Exim 4.86 released

unihostbrasil

Exim version 4.86
-----------------
JH/01 Bug 1545: The smtp transport option "retry_include_ip_address" is now
expanded.

JH/02 The smtp transport option "multi_domain" is now expanded.

JH/03 The smtp transport now requests PRDR by default, if the server offers
it.

JH/04 Certificate name checking on server certificates, when exim is a client,
is now done by default. The transport option tls_verify_cert_hostnames
can be used to disable this per-host. The build option
EXPERIMENTAL_CERTNAMES is withdrawn.

JH/05 The value of the tls_verify_certificates smtp transport and main options
default to the word "system" to access the system default CA bundle.
For GnuTLS, only version 3.0.20 or later.

JH/06 Verification of the server certificate for a TLS connection is now tried
(but not required) by default. The verification status is now logged by
default, for both outbound TLS and client-certificate supplying inbound
TLS connections

JH/07 Changed the default rfc1413 lookup settings to disable calls. Few
sites use this now.

JH/08 The EXPERIMENTAL_DSN compile option is no longer needed; all Delivery
Status Notification (bounce) messages are now MIME format per RFC 3464.
Support for RFC 3461 DSN options NOTIFY,ENVID,RET,ORCPT can be advertised
under the control of the dsn_advertise_hosts option, and routers may
have a dsn_lasthop option.

JH/09 A timeout of 2 minutes is now applied to all malware scanner types by
default, modifiable by a malware= option. The list separator for
the options can now be changed in the usual way. Bug 68.

JH/10 The smtp_receive_timeout main option is now expanded before use.

JH/11 The incoming_interface log option now also enables logging of the
local interface on delivery outgoing connections.

JH/12 The cutthrough-routing facility now supports multi-recipient mails,
if the interface and destination host and port all match.

JH/13 Bug 344: The verify = reverse_host_lookup ACL condition now accepts a
/defer_ok option.

JH/14 Bug 1573: The spam= ACL condition now additionally supports Rspamd.
Patch from Andrew Lewis.

JH/15 Bug 670: The spamd_address main option (for the spam= ACL condition)
now supports optional time-restrictions, weighting, and priority
modifiers per server. Patch originally by <[email protected]>.

JH/16 The spamd_address main option now supports a mixed list of local
and remote servers. Remote servers can be IPv6 addresses, and
specify a port-range.

JH/17 Bug 68: The spamd_address main option now supports an optional
timeout value per server.

JH/18 Bug 1581: Router and transport options headers_add/remove can
now have the list separator specified.

JH/19 Bug 392: spamd_address, and clamd av_scanner, now support retry
option values.

JH/20 Bug 1571: Ensure that $tls_in_peerdn is set, when verification fails
under OpenSSL.

JH/21 Support for the A6 type of dns record is withdrawn.

JH/22 Bug 608: The result of a QUIT or not-QUIT toplevel ACL now matters
rather than the verbs used.

JH/23 Bug 1572: Increase limit on SMTP confirmation message copy size
from 255 to 1024 chars.

JH/24 Verification callouts now attempt to use TLS by default.

HS/01 DNSSEC options (dnssec_require_domains, dnssec_request_domains)
are generic router options now. The defaults didn't change.

JH/25 Bug 466: Add RFC2322 support for MIME attachment filenames.
Original patch from Alexander Shikoff, worked over by JH.

HS/02 Bug 1575: exigrep falls back to autodetection of compressed
files if ZCAT_COMMAND is not executable.

JH/26 Bug 1539: Add timeout/retry options on dnsdb lookups.

JH/27 Bug 286: Support SOA lookup in dnsdb lookups.

JH/28 Bug 1588: Do not use the A lookup following an AAAA for setting the FQDN.
Normally benign, it bites when the pair was led to by a CNAME;
modern usage is to not canonicalize the domain to a CNAME target
(and we were inconsistent anyway for A-only vs AAAA+A).

JH/29 Bug 1632: Removed the word "rejected" from line logged for ACL discards.

JH/30 Check the forward DNS lookup for DNSSEC, in addition to the reverse,
when evaluating $sender_host_dnssec.

JH/31 Check the HELO verification lookup for DNSSEC, adding new
$sender_helo_dnssec variable.

JH/32 Bug 1397: Enable ECDHE on OpenSSL, just the NIST P-256 curve.

JH/33 Bug 1346: Note MAIL cmd seen in -bS batch, to avoid smtp_no_mail log.

JH/34 Bug 1648: Fix a memory leak seen with "mailq" and large queues.

JH/35 Bug 1642: Fix support of $spam_ variables at delivery time. Was
documented as working, but never had. Support all but $spam_report.

JH/36 Bug 1659: Guard checking of input smtp commands against pseudo-command
added for tls authenticator.

https://raw.githubusercontent.com/Exim/exim/master/doc/doc-txt/ChangeLog
 
Hi,

Upgraded through Custombuild 2.0 and it went fine. But my log is telling me otherwise; no matter where I send the e-mail I get:

SSL verify error: certificate name mismatch: "/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webaster@localhost"

If there is no certificate, or filled in if there is one. But every time a "name mismatch"; is there something wrong? Or does the config need to be changed?

Regards.
 
I'm seeing similar log entries in exim, but not to everyone. To Ziggo (big Dutch ISP) for example it does:

[212.54.34.8] SSL verify error: certificate name mismatch: "/C=NL/postalCode=3542 AB/ST=Utrecht/L=Utrecht/street=Atoomweg 100/O=Ziggo BV/OU=NO Internet Services/OU=Hosted by Realtime Register B.V./OU=InstantSSL/CN=smtp.ziggo.nl"

And from one of my servers to another one of mine as well, it shows the SSL domain I configured for my own clients (IMAP/SMTP). I'm guessing that certificate was (is) being used for communication between SMTP servers as well. Maybe exim checks things more strictly now, starting with warnings; later maybe it needs to be a valid certificate? Just guessing here.

E-mails are still delivered after the error here.

Edit:
JH/06 Verification of the server certificate for a TLS connection is now tried
(but not required) by default. The verification status is now logged by
default, for both outbound TLS and client-certificate supplying inbound
TLS connections
Guess that is it.
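The "certificate name mismatch" lines quoted in this thread can be triaged from the mainlog to see which peers present a certificate whose name does not match, and how often, before deciding whether to keep the new default verification or set tls_verify_cert_hostnames per host. This is an added example, not code from the thread or from Exim; the log lines are constructed in the shape quoted above, with made-up timestamps and message IDs, and the DN field order follows what Exim logged in the posts.

```python
import re
from collections import Counter

# Constructed sample lines in the shape quoted in this thread (not a real log).
# Timestamps and message IDs are made up; the DN strings mirror the quoted ones.
SAMPLE_LOG = """\
2015-07-20 10:00:01 1ZH1Ab-0001xy-Qc SSL verify error: certificate name mismatch: "/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost/emailAddress=webmaster@localhost"
2015-07-20 10:00:02 1ZH1Ac-0001xz-Rd [212.54.34.8] SSL verify error: certificate name mismatch: "/C=NL/postalCode=3542 AB/ST=Utrecht/L=Utrecht/street=Atoomweg 100/O=Ziggo BV/OU=NO Internet Services/OU=Hosted by Realtime Register B.V./OU=InstantSSL/CN=smtp.ziggo.nl"
2015-07-20 10:00:03 1ZH1Ad-0001y0-Se => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.10]
"""

# Optional "[ip] " directly before the error text, then the quoted DN.
MISMATCH_RE = re.compile(
    r'(?:\[(?P<ip>[^\]]+)\] )?SSL verify error: certificate name mismatch: "(?P<dn>[^"]*)"'
)


def parse_dn(dn):
    """Split an OpenSSL-style "/C=../O=../CN=.." DN into {key: [values]}.
    Repeated keys (several OU= entries above) are kept in order."""
    parsed = {}
    for part in dn.strip("/").split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            parsed.setdefault(key, []).append(value)
    return parsed


def parse_mismatch(line):
    """Return {'ip', 'cn', 'dn'} for a name-mismatch line, else None."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    dn = parse_dn(m.group("dn"))
    return {"ip": m.group("ip"), "cn": dn.get("CN", [None])[-1], "dn": dn}


def summarize(log_text):
    """Count mismatches per (peer IP or '-', certificate CN)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_mismatch(line)
        if event:
            counts[(event["ip"] or "-", event["cn"])] += 1
    return counts


if __name__ == "__main__":
    for (ip, cn), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} CN={cn!s:24} mismatches={n}")
```

Run it against the real file with `summarize(open("/var/log/exim/mainlog").read())`; a peer that keeps appearing with a CN unrelated to its MX name is the one to look at before relaxing verification for that host.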
 