- update to 4.80
  - Bugzilla 949 - Documentation tweak.
  - Bugzilla 1093 - eximstats DATA reject detection regexps improved.
  - Bugzilla 1169 - primary_hostname spelling was incorrect in docs.
  - Implemented gsasl authenticator.
  - Implemented heimdal_gssapi authenticator with "server_keytab" option.
  - Local/Makefile support for (AUTH|LOOKUP)_*_PC=foo to use
    `pkg-config foo` for cflags/libs.
  - Swapped $auth1/$auth2 for gsasl GSSAPI mechanism, to be more consistent
    with rest of GSASL and with heimdal_gssapi.
  - Local/Makefile support for USE_(GNUTLS|OPENSSL)_PC=foo to use
    `pkg-config foo` for cflags/libs for the TLS implementation.
  - New expansion variable $tls_bits; Cyrus SASL server connection
    properties get this fed in as external SSF.  A number of robustness
    and debugging improvements to the cyrus_sasl authenticator.
  - cyrus_sasl server now expands the server_realm option.
  - Bugzilla 1214 - Log authentication information in reject log.
  - Added dbmjz lookup type.
  - Let heimdal_gssapi authenticator take a SASL message without an authzid.
  - MAIL args handles TAB as well as SP, for better interop with
    non-compliant senders.
  - Bugzilla 1237 - fix cases where printf format usage not indicated.
  - tls_peerdn now print-escaped for spool files.
    Observed some $tls_peerdn in wild which contained \n, which resulted
    in spool file corruption.
  - TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options"
    values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read
    or write after TLS renegotiation, which otherwise led to messages
    "Got SSL error 2".
  - Bugzilla 1239 - fix DKIM verification when signature was not inserted
    as a tracking header (ie: a signed header comes before the signature).
  - Bugzilla 660 - Multi-valued attributes from ldap now parseable as a
    comma-sep list; embedded commas doubled.
  - Refactored ACL "verify =" logic to table-driven dispatch.
  - LDAP: Check for errors of TLS initialisation, to give correct diagnostics.
  - Removed "dont_insert_empty_fragments" fron "openssl_options".
    Removed SSL_clear() after SSL_new() which led to protocol negotiation
    failures.  We appear to now support TLS1.1+ with Exim.
  - OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
    lets Exim select keys and certificates based upon TLS SNI from client.
    Also option tls_sni on SMTP Transports.  Also clear $tls_bits correctly
    before an outbound SMTP session.  New log_selector, +tls_sni.
  - Bugzilla 1122 - check localhost_number expansion for failure, avoid
    NULL dereference.
  - Revert part of NM/04, it broke log_path containing %D expansions.
    Left warnings.  Added "eximon gdb" invocation mode.
  - Defaulting "accept_8bitmime" to true, not false.
  - Added -bw for inetd wait mode support.
  - Added PCRE_CONFIG=yes support to Makefile for using pcre-config to
    locate the relevant includes and libraries.  Made this the default.
  - Fixed headers_only on smtp transports (was not sending trailing dot).
    Bugzilla 1246, report and most of solution from Tomasz Kusy.
  - ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m").
    This may cause build issues on older platforms.
  - Revamped GnuTLS support, passing tls_require_ciphers to
    gnutls_priority_init, ignoring Exim options gnutls_require_kx,
    gnutls_require_mac & gnutls_require_protocols (no longer supported).
    Added SNI support via GnuTLS too.
    Made ${randint:..} supplier available, if using not-too-old GnuTLS.
  - Added EXPERIMENTAL_OCSP for OpenSSL.
  - Applied dnsdb SPF support patch from Janne Snabb.
    Applied second patch from Janne, implementing suggestion to default
    multiple-strings-in-record handling to match SPF spec.
  - Added expansion variable $tod_epoch_l for a higher-precision time.
  - Fix DCC dcc_header content corruption (stack memory referenced,
    read-only, out of scope).
    Patch from Wolfgang Breyha, report from Stuart Northfield.
  - Fix three issues highlighted by clang analyser static analysis.
    Only crash-plausible issue would require the Cambridge-specific
    iplookup router and a misconfiguration.
    Report from Marcin Mirosław.
  - Another attempt to deal with PCRE_PRERELEASE, this one less buggy.
  - %D in printf continues to cause issues (-Wformat=security), so for
    now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS.
    As part of this, removing so much warning spew let me fix some minor
    real issues in debug logging.
  - GnuTLS was always using default tls_require_ciphers, due to a missing
    assignment on my part.  Fixed.
  - Added tls_dh_max_bits option, defaulting to current hard-coded limit
    of NSS, for GnuTLS/NSS interop.
  - Validate tls_require_ciphers on startup, since debugging an invalid
    string otherwise requires a connection and a bunch more work and it's
    relatively easy to get wrong.  Should also expose TLS library linkage
    problems.
  - Pull in <features.h> on Linux, for some portability edge-cases of
    64-bit ${eval} (JH/03).
  - Define _GNU_SOURCE in exim.h; it's needed for some releases of
    protection layer was required, which is not implemented.  Bugzilla 1254
  - Overhaul DH prime handling, supply RFC-specified DH primes as built
    into Exim, default to IKE id 23 from RFC 5114 (2048 bit).  Make
    tls_dhparam take prime identifiers.  Also unbreak combination of
    OpenSSL+DH_params+TLSSNI.
  - Disable SSLv2 by default in OpenSSL support.

• Files Changed
• Browse Source