From 89b7b67a13ebb7965cc7f13ad0595e2194a2d34c Mon Sep 17 00:00:00 2001 From: Jannis Hoffmann Date: Wed, 3 Jul 2024 15:48:04 +0200 Subject: add sqmail-4.2.29a --- doc/CHANGELOG | 196 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100644 doc/CHANGELOG (limited to 'doc/CHANGELOG') diff --git a/doc/CHANGELOG b/doc/CHANGELOG new file mode 100644 index 0000000..e48d1ed --- /dev/null +++ b/doc/CHANGELOG 
@@ -0,0 +1,196 @@ +s/qmail 4.0 CHANGE log +====================== + +Older changes can be found in CHANGELOG_V3. + +Version Descripition +-------------------- + +4.0.00 Initial version, removed SRS, fixed SPF. +4.0.01 Recovered SRS and added srsforward + srsreverse + as compile option; still depending on librsrs2. + Added man pages for srsforward + srsreverse. + Fixed columnt (buf incorrectly used). +B(2) Changed 'puts' to 'out'; where applicable. + Fixed dnsq call in qmail-smtpd concerning + lookup type "M" -> 'M', "A" -> 'A' (char ). +B(3) Fixed missing timestamp for mails in maildir.c + making qmail-pop3d behaving erratic. + Substituted put -> out almost everywhere. + Fixed wrong 'identity' in Received header ('unknown') + due to misplaced 'if' nesting. + Streamlined qmail-authuser to support APOP auth + even for Unix system accounts (tx Drew). + Fixed wrong CAPA announcement in qmail-popup + (APOP instead of UIDL). +4.0.02 Removed dependency on libsrs2 providing srs2.[c|h] + natively together with sha1[_hmac].[c|h]. + Complete refactoring of sha1 and sha1_hmac. + Included Drew W's enhancements for Dovecot auth + in qmail-authuser. + Fixed bug in IPv4/IPv6 matching for spf_mx. +4.0.03 Enhanced qmail-authuser. + Redone srsforward and srsreverse + man pages. + Fixed qmail-smtpd to cope with new DNS resolver + behaviour (in particular for SPF segfaulting for bounces). + Finally streamlined man pages. +4.0.04 SMTPUT8 is now triggered via environment variable UTF8 for + qmail-smtpd. + Fixed segfaulting qmail-smtpd in case of multiple recipients + in the RCPT TO dialog. + qmail-smtpd exits now if Auth and Auth not announced or PAM missing. +4.0.05 Fixed bug in qmail-remote with wrong CNAME address mangling (tx. Leah). + Removed SMTPUTF8 compiler flags in qmail-remote and qmail-smtpam + which now auto-detect UTF8 encoded addresses. +4.0.06 Fixed qmail-smtpd segfaulting while wrongly evalute 'fakehelo' for SPF. 
+ Added compatibility for other tcpserver/sslserver programs + calling qmail-smtpd and different IPv6 environment variables (4Leah). +4.0.07 Straightend some code in SPF evalution which might prevent it (tx Leah). + Fixed bug returning wrong SPF results in case a TXT but no SPF record is given. + Fixed qmail-remote potentially not binding to IPv4 addresses (tx. MB). + Fixed qmail-authuser insuffient handle of passwords using crypt (tx. MB). +4.0.08 Fix for qmail-vmailuser not respecting vpopmail's home dir (tx. Ueli H.). + Changed qmail-remote to cope better with fehQlibs-15 and IPv4 qualification. + Fixed CVE-2011-0411: Pipelining command injection for qmail-smtpd. + Fixed the Guninski CVE-2005-1513 (in fehQlibs-15): Buffer overflow + if size of mail > 4 GByte. +4.0.09 Reworked fix for CVE-2011-0411 to provide a general solution. (tx. Fabian) + Applied fix to qmail-popup as well. +4.0.10 GCC 10 refactoring (together with fehQlibs-15b). + qmail-remote now recognizes a MX retrieved IP to be itself and skips it. +EOL for 4.0 + +4.1.00 Added TLSA DNS lookup for qmail-remote. +4.1.01 Added qmail-ldapam; needs tweaking and verification still. +4.1.02 Added qmail-postgrey client together with the qmail-smtpd IF (permisssion by jan.mojzis). +4.1.03 Fixed TLSA off-by-one error for qmail-remote. + Removed idedit.c (could be used in later version). + Disabled compilation of qmail-ldapam. (cleanups, beta version). + Added postgrey run script together with adjustments for doc and man. +4.1.04 Included Reiser FS patch; see unlinking problems also with vdeliver (qmail-queue, qmail-local). + Fixed 'incorrect' xtext generation in qmail-remote. + Added qmail-qmaint providing sanity checks on the queue and + allowing removal of messages (based on E. Huss code). + Integrated DANE lookup (exceptions) into tlsdestinations + doc. +4.1.04+ Fixed bug not freeing X509 cert, thus TLSA fails. The X509_digest API is stupid. 
+4.1.05 Added selector evalution in tlsa_check and re-formulated logic. + Moved header files to ./include directory (and changed conf-cc accordingly). +4.1.06 Compliance with fehQlibs-17 (could solve [20201123#1/4.0.10]). + Fixed bug in smtproutes not authenticating [20210213#1/4.0.10]. + Reformulated qmail-smtpd smtproutes to support setting localip [RfC:20201112#1/4.0.10]. +4.1.07 Fixed bug in qmail-smtpd confusing badmailfrom with badrcptto [20120312#1/4.0.10]. + Adjusted header files to compile on ARM64 (Clang) and with GCC-10 (AMD64). +4.1.08 Removed references to qmail-ldapam in package. + Changed SPF DEFEXP macro using expand for domaiGn rather than 'spf.pobox.com' [20210212#1/4.0.10]. +4.1.09 Fixes for qmail-remote and rewriting the SIZE extension interface (tx. Drew): + a) (Occasional) wrong parsing of multiple X.509 fingerprints in dnstlsa and tls_remote.c + which might qmail-remote advice to reject valid TLSA indicated connections. + b) Wrong SIZE indication (mailfrom, mailfrom_xtext) in SMTP dialogue [20210622#1/4.1.08] (tx. Drew). + c) Wrong SMTPUTF8 indication (mailfrom, mailfrom_xtext) [20210622#2/4.1.08]. + Note: qmail-rspawn API left unchanged wrt vanilla qmail. +4.1.10 Fixed flaw in qmail-remote not producing immediate bounce for server's 5xx reply code. + Fixed bug in qmail-remote introduded in sqmail-4.1.09 evaluating size information for qmtp delivery. +4.1.11 Fixed bug in qmail-vmailuser not evaluating vpopmail's user directories correctly. + Fixed bug in qmail-smtpam segfaulting. Sitting there since 3.0; nobody is using it. + Added 'implicit TLS' support for qmail-remote in control/smtproutes, ./authusers, ./tlsdestinations. + Added 'implicit TLS' support for qmail-smtpam on the command line. +4.1.12 Improved and streamlined qmail-remote TLS errors. + Multiple DNS queries vor TLSA check; first early; second after cert received. 
+ TLSA check working again; stupid OpenSSL doc ;-) +4.1.13 Better RFC 6698 (TLSA) conformance for PKIX-EE (with full X.509 chain given). +4.1.14 TLSA record lookup follows now a CNAME query. Pretty unusual for MX environments. + Removed recognition of 451 SMTP return code as greylisting in qmail-remote logs. +4.1.14a Fixed two integration bugs in 4.1.14 and straightend TLSA lookup and evalution. +4.1.15 Off-by-one error in dnstlsa (cert finterprint too short) and + corrections (and simplifications) to evaluate the TLSA finterprints (tls_remote.c). +4.1.16 Additional corrections for TLSA evaluation with several fingerprints. + TLSA lookup not bound to PTR lookup anymore but just hostname of MX. + qmail-local does not disclose virtual user name extension in 'Delivered-To' field. + Installation routine removes now potential remnants in ./src diretory. + Removed irritating 'greylisting' log info from qmail-remote for certain SMTP reply codes. + qmail-queue fast injection race condition fix from Manvendra included. + qmail-remote evaluates MX distance according to IPv4/IPv6 local bindings. +4.1.17 Fixed OpenSSL's X509_pubkey_digest() function for TLSA. +EOL for 4.1 + + +4.2.00 Taken over qmail-ldapam development from 4.1. +4.2.03 Synced with current s/qmail (4.1.16); enhanced RECIPIENTS mechanmism to read + users/assign.cdb. Note: This breaks old qmail, since the name was just 'cdb' here. + Adjusted qmail-newu to confirm with this decision. +4.2.04 First step integrating libdkim (from Kai Peter's implementation and adjustments + for current OpenSSL and LibreSSL). +4.2.05 libdkim implemented (native C++) als qmail-dkim; added stub qmail-dksign. + Synced with sqmail-4.1.17. New requirement: fehQlibs-20 due to dns_txt.c changes. +4.2.06 Integration tests and documentation for qmail-dksign. +4.2.07 Integration tests successful; except for DKIM over QMTP. Needs changes for qmail-qmtpd. + Included man pages for qmail-dkim.8 and qmail-dksign.8. 
+4.2.08 Replace 'execve' with 'pathexec' in qmail-rspawn and qmail-dksign. + Fixed permissions on DKIM 'default' files. Preliminary qmail-dkverify.c. + Removed creation of qmail-ldapam; still a useful solution is required (separate package?). + Changed defaults for qmail-dksign to the anticipated ones; verified CRLF prior of signing. + qmail-dkim options work now as expected. Fixed wrong hash functions in dkimsign (tx. Pascal). + DKIM signing working now. +4.2.09 Removed 'Allman' code from DKIM. Adjusted qmail-dksign man page. + First attempt for qmail-dkverify.c. Removed the qmail-ldap dependencies. +4.2.10 Included 'Ed25519' signatures in dkimsign.cpp. Works fine - but untested. + Removed chdir(auto_qmail) dependency from qmail-dkim; universal usage again. + Moved back to include tabs for the DKIM header; double WSP seems not to work well here. + Removed ADSP (Author Domain Signing Practice) from dkverify.cpp (RFC 6541; experimental). +4.2.11 qmail-remote recognizes now Greylisting after HELO with SMTP Reply > 400 (and tries again). + Big reminder: Always use byte arrays in constmap hash tables => tls_destination()++. + Added 'l' (length) flag in dkimdomains for specific customization. + Changed dkimsign's BodyLength calculation; was strange before. +4.2.12 Progress on dkimverify.cpp. +4.2.13 dkimverify.cpp stripped down and working now with socket interface. +4.2.14 Fixed bug in spf_exists return wrong results for DNS lookup (tx. Laurentiu). + First version with working qmail-dkverify. Tests pending. +4.2.15 qmail-dkverify working now; except for Ed25519 signatures. + Replaced socket interface by file interface for reporting results to qmail-dkverify. + Stripped CR from outgoing mails. qmail-dksign ignores input domains for which no privkey exists. +4.2.16 qmail-dkverify considers now d=domain in X-Authentication results. 
+ Removed obsolete 'selector' file in ssl/domainkeys/ and rather + permit now tailored selector names in ssl/domainkeys// to pick up private key. + Ed25519 signing and verification working now. Fixed wrong variable for 'sender' upon call. +4.2.17 Fixed premature close of cdb in fastforward; removed slurpclose.c. + Final trimming and documentation. + qmail-remotes's cafile and cipher handling reworked. +4.2.18 Removed 'selector' as file name for qmail-dksign and used 'default' instead, making it more robust. + Changed erroneous 'domain' to 'sdid' in qmail-dksign (tx. Pascal). Udated man page for qmail-dksign. +4.2.19 Changed back to 4.2.16 behavior of reading the DKIM private key based on selector. + Added new default signing capability for qmail-dksign to consider only 'own' domains, + which are given in rcpthosts. The token '=:' can be used in control/dkimdomains. + Compatibility with LibreSSL 3.7.x and Ed25519 signature operations (tx. Nicolai). + Improved robustness and error message handling for qmail-dksign. +4.2.20 Updated mkdkimkey.sh; no TLSA lookup for bounces. + dkimverify update for message with both RSA and Ed25519 signatures and selection. + Added more verbose logging to qmail-remote in case of unsuccessful delivery. + qmail-rspawn does not read control/dkimdomains but rather stats it -> less FDs. +4.2.21 Fixed wrong DKIM ed25519 indication in DKIM header. DKIM ed25519 key stripped from ASN.1 header + in order to conform with RFC 8463 while prepending that for DKIM verification. + SPF evaluation considers now fehQlibs-22 new CIDR API. +4.2.22 Internal version with first attempt for hybrid DKIM signatures. + Fixed qmail-remote abends in case of contacting RFC (2)821 none-compliant SMTP MTAs. +4.2.23 Fix for qmail-remote handling of none StartTLS MTAs to fallback for unencrypted service. +4.2.23 Hybrid DKIM signatures working now; required changes of qmail-dkim API and qmail-dksign. +4.2.23a Some typos in documentation and spelling mistakes fixed. 
+4.2.24 Fixed SPF PTR lookup (cleared up weired logic) [202310503#1/4.2.24] and straightened error output line. + Tweaks for DNS behavior in case of missing DNS records and bouncing for qmail-remote. + Added Return Code values in man pages for DNS client programs. +4.2.25 Fixed bug in DKIM validation not considering Pubkey if k= is missing in DNS TXT record => DKIM fail. +4.2.26 Backported fixes for [20230922#1/4.3.01], [20230920#1/4.3.01], and [20230823#1/4.3.00] included. +4.2.27 Fixed qmail-smtpd Auth bug segfaulting if no/wrong arguments [20230931#1/4.2.27] +4.2.27a Misspelled prototype in smtpd.log may lead to confusing auth eror messages [20231003#1/4.2.27a]. +4.2.27b control/domainips adds erroneously a \0 to helohost which violates RFC 2821 [20231004#1/4.2.27b]. +4.2.28 Backported TLSA handling for qmail-remote from s/qmail 4.3. +4.2.29 DKIM sender evaluated in lowercase for signing [20231109#1/4.2.29]; + DKIM header for verification does not depend on position of 'Content' header (missing verification). + Fixed irritating log output in case no DKIM key is found. + DKIM signing now robust against wrong keys and remnant files left in DKIM staging area. + Fixed crash in qmail-smtpd while logging SPF evaluation with un-terminated spfbounce [20231203#1/4.2.29]. + Fixed 'missing' mails for bounces problem in case DKIM signing failed due to missing key [20231119#1/4.2.29]. +EOL for 4.2 +4.2.29a Fix for EHLO X-fields and StartTLS in qmail-remote. + Fix for recipients() and assign.cdb reading. + Fix for qmail-dkverify with incomplete information in email header. + Fix for qmail-dksign reading from inital stage file in case of signing errors. -- cgit v1.2.3
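Review bot: Several issue references in the added doc/CHANGELOG are malformed, which makes the fixes they tag hard to trace. Under 4.2.24 the id "[202310503#1/4.2.24]" has nine digits where the other ids carry an eight-digit date. Under 4.2.27, "[20230931#1/4.2.27]" names a 31 September. Under 4.1.07, "[20120312#1/4.0.10]" is dated 2012, while the other ids filed against 4.0.10 are dated 2020 and 2021. Please check these against the issue list and correct them before the file lands. Two further points concern the version labels: "4.2.23" is used for two separate entries (the StartTLS fallback fix in qmail-remote and the hybrid DKIM signatures), so a reader cannot tell which build carries which change, and the "4.2.29a" entry sits after the "EOL for 4.2" line without saying whether it is a post-EOL maintenance release. Finally, the 4.2.29a lines ("Fix for EHLO X-fields and StartTLS in qmail-remote." and the three that follow) and the 4.2.26 backport line give only a component name or an id. A short statement of what failed, as the 4.0.08 entries for CVE-2011-0411 and CVE-2005-1513 do, would let operators judge whether the TLS and DKIM fixes affect them.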