Change log file for Exim from version 3.951
-------------------------------------------


Exim version 4.41
-----------------

 1. A reorganization of the code in order to implement 4.40/8 caused a daemon
    crash if the getsockname() call failed; this can happen if a connection is 
    closed very soon after it is established. The problem was simply in the 
    order in which certain operations were done, causing Exim to try to write 
    to the SMTP stream before it had set up the file descriptor. The bug has
    been fixed by making things happen in the correct order.


Exim version 4.40
-----------------

 1. If "drop" was used in a DATA ACL, the SMTP output buffer was not flushed
    before the connection was closed, thus losing the rejection response.

 2. Commented out the definition of SOCKLEN_T in os.h-SunOS5. It is needed for
    some early Solaris releases, but causes trouble in current releases where
    socklen_t is defined.

 3. When std{in,out,err} are closed, re-open them to /dev/null so that they
    always exist.

 4. Minor refactoring of os.c-Linux to avoid compiler warning when IPv6 is not
    configured.

 5. Refactoring in expand.c to improve memory usage. Pre-allocate a block so
    that releasing the top of it at the end releases what was used for sub-
    expansions (unless the block got too big). However, discard this block if
    the first thing is a variable or header, so that we can use its block when
    it is dynamic (useful for very large $message_headers, for example).

 6. Lookups now cache *every* query, not just the most recent. A new, separate
    store pool is used for this. It can be recovered when all lookup caches are
    flushed. Lookups now release memory at the end of their result strings.
    This has involved some general refactoring of the lookup sources.

 7. Some code has been added to the store_xxx() functions to reduce the amount
    of flapping under certain conditions.

 8. log_incoming_interface used to affect only the <= reception log lines. Now
    it causes the local interface and port to be added to several more SMTP log
    lines, for example "SMTP connection from", and rejection lines.

 9. The Sieve author supplied some patches for the doc/README.SIEVE file.

10. Added a conditional definition of _BSD_SOCKLEN_T to os.h-Darwin.

11. If $host_data was set by virtue of a hosts lookup in an ACL, its value
    could be overwritten at the end of the current message (or the start of a
    new message if it was set in a HELO ACL). The value is now preserved for
    the duration of the SMTP connection.

12. If a transport had a headers_rewrite setting, and a matching header line
    contained an unqualified address, that address was qualified, even if it
    did not match any rewriting rules. The underlying bug was that the values
    of the flags that permit the existence of unqualified sender and recipient
    addresses in header lines (set by {sender,recipient}_unqualified_hosts for
    non-local messages, and by -bnq for local messages) were not being
    preserved with the message after it was received.

13. When Exim was logging an SMTP synchronization error, it could sometimes log
    "next input=" as part of the text comprising the host identity instead of
    the correct text. The code was using the same buffer for two different
    strings. However, depending on which order the printing function evaluated
    its arguments, the bug did not always show up. Under Linux, for example, my
    test suite worked just fine.

14. Exigrep contained a use of Perl's "our" scoping after change 4.31/70. This
    doesn't work with some older versions of Perl. It has been changed to "my",
    which in any case is probably the better facility to use.

15. A really picky compiler found some instances of statements for creating
    error messages that either had too many or two few arguments for the format
    string.

16. The size of the buffer for calls to the DNS resolver has been increased
    from 1024 to 2048. A larger buffer is needed when performing PTR lookups
    for addresses that have a lot of PTR records. This alleviates a problem; it
    does not fully solve it.

17. A dnsdb lookup for PTR records that receives more data than will fit in the
    buffer now truncates the list and logs the incident, which is the same
    action as happens when Exim is looking up a host name and its aliases.
    Previously in this situation something unpredictable would happen;
    sometimes it was "internal error: store_reset failed".

18. If a server dropped the connection unexpectedly when an Exim client was
    using GnuTLS and trying to read a response, the client delivery process
    crashed while trying to generate an error log message.

19. If a "warn" verb in an ACL added multiple headers to a message in a single
    string, for example:

      warn message = H1: something\nH2: something

    the text was added as a single header line from Exim's point of view
    though it ended up OK in the delivered message. However, searching for the
    second and subsequent header lines using $h_h2: did not work. This has been
    fixed. Similarly, if a system filter added multiple headers in this way,
    the routers could not see them.

20. Expanded the error message when iplsearch is called with an invalid key to
    suggest using net-iplsearch in a host list.

21. When running tests using -bh, any delays imposed by "delay" modifiers in
    ACLs are no longer actually imposed (and a message to that effect is
    output).

22. If a "gecos" field in a passwd entry contained escaped characters, in
    particular, if it contained a \" sequence, Exim got it wrong when building
    a From: or a Sender: header from that name. A second bug also caused
    incorrect handling when an unquoted " was present following a character
    that needed quoting.

23. "{crypt}" as a password encryption mechanism for a "crypteq" expansion item
    was not being matched caselessly.

24. Arranged for all hyphens in the exim.8 source to be escaped with
    backslashes.

25. Change 16 of 4.32, which reversed 71 or 4.31 didn't quite do the job
    properly. Recipient callout cache records were still being keyed to include
    the sender, even when use_sender was set false. This led to far more
    callouts that were necessary. The sender is no longer included in the key
    when use_sender is false.

26. Added "control = submission" modifier to ACLs.

27. Added the ${base62d: operator to decode base 62 numbers.

28. dnsdb lookups can now access SRV records.

29. CONFIGURE_OWNER can be set at build time to define an alternative owner for
    the configuration file.

30. The debug message "delivering xxxxxx-xxxxxx-xx" is now output in verbose
    (-v) mode. This makes the output for a verbose queue run more intelligible.

31. Added a use_postmaster feature to recipient callouts.

32. Added the $body_zerocount variable, containing the number of binary zero
    bytes in the message body.

33. The time of last modification of the "new" subdirectory is now used as the
    "mailbox time last read" when there is a quota error for a maildir
    delivery.

34. Added string comparison operators lt, lti, le, lei, gt, gti, ge, gei.

35. Added +ignore_unknown as a special item in host lists.

36. Code for decoding IPv6 addresses in host lists is now included, even if
    IPv6 support is not being compiled. This fixes a bug in which an IPv6
    address was recognized as an IP address, but was then not correctly decoded
    into binary, causing unexpected and incorrect effects when compared with
    another IP address.


Exim version 4.34
-----------------

 1. Very minor rewording of debugging text in manualroute to say "list of
    hosts" instead of "hostlist".

 2. If verify=header_syntax was set, and a header line with an unqualified
    address (no domain) and a large number of spaces between the end of the
    name and the colon was received, the reception process suffered a buffer
    overflow, and (when I tested it) crashed. This was caused by some obsolete
    code that should have been removed. The fix is to remove it!

 3. When running in the test harness, delay a bit after writing a bounce
    message to get a bit more predictability in the log output.

 4. Added a call to search_tidyup() just before forking a reception process. In
    theory, someone could use a lookup in the expansion of smtp_accept_max_
    per_host which, without the tidyup, could leave open a database connection.

 5. Added the variables $recipient_data and $sender_data which get set from a
    lookup success in an ACL "recipients" or "senders" condition, or a router
    "senders" option, similar to $domain_data and $local_part_data.

 6. Moved the writing of debug_print from before to after the "senders" test
    for routers.

 7. Change 4.31/66 (moving the time when the Received: is generated) caused
    problems for message scanning, either using a data ACL, or using
    local_scan() because the Received: header was not generated till after they
    were called (in order to set the time as the time of reception completion).
    I have revised the way this works. The header is now generated after the
    body is received, but before the ACL or local_scan() are called. After they
    are run, the timestamp in the header is updated.


Exim version 4.33
-----------------

 1. Change 4.24/6 introduced a bug because the SIGALRM handler was disabled
    before starting a queue runner without re-exec. This happened only when
    deliver_drop_privilege was set or when the Exim user was set to root. The
    effect of the bug was that timeouts during subsequent deliveries caused
    crashes instead of being properly handled. The handler is now left at its
    default (and expected) setting.

 2. The other case in which a daemon avoids a re-exec is to deliver an incoming
    message, again when deliver_drop_privilege is set or Exim is run as root.
    The bug described in (1) was not present in this case, but the tidying up
    of the other signals was missing. I have made the two cases consistent.

 3. The ignore_target_hosts setting on a manualroute router was being ignored
    for hosts that were looked up using the /MX notation.

 4. Added /ignore=<ip list> feature to @mx_any, @mx_primary, and @mx_secondary
    in domain lists.

 5. Change 4.31/55 was buggy, and broke when there was a rewriting rule that
    operated on the sender address. After changing the $sender_address to <>
    for the sender address verify, Exim was re-instated it as the original
    (before rewriting) address, but remembering that it had rewritten it, so it
    wasn't rewriting it again. This bug also had the effect of breaking the
    sender address verification caching when the sender address was rewritten.

 6. The ignore_target_hosts option was being ignored by the ipliteral router.
    This has been changed so that if the ip literal address matches
    ignore_target_hosts, the router declines.

 7. Added expansion conditions match_domain, match_address, and match_local_
    part (NOT match_host).

 8. The placeholder for the Received: header didn't have a length field set.

 9. Added code to Exim itself and to exim_lock to test for a specific race
    condition that could lead to file corruption when using MBX delivery. The
    issue is with the lockfile that is created in /tmp. If this file is removed
    after a process has opened it but before that process has acquired a lock,
    there is the potential for a second process to recreate the file and also
    acquire a lock. This could lead to two Exim processes writing to the file
    at the same time. The added code performs the same test as UW imapd; it
    checks after acquiring the lock that its file descriptor still refers to
    the same named file.

10. The buffer for building added header lines was of fixed size, 8192 bytes.
    It is now parameterized by HEADER_ADD_BUFFER_SIZE and this can be adjusted
    when Exim is built.

11. Added the smtp_active_hostname option. If used, this will typically be made
    to depend on the incoming interface address. Because $interface_address is
    not set up until the daemon has forked a reception process, error responses
    that can happen earlier (such as "too many connections") no longer contain
    a host name.

12. If an expansion in a condition on a "warn" statement fails because a lookup
    defers, the "warn" statement is abandoned, and the next ACL statement is
    processed. Previously this caused the whole ACL to be aborted.

13. Added the iplsearch lookup type.

14. Added ident_timeout as a log selector.

15. Added tls_certificate_verified as a log selector.

16. Added a global option tls_require_ciphers (compare the smtp transport
    option of the same name). This controls incoming TLS connections.

17. I finally figured out how to make tls_require_ciphers do a similar thing
    in GNUtls to what it does in OpenSSL, that is, set up an appropriate list
    before starting the TLS session.

18. Tabs are now shown as \t in -bP output.

19. If the log selector return_path_on_delivery was set, Exim crashed when
    bouncing a message because it had too many Received: header lines.

20. If two routers both had headers_remove settings, and the first one included
    a superfluous trailing colon, the final name in the first list and the
    first name in the second list were incorrectly joined into one item (with a
    colon in the middle).


Exim version 4.32
-----------------

 1. Added -C and -D options to the exinext utility, mainly to make it easier
    to include in the automated testing, but these could be helpful when
    multiple configurations are in use.

 2. The exinext utility was not formatting the output nicely when there was
    an alternate port involved in the retry record key, nor when there was a
    message id as well (for retries that were specific to a specific message
    and a specific host). It was also confused by IPv6 addresses, because of
    the additional colons they contain. I have fixed the IPv4 problem, and
    patched it up to do a reasonable job for IPv6.

 3. When there is an error after a MAIL, RCPT, or DATA SMTP command during
    delivery, the log line now contains "pipelined" if PIPELINING was used.

 4. An SMTP transport process used to panic and die if the bind() call to set
    an explicit outgoing interface failed. This has been changed; it is now
    treated in the same way as a connect() failure.

 5. A reference to $sender_host_name in the part of a conditional expansion
    that was being skipped was still causing a DNS lookup. This no longer
    occurs.

 6. The def: expansion condition was not recognizing references to header lines
    that used bh_ and bheader_.

 7. Added the _cache feature to named lists.

 8. The code for checking quota_filecount in the appendfile transport was
    allowing one more file than it should have been.

 9. For compatibility with Sendmail, the command line option

      -prval:sval

    is equivalent to

      -oMr rval -oMs sval

    and sets the incoming protocol and host name (for trusted callers). The
    host name and its colon can be omitted when only the protocol is to be set.
    Note the Exim already has two private options, -pd and -ps, that refer to
    embedded Perl. It is therefore impossible to set a protocol value of "d" or
    "s", but I don't think that's a major issue.

10. A number of refactoring changes to the code, none of which should affect
    Exim's behaviour:

    (a) The number of logging options was getting close to filling up the
    32-bit word that was used as a bit map. I have split them into two classes:
    those that are passed in the argument to log_write(), and those that are
    only ever tested independently outside of that function. These are now in
    separate 32-bit words, so there is plenty of room for expansion again.
    There is no change in the user interface or the logging behaviour.

    (b) When building, for example, log lines, the code previously used a
    macro that called string_cat() twice, in order to add two strings. This is
    not really sufficiently general. Furthermore, there was one instance where
    it was actually wrong because one of the argument was used twice, and in
    one call a function was used. (As it happened, calling the function twice
    did not affect the overall behaviour.) The macro has been replaced by a
    function that can join an arbitrary number of extra strings onto a growing
    string.

    (c) The code for expansion conditions now uses a table and a binary chop
    instead of a serial search (which was left over from when there were very
    few conditions). Also, it now recognizes conditions like "pam" even when
    the relevant support is not compiled in: a suitably worded error message is
    given if an attempt is made to use such a condition.

11. Added ${time_interval:xxxxx}.

12. A bug was causing one of the ddress fields not to be passed back correctly
    from remote delivery subprocesses. The field in question was not being
    subsequently used, so this caused to problems in practice.

13. Added new log selectors queue_time and deliver_time.

14. Might have fixed a bug in maildirsizefile handling that threw up
    "unexpected character" debug warnings, and recalculated the data
    unnecessarily. In any case, I expanded the warning message to give more
    information.

15. Added the message "Restricted characters in address" to the statements in
    the default ACL that block characters like @ and % in local parts.

16. Change 71 for release 4.31 proved to be much less benign that I imagined.
    Three changes have been made:

    (a) There was a serious bug; a negative response to MAIL caused the whole
        recipient domain to be cached as invalid, thereby blocking all messages
        to all local parts at the same domain, from all senders. This bug has
        been fixed. The domain is no longer cached after a negative response to
        MAIL if the sender used is not empty.

    (b) The default behaviour of using MAIL FROM:<> for recipient callouts has
        been restored.

    (c) A new callout option, "use_sender" has been added for people who want
        the modified behaviour.


Exim version 4.31
-----------------

 1. Removed "EXTRALIBS=-lwrap" from OS/Makefile-Unixware7 on the advice of
    Larry Rosenman.

 2. Removed "LIBS = -lresolv" from OS/Makefile-Darwin as it is not needed, and
    indeed breaks things for older releases.

 3. Added additional logging to the case where there is a problem reading data
    from a filter that is running in a subprocess using a pipe, in order to
    try to track down a specific problem.

 4. Testing facility fudge: when running in the test harness and attempting
    to connect to 10.x.x.x (expecting a connection timeout) I'm now sometimes
    getting "No route to host". Convert this to a timeout.

 5. Define ICONV_ARG2_TYPE as "char **" for Unixware7 to avoid compiler
    warning.

 6. Some OS don't have socklen_t but use size_t instead. This affects the
    fifth argument of getsockopt() amongst other things. This is now
    configurable by a macro called SOCKLEN_T which defaults to socklen_t, but
    can be set for individual OS. I have set it for SunOS5, OSF1, and
    Unixware7. Current versions of SunOS5 (aka Solaris) do have socklen_t, but
    some earlier ones do not.

 7. Change 4.30/15 was not doing the test caselessly.

 8. The standard form for an IPv6 address literal was being rejected by address
    parsing in, for example, MAIL and RCPT commands. An example of this kind of
    address is [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts
    this, as well as the form without the "IPv6" on the front (but only when
    address literals are enabled, of course).

 9. Added some casts to avoid compiler warnings in OS/os.c-Linux.

10. Exim crashed if a message with an empty sender address specified by -f
    encountered a router with an errors_to setting. This could be provoked only
    by a command such as

      exim -f "" ...

    where an empty string was supplied; "<>" did not hit this bug.

11. Installed PCRE release 4.5.

12. If EHLO/HELO was rejected by an ACL, the value of $sender_helo_name
    remained set. It is now erased.

13. exiqgrep wasn't working on MacOS X because it didn't correctly compute
    times from message ids (which are base 36 rather than the normal 62).

14. "Expected" SMTP protocol errors that can arise when PIPELINING is in use
    were being counted as actual protocol errors, and logged if the log
    selector +smtp_protocol_error was set. One cannot be perfect in this test,
    but now, if PIPELINING has been advertised, RCPT following a rejected MAIL,
    and DATA following a set of rejected RCPTs do not count as protocol errors.
    In other words, Exim assumes they were pipelined, though this may not
    actually be the case. Of course, in all cases the client gets an
    appropriate error code.

15. If a lookup fails in an ACL condition, a message about the failure may
    be available; it is used if testing the ACL cannot continue, because most
    such messages specify what the cause of the deferral is. However, some
    messages (e.g. "MYSQL: no data found") do not cause a defer. There was bug
    that caused an old message to be retained and used if a later statement
    caused a defer, replacing the real cause of the deferral.

16. If an IP address had so many PTR records that the DNS lookup buffer
    was not large enough to hold them, Exim could crash while trying to process
    the truncated data. It now detects and logs this case.

17. Further to 4.21/58, another change has been made: if (and only if) the
    first line of a message (the first header line) ends with CRLF, a bare LF
    in a subsequent header line has a space inserted after it, so as not to
    terminate the header.

18. Refactoring: tidied an ugly bit of code in appendfile that copied data
    unnecessarily, used atoi() instead of strtol(), and didn't check the
    termination when getting file sizes from file names by regex.

19. Completely re-implemented the support for maildirsize files, in the light
    of a number of problems with the previous contributed implementation
    (4.30/29). In particular:

    . If the quota is zero, the maildirsize file is maintained, but no quota is
      imposed.

    . If the maildir directory does not exist, it is created before any attempt
      to write a maildirsize file.

    . The quota value in the file is just a cache; if the quota is changed in
      the transport, the new value overrides.

    . A regular expression is available for excluding directories from the
      count.

20. The autoreply transport checks the characters in options that define the
    message's headers; it allows continued headers, but it was checking with
    isspace() after an embedded newline instead of explicitly looking for a
    space or a tab.

21. If all the "regular" hosts to which an address was routed had passed their
    expiry times, and had not reached their retry times, the address was
    bounced, even if fallback hosts were defined. Now Exim should go on to try
    the fallback hosts.

22. Increased buffer sizes in the callout code from 1024 to 4096 to match the
    equivalent code in the SMTP transport. Some hosts send humungous responses
    to HELO/EHLO, more than 1024 it seems.

23. Refactoring: code in filter.c used (void *) for "any old type" but this
    gives compiler warnings in some environments. I've now done it "properly",
    using a union.

24. The replacement for inet_ntoa() that is used with gcc on IRIX systems
    (because of problems with the built-in one) was declared to return uschar *
    instead of char *, causing compiler failure.

25. Fixed a file descriptor leak when processing alias/forward files.

26. Fixed a minor format string issue in dbfn.c.

27. Typo in exim.c: ("dmbnz" for "dbmnz").

28. If a filter file refered to $h_xxx or $message_headers, and the headers
    contained RFC 2047 "words", Exim's memory could, under certain conditions,
    become corrupted.

29. When a sender address is verified, it is cached, to save repeating the test
    when there is more than one recipient in a message. However, when the
    verification involves a callout, it is possible for different callout
    options to be set for different recipients. It is too complicated to keep
    track of this in the cache, so now Exim always runs a verification when a
    callout is required, relying on the callout cache for the optimization.
    The overhead is duplication of the address routing, but this should not be
    too great.

30. Fixed a bug in callout caching. If a RCPT command caused the sender address
    to be verified with callout=postmaster, and the main callout worked but the
    postmaster check failed, the verification correctly failed. However, if a
    subsequent RCPT command asked for sender verification *without* the
    postmaster check, incorrect caching caused this verification also to fail,
    incorrectly.

31. Exim caches DNS lookup failures so as to avoid multiple timeouts; however,
    it was not caching the DNS options (qualify_single, search_parents) that
    were used when the lookup failed. A subsequent lookup with different
    options therefore always gave the same answer, though there were cases
    where it should not have. (Example: a "domains = !$mx_any" option on a
    dnslookup router: the "domains" option is always processed without any
    widening, but the router might have qualify_single set.) Now Exim uses the
    cached value only when the same options are set.

32. Added John Jetmore's "exipick" utility to the distribution.

33. GnuTLS: When an attempt to start a TLS session fails for any reason other
    than a timeout (e.g. a certificate is required, and is not provided), an
    Exim server now closes the connection immediately. Previously it waited for
    the client to close - but if the client is SSL, it seems that they each
    wait for each other, leading to a delay before one of them times out.

34: GnuTLS: Updated the code to use the new GnuTLS 1.0.0 API. I have not
    maintained 0.8.x compatibility because I don't think many are using it, and
    it is clearly obsolete.

35. Added TLS support for CRLs: a tls_crl global option and one for the smtp
    transport.

36. OpenSSL: $tls_certificate_verified was being set to 1 even if the
    client certificate was expired. A simple patch fixes this, though I don't
    understand the full logic of why the verify callback is called multiple
    times.

37. OpenSSL: a patch from Robert Roselius: "Enable client-bug workaround.
    Versions of OpenSSL as of 0.9.6d include a 'CBC countermeasure' feature,
    which causes problems with some clients (such as the Certicom SSL Plus
    library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
    disables the coutermeasure allowing Eudora to connect."

38. Exim was not checking that a write() to a log file succeeded. This could
    lead to Bad Things if a log got too big, in particular if it hit a file
    size limit. Exim now panics and dies if it cannot write to a log file, just
    as it does if it cannot open a log file.

39. Modified OS/Makefile-Linux so that it now contains

      CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE

    The two -D definitions ensure that Exim is compiled with large file
    support, which makes it possible to handle log files that are bigger than
    2^31.

40. Fixed a subtle caching bug: if (in an ACL or a set of routers, for
    instance) a domain was checked against a named list that involved a lookup,
    causing $domain_data to be set, then another domain was checked against the
    same list, then the first domain was re-checked, the value of $domain_data
    after the final check could be wrong. In particular, if the second check
    failed, it could be set empty. This bug probably also applied to
    $localpart_data.

41. The strip_trailing_dot option was not being applied to the address given
    with the -f command-line option.

42. The code for reading a message's header from the spool was incrementing
    $received_count, but never initializing it. This meant that the value was
    incorrect (doubled) while delivering a message in the same process in which
    it was received. In the most common configuration of Exim, this never
    happens - a fresh exec is done - but it can happen when
    deliver_drop_privilege is set.

43. When Exim logs an SMTP synchronization error - client data sent too soon -
    it now includes up to 150 characters of the unexpected data in the log
    line.

44. The exim_dbmbuild utility uses fixed size buffers for reading input lines
    and building data strings. The size of both of these buffers was 10 000
    bytes - far larger than anybody would *ever* want, thought I. Needless to
    say, somebody hit the limit. I have increased the maximum line length to
    20 000 and the maximum data length of concatenated lines to 100 000. I have
    also fixed two bugs, because there was no checking on these buffers. Tsk,
    tsk. Now exim_dbmbuild gives a message and exits with an error code if a
    buffer is too small.

