			OPENDKIM RELEASE NOTES
	$Id: RELEASE_NOTES,v 1.160.2.18 2010/07/14 05:12:05 cm-msk Exp $


This listing shows the versions of the OpenDKIM package, the date of
release, and a summary of the changes in that release.

2.1.3		2010/07/15
	Fix build when enabling LDAP.
	Fix portability issue with DB 1.x.  Patch from Kaspar Brand.
	Fix bug #SF3026261: Don't try to open the statistics database before
		possibly changing userid.  Reported by Andreas Schulze.
	Plug a couple of potential but minor memory leaks, avoid some NULL
		dereferences, rewrite some clearly incorrect code, and several
		other fixes found by a code analysis tool, used by courtesy
		of Cloudmark.
	Restore "-P" to the command line as it's convenient for start/stop
		scripts.
	MILTERTEST: Support multiple macro values in mt_macros().
	BUILD: Improved support for BerkeleyDB file locations.

2.1.2		2010/07/06
	When testing the domains data set for a domain match for signing,
		check for an explicit "*" record for back-compatibility
		with versions prior to v1.2.0.
	Avoid segmentation faults when colon-separated data in a data set
		isn't formatted properly or has too few fields.
	Add additional database error logging.
	Rework OpenDBX query function use for correctness.  Problem reported
		by Naresh V.
	Fix an internal database call that caused false errors to be reported
		with recent DB versions.
	Fix bug #SF3021228: Avoid a NULL dereference in dkimf_xs_requestsig()
		when the function is called in test mode.
	Fix bug #SF3022409: Improve error logging from dkimf_db_open().
	Patch #SF3023224: Fix up a man page generation warning for opendkim(8).
		From Andreas Schulze.
	Patch #SF3023521: Tidy up some compiler warnings.  From Andreas
		Schulze.
	BUILD: opendkim-stats needs to know where to find the OpenSSL includes.
		Reported by Andreas Schulze.
	TOOLS: Patch #SF3023404: Fix up opendkim-stats usage message.  From
		Andreas Schulze.
	MILTERTEST: Fix bug #SF3020662: Add compatibility with older versions
		of libmilter.  Problem reported by Naresh V.

2.1.1		2010/06/22
	Force IPv6 addresses to lowercase, which is about to become standard
		(see draft-ietf-6man-text-addr-representation).  Problem
		noted by Reuben Farrelly.
	Permit configurations in which KeyTable and SetupPolicyScript are
		defined but SigningTable isn't.
	Return an error when making a default signing request if KeyFile and
		Selector were not both specified.
	Fix odkim.sign() so that it pulls from the correct Lua stack index,
		avoiding a NULL dereference and a crash.  Problem noted
		by Jozsef Kovacs.
	Fix bug #SF3015441: Argument processing for odkim.log() was incorrect.
		Problem reported by Jozsef Kovacs.
	Fix bug #SF3016124: odbx_field_value() returns NULL if the requested
		column contains an SQL NULL.  Problem reported by Jozsef
		Kovacs.
	Patch #SF3015439: Fix bugs in data set name parsing (e.g. allow dots
		in fields so that fully qualified hostnames can be given).
		Patch from Jozsef Kovacs.
	MILTERTEST: Fix bug #SF3005615: Observe negotiated SMFIP_NO* protocol
		option bits.

