44. Added support for changing the connection timeout in LDAP; this is something that's available in Netscape SDK 4.1. Exim uses the given value if LDAP_X_OPT_CONNECT_TIMEOUT is defined. 45. When Exim was setting a daemon listener on multiple interfaces, including listening on "all IPv6" and "all IPv4" interfaces, it was binding all the sockets, and then calling listen() for each of them. On some IP stacks, a listen for "all IPv4" fails after listening for "all IPv6" because a single socket catches both kinds of call. Exim coped with this, but it turns out that on a USAGI-patched Linux, this logic doesn't work unless the "listen", as well as the "bind" has been done for the IPv6 socket first. The order of the functions has now been changed. Instead of "bind, bind ... listen, listen..." it now does "bind, listen, bind, listen, ...". Also, the failure happens in the bind() rather than in the listen(), so there are now two checks, which hopefully will handle all kinds of IP stack. 46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in principle, have the same link-local addresses on different interfaces. Thus, they need to be distinguished, and a convention of using a percent sign followed by something (often the interface name) is being used, for example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made to accommodate this: (a) A percent sign followed by an arbitrary string is allowed at the end of an IPv6 address. (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual IPv6 address for actual use. This function recognizes the percent convention in some operating systems. 47. Additional debugging inserted for the case of forced failure when expanding an item in a list. 48. A new debugging selector +expand has been added. This is not included in the default set of selectors. It requests detailed debugging information for string expansions. 49. Failure to open the main log results in a panic-die, but the original line that was being logged could be lost. It is now output to stderr if there is a stderr file. 50. When Exim starts, it checks for the existence of its spool directory, and creates it if necessary. Unfortunately, it was doing this after the code for logging arguments. Thus, if the spool did not exist, trouble ensued. 51. The log line for an ACL warning after a sender verify callout failure was not showing the details, unlike the log line for a deny. They are now shown in a similar way. 52. For reasons lost in the mists of time, when a pipe transport was run, the environment variable MESSAGE_ID was set to the message ID preceded by 'E' (the form used in Message-ID: header lines). The 'E' has been removed. 53. Updated the QNX configuration files for QNX 6.2.0. 54. The "*@" type partial matching for single-key lookups was broken in releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't going on to look for "*". 55. Included eximstats 1.25 in the source tree. 56. Changed log wording from "Authentication failed" to " authenticator failed", where is the name of the authenticator. 57. gcc 3.2.2 warned about a selection of places where string casts were needed. 58. Exim monitor: the use of one_time redirection could cause addresses to be displayed with incorrect "parent" addresses after the one_time re-arrangement had taken place. They should be shown with no parents, because the parentage has been removed. 59. Arranged to keep independent timestamps for postmaster and random checks in callouts, and not to do unnecessary tests for postmaster when testing individual addresses. 60. Incorporated PCRE release 4.0. 61. Added ${hex2b64: operator. 62. Added $tod_zulu. 63. Added ${strlen: operator. 64. Added ${stat: operator. 65. When Exim is receiving multiple messages on a single connection, and spinning off delivery processess, it sets the SIGCHLD signal handling to SIG_IGN, because it doesn't want to wait for these processes. However, because on some OS this didn't work, it also has a paranoid call to waitpid() in the loop to reap any children that have finished. Some versions of Linux now complain (to the system log) about this "illogical" call to waitpid(). I have therefore put it inside a conditional compilation, and arranged for it to be omitted for Linux. 66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use during ACL processing. 67. Added "defer" command to system filter. 68. X options such as -bg or -geometry that were added to an eximon command were being lost as a result of a bug introduced by 4.12/6. 69. The "more" and "unseen" generic router options can now be expanded strings. 70. The "once_repeat" option in the autoreply tranport is now an expanded string. 71. If maildir_format is set on an appendfile transport that is referenced from an file_transport setting in a redirect router, it forces maildir delivery, even if the path given in the filter does not end with '/'. 72. Fixed three bugs in ${readsocket: (i) If the operation failed, and a failure string was given, "}}" was erroroneously added to it. (ii) If the operation succeeded, but a failure string was present, "}" was added to the expanded data. (iii) The alarm for the timeout was set with signal() instead of with os_non_restarting_signal(), which meant that it only worked on those OS whose default is not to restart an interrupted system call. 73. A complete host name (no wildcards) in a host list causes a forward lookup for the IP address. If this failed, Exim was behaving as if the host didn't match the list, instead of giving an error (as it does when a reverse lookup fails). 74. If router_home_directory was passed on as a home directory for a local transport, it was being re-expanded in the transport. This has been changed so that the expanded value is passed from the router to the transport, and no re-expansion takes place. 75. When a redirect router generated a pipe, file, or autoreply, the values of $domain_data and $localpart_data were not being propagated to the transport. 76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in local_scan.h so that they are available to local_scan() functions. 77. Changes to the SMTP PIPELINING support: (1) Exim used always to accept pipelined commands, even when it hadn't advertised PIPELINING (i.e. when EHLO had not been received). Now it objects unless PIPELINING has been advertised. (2) Advertising PIPELINING to specific hosts can be disabled via the new option pipelining_advertise_hosts. 78. The acl_smtp_connect ACL was not being run for -bs input when no IP address was supplied via -oMa. 79. A "mail" command in a filter could cause a crash if the list of recipients for the "to:" line was excessively long - this showed up in a reply to a message with a ridiculously long Reply_to: header line. 80. Added allow_utf8_domains. 81. Added $rh_ and $rheader for "raw" header expansion. 82. Added smtp_accept_max_nonmail_hosts. 83. Extended ${stat (see 64 above) to add smode=symbolic mode. 84. Added default logging for host and IP lookup failures, with a log selector called host_lookup_failed to turn it off. 85. Added header_maxsize and header_line_maxsize. 86. If a RCPT ACL made use of "verify = sender" without callout, followed by another use with callout, and the callout failed, the caching was broken such that for a subsequent RCPT command, the first callout failed incorrectly. The caching of sender verification has been fixed so that it now remembers that the routing succeeded even when the callout fails. 87. Added errno and strerror(errno) to the log line for a failure to lock the -D file when receiving a message. 88. If router with check_local_user set up a local delivery, and no user was specified on the transport, and errors_to on the router specified an address whose verification also invoked check_local_user, the wrong uid/gid was used for the transport. It used the uid/gid of the errors_to address instead of the uid/gid of the original local part. 89. If log_file_path=:syslog was set, to use the default log path and also syslog, and check_log_space was also set, Exim was confused, and refused to accept messages, giving the error "cannot find slash in ". 90. If a router stripped a prefix or a suffix from a local part, and then routed that address to an smtp or lmtp transport, the address that was sent in the RCPT command did not have the affixes stripped. 91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT command did not preserve the case of the envelope address, as it is supposed to. ****