s/qmail 4.0 CHANGE log
======================

Older changes can be found in CHANGELOG_V3.

Version	Description
--------------------

4.0.00	Initial version, removed SRS, fixed SPF.
4.0.01	Recovered SRS and added srsforward + srsreverse
				as compile option; still depending on libsrs2.
				Added man pages for srsforward + srsreverse.
				Fixed columnt (buf incorrectly used).	
B(2)		Changed 'puts' to 'out'; where applicable.
				Fixed dnsq call in qmail-smtpd concerning 
				lookup type "M" -> 'M', "A" -> 'A' (char ).
B(3)		Fixed missing timestamp for mails in maildir.c 
				making qmail-pop3d behave erratically.
				Substituted put -> out almost everywhere.
				Fixed wrong 'identity' in Received header ('unknown')
				due to misplaced 'if' nesting.
				Streamlined qmail-authuser to support APOP auth
				even for Unix system accounts (tx Drew).
				Fixed wrong CAPA announcement in qmail-popup 
				(APOP instead of UIDL).
4.0.02	Removed dependency on libsrs2 providing srs2.[c|h]
				natively together with sha1[_hmac].[c|h].
				Complete refactoring of sha1 and sha1_hmac.
				Included Drew W's enhancements for Dovecot auth 
				in qmail-authuser.
				Fixed bug in IPv4/IPv6 matching for spf_mx.
4.0.03	Enhanced qmail-authuser.
				Redone srsforward and srsreverse + man pages.
				Fixed qmail-smtpd to cope with new DNS resolver
				behaviour (in particular for SPF segfaulting for bounces).
Final		Streamlined man pages.
4.0.04	SMTPUTF8 is now triggered via environment variable UTF8 for 
				qmail-smtpd.
				Fixed segfaulting qmail-smtpd in case of multiple recipients
				in the RCPT TO dialog.
				qmail-smtpd exits now if Auth and Auth not announced or PAM missing.
4.0.05	Fixed bug in qmail-remote with wrong CNAME address mangling (tx. Leah).
				Removed SMTPUTF8 compiler flags in qmail-remote and qmail-smtpam
				which now auto-detect UTF8 encoded addresses.
4.0.06	Fixed qmail-smtpd segfaulting while wrongly evaluating 'fakehelo' for SPF.
				Added compatibility for other tcpserver/sslserver programs 
				calling qmail-smtpd and different IPv6 environment variables (4Leah).
4.0.07	Straightened some code in SPF evaluation which might prevent it (tx Leah).
				Fixed bug returning wrong SPF results in case a TXT but no SPF record is given.
				Fixed qmail-remote potentially not binding to IPv4 addresses (tx. MB).
				Fixed qmail-authuser insufficient handling of passwords using crypt (tx. MB).
4.0.08	Fix for qmail-vmailuser not respecting vpopmail's home dir (tx. Ueli H.).
				Changed qmail-remote to cope better with fehQlibs-15 and IPv4 qualification.
				Fixed CVE-2011-0411: Pipelining command injection for qmail-smtpd.
				Fixed the Guninski CVE-2005-1513 (in fehQlibs-15): Buffer overflow
				if size of mail > 4 GByte.
4.0.09	Reworked fix for CVE-2011-0411 to provide a general solution. (tx. Fabian)
				Applied fix to qmail-popup as well.
4.0.10  GCC 10 refactoring (together with fehQlibs-15b).
				qmail-remote now recognizes a MX retrieved IP to be itself and skips it.
EOL for 4.0

4.1.00	Added TLSA DNS lookup for qmail-remote.
4.1.01	Added qmail-ldapam; needs tweaking and verification still.
4.1.02	Added qmail-postgrey client together with the qmail-smtpd IF (permission by jan.mojzis).
4.1.03	Fixed TLSA off-by-one error for qmail-remote.
				Removed idedit.c (could be used in later version).
				Disabled compilation of qmail-ldapam. (cleanups, beta version).
				Added postgrey run script together with adjustments for doc and man.
4.1.04	Included Reiser FS patch; see unlinking problems also with vdeliver (qmail-queue, qmail-local).
				Fixed 'incorrect' xtext generation in qmail-remote.
				Added qmail-qmaint providing sanity checks on the queue and 
				allowing removal of messages (based on E. Huss code).
				Integrated DANE lookup (exceptions) into tlsdestinations + doc.
4.1.04+ Fixed bug not freeing X509 cert, thus TLSA fails. The X509_digest API is stupid.
4.1.05	Added selector evaluation in tlsa_check and re-formulated logic.
				Moved header files to ./include directory (and changed conf-cc accordingly).
4.1.06	Compliance with fehQlibs-17 (could solve [20201123#1/4.0.10]).
				Fixed bug in smtproutes not authenticating [20210213#1/4.0.10].
				Reformulated qmail-smtpd smtproutes to support setting localip [RfC:20201112#1/4.0.10].
4.1.07	Fixed bug in qmail-smtpd confusing badmailfrom with badrcptto [20120312#1/4.0.10].
				Adjusted header files to compile on ARM64 (Clang) and with GCC-10 (AMD64).
4.1.08	Removed references to qmail-ldapam in package. 
				Changed SPF DEFEXP macro using expand for domain rather than 'spf.pobox.com' [20210212#1/4.0.10].
4.1.09	Fixes for qmail-remote and rewriting the SIZE extension interface (tx. Drew):
				a) (Occasional) wrong parsing of multiple X.509 fingerprints in dnstlsa and tls_remote.c
				which might advise qmail-remote to reject valid TLSA-indicated connections.
				b) Wrong SIZE indication (mailfrom, mailfrom_xtext) in SMTP dialogue [20210622#1/4.1.08] (tx. Drew).
				c) Wrong SMTPUTF8 indication (mailfrom, mailfrom_xtext) [20210622#2/4.1.08].
				Note: qmail-rspawn API left unchanged wrt vanilla qmail.
4.1.10	Fixed flaw in qmail-remote not producing immediate bounce for server's 5xx reply code.
				Fixed bug in qmail-remote introduced in sqmail-4.1.09 evaluating size information for qmtp delivery.
4.1.11	Fixed bug in qmail-vmailuser not evaluating vpopmail's user directories correctly.
				Fixed bug in qmail-smtpam segfaulting. Sitting there since 3.0; nobody is using it.
				Added 'implicit TLS' support for qmail-remote in control/smtproutes, ./authusers, ./tlsdestinations.
				Added 'implicit TLS' support for qmail-smtpam on the command line.
4.1.12	Improved and streamlined qmail-remote TLS errors.
				Multiple DNS queries for TLSA check; first early; second after cert received.
				TLSA check working again; stupid OpenSSL doc ;-)
4.1.13	Better RFC 6698 (TLSA) conformance for PKIX-EE (with full X.509 chain given).
4.1.14	TLSA record lookup follows now a CNAME query. Pretty unusual for MX environments.
				Removed recognition of 451 SMTP return code as greylisting in qmail-remote logs.
4.1.14a	Fixed two integration bugs in 4.1.14 and straightened TLSA lookup and evaluation.
4.1.15	Off-by-one error in dnstlsa (cert fingerprint too short) and 
				corrections (and simplifications) to evaluate the TLSA fingerprints (tls_remote.c).
4.1.16	Additional corrections for TLSA evaluation with several fingerprints.
				TLSA lookup not bound to PTR lookup anymore but just hostname of MX - ipalloc extended.
				qmail-local does not disclose virtual user name extension in 'Delivered-To' field.
				Installation routine removes now potential remnants in ./src directory.
				Removed irritating 'greylisting' log info from qmail-remote for certain SMTP reply codes.
				Greylisting is now done/testing based on 421 SMTP reply code only [RFC 6647].
				qmail-remote evaluates MX distance according to IPv4/IPv6 local bindings.
4.1.17	Fixed OpenSSL's X509_pubkey_digest() function for TLSA.
EOL for 4.1
4.1.18  Fixed premature close of cdb in fastforward; removed slurpclose.c.
        Backported qmail-remote (and tls_remote.c) from s/qmail-4.2.16 to fix TLS and Greylisting issues.
        Backported qmail-smtpam due to changes in tls_remote.c.
        Backported spfdnsip.c from s/qmail-4.2.16 to solve the SPF 'exists' issue.
        Forwardported tls_destinations() from s/qmail-4-0.09 for stralloc host and added 0-terminated hostname.
        Fixed tls_checkpeer() to verify X.509 certs and DN/SAN against FQDN comparison.
        qmail-local does not truncate virtual recipient on default.
        Fixed erroneous fastforward.
4.1.18a Improved handling for given certificates and ciphers and log messages for qmail-remote.
4.1.18b Fixed missing buffer write in qmail-remote.
4.1.18c Fixes defect [20230303#1/4.2.22].
4.1.18d Fixes defect [20230316#1/4.2.23] Can't connect to non-StartTLS MTAs by qmail-remote.
4.1.18e Backported fixes for [20230922#1/4.3.01], [20230920#1/4.3.01], and [20230823#1/4.3.00] included. 