45. The exim_dbmbuild utility did not support quoted keys, as Exim does in
    lsearch lookups. Now it does.

46. When parsing a route_list item in a manualroute router, a fixed-length
    buffer was used for the list of hosts. I made this 1024 bytes long,
    thinking that nobody would ever have a list of hosts that long. Wrong.
    Somebody had a whole pile of complicated expansion conditions, and the
    string was silently truncated, leading to an expansion error. It turns out
    that it is easier to change to an unlimited length (owing to other changes
    that have happened since this code was originally written) than to build
    structure for giving a limitation error. The length of the item that
    expands into the list of hosts is now unlimited.

47. The lsearch lookup could not handle data where the length of text line was
    more than 4095 characters. Such lines were truncated, leading to shortened
    data being returned. It should now handle lines of any length.

48. Minor wording revision: "cannot test xxx in yyy ACL" becomes "cannot test
    xxx condition in yyy ACL" (e.g. "cannot test domains condition in DATA
    ACL").

49. Cosmetic tidy to scripts like exicyclog that are generated by globally
    replacing strings such as BIN_DIRECTORY in a source file: the replacement
    no longer happens in comment lines. A list of replacements is now placed
    at the head of all of the source files, except those whose only change is
    to replace PERL_COMMAND in the very first #! line.

50. Replaced the slow insertion sort in queue.c, for sorting the list of
    messages on the queue, with a bottom-up merge sort, using code contributed
    by Michael Haardt. This should make operations like -bp somewhat faster on
    large queues. It won't affect queue runners, except when queue_run_in_order
    is set.

51. Installed eximstats 1.31 in the distribution.

52. Added support for SRV lookups to the dnslookup router.

53. If an ACL referred to $message_body or $message_body_end, the value was not
    reset for any messages that followed in the same SMTP session.

54. The store-handling optimization for building very long strings was not
    differentiating between the different store pools. I don't think this
    actually made any difference in practice, but I've tidied it.

55. While running the routers to verify a sender address, $sender_address
    was still set to the sender address. This is wrong, because when routing to
    send a bounce to the sender, it would be empty. Therefore, I have changed
    it so that, while verifying a sender address, $sender_address is set to <>.
    (There is no change to what happens when verifying a recipient address.)

56. After finding MX (or SRV) records, Exim was doing a DNS lookup for the
    target A or AAAA records (if not already returned) without resetting the
    qualify_single or search_parents options of the DNS resolver. These are
    inappropriate in this case because the targets of MX and SRV records must
    be FQDNs. A broken DNS record could cause trouble if it happened to have a
    target that, when qualified, matched something in the local domain. These
    two options are now turned off when doing these lookups.

57. It seems that at least some releases of Reiserfs (which does not have the
    concept of a fixed number of inodes) returns zero and not -1 for the
    number of available inodes. This interacted badly with check_spool_inodes,
    which assumed that -1 was the "no such thing" setting. What I have done is
    to check that the total number of inodes is greater than zero before doing
    the test of how many are available.

58. When a "warn" ACL statement has a log_message modifier, the message is
    remembered, and not repeated. This is to avoid a lot of repetition when a
    message has many recipients that cause the same warning to be written.
    Howewer, Exim was preserving the list of already written lines for an
    entire SMTP session, which doesn't seem right. The memory is now reset if a
    new message is started.

59. The "rewrite" debugging flag was not showing the result of rewriting in the
    debugging output unless log_rewrite was also set.

60. Avoid a compiler warning on 64-bit systems in dsearch.c by avoiding the use
    of (int)(handle) when we know that handle contains (void *)(-1).

61. The Exim daemon panic-logs an error return when it closes the incoming
    connection. However "connection reset by peer" seems to be common, and
    isn't really an error worthy of noting specially, so that particular error
    is no long logged.

62. When Exim is trying to find all the local interfaces, it used to panic and
    die if the ioctl to get the interface flags failed. However, it seems that
    on at least one OS (Solaris 9) it is possible to have an interface that is
    included in the list of interfaces, but for which you get a failure error
    for this call. This happens when the interface is not "plumbed" into a
    protocol (i.e. neither IPv4 nor IPv6). I've changed the code so that a
    failure of the "get flags" call assumes that the interface is down.

63. Added a ${eval10: operator, which assumes all numbers are decimal. This
    makes life easier for people who are doing arithmetic on fields extracted
    from dates, where you often get leading zeros that should not be
    interpreted as octal.

64. Added qualify_domain to the redirect router, to override the global
    setting.

65. If a pathologically long header line contained very many addresses (the
    report of this problem mentioned 10 000) and each of them was rewritten,
    Exim could use up a very large amount of memory. (It kept on making new
    copies of the header line as it rewrote, and never released the old ones.)
    At the expense of a bit more processing, the header rewriting function has
    been changed so that it no longer eats memory in this way.

66. The generation of the Received: header has been moved from the time that a
    message starts to be received, to the time that it finishes. The timestamp
    in the Received: header should now be very close to that of the <= log
    line. There are two side-effects of this change:

    (a) If a message is rejected by a DATA or non-SMTP ACL or local_scan(), the
        logged header lines no longer include the local Received: line, because
        it has not yet been created. The same applies to a copy of the message
        that is returned to a non-SMTP sender when a message is rejected.

    (b) When a filter file is tested using -bf, no additional Received: header
        is added to the test message. After some thought, I decided that this
        is a bug fix.

    This change does not affect the value of $received_for. It is still set
    after address rewriting, but before local_scan() is called.

67. Installed the latest Cygwin-specific files from the Cygwin maintainer.

68. GnuTLS: If an empty file is specified for tls_verify_certificates, GnuTLS
    gave an unhelpful panic error message, and a defer error. I have managed to
    change this behaviour so that it now rejects any supplied certificate,
    which seems right, as the list of acceptable certificates is empty.

69. OpenSSL: If an empty file is specified for tls_verify_certificates, OpenSSL
    gave an unhelpful defer error. I have not managed to make this reject any
    supplied certificates, but the error message it gives is "no certificate
    supplied", which is not helpful.

70. exigrep's output now also includes lines that are not associated with any
    message, but which match the given pattern. Implemented by a patch from
    Martin Sluka, which also tidied up the Perl a bit.

71. Recipient callout verification, like sender verification, was using <> in
    the MAIL FROM command. This isn't really the right thing, since the actual
    sender may affect whether the remote host accepts the recipient or not. I
    have changed it to use the actual sender in the callout; this means that
    the cache record is now keyed on a recipient/sender pair, not just the
    recipient address. There doesn't seem to be a real danger of callout loops,
    since a callout by the remote host to check the sender would use <>.
    [SEE ABOVE: changed after hitting problems.]

72. Exim treats illegal SMTP error codes that do not begin with 4 or 5 as
    temporary errors. However, in the case of such a code being given after
    the end of a data transmission (i.e. after ".") Exim was failing to write
    a retry record for the message. (Yes, there was some broken host that was
    actually sending 8xx at this point.)

73. An unknown lookup type in a host list could cause Exim to panic-die when
    the list was checked. (An example that provoked this was putting <; in the
    middle of a list instead of at the start.) If this happened during a DATA
    ACL check, a -D file could be left lying around. This kind of configuration
    error no longer causes Exim to die; instead it causes a defer errror. The
    incident is still logged to the main and panic logs.

74. Buglet left over from Exim 3 conversion. The message "too many messages
    in one connection" was written to the rejectlog but not the mainlog, except
    when address rewriting (yes!) was being logged.

75. Added write_rejectlog option.

76. When a system filter was run not as root (that is, when system_filter_user
    was set), the values of the $n variables were not being returned to the
    main process; thus, they were not subsequently available in the $sn
    variables.

77. Added +return_path_on_delivery log selector.

78. A connection timeout was being treated differently from recipients deferred
    when testing hosts_max_try with a message that was older than the host's
    retry timeout. (The host should not be counted, thus allowing all hosts to
    be tried at least once before bouncing.) This may have been the cause of an
    occasionally reported bug whereby a message would remain on the queue
    longer than the retry timeout, but would be bounced if a delivery was
    forced. I say "may" because I never totally pinned down the problem;
    setting up timeout/retry tests is difficult. See also the next item.

79. The ultimate address timeout was not being applied to errors that involved
    a combination of host plus message (for example, a timeout on a MAIL
    command). When an address resolved to a number of possible hosts, and they
    were not all tried for each delivery (e.g. because of hosts_max_try), a
    message could remain on the queue longer than the retry timeout.

80. Sieve bug: "stop" inside "elsif" was broken. Applied a patch from Michael
    Haardt.

81. Fixed an obscure SMTP outgoing bug which required at least the following
    conditions: (a) there was another message waiting for the same server;
    (b) the server returned 5xx to all RCPT commands in the first message so
    that the message was not completed; (c) the server dropped the connection
    or gave a negative response to the RSET that Exim sends to abort the
    transaction. The observed case was a dropped connection after DATA that had
    been sent in pipelining mode. That is, the server had advertised PIPELINING
    but was not implementing it correctly. The effect of the bug was incorrect
    behaviour, such as trying another host, and this could lead to a crash.


Exim version 4.30
-----------------

 1. The 3rd arguments to getsockname(), getpeername(), and accept() in exim.c
    and daemon.c were passed as pointers to ints; they should have been
    pointers to socklen_t variables (which are typically unsigned ints).

 2. Some signed/unsigned type warnings in the os.c file for Linux have been
    fixed.

 3. Fixed a really odd bug that affected only the testing scheme; patching a
    certain fixed string in the binary changed the value of another string that
    happened to be identical to the end of the original first string.

 4. When gethostbyname() (or equivalent) is passed an IP address as a "host
    name", it returns that address as the IP address. On some operating
    systems (e.g. Solaris), it also passes back the IP address string as the
    "host name". However, on others (e.g. Linux), it passes back an empty
    string. Exim wasn't checking for this, and was changing the host name to an
    empty string, assuming it had been canonicized.

 5. Although rare, it is permitted to have more than one PTR record for a given
    IP address. I thought that gethostbyaddr() or getipnodebyaddr() always gave
    all the names associated with an address, because they do in Solaris.
    However, it seems that they do not in Linux for data that comes from the
    DNS. If an address in /etc/hosts has multiple names, they _are_ all given.
    I found this out when I moved to a new Linux workstation and tried to run
    the Exim test suite.

    To get round this problem I have changed the code so that it now does its
    own call to the DNS to look up PTR records when searching for a host name.
    If nothing can be found in the DNS, it tries gethostbyaddr(), so that
    addresses that are only in /etc/hosts are still found.

    This behaviour is, however, controlled by an option called host_lookup_
    order, which defaults to "bydns:byaddr". If people want to use the other
    order, or indeed, just use one or the other means of lookup, they can
    specify it in this variable.

 6. If a PTR record yields an empty name, Exim treats it as non-existent. In
    some operating systems, this comes back from gethostbyaddr() as an empty
    string, and this is what Exim used to test for. However, it seems that in
    other systems, "." is yielded. Exim now tests for this case too.

 7. The values of check_spool_space and check_log_space are now held internally
    as a number of kilobytes instead of an absolute number of bytes. If a
    numbers is specified without 'K' or 'M', it is rounded up to the nearest
    kilobyte. This means that much larger values can be stored.

 8. Exim monitor: an attempt to get the action menu when not actually pointing
    at a message produces an empty menu entitled "No message selected". This
    works on Solaris (OpenWindows). However, XFree86 does not like a menu with
    no entries in it ("Shell widget menu has zero width and/or height"). So I
    have added a single, blank menu entry in this case.

 9. Added ${quote_local_part.

10. MIME decoding is now applied to the contents of Subject: header lines when
    they are logged.

11. Now that a reference to $sender_host_address automatically causes a reverse
    lookup to occur if necessary (4.13/18), there is no need to arrange for a
    host lookup before query-style lookups in lists that might use this
    variable. This has therefore been abolished, and the "net-" prefix is no
    longer necessary for query-style lookups.

12. The Makefile for SCO_SV contained a setting of LDFLAGS. This appears to
    have been a typo for LFLAGS, so it has been changed.

13. The install script calls Exim with "-C /dev/null" in order to find the
    version number. If ALT_CONFIG_PREFIX was set, this caused an error message
    to be output. Howeve, since Exim outputs its version number before the
    error, it didn't break the script. It just looked ugly. I fixed this by
    always allowing "-C /dev/null" if the caller is root.

14. Ignore overlarge ACL variable number when reading spool file - insurance
    against a later release with more variables having written the file.

15. The standard form for an IPv6 address literal was being rejected by EHLO.
    Example: [IPv6:2002:c1ed:8229:10:202:2dff:fe07:a42a]. Exim now accepts
    this, as well as the form without the "IPv6" on the front.

16. Added CHOWN_COMMAND=/usr/sbin/chown and LIBS=-lresolv to the
    OS/Makefile-Darwin file.

17. Fixed typo in lookups/ldap.c: D_LOOKUP should be D_lookup. This applied
    only to LDAP libraries that do not have LDAP_OPT_DEREF.

18. After change 4.21/52, "%ld" was used to format the contents of the $inode
    variable. However, some OS use ints for inodes. I've added cast to long int
    to get rid of the compiler warning.

19. I had forgotten to lock out "/../" in configuration file names when
    ALT_CONFIG_PREFIX was set.

20. Routers used for verification do not need to specify transports. However,
    if such a router generated a host list, and callout was configured, Exim
    crashed, because it could not find a port number from the (non-existent)
    transport. It now assumes port 25 in this circumstance.

21. Added the -t option to exigrep.

22. If LOOKUP_LSEARCH is defined, all three linear search methods (lsearch,
    wildlsearch, nwildlsearch) are compiled. LOOKUP_WILDLSEARCH and LOOKUP_
    NWILDLSEARCH are now obsolete, but retained for compatibility. If either of
    them is set, LOOKUP_LSEARCH is forced.

23. "exim -bV" now outputs a list of lookups that are included in the binary.

24. Added sender and host information to the "rejected by local_scan()" log
    line; previously there was no indication of these.

25. Added .include_if_exists.

26. Change 3.952/11 added an explicit directory sync on top of a file sync for
    Linux. It turns out that not all file systems support this. Apparently some
    versions of NFS do not. (It's rare to put Exim's spool on NFS, but people
    do it.) To cope with this, the error EINVAL, which means that sync-ing is
    not supported on the file descriptor, is now ignored when Exim is trying to
    sync a directory. This applies only to Linux.

27. Added -DBIND_8_COMPAT to the CLFAGS setting for Darwin.

28. In Darwin (MacOS X), the PAM headers are in /usr/include/pam and not in
    /usr/include/security. There's now a flag in OS/os.h-Darwin to cope with
    this.

29. Added support for maildirsize files from supplied patch (modified a bit).

30. The use of :fail: followed by an empty string could lead Exim to respond to
    sender verification failures with (e.g.):

      550 Verification failed for <xxx>
      550 Sender verify failed

    where the first response line was missing the '-' that indicates it is not
    the final line of the response.

31. The loop for finding the name of the user that called Exim had a hardwired
    limit of 10; it now uses the value of finduser_retries, which is used for
    all other user lookups.

32. Added $received_count variable, available in data and not_smtp ACLs, and at
    delivery time.

33. Exim was neglecting to zero errno before one call of strtol() when
    expanding a string and expecting an integer value. On some systems this
    resulted in spurious "integer overflow" errors. Also, it was casting the
    result into an int without checking.

34. Testing for a connection timeout using "timeout_connect" in the retry rules
    did not work. The code looks as if it has *never* worked, though it appears
    to have been documented since at least releast 1.62. I have made it work.

35. The "timeout_DNS" error in retry rules, also documented since at least
    1.62, also never worked. As it isn't clear exactly what this means, and
    clearly it isn't a major issue, I have abolished the feature by treating it
    as "timeout", and writing a warning to the main and panic logs.

36. The display of retry rules for -brt wasn't always showing the error code
    correctly.

37. Added new error conditions to retry rules: timeout_A, timeout_MX,
    timeout_connect_A, timeout_connect_MX.

38. Rewriting the envelope sender at SMTP time did not allow it to be rewritten
    to the empty sender.

39. The daemon was not analysing the content of -oX till after it had closed
    stderr and disconnected from the controlling terminal. This meant that any
    syntax errors were only noted on the panic log, and the return code from
    the command was 0. By re-arranging the code a little, I've made the
    decoding happen first, so such errors now appear on stderr, and the return
    code is 1. However, the actual setting up of the sockets still happens in
    the disconnected process, so errors there are still only recorded on the
    panic log.

40. A daemon listener on a wildcard IPv6 socket that also accepts IPv4
    connections (as happens on some IP stacks) was logged at start up time as
    just listening for IPv6. It now logs "IPv6 with IPv4". This differentiates
    it from "IPv6 and IPv4", which means that two separate sockets are being
    used.

41. The debug output for gethostbyname2() or getipnodebyname() failures now
    says whether AF_INET or AF_INET6 was passed as an argument.

42. Exiwhat output was messed up when time zones were included in log
    timestamps.

43. Exiwhat now gives more information about the daemon's listening ports,
    and whether -tls-on-connect was used.

44. The "port" option of the smtp transport is now expanded.

45. A "message" modifier in a "warn" statement in a non-message ACL was being
    silently ignored. Now an error message is written to the main and panic
    logs.

46. There's a new ACL modifier called "logwrite" which writes to a log file
    as soon as it is encountered.

47. Added $local_user_uid and $local_user_gid at routing time.

48. Exim crashed when trying to verify a sender address that was being
    rewritten to "<>".

49. Exim was recognizing only a space character after ".include". It now also
    recognizes a tab character.

50. Fixed several bugs in the Perl script that creates the exim.8 man page by
    extracting the relevant information from the specification. The man page no
    longer contains scrambled data for the -d option, and I've added a section
    at the front about calling Exim under different names.

51. Added "extra_headers" argument to the "mail" command in filter files.

52. Redirecting mail to an unqualified address in a Sieve filter caused Exim to
    crash.

53. Installed eximstats 1.29.

54. Added transport_filter_timeout as a generic transport option.

55. Exim no longer adds an empty Bcc: header to messages that have no To: or
    Cc: header lines. This was required by RFC 822, but it not required by RFC
    2822.

56. Exim used to add From:, Date:, and Message-Id: header lines to any
    incoming messages that did not have them. Now it does so only if the
    message originates locally, that is, if there is no associated remote host
    address. When Resent- header lines are present, this applies to the Resent-
    lines rather than the non-Resent- lines.

57. Drop incoming SMTP connection after too many syntax or protocol errors. The
    limit is controlled by smtp_max_synprot_errors, defaulting to 3.

58. Messages for configuration errors now include the name of the main
    configuration file - useful now that there may be more than one file in a
    list (.included file names were always shown).

59. Change 4.21/82 (run initgroups() when starting the daemon) causes problems
    for those rare installations that do not start the daemon as root or run it
    setuid root. I've cut out the call to initgroups() if the daemon is not
    root at that time.

60. The Exim user and group can now be bound into the binary as text strings
    that are looked up at the start of Exim's processing.

61. Applied a small patch for the Interbase code, supplied by Ard Biesheuvel.

62. Added $mailstore_basename variable.

63. Installed patch to sieve.c from Michael Haardt.

64. When Exim failed to open the panic log after failing to open the main log,
    the original message it was trying to log was written to stderr and debug
    output, but if they were not available (the usual case in production), it
    was lost. Now it is written to syslog before the two lines that record the
    failures to open the logs.

65. Users' Exim filters run in subprocesses under the user's uid. It is
    possible for a "deliver" command or an alias in a "personal" command to
    provoke an address rewrite. If logging of address rewriting is configured,
    this fails because the process is not running as root or exim. There may be
    a better way of dealing with this, but for the moment (because 4.30 needs
    to be released), I have disabled address rewrite logging when running a
    filter in a non-root, non-exim process.


Exim version 4.24
-----------------

 1. The buildconfig auxiliary program wasn't quoting the value set for
    HEADERS_CHARSET. This caused a compilation error complaining that 'ISO' was
    not defined. This bug was masked in 4.22 by the effect that was fixed in
    change 4.23/1.

 2. Some messages that were rejected after a message id was allocated were
    shown as "incomplete" by exigrep. It no longer does this for messages that
    are rejected by local_scan() or the DATA or non-SMTP ACLs.

 3. If a Message-ID: header used a domain literal in the ID, and Exim did not
    have allow_domain_literals set, the ID did not get logged in the <= line.
    Domain literals are now always recognized in Message-ID: header lines.

 4. The first argument for a ${extract expansion item is the key name or field
    number. Leading and trailing spaces in this item were not being ignored,
    causing some misleading effects.

 5. When deliver_drop_privilege was set, single queue runner processes started
    manually (i.e. by the command "exim -q") or by the daemon (which uses the
    same command in the process it spins off) were not dropping privilege.

 6. When the daemon running as "exim" started a queue runner, it always
    re-executed Exim in the spun-off process. This is a waste of effort when
    deliver_drop_privilege is set. The new process now just calls the
    queue-runner function directly.


Exim version 4.23
-----------------

 1. Typo in the src/EDITME file: it referred to HEADERS_DECODE_TO instead of
    HEADERS_CHARSET.

 2. Change 4.21/73 introduced a bug. The pid file path set by -oP was being
    ignored. Though the use of -oP was forcing the writing of a pid file, it
    was always written to the default place.

 3. If the message "no IP address found for host xxxx" is generated during
    incoming verification, it is now followed by identification of the incoming
    connection (so you can more easily find what provoked it).

 4. Bug fix for Sieve filters: "stop" inside a block was not working properly.

 5. Added some features to "harden" Exim a bit more against certain attacks:

    (a) There is now a build-time option called FIXED_NEVER_USERS that can
        be put in Local/Makefile. This is like the never_users runtime option,
        but it cannot be overridden. The default setting is "root".

    (b) If ALT_CONFIG_PREFIX is defined in Local/Makefile, it specifies a
        prefix string with which any file named in a -C command line option
        must start.

    (c) If ALT_CONFIG_ROOT_ONLY is defined in Local/Makefile, root privilege
        is retained for -C and -D only if the caller of Exim is root. Without
        it, the exim user may also use -C and -D and retain privilege.

    (d) If DISABLE_D_OPTION is defined in Local/Makefile, the use of the -D
        command line option is disabled.

 6. Macro names set by the -D option must start with an upper case letter, just
    like macro names defined in the configuration file.

 7. Added "dereference=" facility to LDAP.

 8. Two instances of the typo "uknown" in the source files are fixed.

 9. If a PERL_COMMAND setting in Local/Makefile was not at the start of a line,
    the Configure-Makefile script screwed up while processing it.

10. Incorporated PCRE 4.4.

11. The SMTP synchronization check was not operating right at the start of an
    SMTP session. For example, it could not catch a HELO sent before the client
    waited for the greeting. There is now a check for outstanding input at the
    point when the greeting is written. Because of the duplex, asynchronous
    nature of TCP/IP, it cannot be perfect - the incorrect input may be on its
    way, but not yet received, when the check is performed.

12. Added tcp_nodelay to make it possible to turn of the setting of TCP_NODELAY
    on TCP/IP sockets, because this apparently causes some broken clients to
    timeout.

13. Installed revised OS/Makefile-CYGWIN and OS/os.c-cygwin (the .h file was
    unchanged) from the Cygwin maintainer.

14. The code for -bV that shows what is in the binary showed "mbx" when maildir
    was supported instead of testing for mbx. Effectively a typo.

