Re: [exim] Exim 4.95 released

2021-09-28 Thread Viktor Dukhovni via Exim-users
On Tue, Sep 28, 2021 at 11:19:34PM +0200, Heiko Schlittermann via Exim-users wrote:

> New stuff we've added since 4.94:
> 
> - From previous experimental support:
>   - fast-ramp queue run
>   - native SRS
>   - TLS resumption

I'd like to ask, if I may, how TLS resumption interacts with DANE or
other authenticated TLS policy, assuming potential earlier
unauthenticated TLS connections to the same IP:port or name:port on
behalf of some other domain (or via an alternate "router") which did not
require an authenticated connection, or otherwise had a different set of
TLS requirements.

In Postfix, Wietse and I had to take care in the session cache design to
avoid resumption across distinct client TLS "policies" (PKI type,
authentication, cipher list, allowed protocol versions, sorted DANE TLS
RRset, ...).  Does Exim also partition the session cache by a security
policy fingerprint?

>   - faster TLS startup

May I ask what this means?

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
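As an added illustration of the cache-partitioning question raised above (example code, not Exim's or Postfix's own): a session cache whose key includes a fingerprint of the client's TLS policy, so that a ticket obtained under an opportunistic policy is never found when a DANE-authenticated delivery to the same endpoint looks for a session to resume. The TlsPolicy fields and the SessionCache class are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example: a TLS session cache keyed by endpoint plus a
# fingerprint of the client's TLS policy. A resumed session skips the
# certificate/DANE verification done on the full handshake, so a session
# set up under a weaker policy must never be reused for a stricter one.
# Field names and the cache API are hypothetical.

@dataclass(frozen=True)
class TlsPolicy:
    level: str                       # e.g. "may", "encrypt", "verify", "dane"
    protocols: Tuple[str, ...]       # allowed protocol versions
    ciphers: str                     # cipher list handed to the TLS library
    tlsa: Tuple[str, ...] = ()       # DANE TLSA RRset (DNS order irrelevant)

    def fingerprint(self) -> str:
        # Canonical form: sorted protocol list and sorted TLSA RRset, so
        # equivalent policies map to the same key regardless of DNS order.
        canon = {
            "level": self.level,
            "protocols": sorted(self.protocols),
            "ciphers": self.ciphers,
            "tlsa": sorted(self.tlsa),
        }
        blob = json.dumps(canon, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(blob.encode()).hexdigest()

class SessionCache:
    def __init__(self) -> None:
        self._store: Dict[Tuple[str, int, str], bytes] = {}

    @staticmethod
    def _key(host: str, port: int, policy: TlsPolicy) -> Tuple[str, int, str]:
        # The policy fingerprint partitions the cache per endpoint.
        return (host, port, policy.fingerprint())

    def store(self, host: str, port: int, policy: TlsPolicy, ticket: bytes) -> None:
        self._store[self._key(host, port, policy)] = ticket

    def lookup(self, host: str, port: int, policy: TlsPolicy) -> Optional[bytes]:
        # A miss means a full handshake, which is exactly what an
        # authenticated policy needs when no session under that policy exists.
        return self._store.get(self._key(host, port, policy))
```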


[exim] Exim 4.95 released

2021-09-28 Thread Heiko Schlittermann via Exim-users
Dear Exim users and maintainers,

we're proud to announce the release of Exim 4.95.

New stuff we've added since 4.94:

- From previous experimental support:
  - fast-ramp queue run
  - native SRS
  - TLS resumption
  - LMDB lookups with single key
- New:
  - smtp transport option "message_linelength_limit"
  - optionally ignore lookup caches
  - quota checking for appendfile transport during message reception
  - sqlite lookups allow a "file=" option
  - lsearch lookups allow a "ret=full" option
  - command line option for the notifier socket
  - faster TLS startup
  - new main config option "proxy_protocol_timeout"
  - expand "smtp_accept_max_per_connection"
  - log selector "queue_size_exclusive"
  - main config option "smtp_backlog_monitor"
  - main config option "hosts_require_helo"
  - main config option "allow_insecure_tainted_data"
- Removed:
  - support for MacOS

All fixes from the 4.94.2+fixes branch (this includes the "21 nails" CVEs) are
included too.

If you upgrade from previous versions <4.94: the new taint checks are likely to
make your runtime configuration unusable. Read about the mitigation via the
"allow_insecure_tainted_data" first or make your configuration "taint check
proof".

If you upgrade from 4.94.2, nothing should break.

For those who used 4.95-RC2, a list of changes that were introduced since RC2:

* 780ea2a5c - OpenBSD: disable compiler-time param checking for string_sprintf() etc (8 days ago)
* 8b78698fa - Docs: fix closed-mailinglist example (8 days ago)
* 8f0d0a313 - DCC: fix loop expression (2 weeks ago)
* 48505c2b8 - TLS: build dependency for LibreSSL (2 weeks ago)
* 6c706bde1 - Docs: tidying (3 weeks ago)
* 889894461 - Fix validation of domain-literals in Message_ID: headers. Bug 2805 (3 weeks ago)
* 8dcd5efb1 - Avoid using CLOCK_MONOTONIC for $received_time. Bug 2615 (4 weeks ago)

Exim 4.95 is available

- as tarball: https://ftp.exim.org/pub/exim/exim4
- directly via Git: https://git.exim.org/exim.git, tag exim-4.95

The tarball checksums are signed using the same GPG key as I used to
sign this message (Key-ID: D0BFD6B9ECA5694A6F149DCEAF4CC676A6B6C142),
as the tag and tagged commit are.

Thank you and all contributors for your support. Especially thanks to
Jeremy, as he does the vast majority of coding and support.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -

