forked from trusteddomainproject/OpenDKIM
OPENDKIM RELEASE NOTES
This listing shows the versions of the OpenDKIM package, the date of
release, and a summary of the changes in that release.
2.11.0 2018/11/??
Add support for ED25519 keys. GNUTLS support provided by
Dilyan Palauzov.
Add "header.s" and "header.a" in generated Authentication-Results
header fields.
Add _FFR_CONDITIONAL, experimental support for conditional DKIM
signatures.
Make odkim.internal_ip() available to all Lua hooks. Problem noted
by Iosif Fettich.
Make bind code DNSSEC-aware. Patch from Jack Bates.
Upgrade to OpenSSL 3, using APIs that are not deprecated in OpenSSL 3
but are already present in OpenSSL 1.1.1. Patch by David Bürgin
(PR #162)
Extend KeyTable to specify signing algorithm.
Patch from Yasuhito Futatsuki. (PR #202)
Add config file option CheckSigningTable to determine whether the
content of SigningTable is checked when the config file is loaded,
and a command line option to force the option on or off.
Patch from @r-a-z-v-a-n on GitHub (PR #228)
Fix dkimf_db_nextpunct() so it doesn't incorrectly identify an encoded
hex digit as a value delimiter.
Fix issue #8: The password file critical section isn't big enough.
Patch from Dilyan Palauzov.
Fix issue #9: Plug a few failure mode memory leaks. Patch from
Dilyan Palauzov.
Fix issue #15: Don't automatically skip the body when one mode (sign
or verify) doesn't need it, because the other one might.
Patch from Dilyan Palauzov.
Fix issue #28: RequiredHeaders should report and log the specific
error and reject the message, as documented. Patch from
Dilyan Palauzov.
Fix issue #222: When the "Minimum" option is set, don't treat
empty body as partial. Patch from Yasuhito FUTATSUKI
(PR #223).
Fix bug #234: Make "NoHeaderB" do something. Reported by Joseph
Coffland.
Fix bug #235: Quote "header.b" values in case they contain a slash
(which must be quoted).
Fix bug #237: Fix processing of "SoftStart".
Fix issue #24: Insert initial headers like Authentication-Results
before the MTA’s Received header. Patch from @fanto666
on GitHub, PR by David Bürgin (PR #126).
Fix issue #128: Reorder mlfi_close logic, fixing a use-after-free error.
Reported by @apircalabu on GitHub. Patch by David Bürgin
(PR #129).
Fix issue #148: Delete Authentication-Results headers in reverse.
This fixes the bug with "KeepAuthResults = no" where opendkim
could not remove headers correctly (CVE-2022-48521).
Patch from David Bürgin (PR #189).
Fix an issue with the DNS query for the public key, which failed if
the response contained a DNAME type RR. Patch from
Andreas Jobs (PR #156)
Fix a bug in the Lua script interface: fix the stack level after
registering odkim functions when using Lua >= 5.2. Patch from
Yasuhito Futatsuki. (PR #201)
Fix function signature of vbr_strlcpy in libvbr. Patch from
Michael Orlitzky (PR #171).
Fix sample script screen.lua.sample, off-by-one error and
typo in function name. Patch from link2xt (PR #195)
Fix AR header parser so that it accepts a "no-result" result
as valid syntax. Patch from Yasuhito Futatsuki (PR #205)
Fix issue #191: odkim.del_header should delete the actual requested
header number. Patch by Benoit Branciard (PR #212).
Fix issue #213: The Lua final policy script functions odkim.add_rcpt,
odkim.del_rcpt, odkim.del_header and odkim.quarantine
can actually work regardless of other configuration
parameters. Patch from Benoit Branciard (PR #211).
Fix a bug on usage of struct dkimf_dstring type in mlfi_eoh().
Patch from Michael Orlitzky (PR #214).
Fix crash on config load when specifying a memcache as SigningTable.
Patch from Yasuhito Futatsuki (PR #219).
Fix issue #229: Make the consistency check of SigningTable and KeyTable
on config load work correctly.
Patch from Yasuhito Futatsuki (PR #230).
CONFIG: Add compatibility with openssl-1.1.0. Patch from
Scott Kitterman.
CONFIG: Add missing ReplaceHeaders definition. Patch from
Toby Ovod-Everett, Reported again by Harald Dunkel,
GitHub PR by David Bürgin (SF bug #257; PR #125)
CONTRIB: Simplify some logic in contrib/repute. Patch from
Dilyan Palauzov.
LIBOPENDKIM: Feature request #190: Reject signature object requests
where the domain name or selector includes non-printable
characters. Suggested by Franck Martin.
LIBOPENDKIM: Re-fix bug #226: Deal with header fields that are
wrapped before there's any content. Somehow the wrong fix
was committed. Originally reported by Alessandro Vesely;
re-reported by David Stevenson.
LIBOPENDKIM: Fix bug #233: In the weird case of duplicate signatures,
constrain the size of the resulting "header.b" value. Problem
noted by Joseph Coffland.
LIBOPENDKIM: Fix bug #270: Don't set an upper bound on the size of
the canonicalization buffer, which interferes with processing
oversized input lines. Reported by Mars Peng.
LIBOPENDKIM: Fix parsing bug in dkim_mail_parse_multi(), where quotes
were not being properly handled.
LIBOPENDKIM: Fix implicit function declaration for snprintf.
Patch from Michael Orlitzky (PR #170).
LIBOPENDKIM: Expose the conversion table between internal codes already
provided as DKIM_ macros and their literal names as C strings.
Patch from Yasuhito Futatsuki (PR #207).
LIBOPENDKIM: Extend dkim_test_key() to allow testing an ed25519 key,
as dkim_test_key2(). For API compatibility, function interface
of dkim_test_key() is not changed, but it only calls
dkim_test_key2(). Patch from Yasuhito Futatsuki (PR #208).
BUILD: Fix function signature of main() in configure. Patch from
Michael Orlitzky (PR #171).
BUILD: Fix pkgconfig names of Cyrus SASL and OpenLDAP in configure.
Patch from Michael Orlitzky (PR #192).
BUILD: Fix issue #203: Include header files required by resolv.h
before using it in res_ninit detection in configure.
Patch from Yasuhito Futatsuki (PR #204).
BUILD: libvbr/vbr.c: include <stdio.h> for vsnprintf().
Patch from Michael Orlitzky (PR #220).
TOOLS: Feature request #187: Add option to match subdomains when
generating zone files. Patch from Andreas Schulze.
TOOLS: opendkim-genkey: Use a functional test for OpenSSL ed25519
support rather than a hardcoded openssl version check, for
openssl 3.0+ compatibility. Patch from Geert Hendrickx.
(PR #135)
TOOLS: issue #183: On opendkim-testkey, add support for ed25519 keys.
Patch from Yasuhito Futatsuki (PR #208).
2.10.3 2015/05/12
LIBOPENDKIM: Make strict header checking non-destructive. The last
change to this code resulted in failing signatures. Reported
by Pedro Morales and Wez Furlong.
2.10.2 2015/05/10
Fix bug #221: Report a DKIM result of "policy" if MinimumKeyBits
or UnprotectedKey cause the signature to result in a "pass"
override. Reported by Kurt Roeckx.
Fix bug #227: Revert removal of SenderHeaders configuration setting.
Document that it is now limited to signature selection.
LIBOPENDKIM: Fix bug #226: Deal with header fields that are
wrapped before there's any content. Reported by
Alessandro Vesely.
CONTRIB: Update to contrib/systemd/opendkim.service.in from
Steve Jenkins.
2.10.1 2015/02/03
Fix bug #214: Handle arbitrarily large From: fields. Reported by
Tomohiko Sasaki.
Fix bug #220: Make DB_SIGNINGTABLE symbol available in Lua scripts.
Problem noted by Klaus Heinrich.
LIBOPENDKIM: Fix bug #213: Remove "dkim_default_senderhdrs" from
dkim.h. Problem noted by Daniel J. Luke.
LIBOPENDKIM: Fix bug #219: Unresolved CNAMEs are not failures,
according to the DNS (see RFC6604), so report them as
NXDOMAIN or similar. Reported by Alessandro Vesely.
2.10.0 2014/12/27
Feature request #182: Remove "AddAllSignatureResults". All signature
results will now be added via Authentication-Results header
fields. Requested by Tomki Camp.
Feature request #180: Rename "LDAPSoftStart" to "SoftStart" and apply
it to SQL connections as well. Requested by Daniel Kauffman.
Feature request #179: Add "IgnoreMalformedMail" option.
Fix bug #183: Discontinue support for ADSP. This removes the
following configuration file items:
AddAllSignatureResults LocalADSP
ADSPAction NoDiscardableMailTo
ADSPNoSuchDomain On-PolicyError
BogusPolicy SendADSPReports
DisableADSP SenderHeaders
LDAPSoftStart UnprotectedPolicy
Make "rrvs" and "smime" recognized Authentication-Results methods.
LIBOPENDKIM: Feature request #157: Add dkim_mail_parse_multi().
Suggested by Alessandro Vesely.
LIBOPENDKIM: Feature request #185: Add dkim_set_dnssec(). Patch
from Alec Peterson.
LIBOPENDKIM: Fix bug #183: Discontinue support for ADSP. This
means all of the following:
- the dkim_policy_t type has been removed
- the DKIM_POLICY_* constants have been removed
- the DKIM_PRESULT_* constants have been removed
- passing DKIM_OPTS_SENDERHDRS to dkim_options() now
results in an error
- the DKIM_PSTATE structure has been removed
- all of the following functions have been removed:
dkim_policy(), dkim_policy_dnssec(),
dkim_policy_getqueries(), dkim_policy_getreportinfo(),
dkim_policy_state_free(), dkim_policy_state_new(),
dkim_policy_syntax(), dkim_getpolicystr(),
dkim_getpresult(), dkim_getpresultstr(),
dkim_set_policy_lookup(), dkim_test_adsp()
LIBOPENDKIM: DKIM_LIBFLAGS_STRICTHDRS now also confirms syntactical
validity of the From field before proceeding with a signing or
verifying operation. Suggested by Wez Furlong.
CONTRIB: Fix bug #207: Clean up the "stats" directory.
CONTRIB: Add "repute" directory which could eventually replace the
PHP implementation. Submitted by Daniel Black.
CONTRIB: Patches to systemd and init/redhat from Steve Jenkins.
2.9.3 2014/12/27
Fix bug #177: Plug leaking "result" structures when OpenLDAP is in use.
Truncate configuration file lines at carriage return.
Replace overlapping strlcpy() with memmove() in dkim_get_key_file().
Reported by Daniel J. Luke.
Patch #32: Re-arrange the execution logic to drop privileges in
proper order.
LIBOPENDKIM: dkim_header() is now a lot more strict about the input
it will accept (see RFC5322 Section 2.2).
LIBOPENDKIM: Tighten relaxed modes to break on only DKIM-defined
whitespace characters. Problem noted by Elizabeth Zwicky.
LIBOPENDKIM: Fix bug #208: If a signature fails to verify for either
reason (header hash mismatched or body hash mismatched), set
DKIM_SIGERROR_BADSIG so that Authentication-Results doesn't
report a failure with "no signature error".
TOOLS: Feature request #178: Add "-F" flag to opendkim-genzone so
records are created with the FQDN. Patch from Andreas Schulze.
REPUTATION: Handle parameters safely in repute.php. Reported by
Daniel Black.
2.9.2 2014/04/02
Fix some conflicting unit tests. Reported by Eray Aslan.
BUILD: Fix bug #195 part II: Compile all binaries with pthreads
support as needed by libopendkim features. Reported by
Walter Haidinger.
BUILD: Fix packaging damage with autobuild. Reported by Andreas
Schulze.
2.9.1 2014/03/15
Feature request #177: Add "LuaOnlySigning" so that only the Lua setup
script makes signing requests; suppresses automatic application
of the signing table. Requested by Daniele Orlandi.
Fix bug #185: odkim.signfor() wasn't processing its arguments
properly. Reported by Daniele Orlandi.
Fix bug #199: Fix use of uninitialized buffer when generating
SMTP response strings due to ADSP rejections. Problem
noted by Ache.
Fix infinite loop when mlfi_connect() is called with a hostname
starting with a "." character. Reported by Philip Guenther.
Fix loading of refiles when trailing spaces are present in the value.
Problem noted by Amal Francis.
LIBOPENDKIM: Only call dkiml_dns_close() if there was a
dkiml_dns_service handle set by dkiml_dns_init(). Also,
when closing, reset that handle to NULL.
LIBOPENDKIM: The various dkim_dns_set_*() functions, when passed a
NULL function pointer, merely store it, making the
corresponding function a no-op. Previously, doing
so restored the default.
LIBOPENDKIM: Have dkim_sig_getreportinfo() return descriptors
(if available) regardless of the signer's reporting parameters.
Problem noted by Wez Furlong.
BUILD: Fix bug #188: Clean up last remnants of libstrl.
BUILD: Fix bug #190: Check for HAVE_SUN_LEN in opendkim-db.c.
Problem noted by Patrick Laimbock.
BUILD: Fix bug #191: Better minimum version checks for libmemcached.
Problem noted by Patrick Laimbock.
BUILD: Fix bug #192: Different test for libevent, from Patrick
Laimbock.
BUILD: Fix bug #193: Don't throw away user-provided compilation
variables. Problem noted by Quanah Gibson-Mount.
BUILD: Fix bug #195: Compile opendkim-genzone with pthreads support.
Reported by Walter Haidinger.
BUILD: Fix bug #202: Fix pkg-config check for GNUTLS. Reported by
Dilian Wesselinov Palauzov.
BUILD: Fix bug #203: opendkim-genzone requires pthreads.
BUILD: Patch #29: Look for libmilter in lib64. Patch from
Dilian Wesselinov Palauzov.
BUILD: Patch #30: Include libdl when linking in Lua. Patch from
Dilian Wesselinov Palauzov.
BUILD: Don't throw away user-provided compilation variables.
Problem noted by Quanah Gibson-Mount.
BUILD: Rename "--with-mdb" to "--with-lmdb" for consistency
with that package's naming conventions.
CONTRIB: Fix bug #184: Update to contrib/systemd/opendkim.service
from Steve Jenkins.
MILTERTEST: Add "polite" flag to mt_disconnect().
TOOLS: Fix bug #187: Increase buffer size for the private key in
opendkim-testkey. Problem noted by Andreas Schulze.
TOOLS: Fix opendkim-spam to match the schema found in stats/mkdb.mysql.
Problem noted by Benny Pedersen.
2.9.0 2013/12/09
NOTE: During the development cycle for this release, SourceForge
changed their bug numbering system. Bug numbers are recorded
here as they were generated by the current system at the time
they were filed. The older ones (prefixed "SF") have since
been renumbered or may no longer be in the system.
Feature request #169: Discontinue libxml2 support in the reputation
code.
Feature request #174: Drop internal libstrl implementation.
Feature request #175: Discontinue support for libdkimrep.
Feature request #176: Update to the final REPUTE RFCs.
Activate _FFR_REDIRECT.
Fix bug #178: Add support for "dmarc" as an authentication method
(though it hasn't been formally registered yet) and fix
a minor Authentication-Results parsing problem. Problem
noted by Martin Kauchler.
Fix bug #179: Correct handling of SignatureTTL. Problem noted by
Kyle Cummings.
Fix bug #180: Drain results object when doing a DB walk of a postgresql
table. Problem noted by Szucs Adam.
Fix bug #182: Add an Authentication-Results header field even for
messages with no valid From: field or a fatal structural
violation. Reported by John Wood.
Teach dkimf_db_walk() about LDAP soft starting, and don't escape the
forced "*" when walking. Also handle incorrect attribute
counts without causing an assertion failure. Problem noted
by Andreas Schulze.
Call dkimf_config_free() on shutdown so that all DBs get properly
closed and everything gets deallocated.
LIBOPENDKIM: Fix bug #168: Report an unresolved CNAME for ADSP records
as simply absent. Suggested by Eugene Crosser.
LIBOPENDKIM: Add DKIM_LIBFLAGS_REQUESTREPORTS to request that an
"r=y" tag be added to signatures, per RFC6651.
TOOLS: Fix boundary condition in opendkim-testmsg. Reported by
Wez Furlong.
DOCS: Feature request #168: Improve documentation of signature
verification failure debugging features.
DOCS: Feature request #172: Describe socket selection procedure in
detail, and mention selinux command to get set up. Suggested
by Kevin San Diego.
2.8.4 2013/07/15
Fix bug #169: Add "::1" to the default InternalHosts list. Suggested
by Norbert Aschendorff.
Fix bug #171: Escape "+" character in regex generation. Reported
by Scott Kitterman.
Fix bug #172: Repair broken AutoRestartRate logic. Patch from
Sho Kubata.
Fix bug #SF3603525: Discard duplicate results from non-DKIM methods.
Problem noted by John Wood.
Fix bug #SF3611976: Fix up quarantine option handling. Problem noted
by Claus Assmann.
TOOLS: Fix bug #SF3609716: Fix meaning of "-S" in opendkim-genkey.
Problem noted by Quanah Gibson-Mount.
BUILD: Fix bug #SF3612816: Build compatibility with Lua 5.2. Patch
from Hirohisa Yamaguchi.
2.8.3 2013/05/04
Log something when refusing to sign because the private key was too
small. This also adds a new "On-SignatureError" handler
setting, and a new status code DKIM_STAT_SIGGEN. Problem
noted by Jim Fenton.
Fix application of "On-InternalError" setting. Problem noted by
Claus Assmann.
Feature request #SF3609496: Don't apply reputation checks to internal
clients.
2.8.2 2013/03/27
Authentication-Results tokens should be checked without case
sensitivity. Problem noted by Chris Meidinger.
Fix snprintf() arguments in dkimf_checkfsnode(). Problem noted by
Scott Kitterman.
CONTRIB: Patch #SF3608716: Fixes to spec/opendkim.spec.in from
Kouhei Sutou.
2.8.1 2013/03/19
Fix bug #SF3607071: Report the reason why a key file is determined
to be unsafe. Problem noted by Doug Barton.
Fix bug #SF3607072: When checking for key file safety, take any
"-u" value provided on the command line into account.
Problem noted by Doug Barton.
Fix bug #SF3608401: Solaris 10 doesn't have strsep(). Problem noted
by Bryan Costales.
BUILD: Fix build for versions of libdb between 3.1 and 4.6.
Problem noted by John Wood.
2.8.0 2013/02/25
Feature request #SF2964383: Add DKIM_LIBFLAGS_STRICTRESIGN, which
inhibits signing of a handle tagged for resigning when the
attached verifying handle had no valid signatures in it.
Feature request #SF3155117: Do a more thorough check for writeable
key files, checking more of the filesystem permission tree.
Feature request #SF3530734: Add "LDAPDisableCache", which suppresses
the creation of a local cache in front of LDAP queries.
Requested by Quanah Gibson-Mount.
Feature request #SF3547359: If compiled with libcurl, add "SMTPURI"
configuration option that allows direct SMTP transmission
failure reports. Requested by Andreas Schulze.
Feature request #SF3578197: Allow per-message override of the list of
header fields to be signed. Requested by Alec Peterson.
Feature request #SF3590860: Combine collected reputation values into
an overall allowed rate under _FFR_REPRRD, as is done for the
other reputation code.
Feature request #SF3598991: Add odkim.signfor() function to the Lua
setup script. Requested by Marcin Owsiany.
Feature request #SF3599409: Modify dkimf_checkip() to try surrounding
the IP address part of every query with square brackets, which
is a common way to do IP address literals in email contexts.
Requested by Quanah Gibson-Mount.
Fix bug #SF3531477: Add (hopefully temporary) configuration option
"DisableCryptoInit" so that opendkim's initialization of the
crypto library doesn't conflict with the same work done by
other libraries. Reported by Quanah Gibson-Mount.
Fix bug #SF3599901: Rename "InsecureKey" to "UnprotectedKey" and
"InsecurePolicy" to "UnprotectedPolicy", as the term "insecure"
in reference to a key is sometimes interpreted to mean "not
enough random bits" rather than as a keyword describing the
presence or absence of DNSSEC protection. What's logged in
Authentication-Results header fields has been similarly
modified. Suggested by Scott Kitterman.
Fix bug #SF3604525: Don't divide by zero when the query cache hasn't
been used. Reported by Denis Klimov.
Protect against handling of signatures with empty domains, which could
cause a NULL dereference and a crash. Problem noted by
Motohiro Ishiyama and John Wood.
Do ATPS checks when enabled even if ADSP is disabled.
Don't fail to start on empty or null configuration files. Problem
noted by Steve Jenkins.
Patch #SF3593422: Update for MDB 0.9.5 support. Patch from
Quanah Gibson-Mount.
LIBOPENDKIM: Fix header canonicalization when DKIM_LIBFLAG_FIXCRLF is
used in combination with dkim_chunk(). Problem noted by
Dave Kelly and Heather Lord.
LIBOPENDKIM: Enable dkim_getcachestats() and the underlying function
to extract the current number of keys in the cache, and also
provide a counter reset mechanism.
BUILD: Feature request #SF3547151: Check for Lua package name variants
in use on Debian. Requested by Scott Kitterman.
BUILD: Feature request #SF3599902: Change OpenSSL existence test
to help with Debian packaging. Requested by Scott Kitterman.
BUILD: Add "--with-test-socket" to force all of the filter unit tests
to use a specific socket. Based on a bug report from
Scott Kitterman.
BUILD: Add checks for strlcat()/strlcpy() in libbsd. Patch from
Scott Kitterman.
CONTRIB: Fix bug #SF3575666: Pass pid file path to killproc.
Suggested by Christophe Wolfhugel.
CONTRIB: Add systemd directory. Contributed by Steve Jenkins.
CONTRIB: Split out initial key generation function from
contrib/init/redhat/opendkim. Contributed by Steve Jenkins.
MILTERTEST: Don't crash in mt_connect() if the socketspec doesn't
contain a colon.
MILTERTEST: When connect() fails for an AF_INET socket, it apparently
leaves the socket unusable. Discard the socket when that
happens and get a new one.
MILTERTEST: Add a way to extend the mt.connect() retry interval via
environment variables so a large test suite can be easily
extended on slow systems. Problem noted by Scott Kitterman.
TOOLS: Register DNS functions before calling dkim_dns_init() in
opendkim-testkey. Problem noted by Jeff Anton.
TOOLS: Add "-K" (keep temporary files) flag for opendkim-testmsg.
2.7.4 2013/01/06
Fix bug #SF3596147: Allow arbitrarily long configuration file lines.
Based on a patch from Daniel Black.
Fix bug #SF3596229: Fix logging of signature errors, which logged
the domain name twice instead of the domain name and the
selector. Patch from Daniel Black.
Safely handle incoming Authentication-Results fields with a large number
of tokens. Problem noted by Motohiro Ishiyama and John Wood.
Avoid mixing up status codes when processing conf_logresults, leading
to confusing log entries. Problem reported by John Wood.
Fix ADSP logging. Problem noted by Claus Assmann.
2.7.3 2012/11/29
Log DB error string in dkimf_add_signrequest(), and fix a DSN handling
error in dkimf_db_strerror(). Problem noted by
Simone Caruso.
LIBOPENDKIM: Ignore entries in the oversign header field name list
that are empty, and an oversign header field name list that
is present but empty. Problem noted by Alec Peterson.
LIBOPENDKIM: Allow header field lists to be empty, flushing any that
were previously defined. Problem noted by Alec Peterson.
BUILD: Improve tests for including <strl.h>. Based on a patch from
Eray Aslan.
REPUTATION: Use lowercase for keywords in REPUTE query generation
and handling.
STATS: Clean up a dead link in opendkim-genstats. Patch from Andreas
Schulze.
2.7.2 2012/11/14
Log the author domain name when rejecting or discarding due to ADSP.
LIBOPENDKIM: Improve re-entrancy of dkim_eoh() when verifying.
Requested by Alec Peterson.
LIBOPENDKIM: Only do a single read attempt of a private key under
GNUTLS to avoid hiding a useful error code. Problem noted
by Alec Peterson.
STATS: Add long option support for opendkim-importstats. Based on
a patch from Christian Roessner.
STATS: Fix overly-strict domain name rules in opendkim-reportstats.
Reported by Christian Roessner.
TOOLS: Fix opendkim-genkey subdomains default. Problem noted by
Quanah Gibson-Mount.
TOOLS: Fix opendkim-testmsg GNUTLS initialization. Problem noted
by Alec Peterson.
TOOLS: Add ability to assert a reporter ID to opendkim-spam. Based
on a patch from Christian Roessner.
TOOLS: Add ability to skip a fixed number of Received: fields.
Problem noted by Christian Roessner.
TOOLS: Print a warning when asked to generate a key smaller than
the recommended minimum.
BUILD: Fix bug #SF3585163: Use a provided libstrl if detected.
Based on a patch from Eray Aslan.
BUILD: Portability fixes for Solaris 10 from Claus Assmann and
Leena Heino.
2.7.1 2012/10/30
Fix bug #SF3581657: Fix faulty logic in LDAP open code. Problem noted
by Quanah Gibson-Mount.
Fix bug #SF3581743: Properly handle NULLs returned from OpenDBX
queries and low field counts in dkimf_db_walk(). Problem
noted by Adam M. Jacques.
In the _FFR_REPUTATION code, free JSON objects when done with them.
TOOLS: Fix argument parsing in new version of opendkim-genkey.
Problem noted by Steve Jenkins.
2.7.0 2012/10/24
Feature request #SF2964375: Reject configuration files that have
a SigningTable referencing a missing or malformed KeyTable
entry.
Feature request #SF3544764: Support for libar has been discontinued.
For asynchronous and/or thread-safe resolver service,
use libunbound or a suitable version of BIND.
Feature request #SF3545658: Replace "ResolvConf" with "Nameservers"
and add support for NS list overrides for versions of bind
that have res_setservers(). Also rename "UnboundConfigFile"
to "ResolverConfiguration", and make "TrustAnchorFile"
generally available.
Feature request #SF3547124: Skip reputation checks on passing
signatures whose keys had a "t=y" value.
Feature request #SF3555842: Add "ReputationTest" setting. Requested
by Andreas Schulze.
Feature request #SF3556439: Update opendkim-atpszone per RFC6541.
Feature request #SF3559744: Add library option DKIM_OPTS_MINKEYBITS
allowing one to specify a minimum number of key bits for
acceptable keys and signatures. This is exposed through new
configuration file option "MinimumKeyBits". The default
is 1024.
Fix bug #SF3536414: Activate _FFR_OVERSIGN, and remove
DKIM_OPTS_ALWAYSHDRS.
Fix bug #SF3536655: Rename "X-Header" to "SoftwareHeader", and rename
all header fields added that start "X-" to remove that prefix,
per RFC6648. The old name will be accepted through the end
of the 2.7.x line.
Fix bug #SF3538896: Remove antiquated CVS Id: tags, which cleans up
some (harmless) build warnings. Suggested by Andreas Schulze.
Fix bug #SF3548741: Add "ReputationTimeout" for use inside
_FFR_REPUTATION, rather than using the built-in default
or a hard-coded one.
Fix bug #SF3549307: Remove _FFR_REPUTATION_CACHE, as it is redundant
to caching code that's part of _FFR_REPUTATION already.
Fix bug #SF3555844: Get repute client code in sync with repute.php
(and the current REPUTE WG drafts). Problem noted by
Andreas Schulze.
Fix bounds checking in the dstring printf functions.
Fix loop structure in the C side of odkim.get_rcpt(). Problem
noted by Todd Lyons.
Change all temporary directory defaults from /var/tmp to /tmp.
Activate _FFR_LUA_GLOBALS.
Request the milter permissions required to get _FFR_REDIRECT working.
Patch from Andreas Schulze.
Add _FFR_REPRRD, which is a second approach to DKIM-based reputation
using round robin databases and Holt-Winters forecasting
using rrdtool (see http://oss.oetiker.ch/rrdtool/). Still
experimental.
Patch #SF3555843: With sufficient verbosity, report the default
configuration file path. Patch from Andreas Schulze.
BUILD: Fix bug #SF3531658: Move the strlcat() and strlcpy()
implementations to their own library so that programs don't
drag in crypto and other dependencies they don't need.
Also clean up several other unnecessary dependencies imposed
by imprecise use of autoconf. Problem noted by Andreas
Schulze.
BUILD: Patch #SF3555845: Add support for older versions of libcurl.
Based on a patch by Andreas Schulze.
BUILD: Install non-user things in sbin instead of bin. Suggested
by Andreas Schulze.
LIBOPENDKIM: Feature request #SF3565006: Add dkim_add_querymethod()
and dkim_sig_seterror(), define DKIM_CBSTAT_DEFAULT, and
remove an assertion in dkim_get_key_dns(), which together
allow for applications to develop non-standard key retrieval
mechanisms. Suggestion and patches from Ken Murchison.
LIBOPENDKIM: Fix bug #SF3559080: Log correct domains and selectors
with SSL errors.
LIBOPENDKIM: Add DNS functions dkim_dns_config(), dkim_dns_init(),
dkim_dns_nslist(), dkim_dns_set_init(), dkim_dns_set_close(),
dkim_dns_set_nslist(), dkim_dns_set_config(),
dkim_dns_set_trustanchor(), dkim_dns_trustanchor().
LIBOPENDKIM: Patch #SF3562496: Add DKIM_OPTS_REQUIREDHDRS to allow
alteration of the mandatory header field set. Patch from
Ken Murchison.
LIBOPENDKIM: If "q=" is present and method "dns" is specified, it
must be followed by "/txt", per RFC6376.
LIBOPENDKIM: For dkim_add_xtag(), copy the provided values so the
caller doesn't have to keep them around.
LIBOPENDKIM: Allow dual signing of a single body with dkim_resign().
Suggested by Ken Murchison.
STATS: Fix bug #SF3555847: Add "--nocircles" to opendkim-gengraphs
to allow operation with versions of gnuplot that don't know
what "with circles" means. Problem noted by Andreas
Schulze.
STATS: Patch #SF3555841: Temporary table SQL correction. Patch from
Andreas Schulze.
TOOLS: Feature request #SF3553918: Add "-u" flag to opendkim-atpszone
and opendkim-genzone enabling them to produce output suitable
for use as input to nsupdate(8). Based on a suggestion by
Dave Crocker.
TOOLS: Feature request #SF3558818: Teach opendkim-testkey about the new
"ResolverConfiguration" setting. Based on a problem report
from Patrick Ben Koetter.
TOOLS: Fix bug #SF3565013: Replace opendkim-genkey with a perl script
that knows how to do splitting of character-strings in DNS
TXT records. Problem reported by Todd Lyons.
TOOLS: Fix bug #SF3568846: Add "-t" to opendkim-testmsg to allow
override of the directory where temporary files go. Also,
clean up temporary files after creating them.
TOOLS: Add opendkim-rephistory.
2.6.7 2012/07/23
Fix input handling for file data sets for the macro case. Problem
noted by Allan Wind.
Ensure NULL-termination of macro value tests.
STATS: Fix hang bug in opendkim-reportstats. Problem noted by
Todd Lyons.
STATS: Fix bug #SF3547363: Fix "Top 10" and DNSSEC trend reports.
Problem noted by Andreas Schulze.
2.6.6 2012/07/18
LIBAR: Fix bug #SF3544522: Not all systems define a "_len" member for
the sockaddr structures. Reported by Stevan Bajic.
LIBOPENDKIM: Fix bug #SF3545490: If the body handed to the library was
missing a trailing line terminator, then dkim_canon_closebody()
would end the hashes with some data not included. Now, if
DKIM_LIBFLAGS_FIXCRLF is set, it will detect this condition
and correct it; if not, an error is returned. Problem noted
by James Erickson.
LIBOPENDKIM: If the job ID passed in during handle creation includes
slashes and temporary file creation is enabled, convert the
slashes to dots in the temporary file template. Problem
noted by James Erickson.
2.6.5 2012/07/14
Swap order of "header.d" and "header.i" values in
Authentication-Results fields.
BUILD: Fix bug #SF3543282: Corrections to Darwin/libar build adjustment
made in 2.6.3. Problem noted by Daniel J. Luke.
2.6.4 2012/07/12
Feature request #SF3542099: Include "header.d" in all
Authentication-Results fields, not just "header.i". This
makes life easier for users of OpenDMARC.
BUILD: Fix SHA256 test on some systems. Problem noted by James
Erickson.
2.6.3 2012/07/11
Add "ResolvConf" setting, allowing the ability to pass a
resolv.conf-like file to unbound to allow specific nameservers
to be used instead of the default.
LIBOPENDKIM: Return the correct error code when a SHA1-only library
encounters a SHA1 signature that references a SHA256-only key.
Problem noted by Andrew Birchall.
LIBAR: Add ar_resolvconf().
BUILD: Fix bug #SF3538676: Build with -DDARWIN on MacOSX, and default
to arlib if unbound isn't selected. Patch from Daniel J. Luke.
2.6.2 2012/07/02
Fix build confusion between _FFR_RATE_LIMIT and _FFR_RESIGN.
Problem noted by Rolf Sonneveld.
Fix bug #SF3538639: Fix error when --domain is not provided to
opendkim-genrates. Problem noted by Andreas Schulze.
Fix bug #SF3539449: Clarify legal "Socket" values. Requested
by Scott Kitterman.
Fix bug #SF3539493: Handle certain cases of data set names that
appear to be comma-separated lists which include IPv6
addresses. Reported by Scott Kitterman.
2.6.1 2012/06/25
Restore and activate _FFR_SELECT_CANONICALIZATION. Also adds a
SelectCanonicalizationHeader configuration option.
Remove _FFR_SELECTOR_HEADER.
Update Authentication-Results parsing to understand "dkim-atps"
(RFC6541) and no longer understand "hardfail" (RFC6577).
LIBAR: Fix bug #SF3309946: Ensure the dispatcher doesn't hold the
master lock when it might enter a read wait.
STATS: Add a database index on messages.msgtime to aid with
expiration performance.
TOOLS: Feature request #SF3536385: Add "-a" to opendkim-genkey to
include a domain name in the generated TXT record.
Requested by Quanah Gibson-Mount.
2.6.0 2012/06/07
Feature request #SF3495969: Add support for Lua v5.2.0. Requested
by Rolf Sonneveld.
Feature request #SF3502777: Log all authentication results rather than
relying on logging of Authentication-Results header fields.
Requested by Andreas Schulze.
Feature request #SF3512286: Add "LDAPSoftStart" flag so the filter
doesn't abort on startup when LDAP is not available.
Feature request #SF3512836: Add _FFR_SOCKETDB, which enables support
for a generic socket data set.
Feature request #SF3514982: Add Erlang data set support. Patch
provided by Andre Nathan.
Feature request #SF3516253: Update to newest "repute" working group
documents, which mainly means adding JSON support and
promoting application-specific extensions to the top level
in the reputon structure.
Feature request #SF3518593: Add support for OpenLDAP's MDB as a
data set backend. Requested by Quanah Gibson-Mount.
Feature request #SF3519002: Put reason information inside a "reason"
tag in Authentication-Results header fields rather than in
comments.
Feature request #SF3521000: Log hostname and daemon name (taken from
macros) when logging "no MTA name match". Requested by
Andreas Schulze.
Feature request #SF3524756: Add ability to request TCP keepalive
features via the OpenLDAP client library. Requested by
Quanah Gibson-Mount.
Feature request #SF3529233: Add odkim.get_envfrom() to all Lua scripts.
Requested by Charles Cazabon.
Fix bug #SF3518877: Separate variable expansion from literal text in
opendkim-genkey.
Fix bug #SF3522883: Allow TLS for ldapi URIs. Problem noted by
Quanah Gibson-Mount.
Fix bug #SF3527428: Construct the LDAP URI list properly, rather than
only keeping the last one, and add failover code. Problems
noted by Quanah Gibson-Mount.
Patch #SF3522895: Add contrib/ldap/opendkim.ldif. Contributed
by Quanah Gibson-Mount.
Activate _FFR_XTAGS.
Remove _FFR_SELECT_CANONICALIZATION.
LIBAR: Fix bug #SF3444318: Do proper buffer size calculations to
avoid valgrind warnings about references to unaddressable
space. Reported by Todd Lyons.
LIBOPENDKIM: Fix bug #SF3496041: Remove _FFR_PARSETIME.
LIBOPENDKIM: Fix bug #SF3516653: By default, treat a syntax error
in an ADSP record as an NXDOMAIN. Add new library flag
DKIM_LIBFLAGS_REPORTBADADSP to restore the original
behaviour. Suggested by Scott Kitterman.
LIBOPENDKIM: Fix bug #SF3524865: Disallow generation of signatures
where signer and signing domain don't match per the DKIM
specification. Add DKIM_LIBFLAGS_DROPSIGNER which, if set,
will still generate signatures in that case, but with the
signer omitted so the signature is still compliant.
BUILD: Fix bug #SF3425384: Add missing support for compiling
against libevent2, which is an option for unbound.
Noted by Andreas Schulze.
BUILD: Fix bug #SF3475799: Don't do a manual check for libdb.a.
Use the AC_CHECK_* macros instead.
DOCS: Fix bug #SF3518864: The license for IETF documents is not
compatible with free software licensing, which makes packaging
a bit of a chore. Replace all the text files in the "docs"
directory with a single HTML page that includes links to
all the things we used to include here. Requested by
Scott Kitterman.
STATS: Feature request #SF3110059: Move opendkim-reportstats from
contrib/stats to stats, making it fully supported.
STATS: Feature request #SF3525786: Add opendkim-expire script.
Requested by Andreas Schulze.
STATS: Feature request #SF3528652: Allow a specific list of domains,
possibly read from a file, for opendkim-gengraphs and
opendkim-genrates. Requested by Andreas Schulze.
2.5.2 2012/04/09
Fix bug #SF3496208: Replace stats/opendkim-genstats with a perl
script so it's far more efficient.
Fix bug #SF3514793: Pass proper flags to libdb when creating
temporary LDAP caches. Problem noted by Sergey Romanov.
Fix a crash bug when using LocalADSP with a message with no
parseable From: field. Problem noted by John Merriam.
Fix a crash bug when using LDAP with authentication when LDAPAuthUser
is not defined. Problem noted by Christian Roessner.
STATS: Fix bug #SF3510729: Convert stats/opendkim-gengraphs to a perl
script.
2.5.1 2012/03/15
Fix bug #SF3496131: Fix query cache build problem. Reported by
Dilian Wesselinov Palauzov.
Fix bug #SF3500660: Add Date: header field to generated reports.
Reported by Andreas Schulze.
BUILD: A few subsidiary libraries need to know about -lresolv on
systems that need it. Reported by Scott Kitterman.
STATS: Add "-E" command line flag to opendkim-importstats, forcing
an abort on any input error.
2.5.0 2012/02/29
#####################################################################
### ###
### This release is dedicated to the memory of J.D. Falk, a ###
### tireless champion of anti-abuse technology and collaboration ###
### and a founding member of the Board of the Trusted Domain ###
### Project, a participant in related IETF work, and a long-time ###
### participant and supporter of MAAWG. J.D. was taken by cancer ###
### on November 16, 2011. His enthusiasm and perspective for ###
### all of this work will be sorely missed. ###
### ###
#####################################################################
Feature request #SF3385816: Discontinue DomainKeys support.
Feature request #SF3393282: Update ARF output per
draft-ietf-marf-authfailure-report-03 et seq.
Feature request #SF3406814: Add ability to invoke chroot().
Requested by Andreas Schulze.
Feature request #SF3477908: Update DKIM reporting per
draft-ietf-marf-dkim-reporting-10.
Add "WeakSyntaxChecks" suppressing some short-circuiting error checks
on syntax. Requested by Todd Nagengast.
Allow a set of test files to be passed via "-t" rather than just one.
Add _FFR_REPUTATION, and several new support libraries (in the
libut/ and reputation/ directories) for doing DKIM-based
reputation evaluations of arriving messages. Full
documentation of the algorithms will appear in an upcoming
white paper. This also includes several new configuration
options that make use of reputation data pulled from servers:
ReputationCache
ReputationCacheTTL
ReputationLimits
ReputationLowTime
ReputationMinimum
ReputationLimitModifiers
ReputationRatios
ReputationSpamCheck
ReputationTimeFactor
For now these are briefly documented in reputation/README.
As this subsystem matures, they will be fully documented in
opendkim.conf(5).
Fix bug #SF3471520: Don't crash when the first line of a configuration
file is an "Include" instruction. Reported by Dilian
Wesselinov Palauzov.
Fix bug #SF3475149: Apply RFC2254 encoding to LDAP queries.
Problem noted by Yoshiaki Yanagihara.
LIBOPENDKIM: Feature request #SF3317160: Per RFC6376, remove
granularity checks.
LIBOPENDKIM: Feature request #SF3385768: Add dkim_privkey_load(),
allowing validation of a private key before reaching
end-of-message. Requested by Heikki Gruner.
LIBOPENDKIM: Feature request #SF3423226: Copy header field name lists
instead of using the caller's copy. Suggested by
Heikki Gruner.
LIBOPENDKIM: Update list of header fields that should be signed
per RFC6376.
LIBOPENDKIM: Don't report the absence of "c=" as an error, since
there is a default.
LIBOPENDKIM: Add DKIM_SIG_CHECK() macro. Suggested by Heikki
Gruner.
LIBAR: Fix bug #SF2917856: Rename "ar.h" to "async-resolv.h" since
"ar.h" is already in common use.
STATS: Feature request #SF3397903: Drop all support for data needed
for the DKIM Implementation Report, as it has been completed.
Leave stuff that's useful for reputation R&D.
STATS: Feature request #SF3402857: Modify opendkim-spam to be able
to write update records to statistics files.
STATS: Feature request #SF3439384: Make opendkim-importstats more
backend-agnostic. Requested by Andreas Schulze.
TOOLS: Add opendkim-testmsg, for signing/verifying messages without
all the milter code being invoked. Requested by
Todd Nagengast.
CONTRIB: Add LDAP documentation and examples. Provided by
Patrick Ben Koetter.
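The RFC2254 encoding named in the fix for bug #SF3475149 above, as an added example that is not OpenDKIM's own code. The function names, the "(mail=%s)" filter template and the sample key are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter per RFC 2254
   section 4: '*', '(', ')', '\' and NUL become a backslash followed by
   two hex digits.  Returns the escaped length, or -1 if "out" is too
   small (the caller must then refuse to run the query). */
static int ldap_filter_escape(const char *in, size_t inlen,
                              char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    size_t i;

    if (outlen == 0)
        return -1;
    for (i = 0; i < inlen; i++) {
        unsigned char c = (unsigned char) in[i];

        if (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0') {
            if (o + 3 >= outlen)        /* 3 bytes plus the final NUL */
                return -1;
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outlen)
                return -1;
            out[o++] = (char) c;
        }
    }
    out[o] = '\0';
    return (int) o;
}

/* Build a filter from a lookup key that came from message data.
   The "(mail=%s)" template is hypothetical. */
static int build_filter(const char *key, char *filter, size_t filterlen)
{
    char esc[256];
    int n;

    if (ldap_filter_escape(key, strlen(key), esc, sizeof esc) < 0)
        return -1;
    n = snprintf(filter, filterlen, "(mail=%s)", esc);
    return (n < 0 || (size_t) n >= filterlen) ? -1 : 0;
}

int main(void)
{
    char filter[300];

    /* Constructed key containing every filter metacharacter. */
    if (build_filter("j*doe(ops)\\x", filter, sizeof filter) == 0)
        printf("%s\n", filter);
    return 0;
}
```

Without the escaping step the same key would change the structure of the filter instead of being matched as a literal value.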
2.4.3 2011/12/26
Fix bug #SF3400670: Send ADSP failure reports when rejecting
a message. Reported by Andreas Schulze.
Fix bug #SF3419149: Add MaximumSignedBytes to opendkim-config.h.
Reported by Adam Bernstein.
Fix bug #SF3441240: Apply ReportBccAddress when generating ADSP
reports. Reported by Richard Rognlie.
Fix bug #SF3447199: Fix logic preventing the application of the
BodyLengthDB. Problem noted by Richard Rognlie.
Fix Authentication-Results generation with "AddAllSignatureResults"
enabled. Reported by Todd Nagengast.
Fix a crash bug when trying to handle certain malformed header fields
in verify-only mode. Reported by Todd Lyons.
Improve error checking in the callback provided to libunbound to
avoid crashes. Problem noted by Todd Lyons.
Cope with versions of Sleepycat DB that crash when asking for a file
descriptor for in-memory databases. Problem reported by
Todd Lyons.
Don't override "On-NoSignature" when "Quarantine" is set. Reported
by Jarry Jeremy.
Ignore header field names that contain semi-colons, as they produce
syntactically invalid signatures. Problem noted by
Heikki Gruner.
LIBOPENDKIM: Fix bug #SF3465400: Don't use "new" as a parameter name
in dkim.h since that's an error for C++. Reported by
Amit Schreiber.
LIBOPENDKIM: NOERROR is the same as NXDOMAIN for the purposes of
the ADSP existence check. Problem noted by Todd Nagengast.
LIBOPENDKIM: Return DKIM_STAT_SYNTAX from dkim_header() if the header
field name contained a semi-colon.
LIBAR: After computing a timeout, if the fractional seconds portion
adds to exactly a second, convert that amount to seconds.
Previous versions only converted when the fractional portion
exceeded a second. This led to threads that spin
indefinitely. Problem noted by Todd Lyons and Gary Mills;
forensic evidence revealing the problem at long last provided
by Todd Lyons.
STATS: Fix a crash bug in opendkim-importstats due to improper handling
of NULL returns from SQL. Reported by Andreas Schulze.
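The LIBAR timeout fix in 2.4.3 above, as an added example that is not code from libar: the same carry written with ">" and with ">=". It assumes the deadline is handed to a POSIX timed wait such as pthread_cond_timedwait(), which fails with EINVAL when tv_nsec is one billion or more; the release note does not name the call, and the function names and sample times are constructed.

```c
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

#define USEC_PER_SEC 1000000L
#define NSEC_PER_SEC 1000000000L

/* Behaviour before the fix, as the note describes it: carry into seconds
   only when the fractional part EXCEEDS one second. */
static void normalize_old(struct timeval *tv)
{
    if (tv->tv_usec > USEC_PER_SEC) {
        tv->tv_sec += tv->tv_usec / USEC_PER_SEC;
        tv->tv_usec %= USEC_PER_SEC;
    }
}

/* Behaviour after the fix: carry as soon as it REACHES one second. */
static void normalize_fixed(struct timeval *tv)
{
    if (tv->tv_usec >= USEC_PER_SEC) {
        tv->tv_sec += tv->tv_usec / USEC_PER_SEC;
        tv->tv_usec %= USEC_PER_SEC;
    }
}

/* Absolute deadline = now + wait, in the timespec form timed waits take. */
static struct timespec deadline(long now_sec, long now_usec,
                                long wait_sec, long wait_usec, int fixed)
{
    struct timeval sum;
    struct timespec ts;

    sum.tv_sec = now_sec + wait_sec;
    sum.tv_usec = now_usec + wait_usec;
    if (fixed)
        normalize_fixed(&sum);
    else
        normalize_old(&sum);
    ts.tv_sec = sum.tv_sec;
    ts.tv_nsec = (long) sum.tv_usec * 1000L;
    return ts;
}

/* POSIX timed waits fail with EINVAL unless 0 <= tv_nsec < 1e9. */
static int deadline_is_valid(struct timespec ts)
{
    return ts.tv_nsec >= 0 && ts.tv_nsec < NSEC_PER_SEC;
}

int main(void)
{
    /* Constructed times: 0.6 s + 0.4 s sums to exactly one second. */
    struct timespec a = deadline(100, 600000, 2, 400000, 0);
    struct timespec b = deadline(100, 600000, 2, 400000, 1);

    printf("old:   %ld s %ld ns valid=%d\n",
           (long) a.tv_sec, a.tv_nsec, deadline_is_valid(a));
    printf("fixed: %ld s %ld ns valid=%d\n",
           (long) b.tv_sec, b.tv_nsec, deadline_is_valid(b));
    return 0;
}
```

Under the stated assumption, a wait loop that retries after any early return gets an immediate error on the invalid deadline every time and never sleeps, which matches the spinning threads the note reports.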
2.4.2 2011/08/05
Don't apply BodyLengthDB when not signing. Problem noted by
Andreas Schulze.
LIBOPENDKIM: Update for draft-kucherawy-dkim-atps-06.
LIBOPENDKIM: Terminate the strings returned by dkim_sig_getsubstring()
and dkim_sig_getidentity() whenever possible. Suggested by
Heikki Gruner.
CONTRIB: Change "chkconfig" instruction in RHEL init script,
and a minor tweak to the RPM spec file. From Steve Jenkins.
2.4.1 2011/06/28
Fix bug #SF3312691: Add "-e" command line switch to extract a value
from configuration.
Fix bug #SF3324488: Accommodate postfix's job ID generation by moving
the BodyLengthDB check down to EOH. Reported by Andreas
Schulze.
Fix bug #SF3327106: Fix mode-based short-circuit logic. Reported
by Yoshiaki Yanagihara.
Patch #SF3321766: Remove "-d" from usage message (not implemented).
Patch from Andreas Schulze.
Print database error strings instead of just return codes in
query test mode, and clean up error strings when extracting
them from the layers below.
Minor fixes related to use of OpenDBX.
LIBOPENDKIM: Fix bug #SF3328330: Correct generation of "z=" tags.
Problem reported by Christophe Wolfhugel.
LIBOPENDKIM: Patch #SF3313534: Improve thread-safe use of OpenSSL
in dkim_init() and dkim_free(). Patch from Masatake Daimon.
LIBOPENDKIM: Patch #SF3314269: Change all uses of off_t to
ssize_t, as the former is reserved for use with filesystem
APIs. Patch from Manuel Mausz.
LIBOPENDKIM: Make the user context pointer (void) rather than
(const void) since the caller is allowed to change it.
Problem noted by Heikki Gruner.
LIBOPENDKIM: Proper handling of DKIM_CBSTAT_ERROR from the prescreen
and final callbacks. Problem noted by Heikki Gruner.
LIBOPENDKIM: Fix up initialization under _FFR_OVERSIGN. Problem
noted by Eray Aslan.
BUILD: Adjust gprof code to accommodate systems that put profiling
output in <binary>.gmon rather than gmon.out.
2.4.0 2011/06/06
Feature request #SF3060140: Extension of odkim.sign() to include
maximum signed byte count.
Feature request #SF3171865: Add _FFR_LUA_GLOBALS, enabling a
mechanism to maintain state between Lua scripts.
Feature request #SF3241982: Optionally add an Authentication-Results
field for all signatures present, not just the first good
one.
Feature request #SF3256630: Add _FFR_RATE_LIMIT, enabling hooks for
post-verification rate controls.
Feature request #SF3290461: Add optional support for querying a
memcache daemon via libmemcached.
Feature request #SF3299041: Be tougher on use of the "l=" tag by
removing "BodyLengths", renaming "BodyLengthDBFile" to
"BodyLengthDB", and allowing pattern matches. This
effectively activates _FFR_BODYLENGTH_DB as well.
Feature request #SF3303911: Add "DisableADSP" setting.
In the stats recording code, only check for a domain match for
signatures that don't have errors (i.e., short circuit if
sigerror is not zero).
LIBOPENDKIM: Feature request #SF2969516: Teach dkim_chunk() about
DKIM_LIBFLAGS_FIXCRLF.
LIBOPENDKIM: Feature request #SF3123731: Extend FixCRLF to cover
header fields.
LIBOPENDKIM: Feature request #SF3151534: Extract DKIM reputation
support to its own library.
LIBOPENDKIM: Feature request #SF3279589: Add _FFR_XTAGS, adding
support for generic extension tags in signatures.
LIBOPENDKIM: Feature request #SF3300738: Add dkim_sig_getqueries()
and dkim_policy_getqueries() to assist API consumers that
have their own DNS mechanisms not directly adaptable to ours.
Requested by Heikki Gruner.
LIBOPENDKIM: Return an error from dkim_getsighdr() or
dkim_getsighdr_d() if called after a key load failure.
Problem noted by Heikki Gruner.
LIBAR: Check that the descriptor's write socket is writable before
calling ar_sendquery() when trying to identify open requests
that need retransmission.
STATS: Feature request #SF3066106: Add "opendkim-anonstats" tool.
CONTRIB: Paths in init/redhat/opendkim are now auto-generated.
Activate _FFR_MAXVERIFY.
2.3.2 2011/04/14
Fix bug #SF3067338: Create a pool of DB handles for SQL operations
so that queries don't all share one serially.
Fix bug #SF3156559: Don't compile Lua scripts anew for each execution.
Fix bug #SF3210385: Fix issue with configuration reload failures
having some side effects on the remaining active configuration
handle. Reported by Andreas Schulze.
Fix bug #SF3235131: Don't report ADSP errors as signature errors
in Authentication-Results header fields.
Fix bug #SF3258459: Don't send progress messages during EOH. Problem
reported by Gary Mills.
Add ADSP processing error information to A-R header fields.
LIBOPENDKIM: Fix bug #SF3276469: When generating "z=" tags, apply
omit and sign header field lists. Problem noted by Todd Lyons.
LIBOPENDKIM: Use a time_t to store TTL and clock drift options
rather than unsigned long. Patch from Piotr Sikora.
LIBAR: Include class and type in debugging messages. Suggested
by Gary Mills.
LIBAR: Start the dispatcher on the first query, not in ar_init().
Allows ar_init() to be called before a fork() safely.
CONTRIB: Adjust installed path in RedHat start script. Patch
from Naresh V.
CONTRIB: Require the current libopendkim in the opendkim definition
in the RPM spec file. Patch from Naresh V.
2.3.1 2011/03/28
Feature request #SF3196060: Log retrieved reputation values.
Patch from Andreas Schulze.
Feature request #SF3199824: Don't log "no signature data" unless