15. The spa authenticator server code was not checking that the input it
    received was valid base64.

16. The debug output line for the "set" modifier in ACLs was not showing the
    name of the variable that was being set.

17. Code tidy: the variable type "vtype_string" was never used. Removed it.

18. Previously, a reference to $sender_host_name did not cause a DNS reverse
    lookup on its own. Something else was needed to trigger the lookup. For
    example, a match in host_lookup or the need for a host name in a host list.
    Now, if $sender_host_name is referenced and the host name has not yet been
    looked up, a lookup is performed. If the lookup fails, the variable remains
    empty, and $host_lookup_failed is set to "1".

19. Added "eqi" as a case-independent comparison operator.

20. The saslauthd authentication condition could segfault if neither service
    nor realm was specified.

21. If an overflowing value such as "2048M" was set for message_size_limit, the
    error message that was logged was misleading, and incoming SMTP
    connections were dropped. The message is now more accurate, and temporary
    errors are given to SMTP connections.

22. In some error situations (such as 21 above) Exim rejects all SMTP commands
    (except RSET) with a 421 error, until QUIT is received. However, it was
    failing to send a response to QUIT.

23. The HELO ACL was being run before the code for helo_try_verify_hosts,
    which made it impossible to use "verify = helo" in the HELO ACL. The HELO
    ACL is now run after the helo_try_verify_hosts code.

24. "{MD5}" and "{SHA1}" are now recognized as equivalent to "{md5"} and
    "{sha1}" in the "crypteq" expansion condition (in fact the comparison is
    case-independent, so other case variants are also recognized). Apparently
    some systems use these upper case variants.

25. If more than two messages were waiting for the same host, and a transport
    filter was specified for the transport, Exim sent two messages over the
    same TCP/IP connection, and then failed with "socket operation on non-
    socket" when it tried to send the third.

26. Added Exim::debug_write and Exim::log_write for embedded Perl use.

27. The extern definition of crypt16() in expand.c was not being excluded when
    the OS had its own crypt16() function.

28. Added bounce_return_body as a new option, and bounce_return_size_limit
    as a preferred synonym for return_size_limit, both as an option and as an
    expansion variable.

29. Added LIBS=-liconv to OS/Makefile-OSF1.

30. Changed the default configuration ACL to relax the local part checking rule
    for addresses that are not in any local domains. For these addresses,
    slashes and pipe symbols are allowed within local parts, but the sequence
    /../ is explicitly forbidden.

31. SPA server authentication was not clearing the challenge buffer before
    using it.

32. log_message in a "warn" ACL statement was writing to the reject log as
    well as to the main log, which contradicts the documentation and doesn't
    seem right (because no rejection is happening). So I have stopped it.

33. Added Ard Biesheuvel's lookup code for accessing an Interbase database.
    However, I am unable to do any testing of this.

34. Fixed an infelicity in the appendfile transport. When checking directories
    for a mailbox, to see if any needed to be created, it was accidentally
    using path names with one or more superfluous leading slashes; tracing
    would show up entries such as stat("///home/ph10", 0xFFBEEA48).

35. If log_message is set on a "discard" verb in a MAIL or RCPT ACL, its
    contents are added to the log line that is written for every discarded
    recipient. (Previously a log_message setting was ignored.)

36. The ${quote: operator now quotes the string if it is empty.

37. The install script runs exim in order to find its version number. If for
    some reason other than non-existence or emptiness, which it checks, it
    could not run './exim', it was installing it with an empty version number,
    i.e. as "exim-". This error state is now caught, and the installation is
    aborted.

38. An argument was missing from the function that creates an error message
    when Exim fails to connect to the socket for saslauthd authentication.
    This could cause Exim to crash, or give a corrupted message.

39. Added isip, isip4, and isip6 to ${if conditions.

40. The ACL variables $acl_xx are now saved with the message, and can be
    accessed later in routers, transports, and filters.

41. The new lookup type nwildlsearch is like wildlsearch, except that the key
    strings in the file are not string-expanded.

42. If a MAIL command specified a SIZE value that was too large to fit into an
    int variable, the check against message_size_limit failed. Such values are
    now forced to INT_MAX, which is around 2Gb for a 32-bit variable. Maybe one
    day this will have to be increased, but I don't think I want to be around
    when emails are that large.



Exim version 4.22
-----------------

 1. Removed HAVE_ICONV=yes from OS/Makefile-FreeBSD, since it seems that
    iconv() is not standard in FreeBSD.

 2. Change 4.21/17 was buggy and could cause stack overwriting on a system with
    IPv6 enabled. The observed symptom was a segmentation fault on return from
    the function os_common_find_running_interfaces() in src/os.c.

 3. In the check_special_case() function in daemon.c I had used "errno" as an
    argument name, which causes warnings on some systems. This was basically a
    typo, since it was named "eno" in the comments!

 4. The code that waits for the clock to tick (at a resolution of some fraction
    of a second) so as to ensure message-id uniqueness was always waiting for
    at least one whole tick, when it could have waited for less. [This is
    almost certainly not relevant at current processor speeds, where it is
    unlikely to ever wait at all. But we try to future-proof.]

 5. The function that sleeps for a time interval that includes fractions of a
    second contained a race. It did not block SIGALRM between setting the
    timer, and suspending (a couple of lines later). If the interval was short
    and the sigsuspend() was delayed until after it had expired, the suspension
    never ended. On busy systems this could lead to processes getting stuck for
    ever.

 6. Some uncommon configurations may cause a lookup to happen in a queue runner
    process, before it forks any delivery processes. The open lookup caching
    mechanism meant that the open file or database connection was passed into
    the delivery process. The problem was that delivery processes always tidy
    up cached lookup data. This could cause a problem for the next delivery
    process started by the queue runner, because the external queue runner
    process does not know about the closure. So the next delivery process
    still has data in the lookup cache. In the case of a file lookup, there was
    no problem because closing a file descriptor in a subprocess doesn't affect
    the parent. However, if the lookup was caching a connection to a database,
    the connection was closed, and the second delivery process was likely to
    see errors such as "PGSQL: query failed: server closed the connection
    unexpectedly". The problem has been fixed by closing all cached lookups
    in a queue runner before running a delivery process.

 7. Compiler warning on Linux for the second argument of iconv(), which doesn't
    seem to have the "const" qualifier which it has on other OS. I've
    parameterised it.

 8. Change 4.21/2 was too strict. It is only if there are two authenticators
    *of the same type* (client or server) with the same public name that an
    error should be diagnosed.

 9. When Exim looked up a host name for an IP address, but failed to find the
    original IP address when looking up the host name (a safety check), it
    output the message "<ip address> does not match any IP for NULL", which was
    confusing, to say the least. The bug was that the host name should have
    appeared instead of "NULL".

10. Since release 3.03, if Exim is called by a uid other than root or the Exim
    user that is built into the binary, and the -C or -D options is used, root
    privilege is dropped before the configuration file is read. In addition,
    logging is switched to stderr instead of the normal log files. If the
    configuration then re-defines the Exim user, the unprivileged environment
    is probably not what is expected, so Exim logs a panic warning message (but
    proceeds).

    However, if deliver_drop_privilege is set, the unprivileged state may well
    be exactly what is intended, so the warning has been cut out in that case,
    and Exim is allowed to try to write to its normal log files.


Exim version 4.21
-----------------

 1. smtp_return_error_details was not giving details for temporary sender
    or receiver verification errors.

 2. Diagnose a configuration error if two authenticators have the same public
    name.

 3. Exim used not to create the message log file for a message until the first
    delivery attempt. This could be confusing when incoming messages were held
    for policy or load reasons. The message log file is now created at the time
    the message is received, and an initial "Received" line is written to it.

 4. The automatically generated man page for command line options had a minor
    bug that caused no ill effects; however, a more serious problem was that
    the procedure for building the man page automatically didn't always
    operate. Consequently, release 4.20 contains an out-of-date version. This
    shouldn't happen again.

 5. When building Exim with embedded Perl support, the script that builds the
    Makefile was calling 'perl' to find its compile-time parameters, ignoring
    any setting of PERL_COMMAND in Local/Makefile. This is now fixed.

 6. The freeze_tell option was not being used for messages that were frozen on
    arrival, either by an ACL or by local_scan().

 7. Added the smtp_incomplete_transaction log selector.

 8. After STARTTLS, Exim was not forgetting that it had advertised AUTH, so it
    was accepting AUTH without a new EHLO.

 9. Added tls_remember_esmtp to cope with YAEB. This allows AUTH and other
    ESMTP extensions after STARTTLS without a new EHLO, in contravention of the
    RFC.

10. Logging of TCP/IP connections (when configured) now happens in the main
    daemon process instead of the child process, so that the TCP/IP connection
    count is more accurate (but it can never be perfect).

11. The use of "drop" in a nested ACL was not being handled correctly in the
    outer ACL. Now, if condition failure induced by the nested "drop" causes
    the outer ACL verb to deny access ("accept" or "discard" after "endpass",
    or "require"), the connection is dropped.

12. Similarly, "discard" in a nested ACL wasn't being handled. A nested ACL
    that yield "discard" can now be used with an "accept" or a "discard" verb,
    but an error is generated for any others (because I can't see a useful way
    to define what should happen).

13. When an ACL is read dynamically from a file (or anywhere else), the lines
    are now processed in the same way as lines in the Exim configuration file.
    In particular, continuation lines are supported.

14. Added the "dnslists = a.b.c!=n.n.n.n" feature.

15. Added -ti meaning -t -i.

16. Check for letters, digits, hyphens, and dots in the names of dnslist
    domains, and warn by logging if others are found.

17. At least on BSD, alignment is not guarenteed for the array of ifreq's
    returned from GIFCONF when Exim is trying to find the list of interfaces on
    a host. The code in os.c has been modified to copy each ifreq to an aligned
    structure in all cases.

    Also, in some cases, the returned ifreq's were being copied to a 'struct
    ifreq' on the stack, which was subsequently passed to host_ntoa(). That
    means the last couple of bytes of an IPv6 address could be chopped if the
    ifreq contained only a normal sockaddr (14 bytes storage).

18. Named domain lists were not supported in the hosts_treat_as_local option.
    An entry such as +xxxx was not recognized, and was treated as a literal
    domain name.

19. Ensure that header lines added by a DATA ACL are included in the reject log
    if the ACL subsequently rejects the message.

20. Upgrade the cramtest.pl utility script to use Digest::MD5 instead of just
    MD5 (which is deprecated).

21. When testing a filter file using -bf, Exim was writing a message when it
    took the sender from a "From " line in the message, but it was not doing so
    when it took $return_path from a Return-Path: header line. It now does.

22. If the contents of a "message" modifier for a "warn" ACL verb do not begin
    with a valid header line field name (a series of printing characters
    terminated by a colon, Exim now inserts X-ACL-Warn: at the beginning.

23. Changed "disc" in the source to "disk" to conform to the documentation and
    the book and for uniformity.

24. Ignore Sendmail's -Ooption=value command line item.

25. When execve() failed while trying to run a command in a pipe transport,
    Exim was returning EX_UNAVAILBLE (69) from the subprocess. However, this
    could be confused with a return value of 69 from the command itself. This
    has been changed to 127, the value the shell returns if it is asked to run
    a non-existent command. The wording for the related log line suggests a
    non-existent command as the problem.

26. If received_header_text expands to an empty string, do not add a Received:
    header line to the message. (Well, it adds a token one on the spool, but
    marks it "old" so that it doesn't get used or transmitted.)

27. Installed eximstats 1.28 (addition of -nt option).

28. There was no check for failure on the call to getsockname() in the daemon
    code. This can fail if there is a shortage of resources on the system, with
    ENOMEM, for example. A temporary error is now given on failure.

29. Contrary to the C standard, it seems that in some environments, the
    equivalent of setlocale(LC_ALL, "C") is not obeyed at the start of a C
    program. Exim now does this explicitly; it affects the formatting of
    timestamps using strftime().

30. If exiqsumm was given junk data, it threw up some uninitialized variable
    complaints. I've now initialized all the variables, to avoid this.

32. Header lines added by a system filter were not being "seen" during
    transport-time rewrites.

33. The info_callback() function passed to OpenSSL is set up with type void
    (*)(SSL *, int, int), as described somewhere. However, when calling the
    function (actually a macro) that sets it up, the type void(*)() is
    expected. I've put in a cast to prevent warnings from picky compilers.

34. If a DNS black list lookup found a CNAME record, but there were no A
    records associated with the domain it pointed at, Exim crashed.

35. If a DNS black list lookup returned more than one A record, Exim ignored
    all but the first. It now scans all returned addresses if a particular IP
    value is being sought. In this situation, the contents of the
    $dnslist_value variable are a list of all the addresses, separated by a
    comma and a space.

36. Tightened up the rules for host name lookups using reverse DNS. Exim used
    to accept a host name and all its aliases if the forward lookup for any of
    them yielded the IP address of the incoming connection. Now it accepts only
    those names whose forward lookup yields the correct IP address. Any other
    names are discarded. This closes a loophole whereby a rogue DNS
    administrator could create reverse DNS records to break through a
    wildcarded host restriction in an ACL.

37. If a user filter or a system filter that ran in a subprocess used any of
    the numerical variables ($1, $2 etc), or $thisaddress, in a pipe command,
    the wrong values were passed to the pipe command ($thisaddress had the
    value of $0, $0 had the value of $1, etc). This bug was introduced by
    change 4.11/101, and not discovered because I wrote an inadequate test. :-(

38. Improved the line breaking for long SMTP error messages from ACLs.
    Previously, if there was no break point between 40 and 75 characters, Exim
    left the rest of the message alone. Two changes have been made: (a) I've
    reduced the minimum length to 35 characters; (b) if it can't find a break
    point between 35 and 75 characters, it looks ahead and uses the first one
    that it finds. This may give the occasional overlong line, but at least the
    remaining text gets split now.

39. Change 82 of 4.11 was unimaginative. It assumed the limit on the number of
    file descriptors might be low, and that setting 1000 would always raise it.
    It turns out that in some environments, the limit is already over 1000 and
    that lowering it causes trouble. So now Exim takes care not to decrease it.

40. When delivering a message, the value of $return_path is set to $sender_
    address at the start of routing (routers may change the value). By an
    oversight, this default was not being set up when an address was tested by
    -bt or -bv, which affected the outcome if any router or filter referred to
    $return_path.

41. The idea of the "warn" ACL verb is that it adds a header or writes to the
    log only when "message" or "log_message" are set. However, if one of the
    conditions was an address verification, or a call to a nested ACL, the
    messages generated by the underlying test were being passed through. This
    no longer happens. The underlying message is available in $acl_verify_
    message for both "message" and "log_message" expansions, so it can be
    passed through if needed.

42. Added RFC 2047 interpretation of header lines for $h_ expansions, with a
    new expansion $bh_ to give the encoded byte string without charset
    translation. Translation happens only if iconv() is available; HAVE_ICONV
    indicates this at build time. HEADERS_CHARSET gives the charset to
    translate to; headers_charset can change it in the configuration, and
    "headers charset" can change it in an individual filter file.

43. Now that we have a default RFC 2047 charset (see above), the code in Exim
    that creates RFC 2047 encoded "words" labels them as that charset instead
    of always using iso-8859-1. The cases are (i) the explicit ${rfc2047:
    expansion operator; (ii) when Exim creates a From: line for a local
    message; (iii) when a header line is rewritten to include a "phrase" part.

44. Nasty bug in exiqsumm: the regex to skip already-delivered addresses was
    buggy, causing it to skip the first lines of messages whose message ID
    ended in 'D'. This would not have bitten before Exim release 4.14, because
    message IDs were unlikely to end in 'D' before then. The effect was to have
    incorrect size information for certain domains.

45. #include "config.h" was missing at the start of the crypt16.c module. This
    caused trouble on Tru64 (aka OSF1) systems, because HAVE_CRYPT16 was not
    noticed.

46. If there was a timeout during a "random" callout check, Exim treated it as
    a failure of the random address, and carried on sending RSET and the real
    address. If the delay was just some slowness somewhere, the response to the
    original RCPT would be taken as a response to RSET and so on, causing
    mayhem of various kinds.

47. Change 50 for 4.20 was a heap of junk. I don't know what I was thinking
    when I implemented it. It didn't allow for the fact that some option values
    may legitimatetly be negative (e.g. size_addition), and it didn't even do
    the right test for positive values.

48. Domain names in DNS records are case-independent. Exim always looks them up
    in lower case. Some resolvers return domain names in exactly the case they
    appear in the zone file, that is, they may contain uppercase letters. Not
    all resolvers do this - some return always lower case. Exim was treating a
    change of case by a resolver as a change of domain, similar to a widening
    of a domain abbreviation. This triggered its re-routing code and so it was
    trying to route what was effectively the same domain again. This normally
    caused routing to fail (because the router wouldn't handle the domain
    twice). Now Exim checks for this case specially, and just changes the
    casing of the domain that it ultimately uses when it transmits the message
    envelope.

49. Added Sieve (RFC 3028) support, courtesy of Michael Haardt's contributed
    module.

50. If a filter generated a file delivery with a non-absolute name (possible if
    no home directory exists for the router), the forbid_file option was not
    forbidding it.

51. Added '&' feature to dnslists, to provide bit mask matching in addition to
    the existing equality matching.

52. Exim was using ints instead of ino_t variables in some places where it was
    dealing with inode numbers.

53. If TMPDIR is defined in Local/Makefile (default in src/EDITME is
    TMPDIR="/tmp"), Exim checks for the presence of an environment variable
    called TMPDIR, and if it finds it is different, it changes its value.

54. The smtp_printf() function is now made available to local_scan() so
    additional output lines can be written before returning. There is also an
    smtp_fflush() function to enable the detection of a dropped connection.
    The variables smtp_input and smtp_batched_input are exported to
    local_scan().

55. Changed the default runtime configuration: the message "Unknown user"
    has been removed from the ACL, and instead placed on the localuser router,
    using the cannot_route_message feature. This means that any verification
    failures that generate their own messages won't get overridden. Similarly,
    the "Unrouteable address" message that was in the ACL for unverifiable
    relay addresses has also been removed.

56. Added hosts_avoid_esmtp to the smtp transport.

57. The exicyclog script was not checking for the esoteric option
    CONFIGURE_FILE_USE_EUID in the Local/Makefile. It now does this, but it
    will work only if exicyclog is run under the appropriate euid.

58. Following a discussion on the list, the rules by which Exim recognises line
    endings on incoming messages have been changed. The -dropcr and drop_cr
    options are now no-ops, retained only for backwards compatibility. The
    following line terminators are recognized: LF CRLF CR. However, special
    processing applies to CR:

    (i)  The sequence CR . CR does *not* terminate an incoming SMTP message,
         nor a local message in the state where . is a terminator.

    (ii) If a bare CR is encountered in a header line, an extra space is added
         after the line terminator so as not to end the header. The reasoning
         behind this is that bare CRs in header lines are most likely either
         to be mistakes, or people trying to play silly games.

59. The size of a message, as listed by "-bp" or in the Exim monitor window,
    was being incorrectly given as 18 bytes larger than it should have been.
    This is a VOB (very old bug).

60. This may never have affected anything current, but just in case it has:
    When the local host is found other than at the start of a list of hosts,
    the local host, those with the same MX, and any that follow, are discarded.
    When the list in question was part of a longer list of hosts, the following
    hosts (not currently being processed) were also being discarded. This no
    longer happens. I'm not sure if this situation could ever has previously
    arisen.

61. Added the "/MX" feature to lists of hosts in the manualroute and query
    program routers.

62. Whenever Exim generates a new message, it now adds an Auto-Submitted:
    header. This is something that is recommended in a new Internet Draft, and
    is something that is documented as being done by Sendmail. There are two
    possible values. For messages generated by the autoreply transport, Exim
    adds:

      Auto-Submitted: auto-replied

    whereas for all other generated messages (e.g. bounces) it adds

      Auto-Submitted: auto-generated

63. The "personal" condition in filters now includes a test for the
    Auto-Submitted: header. If it contains the string "auto-" the message it
    not considered personal.

64. Added rcpt_include_affixes as a generic transport option.

65. Added queue_only_override (default true).

66. Added the syslog_duplication option.

67. If what should have been the first header line of a message consisted of
    a space followed by a colon, Exim was mis-interpreting it as a header line.
    It isn't of course - it is syntactically invalid and should therefore be
    treated as the start of the message body. The misbehaviour could have
    caused a number of strange effects, including loss of data in subsequent
    header lines, and spool format errors.

68. Formerly, the AUTH parameter on a MAIL command was trusted only if the
    client host had authenticated. This control can now be exercised by an ACL
    for more flexibility.

69. By default, callouts do not happen when testing with -bh. There is now a
    variant, -bhc, which does actually run the callout code, including
    consulting and updating the callout cache.

70. Added support for saslauthd authentication, courtesy of Alexander
    Sabourenkov.

71. If statvfs() failed on the spool or log directories while checking their
    size for availability, Exim confusingly gave the error "space shortage".
    Furthermore, in debugging mode it crashed with a floating point exception.
    These checks are done if check_{spool,log}_{space,inodes} are set, and when
    an SMTP message arrives with SIZE= on the MAIL command. As this is a really
    serious problem, Exim now writes to the main and panic logs when this
    happens, with details of the failure. It then refuses to accept the
    incoming message, giving the message "spool directory problem" or "log
    directory problem" with a 421 code for SMTP messages.

72. When Exim is about to re-exec itself, it ensures that the file descriptors
    0, 1, and 2 exist, because some OS complain for execs without them (see
    ChangeLog 4.05/30). If necessary, Exim opens /dev/null to use for these
    descriptors. However, the code omitted to check that the open succeeded,
    causing mysterious errors if for some reason the permissions on /dev/null
    got screwed. Now Exim writes a message to the main and panic logs, and
    bombs out if it can't open /dev/null.

73. Re-vamped the way daemon_smtp_port, local_interfaces, and -oX work and
    interact so that it is all more flexible. It is supposed to remain
    backwards compatible. Also added extra_local_interfaces.

74. Invalid data sent to a SPA (NTLM) server authenticator could cause the code
    to bomb out with an assertion failure - to the client this appears as a
    connection drop. This problem occurs in the part of the code that was taken
    from the Samba project. Fortunately, the assertion is in a very simple
    function, so I have fixed this by reproducing the function inline in the
    one place where it is called, and arranging for authentication to fail
    instead of killing the process with assert().

75. The SPA client code was not working when the server requested OEM rather
    than Unicode encoding.

76. Added code to make require_files with a specific uid setting more usable in
    the case where statting the file as root fails - usually a non-root-mounted
    NFS file system. When this happens and the failure is EACCES, Exim now
    forks a subprocess and does the per-uid checking as the relevant uid.

77. Added process_log_path.

78. If log_file_path was not explicitly set, a setting of check_log_space or
    check_log_inodes was ignored.

79. If a space check for the spool or log partitions fails, the incident is now
    logged. Of course, in the latter case the data may get lost...

80. Added the %p formatting code to string_format() so that it can be used to
    print addresses in debug_print(). Adjusted all the address printing in the
    debugging in store.c to use %p rather than %d.

81. There was a concern that a line of code in smtp_in.c could overflow a
    buffer if a HELO/EHLO command was given followed by 500 or so spaces. As
    initially expressed, the concern was not well-founded, because trailing
    spaces are removed early. However, if the trailing spaces were followed by
    a NULL, they did not get removed, so the overflow was possible. Two fixes
    were applied:

    (a) I re-wrote the offending code in a cleaner fashion.
    (b) If an incoming SMTP command contains a NULL character, it is rejected
        as invalid.

82. When Exim changes uid/gid to the Exim user at daemon start time, it now
    runs initgroups(), so that if the Exim user is in any additional groups,
    they will be used during message reception.


Exim version 4.20
-----------------

 1. If data for an authentication interaction was just the string "=",
    indicating an empty string, Exim was not setting up the numerical variable
    correctly. In some situations, this could cause a crash - in others, it
    might have passed unnoticed.

 2. Changed signal(SIGTERM, command_sigterm_handler) in smtp_in.c to use
    os_non_restarting_signal() for tidiness; in practice this doesn't actually
    matter because the handler terminates the process.

 3. Refactoring:

    (a) In some (but not all) places where Exim applies timers using alarm(),
        it was resetting the SIGALRM handler afterwards, but sometimes to
        SIG_IGN and sometimes to SIG_DFL. In other words, it was a mess. In
        fact, this reset is not necessary, because after alarm(0) there is no
        possibility of receiving a SIGLARM signal. So I've just removed them
        all.

    (b) The daemon.c module had its own SIGALRM handler, which was unnecessary.
        I changed it to use the handler that is used (almost) everywhere else.

    (c) Almost all uses of SIGALRM use the same handler, but it was being set
        by signal() all over the place. Now it is set at the start, and it
        resets itself every time it is called, so it remains enabled
        throughout. The few places that use a different handler reset to the
        "standard" one afterwards.

    (d) The setting of the SIGTERM handler while reading SMTP commands was done
        somwhat untidily. I have re-arranged the code.

 4. If the building process was interrupted during the MakeLinks script, a
    subsequent run of 'make' gave misleading errors. I've made it a bit more
    robust against this case. If there appears to be a half-made set of links,
    an error message suggests that the user should remove the build directory
    and start again.

 5. For compatibility with other MTAs, -f "" is now accepted as synonymous with
    -f "<>".

 6. Upgraded to PCRE 4.1.

 7. If a domain list contained @mx_any, or @mx_secondary, and the DNS contained
    secondary MX records for a domain, but all the other MX (higher priority)
    records pointed to non-existent hosts, Exim was behaving as if the domain
    did not match the list item. This has been fixed.

 8. Upgraded eximstats to 1.27.

 9. It was reported that change 4.14/46(b) caused problems on some systems with
    older libraries. There is now an option that can be set in Local/Makefile
    (or in a operating system Makefile):

      IPV6_USE_INET_PTON=yes

    If this is done, Exim reverts to using inet_pton() to convert a textual
    IPv6 address for actual use, instead of getaddrinfo(), as it did in
    versions before 4.14. Of course, this means that the additional
    functionality of getaddrinfo() - recognizing scoped addresses - is lost.

10. Update for PostgreSQL to match 4.14/14: after an insert, delete, or update
    command, the result is the number of rows affected.

11. If smtp_banner expanded to an empty string, no greeting line was sent, thus
    causing the client to time out. An empty 220 response is now sent.

12. An empty argument was logged as a null string by the "arguments" log
    selector. Now empty strings and arguments that contain whitespace are
    surrounded by quotes.

13. The "arguments" log selector now also logs the current working directory
    when Exim is called.

14. Added a couple more debugging calls to tls-openssl.

15. Changed the name of the global variable ldap_version because some LDAP
    library uses the same name, which causes a clash. It's now called
    eldap_version. While I was at it, I changed the other two global variables,
    ldap_default_servers and ldap_dn.

16. If an address that is verified in an ACL is redirected to a single address,
    Exim verifies the child (this is not new). However, the value of $address_
    data that was being returned was the value from the parent. It is now the
    value from the child.

17. Re-arranged the code for rda_is_filter() to make it easier to add other
    filter types in future.

18. Removed the filter test function from filter.c and put it into its own
    source file, again to make things easier for multiple filter types.

19. To help those people who are maintaining a patch for dynamically loaded
    local_scan() functions, I have added

      #define LOCAL_SCAN_ABI_VERSION_MAJOR 1
      #define LOCAL_SCAN_ABI_VERSION_MINOR 0

    to the local_scan.h file.

20. The variables $tls_certificate_verified, $tls_cipher, and $tls_peerdn now
    exist even when Exim is not compiled with TLS support.

21. If an empty user name was sent by a client for a LOGIN authentication, it
    was not put into $1; instead, the password ended up in $1 (instead of in
    $2).

22. When creating a temporary file in the appendfile transport for a per-file
    delivery not in maildir or mailstore format (that is, in the old Smail
    format - I wonder if anyone uses this?), Exim was opening the file without
    O_EXCL, which is a bit unsafe.

23. The output from the ${stat: expansion operator was being formatted using %d
    which expects an integer; in many (most) systems size_t is off_t, which
    is actually a long or even a longlong, and in some cases this caused
    incorrect data to be output. The formatting is now done using %ld, with the
    values all explicitly cast to (long).

24. Callout caching was failing to cache a negative response to a "random"
    address check.

25. If a daemon was started with -qsomething and not -bd, and deliver_drop_
    privilege was set, and a pid file was specified with -oP, and the pid file
    did not previously exist, it was created with owner exim instead of owner
    root.

26. verify=sender was not being allowed in a non-SMTP ACL.

27. Under some error conditions, the socket used for ident calls could be left
    open.

28. Added acl_smtp_helo, because some people seem to want it.

29. For hosts that match helo_verify_hosts, the error given when a MAIL command
    is received without HELO or EHLO has been changed from 550 to 503 (which
    means "bad sequence of commands").

30. Installed PCRE 4.2.

31. The quota_size_regex option for the appendfile transport was broken in that
    a terminating zero was omitted from the string that was extracted for the
    size. If it happened that digits followed in the memory to which it was
    copied, an incorrect (too large) size was then used.

32. Change 4.14/32 (iv) introduced a bug in the case when the "phrase" part of
    a rewritten address did *not* contain any special characters. The
    generated address was mangled.

33. Several items of refactoring from Michael Haardt:

     . Introduction of "const" in a number of places
     . Use memcpy() instead of strncpy() in string_cat()
     . Add HAVE_ICONV to Linux file, for external users (Exim doesn't use it)
       [Later: From 4.21, Exim *does* use it.]
     . Preparation for adding additional types of filter file

34. Changed (incompatibly, but hopefully not so it affects anyone) the
    appendfile transport in the case when it is called directly as a result of
    a .forward or a filter file requesting a delivery to a file. Previously,
    any settings of "file" or "directory" were ignored in this case. Now they
    are used. The path received from the router is in $address_file (as
    before) and can therefore be included in the expansion.

35. If a "save" command in a filter specifies a non-absolute path, the value of
    $home/ is pre-pended. This no longer happens if $home is unset or is an
    empty string. It is expected that the transport will complete the path (see
    34 above). If there is an error before the path is complete, the local part
    is logged as "save xxxx".

36. If multiple "to file" deliveries are routed to the same transport, no
    batching ever takes place, whatever the value of batch_max.

37. If an address was redirected to an unqualified local part preceded by a
    backslash, Exim was qualifying it with the qualify_domain, instead of with
    the incoming domain.

38. Minor rewording: header lines can be added by MAIL as well as RCPT: the
    debug line mentioned only RCPT.

39. DESTDIR is the more common variable that ROOT for use when installing
    software under a different root filing system. The Exim install script now
    recognizes DESTDIR first; if it is not set, ROOT is used.

40. If DESTDIR is set when installing Exim, it no longer prepends its value to
    the path of the system aliases file that appears in the default
    configuration (when a default configuration is installed). If an aliases
    file is actually created, its name *does* use the prefix.

41. If an item in log_file_path was an empty string, Exim wrote the log to the
    log directory in the spool directory. Now it takes notice of the
    setting of LOG_FILE_PATH in Local/Makefile, and uses the first non-empty,
    non-"syslog" item from that list. If there are none, it uses the ultimate
    default of the spool directory.

42. If there is a Reply-to: header line, but it is empty, $reply_address now
    contains the From: address instead of being empty.

43. Added -no-cpp-precomp to CFLAGS in OS/Makefile-Darwin. Without this, the
    compiler provides a string for __DATE__ that does not conform to the
    specification in the C standard. The option disables precompiled headers,
    which should not have any bad effects, as pre-compiled headers are
    supposedly just a performance enhancement at compile time.

44. Refactoring: as there is now a flag that specifies whether or not a home
    directory that is passed with an address is already expanded, we no longer
    need the \N...\N fudge for home directories extracted from the password
    data.

45. Fixed an infelicity introduced by 4.14/71: The defaulting of the prefix,
    suffix, and check string stuff in appendfile was happening when no
    directory was supplied. Now it happens if no directory is supplied AND
    maildir has not been specified.

46. If expansion of the serverpassword in a spa authenticator or expansion of
    server_condition in a plaintext authenticator is forced to fail,
    authentication now fails (previously it gave a temporary error, which is
    what happens for other expansion failures). This brings these
    authenticators into line with cram_md5, where expansion of server_secret
    has always behaved like this.

46. Added new syslog facilities (courtesy Oliver Gorwits):

    (i)  SYSLOG_LOGS_PID and LONG_SYSLOG_LINES in src/EDITME.
    (ii) syslog_facility and syslog_processname main options.

47. Callout was using only the hosts from the router, ignoring the transport.
    This has been changed. If (a) the router does not set up hosts (e.g. it's
    an accept router) or (b) the smtp transport that is routed to has
    hosts_override set, then the transport's hosts are used for callout
    checking.

48. When named lists were nested, and an inner list was resolved by a lookup
    that saved data for, e.g. $domain_data, the data was associated with just
    the outer list, though both were cached, so if a subsequent test was done
    for the inner list, there was no domain data. Example:
       domainlist A = lsearch;/a/b
       domainlist B = lsearch;/c/d
       domainlist C = +A : +B
    A test on +C that matched, followed by a test on +A or +B would provoke
    this bug. Now the data is saved with both the inner and the outer lists.

49. When the log selector +address_rewrite is turned on, the log lines now
    show where the rewritten address came from (which header line, envelope
    field, or an SMTP command).

50. If an integer or fixed point configuration value is too big to fit in
    a 32-bit int, Exim now writes an error to the panic log and dies.

51. Unknown SMTP commands are now assumed to be ones that need synchronization;
    this means that a packet that contains more than one of them will cause the
    connection to be dropped as soon as the first one is encountered.

52. The "control" feature of ACLs was not permitted for the MAIL ACL (an
    oversight). It now is allowed.

53. Added the "discard" verb to ACLs.

54. Fixed a theoretical bug observed by reading the code: if local_scan()
    changed the number of recipients, output from the received_recipients log
    selector would be incorrect.

55. Added HAVE_ICONV to the os.h files for Linux, Solaris, HP-UX. This is for
    use in the forthcoming Sieve addition to Exim.

56. The behaviour of -t in the presence of Resent- headers has been changed,
    for compability with Sendmail and other MTAs. Previously, Exim gave an
    error, because it is not clear from RFC 2822 how this might be handled. It
    turns out that MUAs don't seem to follow what RFC 2822 says, and any MUA
    that uses -t with Resent- ensures that there is only one set of Resent-
    header lines (usually by renaming others to X-Resent-xxx). So now Exim will
    take recipients from all the Resent- header lines instead of the usual
    ones.


Exim version 4.14
-----------------

 1. Found another case where SIGCHLD is being ignored (a child process for
    handling a filter file) and so the wait() doesn't find the subprocess. This
    came to light as a result of extra logging introduced as part of the
    4.12/14 fix. Now Exim is careful to set SIGCHLD handling to its default
    (i.e. to be noticed) for this particular subprocess. (It already has this
    code for other cases where it uses subprocesses.)

 2. If ${run appeared in part of a conditional item that was being skipped, the
    actual running of the command was not being skipped.

 3. A bit of code tidying (refactoring): there were two functions that built
    strings containing a host name and ident value for logging. There is now
    only one. It is called in some additional places where previously just the
    host name and address were given, so the wording of some log lines has
    changed slightly.

 4. Added support for Unix domain socket connection to PostgreSQL.

 5. The number of unknown SMTP commands that Exim will accept before dropping
    a connection can now be changed by smtp_max_unknown_commands. The default
    value is 3. Previously, a fixed value of 5 was used. The final command is
    now included in the log line.

 6. The standard place for chown and chgrp in Linux is /bin, not /usr/bin, as
    assumed by the exicyclog script. I've implemented a "look for it" feature
    that makes exicyclog look in /bin, /usr/bin, /usr/sbin, and /usr/etc for
    the commands chown, chgrp, mv, and rm if configured, and turned on this
    feature for Linux. This should cope with old Linuxes that use /usr/bin.

 7. Implemented .ifdef etc.

 8. Installed signal handlers for SIGSEGV, SIGILL, SIGFPE, and SIGBUS while
    running local_scan(), so that crashes therein get caught. A temporary error
    response is sent for an SMTP message, and the spool is cleaned up.
    Previously, a -D file was left lying around if there was a crash in
    local_scan().

 9. The ${quote: operator has been changed so that it turns newline and
    carriage return characters into \n and \r, respectively.

10. Added support for crypt16().

11. Some restrictions on the use of "verify" in ACLs were too restrictive, and
    have been relaxed. In particular, "verify = sender" is now permitted in the
    ACL for the MAIL command, as well as those for RCPT and DATA.

12. If local_scan() sets up recipient or errors_to addresses that are
    unqualified (local parts without a domain) Exim now qualifies them using
    the qualify_recipient domain.

13. White space at the start of continuation lines in -be input was not being
    ignored.

14. Previously, if a MySQL query was issued that did not request any data (an
    insert, update, or delete command), Exim gave a lookup error and deferred.
    This case is now recognized, and the result of the lookup is now the number
    of rows affected.

15. A configuration error is given if tls_try_verify_hosts is set and
    tls_verify_certificates is not set. (Exim already did this for
    tls_verify_hosts.)

16. Exim was trying to create a non-existent hints database even when it was
    just opening it for reading. It called the creating function with the
    O_RDONLY and O_CREAT flags. This works with many DB libraries, but it
    not with DB 1.85, where a subsequent attempt to use the database gave the
    error "Inappropriate file type or format". Exim now creates hints databases
    only when it wants to open them for writing.

17. If an ACL condition test set a default "message" value without a
    "log_message" value, and there were no overriding messages in the ACL
    itself, no message was logged. The user message is now logged.

18. If callout made a connection, but it was dropped before the initial
    welcome response was received, Exim logged "response to initial connection
    was" with no further text. It now logs that the connection was dropped.
    The wording of the logging for callout defers has been slightly changed so
    as to reduce duplication.

19. When multiple messages were sent using TLS over one connection, the
    additional required EHLO that follows STARTTLS was being counted as a
    nonmail command, and thus causing a problem if there were a lot of
    messages. Similarly, a new AUTH that followed STARTTLS was being counted.
    It is now possible to run with smtp_accept_max_nonmail set to zero in these
    and other "normal" circumstances.

20. During verify=sender, global rewriting rules are applied to the sender
    address, and if it changes, $sender_address becomes the rewritten version.
    Unfortunately, it was not getting updated until after the routers had been
    run, so that if a router referred to $sender_address while verifying a
    sender, the unrewritten value was used.

21. The "random address" callout test was being done after the other tests.
    This is silly, because if the host accepts all local parts, there isn't any
    point in doing the other, more specific, tests. I changed things around so
    that the "random" test (if configured) is done first.

22. Expanded the wording for callout failures when MAIL FROM:<> or RCPT TO the
    a postmaster address are rejected. Also include these words when a
    rejection happens because of caching (when there isn't an actual SMTP
    command/result to reflect).

23. A new router condition called "address_test" (default true) can be used to
    skip routers when testing addresses using -bt (compare no_verify). This can
    be a convenience when your first router sends stuff to an external scanner.

24. Testing for deliver_queue_load_max was happening inside the delivery
    sub-process, when it could have happened outside, in the queue runner (thus
    saving one process). This was a hangover from Exim 3, where there were
    other load tests to be done. The code has been tidied.

25. Code tidy: the driver_info generic structure contained a field that
    might, on 64-bit systems, not have been compatible with the fields in the
    structures of which it is supposed to be a subset. It turns out that this
    field and another are not actually used generically, so removing them from
    the structure solves the problem.

26. Added server_advertise_condition to authenticators.

27. The exim_checkaccess utility wasn't sending a HELO command; this matters
    now that it's possible to have an ACL that checks HELO/EHLO.

27. Added the ldap_version option to force a specific LDAP version.

28. Renamed the variable verify_address in exim.c as verify_address_mode,
    because it had the same name as the verify_address() function, which was
    confusing.

29. Added authenticated_sender to the smtp transport.

30. When the skip_syntax_errors option is applied to a filter file, it covers
    all filtering errors, some of which may not be strictly "syntax" (for
    example, failure to open a log file). The wording of the message has been
    changed to use "error" instead of "syntax error", to reduce confusion. Also
    the subject of the message sent by syntax_errors_to is now "error(s) in
    forwarding or filtering" instead of "syntax error(s) in address expansion".

31. Added -restore-times to the exim_lock utility.

32. Changes to the handling of the "phrase" parts of email addresses:

      (i) Re-organized the code to use a supplied instead of an implied buffer,
          and a length instead of expecting a terminated string.

     (ii) Changed from using the macro mac_isprint() to an explicit test for
          ASCII non-printing characters, because the macro pays attention to
          print_topbitchars, which is not correct here.

    (iii) If a rewritten address contained a "phrase" (whether or not the "w"
          flag was present on the rewrite rule), but the actual address was
          unqualified (had no domain) and was expected to be qualified by the
          "Q" flag, Exim screwed up and created an illegal address.

     (iv) When a header address is rewritten by a rule that includes the "w"
          flag, the parts of the address outside <> are now encoded according
          to RFC 2047 if necessary (assuming ISO-8859-1 encoding).

33. Added the ${rfc2047 and ${from_utf8 expansion operators.

34. The file names used for maildir deliveries have been changed, to accomodate
    operating systems that may re-use a PID within one second. The file name
    now include the microsecond time fraction, and the delivery process does
    not exit until the clock is at least one microsecond after the time used in
    the file name. The code copes with the clock going backwards (it waits
    till time catches up).

35. The rules for creating message ids have been changed to allow for the fact
    that a PID may be re-used within one second. As part of this change, the
    range of localhost_number has been reduced to 0-16 for most systems, and
    0-10 for those with case-insensitive file systems (Cygwin, Darwin).

36. Code tidy: there was a local count of non-TCP/IP messages that duplicated
    the global receive_messagecount (used for accept_queue_per_connection).

37. verify = header_syntax was allowing unqualified addresses in all cases. Now
    it allows them only for locally generated messages and from hosts that
    match sender_unqualified_hosts or recipient_unqualified_hosts,
    respectively.

38. If PAM was called with an empty first string, it called the data function
    to get the user name, thereby getting the second string by mistake. If this
    was also null (empty passwords are permitted), there was an infinite loop.
    An empty user name is not now passed to PAM; authentication is forcibly
    failed instead. Also, if the end of the list of strings is reached, an
    empty string is passed back just once; a subequent call for data provokes
    an error response.

39. If a reverse DNS lookup yields an empty string, treat it as if the lookup
    failed. (Apparently such records have been seen. Sigh.)

40. Added the -bnq command line option to suppress automatic qualification of
    addresses in locally submitted messages.

41. Header texts supplied by options to the autoreply transport may now contain
    newlines that are followed by whitespace. (This was allowed from a filter,
    but not from the transport.)

42. Patch for < > problems in eximstats 1.23.

43. Re-arranged the code to make it easier in future to add additional filter
    types.

44. Added support for changing the connection timeout in LDAP; this is
    something that's available in Netscape SDK 4.1. Exim uses the given value
    if LDAP_X_OPT_CONNECT_TIMEOUT is defined.

45. When Exim was setting a daemon listener on multiple interfaces, including
    listening on "all IPv6" and "all IPv4" interfaces, it was binding all the
    sockets, and then calling listen() for each of them. On some IP stacks, a
    listen for "all IPv4" fails after listening for "all IPv6" because a single
    socket catches both kinds of call. Exim coped with this, but it turns out
    that on a USAGI-patched Linux, this logic doesn't work unless the "listen",
    as well as the "bind" has been done for the IPv6 socket first. The order of
    the functions has now been changed. Instead of "bind, bind ... listen,
    listen..." it now does "bind, listen, bind, listen, ...". Also, the failure
    happens in the bind() rather than in the listen(), so there are now two
    checks, which hopefully will handle all kinds of IP stack.

46. IPv6 addresses have "scopes", and a host with multiple interfaces can, in
    principle, have the same link-local addresses on different interfaces.
    Thus, they need to be distinguished, and a convention of using a percent
    sign followed by something (often the interface name) is being used, for
    example: 3ffe:2101:12:1:a00:20ff:fe86:a061%eth0. Two changes have been made
    to accommodate this:

    (a) A percent sign followed by an arbitrary string is allowed at the end of
        an IPv6 address.

    (b) Exim calls getaddrinfo() instead of inet_pton() to convert a textual
        IPv6 address for actual use. This function recognizes the percent
        convention in some operating systems.

47. Additional debugging inserted for the case of forced failure when expanding
    an item in a list.

48. A new debugging selector +expand has been added. This is not included in
    the default set of selectors. It requests detailed debugging information
    for string expansions.

49. Failure to open the main log results in a panic-die, but the original line
    that was being logged could be lost. It is now output to stderr if there is
    a stderr file.

50. When Exim starts, it checks for the existence of its spool directory, and
    creates it if necessary. Unfortunately, it was doing this after the code
    for logging arguments. Thus, if the spool did not exist, trouble ensued.

51. The log line for an ACL warning after a sender verify callout failure was
    not showing the details, unlike the log line for a deny. They are now shown
    in a similar way.

52. For reasons lost in the mists of time, when a pipe transport was run, the
    environment variable MESSAGE_ID was set to the message ID preceded by 'E'
    (the form used in Message-ID: header lines). The 'E' has been removed.

53. Updated the QNX configuration files for QNX 6.2.0.

54. The "*@" type partial matching for single-key lookups was broken in
    releases after 4.10. Exim looked for *@xxx but, if that failed, it wasn't
    going on to look for "*".

55. Included eximstats 1.25 in the source tree.

56. Changed log wording from "Authentication failed" to "<name> authenticator
    failed", where <name> is the name of the authenticator.

57. gcc 3.2.2 warned about a selection of places where string casts were
    needed.

58. Exim monitor: the use of one_time redirection could cause addresses to be
    displayed with incorrect "parent" addresses after the one_time
    re-arrangement had taken place. They should be shown with no parents,
    because the parentage has been removed.

59. Arranged to keep independent timestamps for postmaster and random checks in
    callouts, and not to do unnecessary tests for postmaster when testing
    individual addresses.

60. Incorporated PCRE release 4.0.

61. Added ${hex2b64: operator.

62. Added $tod_zulu.

63. Added ${strlen: operator.

64. Added ${stat: operator.

65. When Exim is receiving multiple messages on a single connection, and
    spinning off delivery processess, it sets the SIGCHLD signal handling to
    SIG_IGN, because it doesn't want to wait for these processes. However,
    because on some OS this didn't work, it also has a paranoid call to
    waitpid() in the loop to reap any children that have finished. Some
    versions of Linux now complain (to the system log) about this "illogical"
    call to waitpid(). I have therefore put it inside a conditional
    compilation, and arranged for it to be omitted for Linux.