2.1.0		2010/06/07
	Feature request #SF2964369: Add _FFR_LDAP_CACHING to cache and share
		common LDAP queries using an internal query cache for
		better optimization of LDAP resources.
	Feature request #SF2964378: Overhaul statistics collection code
		enabled by "--enable-stats".  See stats/README for details.
	Feature request #SF2964380: Do some limited pattern matching for
		ResignMailTo.
	Feature request #SF2964381: The value in the ResignMailTo data set
		can now name a key in the KeyTable to use when re-signing
		a message.
	Feature request #SF2964388: Add a "lua" dataset type.
	Feature request #SF3007640: Add odkim.add_header() function, available
		to the final script.
	Log more information when loading data from the KeyTable fails.
	Remove several command line options that are redundant to the
		configuration file and not useful in test mode.  These
		include: -a, -C, -h, -i, -I, -m, -M, -P, -R and -U.
	Add support for draft-kucherawy-authres-header-b.
	Properly deal with critical errors from libdb that otherwise lead to a
		descriptor leak (because the close operation fails).
		Reported by Warren Horvath; data provided by Graham Murray.
	Don't allow Domain without KeyFile and Selector, which causes an
		assertion failure when calling dkim_sign().  Problem noted
		by Todd Lyons.
	Fix configuration logic around DontSignMailTo that prevented it from
		working.  Reported by Warren Horvath.
	When data set open operations fail during configuration file
		processing, report the name of the data set instead of just
		the error.
	CONTRIB: Patch #SF3010443: Improvements to opendkim.init and
		opendkim.spec from Kaspar Brand.
	LIBOPENDKIM: Add dkim_get_sigsubstring(), required for "header.b"
		production on Authentication-Results: header fields.
	LIBOPENDKIM: Initialize canon_buf in dkim_add_canon() to avoid
		a garbage dereference later during an abort.
	MILTERTEST: Fix SMFIR_ADDHEADER tests.
	STATS: Add "stats" subdirectory including tools for collecting
		and reporting aggregated statistics.
	TOOLS: Feature request #SF2964364: Have opendkim-genzone use
		the KeyTable if defined in a provided configuration file.

2.0.4		2010/05/17
	Fix logic enabling AlwaysAddARHeader.  Reported by Thomas Arnett.
	Return SMFIR_SKIP if available when reaching mlfi_body() if the
		filter is not interested in the body, such as on an unsigned
		message.
	Add more unit tests (but many more are needed).
	LIBOPENDKIM: In dkim_eoh() when verifying, set the DKIM error string
		to something if there was at least one signature on the
		message but none passed.
	MILTERTEST: Add SMFIR_SKIP as a testable milter reply code.
	MILTERTEST: Add mt.chdir().

2.0.3		2010/04/30
	Fix bug #SF2986301: Initialize a pointer for AutoRestart before
		using it, avoiding a segmentation fault.
	Fix bug #SF2992571: Rename _FFR_DNS_UPGRADE to _FFR_DNSUPGRADE to
		match what the build system does.  Problem noted by
		Gary Mills.
	Don't let Authentication-Results: logic from DomainKeys verification
		interfere with that of DKIM verification.
	MILTERTEST: Break out of the sending loop in mt_bodyrandom() if
		something other than SMFIR_CONTINUE comes back from the MTA.
	MILTERTEST: Add support for milter's UNKNOWN and DATA steps.
	MILTERTEST: Fix bug #SF2991011: Honour SMFIP_NR_* no-reply requests
		that may have been made by the filter.

2.0.2		2010/04/12
	Fix bug #SF2983979: Fix a configuration buffer initialization
		error tripped when running in test mode.  Patch from
		Kaspar Brand.
	LIBOPENDKIM: Fix dkim_chunk() to handle a message that starts with
		a CRLF.  Problem noted by Masumi Taketomi Parekh of Yahoo!.
	BUILD: Fix bug #SF2981597: Incorrect variable check for
		"--with-domainkeys" when a path is given, and repair
		DomainKeys build in opendkim/Makefile.am.  Reported by
		Gary Mills.
	BUILD: Fix bug #SF2983206: Optionally pass "-rpath" to libtool for
		libopendkim.
	BUILD: Path fix in opendkim.pc from Stefan Schulze Frielinghaus.

2.0.1		2010/03/20
	Fix bug #SF2964376: Don't use dkim_getsighdr() internally during
		signing as it presumes signatures will fit within a bounded
		character array and sometimes (e.g. with extensive data in
		a "z=" tag) they don't, leading to signing failures on valid
		messages.  Reported by James R. Marcus.
	Fix bug #SF2969700: Remember to NULL-terminate key data loaded from
		disk before using it.
	Don't use MAXHOSTNAMELEN as its value is unreliable.
	LIBOPENDKIM: Return an error from dkim_get_key_dns() if the
		query string is too big for a hostname buffer, rather than
		sending the truncated string to DNS anyway.
	LIBOPENDKIM: Ensure string termination in dkim_sig_getidentity()
		when calling dkim_qp_decode().  Patch from Stefan
		Schulze Frielinghaus.
	LIBOPENDKIM: In dkim_eom_sign(), don't change the handle's overall
		state before erroring out if the chunking state is invalid.
	BUILD: Fix bug #SF2969812: Don't install Lua sample files or man
		pages when "--with-lua" isn't specified.  Patch from
		Kaspar Brand.
	BUILD: Fix bug #SF2965318: Don't define USE_LUA when LDAP is enabled.
		Problem noted by Guillaume Castagnino.
	LICENSE: Change from 4-clause BSD license to 3-clause BSD license.

