Version 4.03
------------

 1. If there is a DNS timeout (or other temporary error) while looking up a
    host in a DNS list during RBL processing, Exim by default behaves as if
    the host is not in the list. This is the best behaviour for the common
    "deny" statements, to prevent the failure of a DNS name server from
    blocking all mail. It is now possible to change the behaviour by putting
    one of the following special items in the list:

      +include_unknown   behave as if the item is on the list
      +exclude_unknown   behave as if the item is not on the list (default)
      +defer_unknown     give a temporary error

    Each of these applies to any subsequent items on the list. For example:

      deny dnslists = +defer_unknown : foo.bar.example

 2. Exim now applies a timeout to calls of the local_scan() function, and
    there is an option called local_scan_timeout which sets it. The default
    is 5 minutes. Zero means "no timeout". If the timeout is exceeded, the
    incoming message is rejected with a temporary error if it is an SMTP
    message. For a non-SMTP message, the message is dropped and Exim ends
    with a non-zero code. The incident is logged on the main and reject logs.

 3. IPv6 addresses are now recognized as IP addresses, even when Exim is not
    compiled with IPv6 support. This means that if they appear in (for
    example) a host list on an IPv4-only host, Exim won't treat them as host
    names. They'll just be addresses that can never match an incoming
    address.

 4. There is now a command line option called -tls-on-connect, which is
    available when Exim is compiled with TLS support. It makes it possible
    to support legacy clients that do not support the STARTTLS command, but
    instead expect to start up a TLS session as soon as a connection to the
    server is established. These clients use a special port (usually called
    the "ssmtp" port) instead of the normal SMTP port 25.
    The -tls-on-connect option can be used to run Exim in this way from
    inetd, and it can also be used to run a special daemon that operates in
    this manner (use -oX to specify the port). However, although it is
    possible to run one daemon that listens on several ports, it is not
    possible to have some of them operate one way and some the other. With
    only a few clients that need the legacy support, a convenient approach
    is to use a daemon for normal SMTP (with or without STARTTLS) and inetd
    for the legacy clients.

 5. There is now support for authentication using the Cyrus pwcheck daemon.
    This is one way of making it possible for passwords to be checked by a
    process that is not running as root. Exim normally runs as "exim" when
    it is handling incoming SMTP connections, and it needs to check
    passwords when the AUTH command is used. When passwords are kept in
    "shadow" files for security purposes, non-root users such as exim
    cannot access them. Using the pwcheck daemon is one way of getting
    round this restriction.

    The pwcheck support is not included in Exim by default. You need to
    specify the location of the pwcheck daemon's socket in Local/Makefile
    before building Exim. For example:

      CYRUS_PWCHECK_SOCKET=/var/pwcheck/pwcheck

    You do not need to install the full Cyrus software suite in order to
    use the pwcheck daemon. You can compile and install just the daemon
    alone from the Cyrus SASL library. Ensure that "exim" is the only user
    that has access to the /var/pwcheck directory.

    Access to the daemon from Exim is implemented as a condition called
    "pwcheck" in a string expansion. It takes one argument, which must be
    the user name and password, separated by a colon. For example, in a
    LOGIN authenticator configuration, you might have this:

      server_condition = ${if pwcheck{$1:$2}{1}{0}}

 6. Header lines that are added from an ACL run at RCPT time are now
    visible to the ACL that is run at DATA time.
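A small model of the unknown-result handling described in item 1, added here as an example and not Exim's own code: constructed lookup outcomes stand in for real DNS queries, and the evaluator shows that a special item changes the policy only for the list names that follow it, so a `+defer_unknown` placed after a list still leaves that list failing open.

```python
from __future__ import annotations
from enum import Enum


class Lookup(Enum):
    """Outcome of querying one DNS list for a client address (constructed)."""
    LISTED = "listed"          # an A record came back: host is on the list
    NOT_LISTED = "not_listed"  # NXDOMAIN: host is not on the list
    TEMP_ERROR = "temp_error"  # timeout, SERVFAIL or similar temporary error


class Verdict(Enum):
    MATCH = "match"        # the dnslists condition is true, e.g. "deny" fires
    NO_MATCH = "no_match"  # condition is false, ACL processing continues
    DEFER = "defer"        # temporary error returned to the SMTP client


# What a temporary lookup error is treated as after each special item.
MODIFIERS = {
    "+include_unknown": Verdict.MATCH,
    "+exclude_unknown": Verdict.NO_MATCH,
    "+defer_unknown": Verdict.DEFER,
}


def evaluate(dnslists: str, lookups: dict[str, Lookup]) -> Verdict:
    """Walk a colon-separated dnslists value left to right.

    `lookups` maps each list name to its constructed query result; a name
    that is absent is treated as NOT_LISTED. A special item changes the
    unknown policy only for the items that follow it, which is why the
    modifier has to come before the lists it is meant to cover.
    """
    on_unknown = Verdict.NO_MATCH  # Exim default: +exclude_unknown
    for item in (s.strip() for s in dnslists.split(":")):
        if not item:
            continue
        if item in MODIFIERS:
            on_unknown = MODIFIERS[item]
            continue
        result = lookups.get(item, Lookup.NOT_LISTED)
        if result is Lookup.LISTED:
            return Verdict.MATCH
        if result is Lookup.TEMP_ERROR and on_unknown is not Verdict.NO_MATCH:
            return on_unknown  # MATCH (fail closed) or DEFER (retry later)
        # NOT_LISTED, or an excluded unknown: fall through to the next list
    return Verdict.NO_MATCH
```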