66. Added settable variables $acl_c0 - $acl_c9 and $acl_m0 - $acl_m9 for use
    during ACL processing.

67. Added "defer" command to system filter.

68. X options such as -bg or -geometry that were added to an eximon command
    were being lost as a result of a bug introduced by 4.12/6.

69. The "more" and "unseen" generic router options can now be expanded strings.

70. The "once_repeat" option in the autoreply tranport is now an expanded
    string.

71. If maildir_format is set on an appendfile transport that is referenced from
    an file_transport setting in a redirect router, it forces maildir delivery,
    even if the path given in the filter does not end with '/'.

72. Fixed three bugs in ${readsocket:
      (i) If the operation failed, and a failure string was given, "}}" was
          erroroneously added to it.
     (ii) If the operation succeeded, but a failure string was present, "}" was
          added to the expanded data.
    (iii) The alarm for the timeout was set with signal() instead of with
          os_non_restarting_signal(), which meant that it only worked on those
          OS whose default is not to restart an interrupted system call.

73. A complete host name (no wildcards) in a host list causes a forward lookup
    for the IP address. If this failed, Exim was behaving as if the host didn't
    match the list, instead of giving an error (as it does when a reverse
    lookup fails).

74. If router_home_directory was passed on as a home directory for a local
    transport, it was being re-expanded in the transport. This has been changed
    so that the expanded value is passed from the router to the transport, and
    no re-expansion takes place.

75. When a redirect router generated a pipe, file, or autoreply, the values of
    $domain_data and $localpart_data were not being propagated to the
    transport.

76. The macros MESSAGE_ID_LENGTH and SPOOL_DATA_START_OFFSET are now defined in
    local_scan.h so that they are available to local_scan() functions.

77. Changes to the SMTP PIPELINING support:

    (1) Exim used always to accept pipelined commands, even when it hadn't
        advertised PIPELINING (i.e. when EHLO had not been received). Now it
        objects unless PIPELINING has been advertised.

    (2) Advertising PIPELINING to specific hosts can be disabled via the new
        option pipelining_advertise_hosts.

78. The acl_smtp_connect ACL was not being run for -bs input when no IP address
    was supplied via -oMa.

79. A "mail" command in a filter could cause a crash if the list of recipients
    for the "to:" line was excessively long - this showed up in a reply to
    a message with a ridiculously long Reply_to: header line.

80. Added allow_utf8_domains.

81. Added $rh_ and $rheader for "raw" header expansion.

82. Added smtp_accept_max_nonmail_hosts.

83. Extended ${stat (see 64 above) to add smode=symbolic mode.

84. Added default logging for host and IP lookup failures, with a log selector
    called host_lookup_failed to turn it off.

85. Added header_maxsize and header_line_maxsize.

86. If a RCPT ACL made use of "verify = sender" without callout, followed by
    another use with callout, and the callout failed, the caching was broken
    such that for a subsequent RCPT command, the first callout failed
    incorrectly. The caching of sender verification has been fixed so that it
    now remembers that the routing succeeded even when the callout fails.

87. Added errno and strerror(errno) to the log line for a failure to lock the
    -D file when receiving a message.

88. If router with check_local_user set up a local delivery, and no user was
    specified on the transport, and errors_to on the router specified an
    address whose verification also invoked check_local_user, the wrong uid/gid
    was used for the transport. It used the uid/gid of the errors_to address
    instead of the uid/gid of the original local part.

89. If log_file_path=:syslog was set, to use the default log path and also
    syslog, and check_log_space was also set, Exim was confused, and refused to
    accept messages, giving the error "cannot find slash in ".

90. If a router stripped a prefix or a suffix from a local part, and then
    routed that address to an smtp or lmtp transport, the address that was
    sent in the RCPT command did not have the affixes stripped.

91. For BSMTP delivery by appendfile or pipe, the address given in the RCPT
    command did not preserve the case of the envelope address, as it is
    supposed to.


Exim version 4.13
-----------------

There was no 4.13. I accidentally put out a fixed version of 4.12 (a typo was
discovered very soon after release) that verified itself as 4.13. This too was
hastily fixed, but it seems best not to use the number, to avoid confusion.


Exim version 4.12
-----------------

 1. Update to change 4.11/82: for the max number of processes, set
    RLIM_INFINITY if it is defined.

 2. An expansion ${run{xxx}} where xxx was a successful command that produced
    no output caused Exim to crash.

 3. Some artificial delays of 1 second existed when running in the test
    harness, to ensure repeatability of debugging output. Now that we have
    the millisleep() function, these can be shorter.

 4. Change 4.11/30 below overlooked the case when an address gets a 4xx
    response from a server. Because this isn't a host problem, the host does
    not get delayed, and it gets tried every time the address is OK'd for
    routing, with the same reponse. However, if hosts_max_try is set, because
    not all the hosts were tried, the address does not time out. I've changed
    things so that if there is a 4xx response to a RCPT command, the host in
    question does not count towards hosts_max_try if the message is older than
    the host's maximum retry time. This means that other hosts are always tried
    in this circumstance; if the address gets 4xx errors from all of them, it
    will eventually time out.

 5. If a retry rule for a host had no actual retry times specified, it could
    cause a crash when checking the ultimate address timeout. (Very old bug,
    spotted in passing, so probably never bothered anybody.)

 6. Change 135 below broke the following scripts when a list of configuration
    files was given: exicyclog, exim_checkaccess, eximon, exinext, and exiwhat.
    In practice, if exim_path was not specified in the configuration file (a
    common case), things would probably work OK. However, the use of
    CONFIGURE_FILE_USE_NODE definitely did not work. These scripts have now
    been updated to fix this problem. They now search for the configuration
    file in the same way Exim itself does: for each name in the list, the
    "noded" file is tried first, then the unsuffixed file.

 7. If a WARN verb in an ACL did not specify an explicit "message" modifier,
    and was triggered by a failing sender or recipient verification, the
    response that would have been sent as an SMTP message for a DENY verb was
    incorrectly being added to the message's headers.

 8. I screwed up change 4.11/155. For lookup types whose names were prefixes of
    other lookup types (e.g. nis and nisplus, dbm and dbmnz), the new search
    function didn't do the correct comparison, meaning that the wrong lookup
    type could be found.

 9. Solaris seems to be one of the LDAPs that doesn't have the lud_scheme
    member of the LDAPURLDesc structure. Since the check that is made on it
    is only to double check that a path is given for ldapi, I've just removed
    the test in the Solaris case.

10. The modified TextPop.c source in the Exim monitor had declarations of errno
    and sys_nerr which never were actually referenced. The second of these
    caused trouble on Darwin, so I've removed both of them. Why were they
    there? Who knows? This is ancient X code...

11. The DEFER ACL verb crashed if no "message" modifier was set.

12. The check on incoming messages that gives the error "too many non-mail
    commands" was too strict. In the case of Exim sending to Exim, when the
    client has queued messages for the server and is using TLS, it will close
    and re-initialize TLS between messages (because the client has to hand the
    SMTP connection to a new process). STARTTLS was being counted as a non-mail
    command, and therefore could cause the limit to be hit. The revised code
    now allows for one RSET, one HELO or EHLO, and one STARTTLS between each
    message without counting them as non-mail commands. (One RSET was
    previously allowed - I *had* spotted that case.)

13. Some log lines for rejections by ACL were putting ident values in
    parentheses instead of using U= after H=. (There are some other lines that
    do use parens, typically when the host name appears without H= within a
    message. This whole area could perhaps do with tidying up.)

14. When processing a redirection file happens in a subprocess (typically so
    that a .forward file is processed as the user), Exim was assuming that a
    call to wait() would always reap the subprocess, and it was failing to
    check the result. In theory, a signal of some sort occurring at the wrong
    time could break this assumption - the process was then left unreaped, and
    could possibly be picked up later during deliveries, thus confusing that
    code ("processes got out of step"). This is conjecture - I haven't got a
    definite test of this. However, I have fixed the code to repeat the wait
    after a signal.

15. When Exim was waiting for a remote delivery subprocess, and the waitpid()
    call found a process that was not in the list of remote delivery processes,
    Exim gave up waiting for remote processes. It is probably better just to
    ignore the unexpected process (though, of course, write to the main and
    panic logs) and to wait for another process, and so that is what now
    happens. If the error situation is caused by failed waiting logic for
    routing or local delivery processes, this approach will minimize bad
    behaviour, I hope.


Exim version 4.11
-----------------

 1. Ignore trailing spaces after numbers in expansion comparisons such as
    ${if > { 5 } { 4 } ... (leading spaces were already ignored).

 2. Two variables, $warnmsg_delay, and $warnmsg_recipients, had got left with
    their old Exim 3 names, when I meant to change to "warn_message", along
    with the warn_message_file option. They have now been changed. The old
    names remain as synonyms, but will be undocumented in due course.

 3. The message "This message was created automatically by mail delivery
    software (Exim)." still confuses people. If they are sufficiently Internet-
    ignorant, they think the message has come from exim.org. At first, I
    changed thw wording to "This message was created automatically by mail
    delivery software (Exim) running on a mail server handling mail for <the
    qualify domain>." in the hope that that might be better. However, in
    testing that still proved confusing on servers handling multiple domains.
    The message has now reverted to the original, simple wording: "This message
    was created automatically by mail delivery software."

 4. It has been discovered that, under Linux, when a process and its children
    are being traced by "strace -f", the children are stolen from the parent
    while they are being traced. A call to waitpid(-1,&x,NOHANG), which Exim
    uses to test for the completion of "any of my children" in a non-blocking
    manner, returns as if there are no children in existence. Exim used treat
    this as a serious unexpected error state. What it does now is to use
    kill(pid,0) to check explicitly for the continued existence of any of its
    children. If it finds any, it assumes it is being traced, and proceeds as
    if the return from waitpid() had been "none of your children have finished
    yet". If it can't find any children, it gives the error as before.

 5. When Exim creates hints databases and their lock files as root, it needs to
    change their ownership to exim. In Exim 3, the function to open a hints
    database wasn't called as root very often, and the check "are we running as
    root?" would usually fail. However, because Exim 4 eschews the use of
    seteuid(), it runs all its routing as root, and this always calls the hints
    database opening function. It wasn't noticing when it was actually creating
    the database, and so it was running chmod() on all the files in the db
    directory every time. This does no harm, of course, but wastes resources.
    Exim now detects when the database was already in existence by opening
    without O_CREAT at first. If this succeeds, it doesn't do the root test.

 6. The line in MakeLinks that creates a link for direct.c had been
    accidentally left in (cf 4.03/6).

 7. The value of $0 in the replacement in a rewriting rule was being corrupted,
    leading to incorrect results or error diagnostics.

 8. Added support for ldapi:// URLs to the LDAP lookups (OpenLDAP only). Also,
    re-organized the code to use ldap_initialize() with OpenLDAP in all cases
    (it seems to be preferred).

 9. With OpenLDAP 2.0.25, ldaps:// doesn't seem to work unless the LDAP
    protocol level is set to 3. This is now standard in the Exim code, as v3
    has been around for 5 years now. Testing ldaps:// is now included in the
    Exim test suite. Although earlier versions claimed to support it, I rather
    suspect that it never worked.

10. Inserted some checking of the syntax of the IP address given as the first
    argument to the exim_checkaccess utility. This gives a better error
    message, especially in the case when somebody gets the arguments in the
    wrong order.

11. Improved the panic log entry if an unsupported format type is passed to
    string_vformat() (now gives the whole format string, not just the little
    bit that's wrong).

12. Ever since its early days, Exim has checked the syntax of non-SMTP
    addresses according to RFC [2]822 rules, rather than the stricter RFC
    [2]821 rules that it uses for SMTP. This allows for a wider set of
    characters in domains. This has now caused a problem, because I forgot
    about it when making some changes to the format of spool files (see
    3.953/44, 4.03/10, and 4.04/1). I can't believe that anybody actually makes
    use of this feature (which isn't documented), so I have removed it. All
    domains must now conform to RFC [2]821 rules. A non-SMTP message with a
    domain that would previously have been accepted will now be bounced.

13. If widening a domain in a dnslookup router made it syntactically invalid,
    the error message quoted the original domains instead of the widened
    domain.

14. During a queue run initiated by -R or -S (or by -i when the use of message
    logs is disabled), if Exim encountered a message with certain
    characteristics (including text for $local_scan_data, and the setting of
    the "manually thawed" flag), this data was not correctly reset for
    subsequent messages. So if they didn't have those settings themselves,
    strange things could occur.

15. With the "percent hack" enabled for percenthack.domain, if a message had
    two addresses such as X%some.domain@percenthack.domain and X@some.domain,
    Exim was not recognizing the duplication, and was making two deliveries
    instead of one.

16. The output from verification (for -bv and VRFY) used to list a child
    address when verification was applied to children (this happens, for
    example, for aliases that generate just a single child). Now it lists only
    the original address.

17. Changes 34 and 35 of 4.10 did not wholly solve problems with widened
    domains. The following bug still existed:

    . A recipient address was abbreviated (e.g. one component).
    . A dnslookup router caused it to be widened.
    . The new domain was a local domain.
    . The address was redirected to itself.

    At this point, Exim thought it was a duplicate, and discarded it.

    This whole thing turned out to be a large can of worms, so I have reworked
    the address widening code. This should get rid of all these problems.
    Widening now appears similar to redirection, with the unwidened address
    becoming a proper parent address. As part of this, there has been some
    general re-organization of the way addresses are handled.

18. When a filter generated only "unseen" deliveries, the normal delivery that
    happened subsequently lost any value of address_data that was previously
    set. The handling of values like that that are propagated from parents to
    children has been reworked.

19. Added smtp_return_error_details and the check_postmaster option for address
    verification callouts.

20. Long SMTP responses (from ACL messages or wherever) are now automatically
    split up into multi-line responses if possible. The split happens at an
    occurrence of ": " if present after 40 characters. Otherwise it happens at
    the last space before 75 characters. Existing newlines in the message are
    taken into account.

21. When verify = header_sender is set, a different error message is now given
    if a syntax is detected, as opposed to failure to verify.

22. Extended the general mechanism for ${quote_lookuptype:...} expansions by
    allowing for an option to be given after the lookup name, for example
    ${quote_ldap_dn:...}. Unrecognized options cause errors.

23. Re-worked the quote_ldap expansion items to provide two different kinds of
    quoting, since the requirements of filter strings and DNs are different.
    Sigh. Arranged for the DN given in the USER= setting to be de-URL-quoted
    because not all libraries do it themselves.

24. The handling of responses from LDAP searches wasn't right. It was detecting
    situations of the form "ldap_result failed internally or couldn't provide
    you with a message" but not "the server has reported a problem with your
    search". This has now been tidied up (thanks, Brian). Problems of the
    latter kind are now handled as follows:

      (1) For LDAP_SIZELIMIT_EXCEEDED, the truncated list of results is
          returned. This is what happened before.

      (2) For a small set of errors that, in effect, mean "that object does
          not, or cannot, exist in the database", the lookup fails. This is
          also as before.

      (3) For other problems, the lookup defers, giving the LDAP error.

25. Added $ldap_dn to hold the DN of the last entry retrieved in the most
    recent LDAP lookup.

26. Exim was not checking for the LDAP_INVALID_CREDENTIALS error when
    ldap_bind() failed during an ldapauth call. With (at least) OpenLDAP2, the
    connection to the server doesn't happen until ldap_bind(), so failures to
    connect were being treated as authentication failures, and given hard
    errors. Now, all errors other than LDAP_INVALID_CREDENTIALS are treated the
    same way for all calls to ldap_bind(), whether ldaputh or otherwise. They
    lead to temporary errors - if there are more servers, they will be tried.

27. If there was a reference to a non-existent named list, for example, a
    setting such as "senders = +something", but no lists of that type were
    actually defined, Exim misbehaved. For an address list, it treated the name
    as a domain list. For a domain list, it just didn't match. Now it gives a
    panic error about a non-existent named list (as it always did if there were
    named lists of the appropriate type). The error now tells you what type of
    list it thought it was looking for.

28. When -bt or -bv is used by a non-admin user, and there is some kind of
    DEFER (e.g. database unreachable), details of the failure are no longer
    given, because they may include private data such as the password for an
    LDAP lookup.

29. The logic for using a remote host name as a key for looking up retry rules
    in preference to the domain of the email address was broken. It wouldn't
    find such retry rules.

30. There were some problems with the action of hosts_max_try in the smtp
    transport where there were indeed more hosts available than the limit.

    (a) Exim used to time out an address out if all the hosts that were tried
        were past their retry limits, ignoring the state of any hosts that were
        not tried because the hosts_max_try limit was reached. Now it won't
        time out an address unless all its hosts are actually considered and
        are past their retry limits.

    (b) Hosts that are past their retry limits are no longer counted for
        hosts_max_try. This means that when some hosts are in this state, a
        greater number of hosts are tried than before, but this is the only way
        to ensure that all hosts are considered before timing out an address.

    (c) When the hosts_max_try limit is reached, Exim now looks down the host
        list to see if there is a subsequent host with a different MX. If there
        is, that host is used next, and the current host is not counted. More
        details in NewStuff.

31. The source for spa authentication (taken from the Samba project) used the
    type "int16". This has caused compilation problems in some systems that
    happen to have a different definition of it. (Naughty, naughty, non-
    standard.) I've renamed all the defined types by adding "x" on the end.

32. When a delivery that used authentication was run with -v (which an
    unprivileged user can use) it included the authentication data when it
    showed the SMTP transaction. Such data is now replaced by asterisks in any
    reflection of the SMTP commands. This also applies if the command is logged
    as a result of an error response.

33. Some little problems in queue runs:

    (a) The reading end of the synchronising pipe was being left open in the
        delivery subprocess. This caused no harm, but used up a file
        descriptor till that series of deliveries was done.

    (b) If the load level got high enough to abandon a queue run, the
        synchronizing pipe was accidentally not closed. Normally, this wouldn't
        matter, because the queue runner process would finish any way, but...

    (c) If split_spool_directory was set without queue_run_in_order, the code
        for abandoning a queue run because of too high load didn't stop
        cleanly. Instead, it went on to look at the remaining subdirectories.
        Each one would then notice the high load, and abort. Not only was this
        a waste of time, but because of (b) above, it used up one file
        descriptor per subdirectory. With up to 62 subdirectories, this could
        hit the limit of file descriptors if it was as low as 64 (which it
        sometimes is).

34. Added SYSTEM_ALIASES_FILE to the build-time configuration, and the ability
    to set ROOT= when installing. Removed installation instructions for the
    info version of the overview document, because that document no longer
    exists for Exim 4.

35. Added a total line to exiqsumm.

36. convert4r4 can now handle "optional" for single-key lookups in aliasfile
    directors.

37. Change 4.03/25 (making convert4r4 double colons in require_files lists) was
    incomplete. It worked for routers, but not for directors.

38. After verify=recipient in an ACL, the value of $address_data is the last
    value that was set while routing the address.

39. Included eximstats 1.22.

40. If a delivery of another message over an existing SMTP connection yields
    DEFER, we do NOT set up retry data for the host. This covers the case when
    there are delays in routing the addresses in the second message that are so
    long that the server times out. This is alleviated by not routing addresses
    that previously had routing defers when handling an existing connection,
    but even so, this case may occur (e.g. if a previously happily routed
    address starts giving routing defers). If the host is genuinely down,
    another non-continued message delivery will notice it soon enough.

41. Added quota_directory to appendfile.

42. Changed the order of processing configuration input lines. Previously, it
    was comment, .include, continuation, macro expansion, comment again (in
    case a macro turned a logical line into a comment). This meant that macros
    could not be used in .include lines. The order is now macro, comment,
    .include, continuation. That is, macro expansion is done on physical lines,
    not on logical lines.

43. Improved the error message if an option-setting line in the configuration
    does not start with a letter. (It used to say 'option "" unknown'.)

44. Allow -D to set a macro to the empty string. Previously it would have
    moved on to the next commandline item. This seems pointless. Either -DXX or
    -DXX= sets an empty string.

45. Changed OS/Makefile-FreeBSD thus:

      EXIWHAT_MULTIKILL_CMD='killall -m'
      EXIWHAT_MULTIKILL_ARG='^exim($$|-[0-9.]+-[0-9]+$$)'

    This is because, with the Exim standard installation using a symbolic link,
    the name of the running program is not "exim" but (e.g.) "exim-4.10-1".

46. An Exim server now accepts AUTH or STARTTLS commands only if their
    availability has been advertised in response to EHLO.

47. A few source changes to avoid warnings from very picky compilers that don't
    complain about unset variables when the only setting is by passing the
    address to another function.

48. Added -d+pid to force the adding of the pid to all debug lines. Default it
    on when the daemon is run with any debugging turned on. (Pids are still
    automatically added when multiple deliveries are run in parallel.)

49. Included Matt Hubbard's exiqgrep utility.

50. Give error for two routers, transports, or authenticators with the same
    name. (It already caught duplicate ACLs.)

51. If a host has more than MAX_INTERFACES interfaces (common for hosts with a
    slew of virtual interfaces), and Exim had to find the list of local
    interfaces, it ran off the end of the list that the ioctl returned. I had
    assumed the length would be set to correspond to the amount of data
    returned - but in at least one OS it is set to the actual number of
    interfaces, even if they don't all fit in the buffer.

52. Nit-picking changes to store.c. It was assuming the length of the
    storeblock structure would be a multiple of the alignment, which is almost
    certainly "always" true. However, just in case it might not be it is now
    rounded up. For some long-forgotten reason, Exim was getting blocks of
    store of the size (8192 - alignment), which seems strange. I've changed it
    to plain 8192.

53. Added functions to compute SHA-1 digests, added the ${sha1: expansion
    operator, added support for {sha1} to crypteq.

54. When local_scan() times out, include the message size in the log line.

55. If a pipe transport had no command specified, and the address also had
    no command associated with it, the transport process crashed. Now it defers
    with a suitable message.

56. An Exim server output mangled junk if it received a HELP command on an
    TLS-encrypted session.

57. The output from -bV (and at the start of debugging) now lists the optional
    items included in the binary (which routers, etc). The debugging output now
    includes the name of the configuration file at its start.

58. Added support for GnuTLS as an alternative to OpenSSL.

59. Give a configuration error if tls_verify_hosts is set, but tls_verify_
    certificates is not set. It doesn't make sense to require some hosts to
    verify if there's nothing to verify against.

60. A pipe transport may now have temp_errors = * to specify that all errors
    are to be treated as temporary.

61. The lmtp transport can now handle delivery to Unix domain sockets.

62. Added support for flock() to appendfile, for those operating situations
    that need it. Not all OS support flock().

63. It seems that host lists obtained from MX records often turn out to have
    duplicate IP addresses, especially for large sites with many MXs and many
    hosts. Exim now removes duplicate IP addresses. (Previously, it removed
    only duplicate names.)

64. If ${readfile was inside a substring that was not part of the final
    expansion value (because its condition wasn't met), Exim still tried to
    read the file. This made an "exists" test for the file useless.

65. Added ${readsocket to the expansion facilities.

66. It is now possible to set errors_to to the empty string in routers.

67. Added disable_logging as a generic transport and a generic router option.

68. Applied Stefan Traby's patch to support threaded Perl. As I don't have a
    threaded Perl, I can't test that this fixed the problem, but it doesn't
    appear to break the non-threaded case.

69. For SPA (NTLM) client authentication, the options are now expanded.

70. Added support for SPA server authentication, courtesy of Tom Kistner.

71. Latest versions of TCPwrappers use the macro HAVE_IPV6 inside the tcpd.h
    header, it appears, and this clashes with Exim's use of that macro.
    Renaming it for Exim is an incompatible change, so instead I've just
    arranged that HAVE_IPV6 is undefined while including the tcpd.h header.

72. Mac OS 10.2 (Darwin) has IP option support that looks like the later
    versions of glibc, but without the __GLIBC__ macro setting. I've added a
    new macro called DARWIN_IP_OPTIONS, and tidied up the code in smtp_in.c to
    simplify the handling of the three different ways of doing this.

73. If no "subject" keyword is given for a "vacation" command in a filter, the
    subject now defaults to "On vacation".

74. Exim now counts the number of "non-mail" commands in an SMTP session, and
    drops the connection if there are too many. The new option
    smtp_accept_max_nonmail option defines "too many". This catches some DoS
    attempts and things like repeated failing AUTHs.

75. Installed configuration files for OpenUNIX.

76. When a TLS session was started over a TCP/IP connection for LMTP, Exim was
    sending EHLO instead of LHLO after the encrypted channel was established.

77. When an address that was being verified routed to an smtp transport whose
    protocol was set to LMTP, the SMTP callout used EHLO instead of LHLO.

78. Installed eximstats 1.23 in the distribution.

79. Installed a new set of Cygwin-specific files from Pierre Humblet.

80. Added caching for callout verification.

81. Added datestamped logs and $tod_logfile.

82. When Exim starts up with root privilege, set a high limit (1000) for the
    number of files that can be open and the number of processes that can be
    created (on systems where this is possible), in case Exim is called from a
    restricted environment.

83. Minor bugfix in appendfile: when renaming failed for a file whose name was
    extended with a tag, the untagged name was shown in the error message.

84. If Exim's retry configuration was changed so as to bounce a certain
    delivery failure immediately, for example to bounce quota errors:

      *  quota

    and there were messages on the queue that had previously been deferred
    because of this error, Exim crashed when trying to deliver them in a queue
    run. Now it will make one more delivery attempt and bounce on failure.

85. Fixed an obscure problem that arose when (a) an address was redirected
    to itself, AND (b) the message was not delivered at the first attempt, AND
    (c) the pattern of redirection was changed at the next delivery attempt.
    When an address is redirected to the same address, Exim labels the new
    address as "2nd generation", and so on, in order to distinguish these
    homonym addresses from each other. Previously, it recorded the delivery of
    a homonym address as a delivery of the appropriate generation. This does
    not work if the generation numbers change at the next delivery attempt. The
    symptoms can be either duplicated deliveries, or missing deliveries,
    depending on the configuration.

    A real-life example is a configuration that takes "unseen" copies of
    messages at certain times only, because an "unseen" router in effect does a
    redirection to a modified address (the unseen delivery) and to the original
    address (for normal delivery). Thus the normal delivery can be either the
    1st or 2nd generation, depending on whether or not the unseen router is
    triggered at the time of delivery.

    The fix is not to record a delivery to a homonym address as such, but
    instead to record a delivery to the original address by the final
    transport. If the same address is subsequently routed to the same transport
    (whichever generation it now is), the delivery is discarded because it has
    already happened. Homonym addresses that are themselves redirected are now
    never recorded as "done", but non-homonym addresses are unaffected, so they
    are marked when all their children are complete (as before), thus saving
    an unnecessary subsequent expansion.

    The fix causes more routing processing to be done when homonyms are in use
    and a message is not delivered at the first attempt, but this is not
    expected to be very common, and the extra processing isn't all that much.

86. Make sure Exim doesn't overrun the buffer if an oversize packet is received
    from a nameserver.

87. Added argument-expanding versions of hash, length, nhash, and substr
    expansions.

88. The API for Berkeley DB changed at release 4.1. Exim now supports this
    release.

89. When a host was looked up using gethostbyname() (or the more recent
    getipnodebyname() on IPv6 systems), Exim was not inspecting the error code
    on failure. Thus, any failure was treated as "host not found". Exim now
    checks for temporary errors, so the behaviour of "byname" and "bydns"
    lookups in this respect should be the same. However, on some OS it has been
    observed that getipnodebyname() gives HOST_NOT_FOUND for names for which a
    DNS lookup gives TRY_AGAIN. See also change 125 below.

90. Minor rewording of ACL error for attemted header check after RCPT.

91. When USE_GDBM was set, exim_dbmbuild wasn't working properly (still assumed
    NDBM compatibilify interface); similarly in dbmdb lookups when ownership
    was being tested.

92. If a Reply-To: header contained newlines and was used to generate
    recipients for an autoreply, the log line for the autoreply "delivery" had
    unwanted newlines. Such newlines are now turned into spaces.

93. When a redirect router that has the "file" option set discovers that the
    file does not exist (the ENOENT error), it tries to stat() the parent
    directory, as a check against unmounted NFS directories. If the parent
    can't be statted, delivery is deferred. However, it seems wrong to do this
    check if ignore_enotdir is set, because that option tells Exim to ignore
    the error "something on the path is not a directory" (the ENOTDIR error).
    In fact, it seems that some operating systems give ENOENT where others give
    ENOTDIR, so this is a confusing area.

94. When the rejectlog was cycled, an existing Exim process was not noticing,
    and was therefore not opening a new file.

95. If expansion of an address_data setting was forced to fail, and debugging
    was enabled, a debugging statement tried to print an undefined value
    instead of the string that was being expanded. This could cause a crash.

96. When Berkeley DB version 3 or higher is in use, a callback function is now
    set up to log DB error messages that are passed back.

97. The conditions in the Makefile for rebuilding the exim_dbmbuild utility
    were wrong, leading to failures to rebuild when it should have done.

98. Added -no_chown and -no_symlink options to the exim_install script. Also
    arranged for the environment variable INSTALL_ARG to be passed over
    from "make install".

99. Exim sets the IPV6_V6ONLY option on IPv6 listening sockets on operating
    systems that support it. The call to setsockopt() to do this had SOL_SOCKET
    instead of IPPROTO_IPV6 as its second argument (and so wouldn't work).

100. When a frozen message was timed out by timeout_frozen_after, the system
     filter was incorrectly being run for the message before it was thrown
     away.

101. If a filter used $thisaddress in an argument to a pipe command, its value
     was not inserted where expected, because the expansion of a pipe command
     does not happen till transport time, and $thisaddress was not being saved.
     It is now saved (along with $1, $2, etc, which were already being saved),
     and reinstated at transport time.

102. Added host grouping for randomizing to manualroute and smtp. A host list
     that is randomized by manualroute is never re-randomized by smtp. Two
     host lists that are randomized by manualroute are now treated as "the
     same" when checking for possible multiple deliveries in one SMTP
     transaction (this was always true for MX'd host lists).

103. Added "randomize" and "no_randomize" options to manualroute.

104. Added ${hmac expansion item.

105. When compiling with gcc, make use of its facility for checking printf-like
     function calls (debug_printf and smtp_printf). This would have found the
     problem in 95 above. It actually found a number of missing casts to (int)
     in debug lines, and one spurious additional argument.

106. Created an ACKNOWLEDGEMENTS file, which I will endeavour to update in
     future.

107. Minor modification to Makefile: when a command that starts off "cd xxx;"
     is followed by another command (on the next line), put the first one in
     parentheses so that if a "clever" make program amalgamates them, the
     change of directory is turned off when it should be.

108. If log_timezone is set true, the timestamps in log files now include the
     timezone offset. A new variable $tod_zone contains the offset. The exigrep
     utility has been updated to handle timestamps with offsets. The eximstats
     version included with this release (1.23) has been patched to handle
     timestamps with offsets. There is also a new -utc option that specifies
     the timestamps are in UTC. The Exim monitor has been modified so that it
     omits the zone offset from its display.

109. If the expansion of an errors_to option is forced to fail, the option is
     ignored.

110. Added $load_average.

111. Added router_home_directory generic router option.

112. Exim crashed on an attempt to check senders or sender domains in an ACL
     other than after RCPT or DATA. It's now a temporary error.

113. \r was omitted before \n in the SMTP failure response for EHLO/HELO
     argument checking.

114. On receiving EHLO or HELO, Exim was resetting its state before checking
     the validity of the command. However, RFC 2821 says that the state should
     not be changed if an invalid EHLO/HELO is received, so Exim has been
     changed to conform. This applies mainly when there is more than one
     EHLO/HELO command in a session.

115. When an Exim root process wrote to a log file, and the log file did not
     already exist, Exim used to create it as root, and then change its
     ownership to exim:exim. This could lead to a race condition if several
     processes were trying to log things at the same time; this happens
     especially when the exiwhat utility is used. I've changed things so that,
     if an Exim root process needs to create a log file, it does so in a
     subprocess that is running as exim:exim.

116. When running filter tests (-bf and -bF) Exim now changes the current
     directory to "/" so that any assumptions about a particular current
     directory are false.

117. The appendfile transport was doing the quota_threshold check before
     actually writing the message. However, the act of writing the message
     could make it longer by the addition of prefix, suffix, or additional
     headers. This meant that quota warning could be missed if the basic length
     of a message kept the mailbox below the threshold, but the transport
     additions took it over. The warning threshold check is now done after
     writing the message, when an accurate size is known.

118. If all verifications for verify = header_sender deferred, the log was
     "temporarily rejected after DATA", without saying why. Now it adds "all
     attempts to verify a sender in a header line deferred".

119. Added message_id_header_domain option.

120. Ignore message_id_header_text forced expansion failure.

121. Typos: "uknown" in acl.c; missing NULL initialized in drtables.c.

122. When return_size_limit was set greater than zero but smaller than an Exim
     transport buffer size (so that only one buffer would be written), a
     message that was longer than the limit could be omitted from the bounce
     entirely under some circumstances. In other cases, the final buffer full
     before truncation could be omitted.

123. The inode variables in log.c were of type int with -1 for unset; they
     have been changed to ino_t with 0 for unset.

124. There are two Makefiles for NetBSD (for different object formats). They
     were originally supplied in a format where one .included the other. The
     problem with this has finally surfaced: when processing the Makefile to
     build config.h, the inclusion isn't seen. The easy way out has been taken:
     there are now two fully independent files. At the same time, HAVE_IPV6 has
     been added to both of them.

125. Changed the default way of finding an IP address in both the manualroute
     and queryprogram routers. Exim now does a DNS lookup; if that yields
     HOST_NOT_FOUND, it tries calling getipnodebyname() (or gethostbyname()).
     See also change 89 above.

126. Fixed a race bug in the loop that waits for a delivery subprocess to
     complete. After reading all the data from, and then closing, the pipe, it
     assumed that a call to waitpid() for the known pid would always return
     status for that process. An unfortunately timed signal (e.g. SIGUSR1 from
     exiwhat) could cause waitpid() to return -1/EINTR instead. The effect of
     this was to remain in the loop and call FD_SET() with an argument of -1.
     On Solaris it caused a crash; on other systems it might have looped.

127. If an ACL that was read from a file was used in more than one message in a
     single SMTP transaction, Exim could crash or misbehave in arbitrary ways.
     The problem was that the ACL was remembered in memory that was thrown away
     at the end of the first message. In fixing this, I've done a bit of
     refactoring of the way memory allocation works, to provide a non-malloc
     allocator for small blocks of data that must be kept for the life of the
     process. There's a new function store_get_perm() and I've reintroduced a
     second storage pool (previously dropped on the 3->4 conversion). A number
     of instances of malloc calls for small amounts of memory have been changed
     to use this instead. It might be a tad more efficient. Then again, it
     might not...

128. A similar problem to 127: memory corruption could occur for multiple
     messages in one SMTP connection if the data from DNS black list lookups
     was being used in log or user messages, e.g. references to $dnslists_text.

129. Blanks lines and comments are now ignored in ACLs that are read from
     files.

130. Two instances of missing \n in debug output.

131. The new debugging tag +timestamp causes a timestamp to be added to each
     debug output line.

132. Some debug information is written in multiple calls to debug_printf(),
     with a newline only on the last one. When debugging multiple simultaneous
     processes, the pid was added to each debug text, and for this reason, a
     newline was always forced. Now Exim buffers up debug output until the
     newline is reached, which makes things look much tidier. Also, if there
     are internal newlines and prefix data such as a pid or timestamp are being
     added, the prefix is inserted at the internal newlines.

133. When running in the test harness, arrange to overwrite all memory that
     is released or freed, so that bugs are more easily found. This picked up
     the following bug:

134. Expansion error messages were left in released store, so could have been
     overwritten - but in fact most are used immediately, before this happened.

135. A list of configuration files can be given; the first one  that exists is
     used.

136. Moved the code that ensures that newly-created hints databases and their
     lockfiles are owned by exim:exim so that it runs before the test for
     successful opening, because a case was reported where the file itself was
     created, but the DBM library returned an opening error.

137. If an address is redirected to just one child address, verification
     continues with the child address. However, if verification of the child
     failed because of (for example) a :fail: redirection, the error message
     did not get passed back as it would have been had the original address
     failed. The error information is now passed back for both fail and defer
     responses.

138. Added $rcpt_defer_count and $rcpt_fail_count.

139. Added "rejected_header" log selector.

140. Added the cannot_route_message generic router option.

141. Change 87 above introduced a bug in the expansion of substrings when the
     offset was greater than the length of the string, for example
     ${substr_1:}. Exim crashed instead of returning an empty string.

142. Added extra features to ACLs: the "drop" and "defer" verbs, and the
     "delay" and "control" modifiers (the latter with "freeze" and
     "queue_only").

143. If Exim failed to create a log file, it used to try to create the superior
     directories only if the logs were being written in the spool directory.
     Now it tries in all cases, but always from a process running as the exim
     user.

144. Added $authentication_failed.

145. Added $host_data for use in ACLs.

146. Added new ACLs for non-SMTP messages, SMTP connection, MAIL, and STARTTLS.

147. Added a number of new features to the local_scan() API:
       Access to debug_printf() and the local_scan debug selector
       Direct access to the message_id variable
       LOCAL_SCAN_REJECT_NOLOGHDR and LOCAL_SCAN_TEMPREJECT_NOLOGHDR
       Access to store_get_perm() and store_pool (see 127 above)
       Access to expand_string_message
       Option settings in the main configuration file
       LOCAL_SCAN_ACCEPT_FREEZE and LOCAL_SCAN_ACCEPT_QUEUE
       LOG_PANIC to write to the panic log
       Access to host_checking
       Supporting functions lss_match_xxx() for matching lists

148. Minor security problem involving pid_file_path (admin user could get root)
     has been fixed.

149. When an ACL contained a sender_domains condition with a reference to a
     named domain list, the result of the check was not being cached (an
     oversight).

150. Allowed for quoted keys in lsearch lookups; this makes it possible to have
     whitespace and colons in keys.

151. Added wildlsearch lookup.

152. Yet another new set of configuration files for Cygwin from Pierre Humblet.

153. Ensure that log_file_path contains at most one instance of %s and one
     instance of %D and no other % characters.

154. Added $tls_certificate_verified.

155. Now that the list of lookup types has got so long (and more are in
     prospect) arrange to search it by binary chop instead of linear search.

156. Added passwd lookup.

157. Added simple arithmetic in expansion strings.

158. Added the ability to vary what is appended for partial lookups.

159. Made base 64 encode/decode functions available to local_scan.


Exim version 4.10
-----------------

 1. Added HAVE_SA_LEN=YES to the OS/Makefile-Darwin file, because it needs it
    (unsurprising, as it's based on FreeBSD).

 2. Removed the HTML versions of the PCRE and pcretest documentation from the
    distribution tarbundle, and instead included them in the HTML tarbundle,
    linked to the overall index file.

 3. The code for computing load averages was broken in 64-bit Solaris.

 4. Make the default ACL refuse local parts that start with a dot.

 5. LDAP binds with an empty password are considered anonymous regardless of
    the username and will succeed in most configurations. Exim has been changed
    so that the LDAP authentication (the ${if ldapauth... condition) always
    fails when an empty password is used.

 6. Remove quoting from rbl_domains when used in an ACL by the convert4r4
    script.

 7. A lookup entry in a list that had spaces after the lookup type, e.g.
    "lsearch; /etc/relaydomains" was including the space as part of the file
    name.

 8. Give an error if EXIM_USER or EXIM_GROUP contains control characters (it
    happened when somebody had CRLF terminations in Local/Makefile, which
    messed up the "unknown user" error message).

 9. Ensure recipient address appears in log line for internal pipe problems
    during redirection.

10. Tidies to code for calls to fork(): (a) 3 typos of "<=" that should have
    been "<" (but would have no actual effect). (b) 2 cases of fork() failures
    not being logged: during -M for multiple messages, and for auto-delivery
    of incoming messages.

11. A reference to any header line that contains addresses (e.g. $h_to:) caused
    a crash if the header was empty. Change 46 for 4.05 introduced this bug.

12. If a system filter file was defined as a non-absolute path, but system_
    filter_user was undefined, Exim's behaviour was undefined. It could, for
    example, discard all deliveries, thinking the system filter had overridden
    them all. Delivery is now deferred, with a message written to the panic
    log.

13. If a redirection file (or system filter file when system_filter_user was
    set) was defined as a non-absolute path containing no slash characters,
    Exim crashed.

14. Added $rcpt_count, containing the number of RCPT commands received during
    an SMTP transaction. This differs from $recipients_count when some of the
    RCPTs are rejected.

15. Added $pid, containing the pid of the current process.

16. Fixed uninitialized variable warning in eximstats for relayed messages when
    there was no sending host name (logged as H=[n.n.n.n]). There's no change
    of output.

17. The exiqusumm script failed horribly if it encountered a message that had
    been on the queue for 100 days or more.

18. Added the message_logs option for suppressing the writing of message logs.

19. Allow local_scan() to change the errors_to setting on recipient addresses.
    (This was made trivially possible because of change 10 in 4.03.)

20. Convert4r4 changed: if forbid_pipe is set on a forwardfile director, also
    set forbid_filter_run on the generated redirect router.

21. In the Makefile, $(INCLUDE) was preceding the -I. item that refers to
    Exim's own include files. This caused a conflict with an external library
    that also happened to have a config.h file. Exim saw the wrong file, and
    chaos ensued. I've moved the -I. item in the relevant lines so that it
    comes before $(INCLUDE).

22. Added $acl_verify_message to contain any existing user message when
    expanding the "message" modifier in an ACL.

23. Changed the default argument for egrep when called in exiwhat to find
    Exim processes. It is now ' exim( |$$|-)' instead of ' exim( |$$)' so that
    it works on OS where the true file name appears.

24. In the plaintext authenticator, server_prompts was not being expanded, as
    documented. It now is.

25. The exinext script was outputting in an incorrect format for routing
    delays. It said "deliver" when it should have said "route", and the layout
    of the text was screwed up. In fact, "deliver" is not the right word
    anyway. I've changed it to "transport". Also removed redundant code for
    "directing" delays, because these can't occur in Exim 4.

26. Fixed some problems concerned with retrying address errors in remote
    deliveries:

      (a) I'd overlooked temporary address errors, and assumed that all the
          retry items would be for host errors, and therefore on the first
          address when multiple RCPTs were involved. Consequently, no retry
          record was written for second and subsequent addresses if they
          received a 4xx error. Thus, these addresses wouldn't be delayed
          after such a delivery failure.

      (b) A temporary address error causes a routing delay; when the address
          is eventually tried again, and routing succeeds, the retry record is
          flagged for deletion. If the address gets another temporary error,
          the retry record got updated, and then deleted. Thus, temporary
          address errors were not being delayed and would be tried on every
          queue run.

27. A minor code tidy for the CRAM-MD5 authenticator.

28. Some OS have a command to select processes by the name of the command they
    are running, and send a signal to them. Linux and FreeBSD have "killall";
    Solaris has "pkill" (it also has "killall", but that does something
    disastrously different). Using such a command makes "exiwhat" more
    efficient, and reduces the chances of it trying to signal a non-existent
    process. There are now two build-time parameters, EXIWHAT_MULTIKILL_CMD and
    EXIWHAT_MULTIKILL_ARG, which can be set to enable this feature to be used.
    They are defined in the OS-specific files for Linux, FreeBSD, and Solaris.
    See OS/Makefile-Default for more details.

29. As part of tidying up for 28, changed the name of the build-time parameter
    EXIWHAT_KILL_ARG to EXIWHAT_KILL_SIGNAL so that its name makes more sense
    when used in both kinds of exiwhat processing.

30. By default, the daemon doesn't write a pid file if -bd is not used (i.e. if
    only -q is used). The -oP didn't override this - it was ignored. It now
    overrides the default and causes a pid file to be written.

31. The values of $local_part, $domain, etc. were not being set during the
    expansion of shadow_condition in a local transport.

32. The convert4r4 script failed when macros that had continuation lines were
    present in the Exim 3 configuration file. It inserted junk lines into the
    output and gave uninitialized variable errors.

33. The convert4r4 script discards (with a comment) a setting of "rewrite" on
    a smartuser director that has no setting of new_address when it turns it
    into an "accept" router.

34. When an alias generated an address with a single-component domain, and
    routing that domain caused it to be widened, Exim remembered only that it
    had delivered to the widened domain. If any other addresses were deferred,
    so that another delivery attempt happened later, Exim re-delivered to the
    widened address, because it checked only the original address. When this
    kind of widening happens, Exim now checks for previous delivery.

35. A delivery was silently discarded under the following specific
    circumstances:
      . The original address is x@a.b.c, where a.b.c is the local host;
      . a.b.c is recognized as a local domain, and the address is redirected
        to x@a;
      . a is not recognized as a local domain, causing the address to be
        processed by a dnslookup router;
      . the router widens the address to a.b.c, routes it, and discovers it
        is the local host.
    Exim realized that because the domain had been widened, it might have
    become a local domain, so it arranged to re-route from scratch, using the
    new domain. However, because the original address was the same address,
    it thought it had already dealt with it.

36. A space at the start of an LDAP query in an expansion (after the opening
    curly) was provoking a syntax error.

37. A syntax error in the data of an ldapauth expansion caused the condition to
    be false without an LDAP query even being tried. Now it causes the
    expansion to fail.

38. Ensure that an incomplete config.h is removed when the buildconfig program
    gives an error. Otherwise, if the error is a non-existent Exim user, and
    the admin fixes this by creating the user (and not modifying any files),
    Exim will try to use the broken config.h next time.

39. A call with an argument of the form "-D=xxxx" (i.e. omitting the macro
    name) caused Exim to loop. It now reports an error.

40. If an ACL tested an address for being in a named domain list (e.g.
    +relay_domains) and then called for recipient verification, and the
    recipient was rewritten, the cache for remembering matching domain lists
    was not being cleared after the rewrite, leading to potential routing (and
    therefore verification) errors. Furthermore, the rewritten address would
    (incorrectly) have been used for any subsequent address checking within
    the ACL.

41. If an address such as a%b@c was processed using the "percent hack" and then
    transmitted over SMTP, Exim was sending "RCPT TO:<a%b@c>" instead of
    "RCPT TO:<a@b>".

42. A revised Makefile-CYGWIN file from Pierre Humblet.

43. If local_scan() rejected a -bS message, it wasn't handling the error in the
    way -bS errors should be handled.


Exim version 4.05
-----------------

 1. In the log display in Eximon, put the insert point (caret) at the start of
    the last line instead of at the end, because this stops unwanted horizontal
    scrolling when certain X libraries are used.

 2. A malformed spool file with an incorrect number of recipients (which
    should never occur, of course) could cause eximon (and probably exim) to
    crash.