2.0.0 (Eve)	2010/03/05
	Feature request #SF2917224: Add optional OpenLDAP support.
	Feature request #SF2920389: Add CIDR support for IPv6 addresses.
	Feature request #SF2937428: Add "ExemptDomains" configuration item.
	Add optional Lua support, which enables a few script hooks for
		fine-grained policy controls when signing and verifying,
		and "miltertest", a new Lua-based scripting tool for
		exercising milter applications.
	Add "-Q" command line switch, putting the filter in query test mode
		to exercise the database code.
	Don't overwrite the signature verification status with that of the
		policy query status, leading to spurious "bad signature data"
		entries in the log.  Problem noted by Roman Gelfand.
	Fix database query order for PeerList, InternalHosts, etc. so that
		negation works properly again.
	Fix crash-on-shutdown bug related to the crypto utilities functions.
	Drop "KeyList" in favour of "KeyTable" and "SigningTable" in the
		configuration file.  See the opendkim.conf(5) man page
		for details.  Also, "-K" has been dropped from the command
		line, meaning multiple key support now requires use of the
		configuration file.
	Fixes in DB walk code for DB 1.85.
	Fix bug #SF2936499: Clean up numerous compiler warnings.
	Fix bug #SF2951494: Improve logic for doing ADSP queries and reporting
		their results.
	Fix bug #SF2961161: dkim_sig_getidentity() could return successfully
		even if the provided buffer was too small to accept the
		decoded value.  Reported by Ale Vesely.
	LIBOPENDKIM: Adjust dkim_sign() to accept base64-encoded DER private
		keys as well as PEM-formatted keys.
	LIBOPENDKIM: Several performance optimizations yielded from
		gprof data.
	LIBOPENDKIM: Fix a length computation that caused an invalid
		snprintf() call.  From a Gentoo bug reported by Tilman Giese.
	LIBOPENDKIM: Fix compiler complaint about multiple definitions
		of global variables.  Reported by Maarten Oelering.
	LIBOPENDKIM: Have dkim_eom() process all signatures instead of
		stopping after finding one good one.  Also add library flag
		DKIM_LIBFLAGS_VERIFYONE, causing dkim_eom() to short-circuit
		after finding one good signature while verifying (i.e.
		reproducing the pre-2.0.0 behaviour).
	LIBOPENDKIM: Feature request #SF2961427: Add dkim_libversion().
		Requested by Ale Vesely.
	TOOLS: Add "opendkim-genzone" which generates a BIND zone file
		fragment based on a KeyTable that contains all of the
		public keys required to match the configured private keys.
	BUILD: Add "--enable-codecoverage" to add build steps that generate
		profiling or code coverage reports when running unit tests.
	BUILD: Compile opendkim-testadsp with pthread libraries in case
		"--enable-arlib" was specified.
	BUILD: Fix an m4 quoting error that had rendered "--enable-debug"
		useless.
	BUILD: Check for functions upon which libmilter depends.  Reported
		by Cyro Lord.
	PORTABILITY: Support for OS X from Bob Halley.

1.2.2		2010/01/19
	Fix bug #SF2916729: Fix crash when reporting on multiple signatures,
		one of which was invalid in some way leaving its DKIM_SIGINFO
		only partially populated.  Problem noted by Ryan Burchfield.
	Fix bug #SF2919365: A _SOCK_ADDR is just a (struct sockaddr)
		which isn't big enough for IPv6 addresses.  Use a
		(struct sockaddr_storage) instead.  Problem noted by
		Werner Wiethege.
	Fix initalization and processing of ODBX requests.
	Fix DB get operations for Sleepycat versions prior to 2.0.0.
	Set a flag when crypto initialization is done so that cleanup
		occurs on shutdown.  Problem noted by Deiva Shanmugam.
	BUILD: Fix bug #SF2932392: Restore proper function of
		"--without-milter".  Reported by Mark Sidell.

1.2.1		2009/12/23
	Fix a disconnect in configuration regarding "On-KeyNotFound".
	Fix a type mismatch in dkimf_db_open() with respect to Sleepycat
		version 2 libraries, and a bug in dkimf_db_walk() with
 		respect to Sleepycat version 1 libraries.
	Report _FFR_REPORT_INTERVALS in "-V" output.
	LIBAR: Tidy up some compile-time warnings.
	BUILD: Correct name of "bodylength_db" feature.
	BUILD: Define VERIFY_DOMAINKEYS in build-config.h when
		"--with-domainkeys" is enabled.
	BUILD: Define USE_DB in build-config.h when "--with-db" is enabled.

1.2.0		2009/12/08
	Feature request #SF2873902: Overhaul the database backend code so that
		features that use external files or databases can be in any
		of several supported formats.  This will make adding new
		external data sources and formats simpler, and obviates the
		need for a bunch of individual feature requests.  This may
		have a few backward compatibility issues with respect to
		the configuration file.  Feature requested by Daniel Black.
	Feature request #SF2873900: Add optional support for OpenDBX for
		connecting to ODBC and SQL backend databases.  Requested
		by Daniel Black.
	Add "On-PolicyError" setting, allowing continuation of processing
		when an ADSP query fails.
	Activate _FFR_MULTIPLE_SIGNATURES, allowing optional addition of
		more than one signature per message passing through the
		filter.
	Add _FFR_RESIGN which allows binding of a signing handle to a
		verifying handle so that only one body hash needs to be
		run when a message will be re-signed as-is.  Suggested
		by Daniel Black.
	LIBOPENDKIM: Move VBR functions from libopendkim into their own
		new library, libvbr.
	LIBOPENDKIM: Rename the rfc2822_*() parsing functions to have
		"dkim_" prefixes, and rename their containing file
		accordingly.
	LIBOPENDKIM: Fixes in relaxed body canonicalization and chunk
		processing.  Problems noted by Masumi Taketomi Parekh
		of Yahoo!.
	LIBOPENDKIM: New library flag DKIM_LIBFLAGS_BADSIGHANDLES which
		asks the library to tolerate signature syntax errors and
		make such signatures available for limited inspection
		rather than completely ignoring them.  Requested by Masumi
		Taketomi Parekh of Yahoo!.
	BUILD: Split up library assignments between libopendkim and opendkim,
		taking advantage of libtool.  Based on a patch by Daniel Black.
	BUILD: When possible, limit the symbols exported as part of
		libopendkim to only those listed in dkim.h.
	BUILD: Generate opendkim.conf.5 man page containing all features,
		including FFR, annotated with if they are included and their 
		experimental status (for FFRs).
	BUILD: Improve static linking against openssl as noted by Roman
		Gelfand.  Compiles against openssl version 1.0.0-beta4 now. 
	BUILD: Provide pkg-config files {opendkim,vbr,ar}.pc for use by 
		other applications.
	BUILD: Fix up libresolv detection.
	BUILD: Add pkg-config checks for openssl, tre and opendbx packages to
		determine their installed library locations. Automate 
		versioning and deployment.
	BUILD: Added m4 macro library directory with updated ax_pthread.m4.
	BUILD: Moved feature, _FFR and library #defines from Makefiles to 
		build-config.h. Added macros for FFR and FEATURES.
	BUILD: Add support for versions of libtre older than 0.8.0.
	BUILD: Move all libopendkim tests into their own subdirectory.

1.1.2		2009/11/01
	Under _FFR_SENDER_MACRO, need to check the value of "SenderMacro"
		in the configuration file.  Noted by Daniel Black.
	Feature request #SF2873901: Add _FFR_REDIRECT which optionally
		redirects messages that fail verification to a specific
		address, storing the original recipients in
		X-Original-Recipient: header fields.  Suggested by
		Daniel Black.
	LIBOPENDKIM: Have dkim_dns_set_callback() return
		DKIM_STAT_NOTIMPLEMENT if the underlying resolver doesn't
		have a callback facility.  Suggested by Daniel Black.
	LIBOPENDKIM: Move internal-only types and macros from dkim.h
		to dkim-internal.h.  Based on an idea from Daniel Black.
	LIBOPENDKIM: Add in all previously optional functions so that the
		API is invariant regardless of selected features.  Add
		dkim_libfeature() as a way to detect availability of features
		at runtime.  Suggested by Daniel Black.
	LIBOPENDKIM: Some global namespace consolidation.  Suggested by
		Daniel Black.
	BUILD: Fix bug #SF2882206, patch #SF2880986: Handle libtre
		installations where "--enable-system-abi" was selected.
		Reported by Stevan Bajic; patch from Daniel Black.
	BUILD: Convert libar compilation to the libtool method.
		Suggested by Daniel Black.
	BUILD: Minor autoconf fixes, contributed by Daniel Black.

1.1.1		2009/10/09
	Plug a number of potential but minor memory and file handle leaks,
		remove some dead code, guard against NULL dereferences, fix an
		errant return code check, fix a double-free(), and several
		other fixes found by a code analysis tool, used by courtesy
		of Cloudmark.
	Change "x-dkim-adsp" to "dkim-adsp" in Authentication-Results header
		field code now that RFC5617 is published.
	Apply "On-DNSError" setting when policy queries fail.
	BUILD: Some compilation fixes and type cleanup.  Based on patches
		provided by Daniel Black.
	Add _FFR_SENDER_MACRO: Determine the message sender based on the
		contents of a macro instead of on a header field.
		Based on a patch from Ondrej Sury.

1.1.0		2009/09/16
	Feature request #SF2839110: Add _FFR_IDENTITY_HEADER, to set an
       		identity (i=) for signing based on the value found in a
		particular header.  Requested by Florian Sager. 
	Fix inside dkimf_libstatus() to return extended status code 
		4.7.5 if temp-fail is due to key retrieval failure.
	Fix bug #SF2831720: Use new dynamic signature header generation
		code (see below).
	Add new exception handling code "keynotfound" (short form "key")
		and "On-KeyNotFound", which handles keys not found in DNS
		separately from other DNS errors.
	Fixes inside dkimf_libstatus() so that SMTP reply codes get set
		properly for temp-fails.
	Remove _FFR_COMMAIZE.
	LIBOPENDKIM: Add dkim_getsighdr_d(), a dynamic-length version of
		dkim_getsighdr().  The old function interface remains
		unchanged for backward compatibility.
	LIBOPENDKIM: Add dkim_dstring_printf().
	LIBOPENDKIM: Fix bug #SF2839858: Change "default_senderheaders" list
		to include only "from", per RFC5617.  Problem noted
		by Erik Lotspeich.
	Activate _FFR_SENDER_HEADERS, adding "SenderHeaders" to the
		configuration file.
	BUILD: Fix bug #SF2841499: Fix building of opendkim tools so that
		they link against libdb when necessary.
	BUILD: Fix building of libopendkim/t-test115 so it agrees with
		what SHA methods are found by libopendkim itself.
	BUILD: Don't bother building libar unless --enable-arlib is specified.

1.0.0		2009/08/14
	Initial release after code fork from dkim-milter package (v2.8.3).
	Fix bug #SF2813077: Don't do anything other than deliver messages
		when "t=y" is present in the verifying key record.  Problem
		noted by Jens Elkner.
	Fix bug #SF2835208: Set the signal mask earlier so that signals
		of interest aren't delivered to threads that can't handle
		them.  Problem noted by Mike Markley.
	LIBOPENDKIM: Fix bug #SF2795523: Correct canonicalization problem
		when a CRLF is split across body chunks and consecutive
		blank line counting is in progress.  Reported by Mark
		Martinec.
	TESTS: Fix bug #SF2813058: Fix t-test117 so it doesn't fail if
		the DKIM_TMPDIR environment variable is set.  Problem
		noted by Jens Elkner.
	PORTABILITY: Fix bug #SF2813058: Fixes to t-test100 for
		Solaris 10 (64-bit).  Patch from Jens Elkner.
