MeTA1 Changelog

New in version 1.1 Alpha 0.0 (September 11th, 2014)

  • 2014-07-07 Change in behaviour: if relaying is allowed via STARTTLS or AUTH, and the flag delay_checks is set, then access map entries that deny access using the cltresolve: tag will be overridden. Requested by Matthias Waechter.
  • 2014-06-07 New option -n for milter-regex to check the syntax of a configuration file, e.g., milter-regex -c new.conf -dn would show any errors in new.conf.
  • 2014-06-05 Also print the OpenSSL version string instead of just the version number when requested (smtps/smtpc -VV).
  • 2014-05-31 Handle temporary map lookup failures for configuration data better.
  • 2014-05-28 Increase the size for values in the access map that contain configuration data, e.g., smtpc_rcpt_conf:. The size was not increased when new options were added, thus possibly causing temporary lookup failures.

New in version 1.0 Alpha 21.0 (February 18th, 2014)

  • A new flag for the tls section (smtps only) has been added: request_cert: request a (client) cert. This flag is set by default and can be turned off via the usual negation methods, e.g., dont_request_cert.
  • The SMTP test client smtpc2 supports STARTTLS.
  • The size of cert information (cert_subject, cert_issuer) has been limited to SM_TLS_NAME_MAX (1024). Data that is longer will now be truncated; previously no data would have been recorded if a maximum size was exceeded.
  • If the compile time option FFR_CERT_PINNING is set then smtpc will try to handle TLS handshake failures automatically: first it will try different TLS versions (1.0, 1.1, 1.2) if those are available, and finally it will fall back to not using STARTTLS with that server (based on IP address) again. See doc/README.* for details.

New in version 1.0 Alpha 20.0 (January 21st, 2014)

  • 2014-01-18 Cert pinning is available as experimental feature (compile time option FFR_CERT_PINNING).
  • 2014-01-16 Read errors in smtps are now logged as NOTICE instead of WARN as there are too many clients that simply disconnect.
  • 2014-01-15 tls_requirement violations are logged as WARN (instead of INFO or NOTICE).
  • 2014-01-09 The SMTP test servers smtps{2,3} support STARTTLS now too.
  • 2013-12-24 mcp now also handles "soft" errors to avoid repeated restarts of services.
  • 2013-12-22 mcp will no longer try to restart services that depend on a permanently failed service.

New in version 1.0 Alpha 19.0 (December 27th, 2013)

  • 2013-12-18 MeTA1 smtps crashed on recent FreeBSD/OpenBSD versions running amd64 due to a misaligned stack in sha1_block_data_order_ssse3. A workaround has been implemented for statethreads, but it is not yet clear whether this is the proper fix.
  • 2013-12-12 Fix DKIM tests on some 64 bit platforms. Note: the problem affected only some tests (they were written in a platform-dependent way), not the DKIM signing code itself.
  • 2013-12-07 If MTA_TLS_DEBUG is used as compile time option, information about TLS handling (esp. handshake) is logged.
  • 2013-12-03 Details about TLS problems during an SMTP session are now logged with the session id to make it easier to correlate them (previously it was basically just a dump of ERR_get_error_line_data(3)).
  • 2013-11-29 INCOMPATIBLE CHANGE: The lookup algorithm in maps for IP addresses now requires that subnets end with their delimiter (./:), similar to subdomains. Otherwise it is not clear what
      cltaddr:10 relay
    means: an IPv4 or an IPv6 net? This removes the ambiguity:
      cltaddr:10: relay
      cltaddr:10. relay
    Affected tags are cltaddr, icm, icr, oci, ocm, ocr, octo, smtpc_session_conf. Note: cltaddr can also appear in the RHS for protectedrcpt.
  • 2013-11-28 Add IPv6 support for cltaddr: values in protectedrcpt.
  • 2013-11-23 contrib/femail.c: fixed dot stuffing algorithm so leading dots are not lost.
  • 2013-11-20 IPv6 addresses are represented in the "non-compressed" form, i.e., "::" to denote a sequence of zeros is not used. This allows the map lookup mechanism, which works by removing less significant parts of the address, to function for IPv6 as well.
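A model of the map lookup described in the 2013-11-29 and 2013-11-20 entries, as an added example that is not MeTA1's own code: the exact key sequence (full address first, then successively shorter prefixes, each ending with its delimiter) and the spelling of IPv6 groups without leading zeros are assumptions; the access map entries are constructed.

```python
import ipaddress
from typing import Optional

# Constructed access-map entries (not from any real configuration).
ACCESS_MAP = {
    "cltaddr:10.": "relay",       # IPv4 net 10/8
    "cltaddr:10.1.2.": "reject",  # more specific IPv4 net 10.1.2/24
    "cltaddr:10:": "reject",      # IPv6 net 10::/16
    "cltaddr:10": "relay",        # old ambiguous form: never matched now
}


def noncompressed(ip: ipaddress.IPv6Address) -> list[str]:
    """Spell an IPv6 address with '::' expanded into explicit zero groups.

    Leading zeros inside a group are dropped (assumption about the exact
    spelling); what matters is that every group is present, so that
    prefixes can be cut at group boundaries.
    """
    return [f"{int(g, 16):x}" for g in ip.exploded.split(":")]


def lookup_keys(addr: str, tag: str = "cltaddr") -> list[str]:
    """Keys tried for addr, most specific first (assumed order)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        parts, delim = str(ip).split("."), "."
    else:
        parts, delim = noncompressed(ip), ":"
    keys = [f"{tag}:{delim.join(parts)}"]  # exact address first
    # Then drop the least significant part, keeping the trailing delimiter
    # so that a prefix key is unambiguous ("10." vs "10:").
    for n in range(len(parts) - 1, 0, -1):
        keys.append(f"{tag}:{delim.join(parts[:n])}{delim}")
    return keys


def lookup(addr: str, amap: dict = ACCESS_MAP,
           tag: str = "cltaddr") -> Optional[tuple[str, str]]:
    """Return (matched key, RHS) for the first key present in the map."""
    for key in lookup_keys(addr, tag):
        if key in amap:
            return key, amap[key]
    return None


if __name__ == "__main__":
    for a in ("10.9.9.9", "10.1.2.3", "10::1", "192.0.2.1"):
        print(a, "->", lookup(a))
```

Note that the old-style entry "cltaddr:10" is never consulted for either address family, which is exactly why it must be rewritten with a trailing delimiter.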

New in version 1.0 Alpha 18.0 (November 26th, 2013)

  • Do not start smar if no nameservers are available. This can only happen if no nameservers are given in the configuration, the flag use_resolvconf is not explicitly cleared, and /etc/resolv.conf does not contain any nameserver entries. If the flag is cleared then smar uses 127.0.0.1 by default.
  • Be less restrictive about what is considered a "good enough" result for DNS lookups. Previously it was required to receive an address record for at least one of the lowest preference MXs, now receiving an address record for any MX is sufficient. This will at least get the mail closer to its destination instead of waiting for the DNS problem to be resolved.
  • Add experimental, untested, support for certificate revocation lists: CRL_file and CRL_directory.
  • Log session id in tls_verify_cert_cb so the information can be correlated with the correct session.
  • New option cert_fps for tls_requirements which can be used to specify a list of (SHA-1) fingerprints, one of which must match the fingerprint of the cert presented by the server.
  • New option root_ca_subjects for tls_requirements which can be used to specify a list of CNs, one of which must match the CN of the root CA cert that signed the cert presented by the server.

New in version 1.0 Alpha 17.0 (November 4th, 2013)

  • 2013-10-19 New option for tls section: verify_depth: this specifies the limit up to which depth certificates in a chain are used during the verification procedure. If the certificate chain is longer than allowed, the certificates above the limit are ignored (quoted from SSL_CTX_set_verify_depth(3)).
  • 2013-10-17 Work around a (linker?) problem on Darwin so MeTA1 configures, compiles, and works on it. Tested on Darwin 12.4.0 using Apple LLVM version 5.0 (clang-500.2.75) (based on LLVM 3.3svn), Target: x86_64-apple-darwin12.4.0.
  • 2013-10-12 Enhance logging for TLS requirement violations in smtpc.

New in version 1.0 Alpha 16.0 (October 21st, 2013)

  • It is now possible to override a DNSBL rejection via a "from:" entry too, provided the RHS is quick:ok.
  • subjectAltName entries in certs are now extracted, provided they are of type DNS, and can be used for the new option "hostnames" in tls_requirements.

New in version 1.0 Alpha 15.0 (August 29th, 2013)

  • 2013-08-24 Use the appropriate time_t related macros/functions from the library when transferring data (DEFEDB).
  • 2013-08-21 Fix configure script to detect getaddrinfo() on SunOS 5.x.
  • 2013-04-26 Upgrade statethreads to 1.9: adds support for Darwin and more event systems, e.g., kqueue and epoll.
  • 2013-04-26 Fix configuration on systems that need nameser_compat.h.

New in version 1.0 Alpha 14.0 (December 3rd, 2012)

  • 2012-11-29 Enable basic DH support for STARTTLS in SMTP server.
  • 2012-11-02 If a limit for outgoing connections was reached, the scheduler previously only tried other servers with the same MX preference (in contrast to actual temporary SMTP problems, which of course go through all available servers as specified in the RFCs). This behaviour was changed to try the next server even if it has a different MX preference, in order to speed up delivery. The previous behaviour was implemented to avoid hitting "off site backup MX" servers, which could make the overall delivery to the actual recipient take longer; however, it seems very few sites still use that kind of setup.