 3. Updated Cygwin Makefile and os.h (minor tweaks).

 4. Setting allow_domain_literals=true was not allowing domain literal
    addresses in the -f command line option.

 5. Added debugging output for removing and adding header lines at transport
    time.

 6. On systems where SA_NOCLDWAIT is defined, changed from using signal(
    SIGCHLD, SIG_DFL) to using sigaction(), with flags explicitly set zero, to
    ensure that SA_NOCLDWAIT is definitely off. This fixes a bug in AIX where
    subprocesses were disappearing without being turned into zombies for Exim
    to reap. There was a previous report of the error "remote delivery process
    count got out of step" on a Linux box that was never resolved. It is
    possible that this change fixes that too.

 7. Other applications that support IPv6 have been coded to choose IPv6
    addresses in preference to IPv4 addresses where possible. This is
    encouraged, in order to speed up the use of IPv6. Exim has now been changed
    to do likewise when it looks up IP addresses from host names. This applies
    both to hosts that have more than one IP address, and to MX records with
    equal preference values when the hosts they point to have both IPv4 and
    IPv6 addresses. Within one preference value, Exim will try all the IPv6
    addresses before any IPv4 addresses, even when some of the IPv4 addresses
    belong to hosts that also have IPv6 addresses.

 8. When Exim sent HELO after EHLO was rejected, or when it sent a second EHLO
    after starting a TLS session, it used the primary host name as the
    argument, instead of the expansion of the helo_data option.

 9. Exim was failing to batch addresses for local delivery when errors_to was
    set on the router to the same string for each address, in the case when the
    string involved some kind of expansion (that ended up with the same value
    each time). If the string was fixed (i.e. no expansion) the batching was
    not blocked. In other words, I was testing the addresses of the strings but
    forgetting to compare the content. The same problem was not present for
    remote deliveries, but the code was written out instead of using a
    subroutine that now exists for this purpose, so I tidied that code.

10. When Exim passes a connected TCP/IP socket to a new Exim process in order
    to deliver another message on the same connection, it closes down TLS,
    because it can't pass on the state information that is required by the
    OpenSSL package. The new process then tries to start up TLS again.
    Unfortunately, not all servers handle this - and, it has to be said, it is
    a bit of a dubious interpretation of the RFC. (Exim as a server copes OK,
    needless to say.) The problem is that the server may just die or give an
    invalid response, causing a retry delay to occur. The option
    hosts_nopass_tls was invented to help with this, but an automatic way of
    testing has been invented. What now happens is that Exim sends a new EHLO
    after shutting down TLS, before passing the socket on. This in itself
    reduces the dubiousness of the procedure. If there isn't an OK response,
    Exim doesn't try to pass the socket on.

11. There was inconsistency in the way failures to set up TLS sessions in the
    smtp transport were handled when the host was not in hosts_require_tls.
    It deferred for 4xx responses to STARTTLS, but tried in clear if the actual
    TLS negotiation failed. It now does the same thing in both cases, and what
    this is can be controlled by the new option tls_tempfail_tryclear. This
    defaults true, causing a retry in clear to occur. If it is set false, these
    kinds of temporary failure cause a defer (for that host; if there are
    other hosts, they are tried).

12. Tidying. When starting up a new delivery process to deliver another message
    over an existing SMTP connection, pass over the IP address as well as the
    host name. This saves having to get the IP address from the socket.

13. Added "#define base_62 36" to OS/os.h-Darwin because the MacOS X operating
    system has case-insensitive file names.

14. Tidies to rewriting code: (1) It was getting an unnecessarily large block
    of memory for a rewritten header. (2) Removed some unnecessary debugging
    code that just duplicated log output.

15. In an expansion like "${if <condition> {${mask:xxxx}}{yyyy}}" Exim still
    tried to perform the masking operation even when the condition was false
    and the yield was "yyyy". This could fail when "xxxx" wasn't a valid string
    for the masking operation. Some other operators (e.g. base62) could fail in
    a similar way. All string operations are now skipped when processing the
    unused substring of a condition.

16. If a verification of a sender address in a header (caused by verify =
    header_sender in an ACL) caused the address in the header to be rewritten
    (typically because a DNS lookup had widened the domain), the newline at the
    end of the header got lost, thereby causing two headers to be run together.
    Sometimes, but not always, this caused a "spool format error".

17. A user wanted to use "save" in a filter file with a non-absolute path, and
    to set file_transport to a non-appendfile transport that made use of
    $address_file for its own purposes. This didn't work because Exim was
    distinguishing between file and autoreplies by the leading '/' of the
    former. It now checks for the leading '>' of the latter instead.

18. The "accept" router was forcing log_as_local instead of just defaulting it.

19. Exim crashed while verifying a recipient in an ACL if the address was
    verified by a dnslookup router that widened the domain.

20. When checking the parameters returned from an ident call, Exim was assuming
    that the format would be textually identical to the values it sent,
    including the white space. This is not always the case, causing Exim to
    discard returned ident data that it should have been accepting.

21. Typo (space missing) in "failed to expand condition" error message.

22. The option of specifying an individual transport in a route_data or
    route_list option of the manualroute router wasn't working. Such settings
    were being completely ignored.

23. The memory management was poor when building up a string from a lookup that
    retrieved a large number of data items that had to be concatenated, for
    example, an alias lookup in a database that returned thousands of
    addresses. In extreme cases, this could grind the host to a halt. (Compare
    change 8 for 4.00, which was a similar effect.) Two changes have been made
    to improve matters: (a) For longer strings, it extends them in bigger
    chunks, thus requiring fewer extensions. (b) It is now able to release some
    unwanted memory when a string is copied out of it into a larger block.

24. There was a small error in the memory sizes quoted when -d+memory was used
    and emptied memory blocks were released.

25. When helo[_try]_verify was set, Exim crashed if the reverse DNS lookup gave
    a temporary error when trying to look up the host name. It now tries to
    check with a forward DNS lookup (as it does when the reverse lookup can't
    find a name). For helo_verify, a temporary error is now given if
    verification failed, but the host name lookup gave a temporary error. (As
    before, a permanent error is given if there is no host name available.)

26. When checking quotes for maildir++ format, if the directory name was given
    with a trailing slash in the "directory" option of the appendfile
    transport, Exim got the quota calculation wrong because it scanned the
    final directory instead of the parent directory.

27. The "quota_xxx" error facility for retry rules was broken in Exim 4 if
    the mailbox had not been read for more than approximately 10 hours.

28. If a router with "unseen" had a setting of address_data, the value was not
    passed on to subsequent routers for the continuing processing of the
    address. It now is.

29. If a daemon was started with (e.g.) -qff15m, it omitted the second 'f' when
    starting queue runners. Likewise, if the flags included 'i', this was
    omitted.

30. Some operating systems log warnings if exec() happens without the standard
    input, output, and error file descriptors existing. The worry is that the
    called program will open some file which will be allocated one of these
    fds. Another bit of code might assume it can write an error message to
    stderr, or whatever. Exim was calling itself to regain privilege for
    delivery without these fds set, thus provoking the warning. Of course, it
    didn't make use of them itself, but the exposure was there for libraries it
    might be using. The code has been changed to ensure that, if any of the
    file descriptors 0, 1, or 2 does not exist at the time of a call to exec(),
    they are opened to /dev/null.

31. A delivery process could loop under the unusual combination of the
    following circumstances:
      (1) A delivery process had envelope_to_add set for its transport.
      (2) The delivery was for a child address of an envelope address that
          also had another child.
      (3) This other child had been discarded because it was a duplicate of a
          second envelope address.
      (4) The second envelope address had generated a child that was discarded
          because it was a duplicate of the first envelope address.

32. The -bp option was failing to notice delivered addresses that were in the
    -J file but had not yet made it into the -H file. (This got broken between
    Exim 3 and Exim 4.)

33. If "query" or "queries" in aliasfile director, or "route_query" or
    "route_queries" in a domainlist router were enclosed in quotes, the
    convert4r4 script was not removing the quotes before inserting the query
    into an expansion string, leading to invalid queries within the string.

34. If more than two addresses were being delivered in a batch (either local or
    remote deliveries), and they all had the same, non-empty value for
    $self_hostname, but had different domains, Exim crashed. (This is rare,
    because the use of "self=pass", which is the only way $self_hostname gets
    set, is rare.)

35. If $message_headers was used in a context where there were no headers (e.g.
    while verifying an address before receiving a message), it caused an
    "unknown variable" error. Now it just returns an empty string.

36. Exim was not diagnosing missing time units letters in times on retry
    rules. It was treating such malformed times as "-1", which caused the rules
    to misbehave.

37. Added some debugging output to the CRAM-MD5 server code.

38. In the appendfile transport, check for a file name supplied by redirection
    by checking for "not pipe and not autoreply" instead of looking for a
    leading '/' in the "address".

39. The os.h file for Darwin defined CRYPT_H, which apparently is wrong.

40. The "condition" condition in ACLs has been tightened up. Formerly, anything
    other than an empty string, "0", "no" or "false" was treated as "true". Now
    it insists on "yes", "true", or a non-zero number.

41. Change 22 of 4.02 has been improved; somebody mailed me the correct code
    to get an error message when ldap_result() doesn't set a result.

42. Update convert4r4 to recognize "ldap:" in require_files, and double the
    colon.

43. Added "protocol violation" to the "SMTP synchronization" error message, to
    make it clearer what it is complaining about.

44. Change 26 of 4.03 was incomplete. The same problem could arise if a lookup
    failed while checking the pre-conditions of a router that was subsequently
    run. This can happen for negated conditions such as "domains = !<lookup>".

45. Somebody managed to set up a configuration that crashed buildconfig such
    that it left a half-built config.h but did not stop the build process. I
    can't reproduce it, but I have added a check after building config.h to
    test for the presence of its last line ("/* End of config.h */").

46. Added a .PHONY target to the Makefile to be tidy for GNU make. (It should
    be ignored by other versions).

45. When Exim uses Berkeley DB version 3 or 4 to create a DBM file, it creates
    it in hashed format. Previously, it opened these files for reading in the
    same format. Now it opens them as "unknown", which means that other formats
    can be accommodated when using DB files for auxiliary data.

46. When concatenating header lines that may contain lists of addresses (From:,
    To:, etc.) as a result of references to $h_from: etc., a comma is now
    inserted at the concatenation point. Without it, the use of "if
    foranyaddress" fails on such headers, which is dangerous.

47. The code for ratelimiting MAIL commands was triggering on the count of
    messages received, instead of the number of MAIL commands (which is not the
    same thing if no message is accepted in a transaction). The smtp_accept_
    max_per_connection limit has also been changed to use the count of MAIL
    commands instead of the count of messages accepted.

48. There was a typo in the exiwhat script which broke it if the esoteric
    CONFIGURE_FILE_USE_NODE option was in use.


Exim version 4.04
-----------------

 1. Fix 10 for 4.03 had a bug in it, which could cause problems when converting
    from an earlier 4.xx release with delayed "one_time" messages on the spool.
    4.03 incorrectly complains about spool format errors (and refuses to
    process these messages).

 2. Changed the status of the text widgets in the monitor from Append to Edit,
    because this matters on some versions of X.

 3. Change 22 for 4.03 turns out to be misguided. Luckily it is controlled by
    a compile-time macro. I have removed the settings from OS/os.h-Linux that
    made it try to use these functions.


Exim version 4.03
-----------------

 1. Change 12 for 4.02 overlooked one case where 256 should have been replaced
    by MAX_LOCALHOST_NUMBER.

 2. Timeouts (etc) in dnslist lookups were not behaving as documented; they
    were deferring (causing 4xx errors) instead of behaving as if the host was
    not in the list. This has been fixed. In addition, some new special items
    may appear in dns lists, to control what happens in this case. The items
    are +include_unknown, +exclude_unknown, and +defer_unknown.

 3. Added #include <unix.h> to OS/os.h-QNX because it was reported that this
    was needed, in order to get O_NDELAY.

 4. Added #define BASE_62 36 to OS/os.h-Cygwin.

 5. Change 8 for 4.02 overlooked the fact that "directory" need not be set if
    the directory name is coming from a filter or forwarding file. The check
    has now been moved from initialization time to run time. Thus, it happens
    later, but it still helps to diagnose the problem.

 6. The file direct.c had been accidentally left in the distribution.

 7. When a new process was forked to deliver another message down an existing
    SMTP connection, a pipe file descriptor was accidentally left open. This
    meant that if there was a long chain of such processes, the number of open
    file descriptors increased by one for each process, and if there were
    sufficent, the limit of open descriptors could be reached, causing various
    problems.

 8. When an address was being checked with -bt and the routing involved an
    errors_to setting whose address verification also involved an errors_to
    setting, Exim got into a verifying loop. It shouldn't verify an errors_to
    setting when already verifying, but got this wrong if it started from -bt.

 9. Tidied up some compiler warnings when compiling with TCP wrappers.

10. When a child address was promoted to a toplevel address by "one_time" after
    a deferred delivery, it was not remembering any "errors_to" address that
    was set by the routers that processed the original address. Consequently,
    the subsequent delivery had (incorrectly) the original sender address in
    the envelope. Exim now remembers the "errors_to" address with the new
    toplevel address and reinstates it for the next delivery.

11. When Exim received a message other than from the daemon, there were two
    situations in which it did not re-exec itself for delivery: when it was
    running as root, or when it was running in an unprivileged mode. This was
    an attempt to save some resources (very early Exims ran as root more often)
    but has turned out to be pretty rare. A bug has been discovered in this
    case: if the incoming message was on a TLS session (from inetd, for
    example), but the outgoing delivery was on an unencrypted SMTP connection,
    Exim got confused. The effect was minimal: it sent two EHLO commands, but
    otherwise worked. Multiple EHLOs are not an error, according to the RFCs,
    but there was at least one broken MTA that objected. This error would have
    occurred only when synchronous delivery (-odi or -odf) was specified.

    While sorting this out, I have abandoned the logic that did a delivery
    without forking in the interests of simplicity. This was an even rarer
    case: it only happened when Exim was running as root or in an unprivileged
    mode AND synchronous delivery was specified.

12. Change references to /bin/rm in the Makefile to plain rm.

13. If EXIM_PERL was set in Local/Makefile, but PERL_COMMAND was set to a
    command that was not a file, or if it was set to a non-existent file,
    the build process carried on trying to build Perl support, but without the
    relevant variables for the Perl libraries, etc., which is disastrous. In
    fact, the build process shouldn't have been using PERL_COMMAND; that is a
    value for screwing into utility scripts. The build process assumes a
    suitable PATH for things like rm, mv, etc., which have xxx_COMMAND
    variables for scripts. So I've changed it to use just "perl". It now bombs
    out if "perl --version" doesn't produce some output.

14. Changed the #includes in perl.c for the Perl headers to use <> instead of
    "" because this is apparently better usage.

15. Added local_scan_timeout to apply a timeout to local_scan().

16. Recognize IPv6 addresses as IP addresses, even when Exim is not compiled
    with IPv6 support.

17. When verifying a HELO/EHLO name, Exim was not checking the alias host names
    it obtained from calling gethostbyaddr(). In many cases, this didn't cause
    any unwanted rejections because as a last resort Exim does a forward lookup
    on the HELO name to see if any of its IP addresses matches. But it fixing
    the bug saves the unnecessary additional lookup.

18. Added "domains = ! +local_domains" to the commented-out ipliteral router in
    the default configuration.

19. Default sender_host_aliases to an empty alias list, instead of NULL. This
    is just for tidiness; the way it was coded, it didn't cause any problems.

20. Added -tls-on-connect, which starts a TLS session without waiting for
    STARTTLS. This supports older clients that used a different port.

21. Added support for the Cyrus pwcheck daemon.

22. Arranged to use getipnodebyaddr() instead of gethostbyaddr() in systems
    with IPv6 support that have this function, because gethostbyaddr() doesn't
    work for IPv6 addresses on all systems (it does on some).

23. Header lines added by "warn" statements in the ACL for RCPT are saved up to
    be added after the message's header has been received. Previously, Exim was
    saving up all added headers, from both RCPT and DATA, until the very end.
    Now it adds those from RCPT before the DATA ACL is obeyed, so that they can
    be accessed from within the DATA ACL.

24. Changed TLS initialization to use SSL_CTX_use_certificate_chain_file()
    instead of SSL_CTX_use_certificate_file(). This means that the file can
    contain the whole chain of certificates that authenticate the server.

25. Updated convert4r4 to check for colons that look as if they are part of
    expansion items in require_files lists (e.g. ${lc:xxxx}). In Exim 3, the
    whole list was expanded before splitting up, but in Exim 4, the splitting
    happens first, so such colons must be doubled. The conversion script now
    doubles such colons, and outputs a warning message. The test for one of
    these colons is a match against "\$\{\w+:".

26. If, while verifying a recipient address, a router was skipped because a
    lookup did not succeed, and the following router suffered a temporary
    failure (e.g. a timeout), the log line for the temporary rejection showed
    the error from the first router instead of from the second.

27. Exim crashed if a dnslists test was obeyed in an ACL for an SMTP message
    from the local host. Now it just fails to match the list.


Exim version 4.02
-----------------

 1. Bug in string expansion: if a "fail" substring of a conditional contained
    another conditional that used the "fail" facility, Exim didn't swallow the
    right number of closing parentheses in the case when the original condition
    succeeded (i.e. when the condition containing the "fail" should be
    skipped).

 2. helo_verify_hosts wasn't working when comparing host names.

 3. When delivering down an existing SMTP connection, the error "Unexpectedly
    no free subprocess slot" was sometimes given for other addresses in the
    message.

 4. Binary zeroes in the message body are now turned into spaces in the
    contents of $message_body and $message_body_end.

 5. If the value of a field in a MySQL result was SQL NULL, and more than one
    field was selected, Exim crashed.

 6. It seems that many OS treat 0.0.0.0 as meaning the local host, typically
    making it behave like 127.0.0.1. Since there have been incidents where this
    was found in the DNS, two changes have been made:
      (a) Added 0.0.0.0 to the ignore_target_hosts setting in the default
          configuration.
      (b) Unconditionally recognize 0.0.0.0 as the local host while routing.

 7. Added helo_allow_chars so people can let in underscores if they really
    have to. Sigh.

 8. Give configuration error if "maildir_format" or "mailstore_format" is
    specified for appendfile without specifying "directory".

 9. When return_path was expanded in an smtp transport, the values of
    $local_part and $domain were not set up.

10. The optimization for sending multiple copies of a single message over one
    SMTP connection when there are lots of recipients (but too many for one
    copy of the message) was messing up in the case when max_rcpt was set to 1
    (for VERP). It would send lots of copies with one RCPT each, correctly, but
    because the transport was passed more than one address, $local_part and
    $domain weren't set. Since setting max_rcpt to 1 is almost always
    associated with VERP (or at least, you do it because you want to use
    $domain or $local_part), I've made that a special case where the
    optimization is disabled.

11. Cygwin has case-insensitive file names. Therefore, we can't use base 62
    numbers for Exim's identifiers. We have to use base 36 instead. Luckily 6
    base 36 digits are still plenty enough to hold the time for some years to
    come. There's now a macro that is set either to 62 or 36, but the names and
    documentation still talk about "base 62".

12. Added build-time variable MAX_LOCALHOST_NUMBER (default 256) to allow the
    localhost number to be traded off against the maximum number of messages
    one process can receive in one second. This is relevant only when
    localhost_number is set. It may be useful for Cygwin, where the maximum
    sequence number is much less when up to 256 hosts are allowed.

13. Extended MySQL server data to allow for the specification of an alternate
    Unix domain socket.

14. Give error if too many slashes in mysql_servers or pgsql_servers item.

15. Changed the wording "debug string overflowed buffer" to "debug string too
    long - truncated" to make it clearer that it's not a big disaster.

16. Now that I finally understand the difference between the resolver's returns
    HOST_NOT_FOUND and NO_DATA, I've optimized Exim's DNS lookup so that if an
    MX lookup gets HOST_NOT_FOUND, it doesn't bother to try to look up an
    address record. Only if it gets NO_DATA does it do that.

17. The contents of Envelope-To: were not correct in cases when more than one
    envelope address was redirected to a single delivery address via an
    intermediate address, because the duplication was detected at the
    intermediate stage, but the checking for Envelope-To: only looked at
    duplicates of the final address.

18. If a message with the -N flag was on the spool, and was selected during a
    queue run by -R or -S, the -N flag was incorrectly passed on to all
    subsequent messages, leading to their being thrown away.

19. Remove unnecessary check for the local host when looking up host names in
    host lists.

20. If tls_certificate is supplied, but tls_privatekey is not, assume that both
    are in the tls_certificate file.

21. If a router set transport_current_directory or transport_home_directory
    to something that involved an LDAP lookup, and there was more than one
    local delivery to be done for a single message, all but the first got
    deferred because the LDAP connection for those variables got opened in the
    superior process, but closed in the first subprocess. The second subprocess
    then assumed it was still open. We now ensure that each subprocess starts
    with a clean slate (everything closed down) so that it can open and close
    its own connections as needed.

22. After a failure of ldap_result(), Exim was calling ldap_result2error() in
    order to get an error message. However, it appears that it shouldn't do
    this if the value of result variable is NULL. As I can't find any way of
    getting an error message out of LDAP in this circumstance, Exim now just
    gives says "ldap_result failed and result is NULL".

23. If a message arrives over a TLS connection via inetd, close down the SSL
    library in the subprocess for message delivery (but don't molest the
    parent's SSL connection).


Exim version 4.01
-----------------

 1. When setting TCP_NODELAY, the call to setsockopt() was using SOL_SOCKET
    instead of IPPROTO_TCP, which caused excessive logging on some systems.

 2. Changed the Makefile for Cygwin to set EXIM_USER and EXIM_GROUP to 0.

 3. The SMTP rewriting facility was broken.

 4. There was some malformatting in the spec.txt file (the other formats were
    OK).

 5. Made convert4r4 change "bydns_a" into "bydns" in route_list options, and
    to do the same for "bydns_mx", but in this case to comment that it won't
    work the same (and to suggest a workaround).

 6. Removed redundant code in deliver.c for indicating when a reused SMTP
    connection had been closed in a subprocess - this was being done twice.

 7. Change 2 of 3.164 removed Exim's explicit checking that a reverse DNS
    lookup yielded a name whose forwarded lookup gave the original IP address,
    because I thought that gethostbyaddr() did this automatically (it seems to
    on some systems). There is hard evidence that I was wrong, so this test has
    been put back, and in a better form, because it now checks alias names.
    This means that the verify=reverse_host_lookup condition in an ACL reduces
    to requiring that the host name has been looked up, since the checks it
    previously did are not always applied.

 8. When sender verification fails, the error associated with it is given by
    default before the 550 error for the first RCPT command. Not everybody
    wants to see this. There is now an option (no_details) that suppresses it.

 9. The patterns in rewriting rules with the 'S' flag were not being expanded.
    For consistency with other patterns (and the documentation), this has been
    changed.

10. "domainlist", "hostlist", and "addresslist" weren't recognized if the
    immediately following character was a tab rather than a space.

11. The rules for writing daemon pid files have changed. A new option -oP has
    been added to provide a way of specifying a pid file path on the command
    line. Exim now writes a pid file when -bd is used, unless -oX is specified
    without -oP.

12. The version number of OpenSSL was included in the response to the STARTTLS
    command - a legacy from the original contributed code that doesn't seem
    sensible. It no longer appears, and I took it out of the debug output as
    well because that was the only place left, and the code to compute it was
    "mysterious magic" that didn't seem worth keeping.

13. When another message was processed in order to send it down an existing
    SMTP connection, Exim was doing the routing for all the addresses. Even if
    called from a delivery from a queue runner, this doesn't count as "in a
    queue run", so retry times were not being inspected. If the message had a
    large number of recipients, and several of them timed out while routing,
    the delay could be so large that the server at the other end of the SMTP
    connection would time out. To avoid this happening, Exim now skips routing
    for any addresses that have a domain retry time set for routing, whether or
    not that retry time has arrived, when dealing with a pre-existing SMTP
    connection. This will be "right" pretty well all of the time, and even
    when it is "wrong", the only consequence will be some delay. (This doesn't
    apply to "address" retry times, because those are usually the result of 4xx
    errors, not timeouts.)

14. Added words to the initial output from -bh pointing out that no ident
    callback is done.

15. The convert4r4 script wasn't getting it quite right with an aliasfile
    director that had a "transport" setting. It was missing the "yes/no" in the
    "condition" setting.


Exim version 4.00
-----------------

 1. Changed the name of debug_print for authenticators (3.953/38) to
    server_debug_print because it applies only when the authenticator is
    running as a server.

 2. Forgot to change DB_ to EXIMDB_ in the Cygwin Makefile.

 3. There were still a couple of uses of vfork() when passing a socket to a
    new delivery process. The use of vfork() is not recommended these days,
    so I changed them to fork().

 4. Added the spa authentication mechanism, using the code contributed by Marc
    Prud'hommeaux (and mostly taken from the Samba project). This supports
    Microsoft's "Secure Password Authentication", but only as a client.

 5. queryprogram had current_directory unset, but used "/" when it was unset.
    It is tidier just to make the default "/" and have done with it.

 6. When a delivery is run with -v, the -v flag is no longer passed on to new
    processes that are started in order to send other messages on existing
    SMTP connections. This prevents non-admin users from seeing these other
    deliveries. Admin users can specify a higher level of debugging, and when
    this is done, the debugging selection is passed on.

 7. Increased the increment for dynamic strings from 50 to 100.

 8. When Exim was building a dynamic string for $header_xxx from a number of
    headers of the same name, or for $message_headers, it was using the dynamic
    string function which is designed for use with relatively short strings. If
    a pathological message had an enormous header, it chewed up memory at a
    ridiculous rate. The code has been rewritten so that it does not do this.
    With a 64K header string (there's a limit set at 64K) it now just gets one
    64K buffer. Previously it used a large number of megabytes to build such a
    string, and some system filter processing ran machines into the ground on
    messages with huge headers.

 9. The work for 8 involved a small amount of other "refactoring" in the
    expansion functions.

10. If "headers add" or "headers remove" were used in a system filter, the
    headers didn't actually get changed when testing with -bF. This could
    affect later commands in the filter that referred to the headers.

11. Two system filter bugs: (a) The system filter was always being run as root,
    even if system_filter_user was set. (b) When the system filter was not run
    as root, changes to the header lines by "headers add" or "headers remove"
    were being lost. Because of (a), (b) would never have bitten.

12. Some "refactoring" in the daemon:
      (a) Removed redundant statement smtp_in=NULL.
      (b) The test for fork failure for a delivery process was not quite in the
          right place.
      (c) Added main and panic logging for receive and delivery fork failures.
      (d) Check for fdopen() failure, and don't try to continue, but ensure
          the sockets get closed.
      (e) Log fclose() failures.

13. Added the "/data" facility to ACL dnslists so as to make it easy to use,
    for example, the domain lookup of rfc-ignorant.org.

14. Refactored the code in the daemon to use a vector of structures instead of
    two separate vectors for storing the pid of a spawned accepting process and
    the corresponding IP address of the client. (This is to make it easier to
    add other things.)

15. If EXIM_USER or EXIM_GROUP were set to the empty string in Local/Makefile,
    the uid or gid were set to zero, which is unsafe. These settings now cause
    an error message at build time.

16. check_ancestor was doing its check case-sensitively, which meant that it
    did not work with some configurations when redirecting changed the case of
    the local part. Now check_ancestor respects the setting of
    caseful_local_part on the router which routed the ancestor address.

17. The check for router looping (whether the current router had previously
    routed the same address) was always being done case-insensitively. It
    should do the local part check case-sensitively when caseful_local_part is
    set for that router.

18. Added helo_try_verify_hosts, which is like helo_verify_hosts except that
    it doesn't reject failing HELO/EHLO. Instead the verification state can be
    testing in an ACL by verify=helo.

19. When echoing log writes from a parallel remote delivery process to the
    debug output, the pid of the parallel process was being omitted.

20. In an ACL run for a RCPT command, the values of $domain and $local_part
    were becoming unset after a sender or recipient verification.

21. Exim crashed if called with -C followed by a ridiculously long string.

22. Some other potential points of trouble caused by pathological input data
    have been defended.

23. If hosts_randomize was set on an smtp transport, the randomizing code had
    a bug which could put the delivery process into a tight loop.



Exim version 3.953
------------------

 1. Exim was not terminating the names of named lists in memory. It got away
    with this on systems where newly malloc()d store is zeroed (always a bad
    practice). When running in its test harness, Exim now ensures that all
    new memory from malloc is filled with a non-zero value. This will help
    pick up bugs like this in future. (I haven't made it do it always, for
    performance reasons.)

 2. When skip_syntax_errors was set on a redirect router, and a forward file
    (NOT a filter file) contained only invalid addresses, the message was
    discarded. The router now declines, as it does for invalid filter files.
    Thus, the address is passed on unless no_more is set.

 3. When an address containing upper case letters in the local part was
    deferred, eximon showed the lowercased version with the caseful version
    as a "parent", as well as the original caseful version in its queue list.

 4. When hide_child_in_errmsg was set on a redirect router, bounce messages
    still showed the failed addresses in the X-Failed-Recipients: header line.

 5. Change 6 for 3.952 should also have included SIGTERM.

 6. exim -bP +something was searching only the domain lists. It now searches
    all lists for a matching name.

 7. If Local/Makefile contains more than one of USE_DB, USE_GDBM, or USE_TDB,
    give a build-time error. When it does contain one of them, arrange for any
    OS default for any other one to be overridden. (The code expects at most
    one of these to be defined.)

 8. When a value for transport_home_directory is taken from the password
    information, wrap it in \N...\N so that it isn't expanded in the transport.
    This affects Cygwin, where home directories may contain $ characters.

 9. Fixed an occasional crash when autoreply was sending a message created by
    a user's filter file. It was referencing uninitialized memory. (The
    prophylactic mentioned in 1 above made it a hard error.)

10. The "run" and "readfile" expansion items could sometimes return extra junk
    characters (yet another uninitialized memory bug).

11. The lockout options forbid_filter_existstest etc. were not propagating to
    the expansion of files sent as part of "mail" messages from users' filter
    files.

12. Another unterminated string bug: when an ACL was read from a file
    dynamically it wasn't properly terminated.

13. Cached pgsql connections weren't being re-used, leading to a potential
    build-up of open connections.

14. $message_headers is supposed to be limited to 64K in length, but it wasn't
    so limited if an individual header line was longer than 64K.

15. An individual header line, or concatenation of multiple identically-
    named header lines, inserted by $h_xxxx is supposed to be limited to 64K in
    length, but it wasn't so limited if the only header line was longer than
    64K.

16. A syntactically incorrect setting of -d... is now treated as a command line
    syntax error (message to stderr, return code 1), without any entry on the
    log.

17. Modifications to the exim_install script:
      (a) Scan the combined Makefile in the build directory instead of messing
          around scanning its individual constituent files.
      (b) Use sed instead of a pipe of grep, tail and cuts. This allows better
          control, but has to be very simple sed in order to work on Solaris.
      (c) Allow for the setting of EXE to add a subscript to executables for
          the benefit of Cygwin.
      (d) Use -c instead of -b with "cut" because the "cut" in BSD/OS doesn't
          grok -b.

18. Changes for Cygwin:
      (a) Update scripts/os-type to recognize CYGWIN.
      (b) Arrange (via the Uopen() macro) for all calls to open() to have
          the O_BINARY flag, to avoid CRLF problems.
      (c) If OS_INIT is defined, call it at the very start of Exim's execution.
      (d) When resolver debugging is enabled, set _res.options |= RES_DEBUG
          before calling res_init() as well as after, because that generates
          some debugging info during initialization.

19. Make the initial call to os_getloadavg() in exim.c conditional on
    LOAD_AVG_NEEDS_ROOT because it is done just to initialize os_getloadavg()
    on systems that require the first call to be done as root. It should be
    called only when messages are being received; it was being called
    unnecessarily in some cases.

20. If Exim failed to open its retry hints database at routing time, it crashed
    during a subsequent local delivery.

21. If Exim is neither setuid root nor called by root, there is no need to
    attempt to drop root privilege when it is not needed.

22. I'd forgotten to remove the check for the presence of %s in pid_file_path
    when it was set at run time.

23. If a transport filter crashed, or yielded a non-zero return code during an
    SMTP delivery, Exim was not aborting the delivery. This led to multiple
    partial deliveries of the message until the transport filter was fixed.

24. Do not try alternate hosts if a transport filter crashes or yields a
    non-zero return during an SMTP delivery.

25. When exim -be is reading input lines from stdin, backslash can now be used
    for continuations. This makes it easier to test expansions from a
    configuration file by cut and paste, and long expansions in general.

26. The file src/auths/xtextdecode.c was incorrectly named xtestdecode.c, but
    because the MakeLinks script built a symbolic link that worked, this
    mistake didn't actually show up.

27. When Exim is delivering another message down an existing connection,
    remote_max_parallel should be forced to 1; this wasn't happening, though
    it would have caused a problem only if a message had more than 100
    recipients routed to the host.

28. When there was a problem while delivering down an existing connection, such
    that the transport process closed the connection, this fact wasn't getting
    communicated to the calling delivery process, which might have tried to do
    more deliveries on the same connection. This would only have caused a
    problem if there were more than 100 recipients to the same host.

29. The ${extract} action, with a negative field number that selected the first
    field in a string, could return junk characters at the start of the
    extracted field.

30. When Exim is acting as a client, if an attempt to start a TLS session fails
    during the TLS negotiation phase (i.e. STARTTLS is accepted, but there's a
    problem such as an unrecognized certificate during TLS session startup),
    Exim used always to defer delivery. Now, unless the host is in
    hosts_require_tls, Exim makes a new connection to the host and attempts to
    send the message unencrypted. This avoids stuck messages for servers that
    advertise STARTTLS but don't actually support it properly.

31. Added ${address:xxx} to go with ${domain:xxx} and ${local_part:xxx} which
    extract from RFC 2822 addresses.

32. The rules for recognizing when Exim is being called from inetd have
    changed. Previously Exim required SMTP input, stdin to be a TCP/IP socket,
    and the caller to be root or the Exim user. This left a gaping hole if the
    caller was not root or the Exim user, because then it wouldn't do the
    policy checking for a remote host, because it didn't realize it was being
    called from inetd. (This was seen on Debian configurations). Exim now
    behaves as follows: if the input is SMTP and stdin is a TCP/IP socket, a
    call from inetd is assumed. This is allowed to proceed either if the caller
    is root or the Exim user, or if the port used is privileged (less than
    1024). Otherwise (a different user passing an unprivileged port) Exim gives
    a "Permission denied" error.

33. Removed $compile_number from the default SMTP banner line (after discussion
    on the mailing list). Also removed it from the default $Received: header.

34. # is documented as a comment character in the run time configuration only
    when it appears at the start of a line. In the case of boolean values,
    extra characters after "= true" or "= false" were being ignored, leading to
    a false impression that comments could appear there. This is now diagnosed
    as an error.

35. If a boolean option without a following "=" was followed by # (in the
    mistaken belief that this would be a comment), the error was "missing =",
    which was confusing. Exim now complains about extra characters.

36. When Exim complains about extra characters following an option setting, it
    now adds a comment about comments if the first extra character is #.

37. Output debug_print strings when testing a host using -bh.

38. Added server_debug_print to authenticators (compare routers and
    transports). This outputs when an authenticator is called as a server. It
    can be helpful while testing with -bh.

39. Added debugging output to the crypteq condition.

40. If a named domain or local part list used in a "domains" or "local_parts"
    option on a router matched by means of a lookup, the $domain_data and
    $local_part_data variables were set for the first router that did this, but
    were not set for any subsequent routers that used the same named list. The
    same was true for multiple tests of named domain or local parts lists in an
    ACL.

41. If the variable "build" is set when the top-level Makefile is run, the
    variable now propagates from the top-level Makefile to subsidiary ones.
    In addition, Local/Makefile-$(build) is added to the list of concatenated
    files that go at the start of the Makefile in the build directory.

42. If NO_SYMLINK is defined in Local/Makefile, the exim_install script just
    copies the Exim binary in with its unique name, without moving the "exim"
    symbolic link to it.

43. Added BSDI 4.2 as a BSDI variant in scripts/os-type.

44. The spool file format for remembering a "one_time" redirection has changed;
    I had forgotten to make Exim 4 capable of reading Exim 3 spool files.

45. Address lists are now permitted to include items of the form *@+name where
    "name" is a named domain list. (Note that an item of the form +name is
    taken as a named _address_ list.)

46. When Exim gives up privilege and reverts to the calling user because it was
    called with the -C, -D, -be, or -bi options, it now reinstates the
    supplementary group list as well as the uid and gid.

47. The crypteq condition has been extended. When the encrypted string begins
    with "{md5}" Exim used to assume that the digest was encoded as a base64
    string. Now it assumes this only if its length is 24 bytes. If the length
    is 32 bytes, Exim assumes a digest expressed in hex characters. If the
    length is neither 24 nor 32, the comparison always fails.

48. Updated the convert4r4 script:

      (a) Some typos in the comments.
      (b) Remove kill_ip_options, log_ip_options, and refuse_ip_options, which
          no longer exist.
      (c) Move all macro definitions to the top of the output, to ensure that
          they precede any references to them.
      (d) If tls_verify_ciphers was set without tls_verify_hosts, the generated
          new configuration insisted on encryption ("these ciphers must be
          used for all connections") instead of just checking the cipher when
          encryption happened ("if encrypted, these ciphers must be used").
      (e) Address lists are now checked to see if they contain any bare lookup
          items and if they do, these are converted to two items, the first
          preceded by "*@" and the second with "partial-" removed. This makes
          Exim 4 behave in the way that Exim 3 used to. An explanatory comment
          is output.
      (f) Put more explanation in above the "hosts = :" test.

49. Write a main and panic log entry when "partial-" is ignored in a lookup
    that is part of an address list. (Applies when the item is a lookup for
    which the whole address is the key.)

50. Two changes to the way $original_local_part and $parent_local_part work:

      (a) When an address that had a prefix or suffix was redirected to another
          address, the value of $original_local_part and $parent_local_part
          had the prefix or suffix stripped when referred to during the
          processing of the child address. This doesn't seem right, so it has
          been changed.
      (b) When an address that had a prefix or suffix was being processed,
          $local_part had the affix stripped, and if it was a top-level
          address, $original_local_part also has the affix stripped. This has
          been changed. Now $original_local_part contains the same value at all
          levels. ($parent_local_part remains empty at top level.)

51. A number of macros in the Exim source began with "DB_". When compiling
    with Berkeley DB version 4, DB_LOCK_TIMEOUT clashed with a macro set by
    that package. The Exim macros now all start with "EXIMDB_", and Exim
    therefore now supports DB version 4.

52. Newlines in a "freeze" text from a system filter were being sent as \n
    in messages created by the "freeze_tell" option. They are now converted
    back to newlines (in the log line they continue to appear as \n).

53. Added a new ACL condition "verify = reverse_host_lookup". This does a
    reverse lookup of the client host's IP address, then does a forward lookup
    for all the names it receives, and checks that at least one of the IP
    addresses obtained from the forward lookup matches the incoming IP address.
    The lookups are done with gethostbyaddr() and gethostbyname(),
    respectively.

54. A small fix to eximstats reduces its store usage substantially when it is
    processing very large log files: when a message's "completed" line is
    reached, discard the memory of the message's size.

55. If an address was redirected to itself more than once (e.g. by two
    different "redirect" routers, or because of the use of "unseen", it was
    incorrectly discarded as a duplicate address.

56. For a rewrite pattern of the form *@something, if an actual address
    contained @ in the local part (e.g. "a@b"@x.y), the value of $1 was set
    incorrectly during expansion of the replacement address (it stopped at the
    first @ instead of at the last one).

57. Added hosts_nopass_tls to the smtp transport. For any host that matches
    this list, a connection on which a TLS session has been started will not be
    passed to a new delivery process for sending another message on the same
    connection.

58. The -dropcr command line option now turns CRLF into LF, while leaving
    isolated CR characters alone. (Previously it removed _all_ CR characters.)
    There is now also a drop_cr main option which has the effect of -dropcr for
    all incoming non-SMTP messages.

59. If a configuration file macro expanded into a boolean option which was not
    followed by = and a value, Exim gave a spurious error for an "unknown"
    value for the option (typically a string from the previous line).


Exim version 3.952
------------------

 1. convert4r4 had an incorrect file name in its comment output.

 2. convert4r4 was looking up $local_part instead of $domain in its generated
    manualroute output.

 3. There was no check that getpeername() was giving a socket address when
    called on stdin passed from a previous delivery.

 4. Fixed an old bug whereby Exim could segfault if debugging was turned on and
    a DNS lookup found MX records for hosts whose A records had to be looked up
    separately, and some of them pointed to the local host (pretty rare).

 5. The debugging output for log writes now shows the names of any log selectors
    instead of the hex value of the selector word.

 6. If a delivery subprocess is terminated by SIGKILL or SIGQUIT, do not freeze
    the message. This can happen during system shutdown. Other kinds of process
    failure indicate problems.

 7. If a sender verification did not complete (e.g. DNS lookup timed out), the
    log line for the temporary RCPT rejection did not always say why (it lost
    the message if there had been a previous call to any lookup).

 8. The special message about MX records that point to IP addresses instead of
    host names was not getting returned in the SMTP response when a
    verification failed. This has been fixed, and the message that is logged in
    this circumstance has been made less verbose.

 9. When an SMTP callout is done, Exim tries to use the interface and port
    number from the transport that the address was routed to during the prior
    verification. If it wasn't routed to a remote transport, or if there's a
    problem expanding the relevant options, Exim does not use a specific
    interface, and it connects to port 25.

10. If the string "syslog" happened to occur in the log file path, eximon was
    failing to extract the name of the main log file correctly.

11. Unlike other operating systems, Linux does not sync a directory after a
    rename. However, we need this to happen to be sure an incoming message has
    been safely recorded after it has been received. I have therefore added a
    macro called NEED_SYNC_DIRECTORY (which is set in OS/os.h_Linux) to request
    Exim to do an explicit sync on the directory after the rename. If
    O_DIRECTORY is defined, it is used when opening the directory.

12. When a system filter creates any new deliveries, they are given a fake
    "parent" address which appears on the logs, and is necessary for pipes,
    files, and autoreplies, which cannot be toplevel addresses. This fake was
    set up with the text "system filter". It's been changed to "system-filter"
    because the space in the previous text could cause trouble.

13. The new option local_sender_retain suppresses the removal of Sender: header
    lines in locally-submited (non-TCP/IP) messages from untrusted users. It is
    required that no_local_from_check be set with local_sender_retain.

14. In a file interpolated into an address list, if a local part contained a
    # character and there was also a following comment (introduced by a #
    preceded by white space), the comment was not recognized.

15. Local part lists are now handled as address lists as far as recognition of
    comments in interpolated files and the processing of +caseful at the top
    level are concerned. In the local_parts option of a router, +caseful will
    restore case-sensitive matching, even when the router does not have
    caseful_local_part set (the default).

16. The key used for a dsearch lookup may not contain '/'. If it does, the
    lookup defers.

17. When starting a delivery process after receiving a message locally, discard
    the controlling terminal unless debugging is turned on.

18. The exim group was automatically trusted; this was not correct because it
    meant that admin users who were in the exim group were automatically
    trusted. If you want the exim group to be trusted, it must now be
    explicitly configured.

19. The default configuration mentioned "dns_lists" instead of "dnslists" in a
    comment.

20. Minor corrections and changes to the Exim4.upgrade document and to the
    OptionLists.txt document.

21. If a local part beginning with a pipe symbol was routed to a pipe
    transport, the transport got confused as to which command it should run.
    This could be a security exposure if unchecked local parts are routed to
    pipe transports.

22. When logging SMTP connections to the daemon from other hosts, include the
    connection count in the log line. Tidied up the identification of SMTP
    sources in logging lines.

23. Added "sender_domains" as a new ACL condition so that the Exim 3 setting
    of sender_verify_callback_domains can easily be replicated. Corrected
    convert4r4, which was incorrectly converting this to a "domains" setting.

24. The code for reading ident values was not discarding leading spaces, which
    some hosts seem to send.

25. The building process was still insisting that PID_FILE_PATH contained %s,
    but this is not required for Exim 4.

26. The logging of ETRN commands had got lost. It has been restored, and the
    log selector "etrn" (on by default) added to control it.

27. IPv6 reverse DNS lookups were originally specified as happening in the
    ip6.int domain, but this is being changed to ip6.arpa (and they've changed
    the meaning of "arpa" to "Address and Routing Parameters Area"). The only
    time Exim does reverse lookups directly (as opposed to calling
    gethostbyaddress()) is in the code for the dnsdb lookup type. This has been
    changed to use ip6.arpa.

28. Made the test programs (test_dbfn for testing DBM files, and some others)
    compile! Updated the help output from test_dbfn.

29. Changed all occurrences of "r" and "w" in fopen() fdopen() calls to "rb"
    and "wb". This makes no difference in Unix systems, but is apparently
    necessary for running Exim under Cygwin.

30. Three changes that make virtually no difference when Exim is run on a real
    Unix system, but which were asked for to make life easier when porting it
    to run under Cygwin:

    (a) Changed the logic for locking a message when an Exim process is
        handling it. Previously, the entire -D file was locked to indicate
        this. Now Exim locks only the first line, which contains the name of
        the file. Apparently, in the Cygwin environment, a subprocess cannot
        read locked parts of a file, even when it is passed an open file
        descriptor to that file from the process that did the locking. By
        locking only the first line, which the subprocess does not want to read
        (it just needs to read the data that follows), we can get round this
        restriction with minimal effort.

    (b) Added support for native gdbm function calls. GDBM is apparently the
        only DBM library that is currently available Cygwin, and only with its
        native API.

    (c) The default modes for files, directories, and lock files in the
        appendfile transport can now be set in Local/Makefile at build time.

31. When transmitting a message using SMTP with PIPELINING, if the server gave
    a malformed SMTP response, the message logged by Exim didn't associate it
    with the pipelined SMTP command to which it referred. For example it logged
    "after DATA" if all the recipients had been sent. Also, if the response
    was an empty line (illegal), it didn't show up very clearly. The error
    messages are now more accurate, and point out empty lines.

32. Minor corrections and changes to src/configure.default.

33. When a host list in a route_list item that was enclosed in double quotes
    contained single quotes within it, the quoting was incorrectly terminated.
    Both the pattern and the host list in route_list items are now handled by
    the standard quote-processing function.

34. Corrected the EDITME file for eximon so that the default stripchart
    patterns work with the default runtime configuration for local deliveries.
    (Previously it matched a delivery via a director - not possible in Exim 4.)


Exim version 3.951
------------------

Exim 3.951 is the first alpha testing release for Exim 4. A list the many
individual changes to the code made between Exim 3.33 and Exim 3.951 was not
kept. The functional changes are listed in the Exim4.upgrade file.

****
