hermes/ChangeLog

ChangeLog
---------

2014-10-09 06:54 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* fix a bug with certificate handling, load a full chain from a file if a
availabe
* fix building on win32

2014-06-28 18:46 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* add more information to the headers injected by hermes
* make ip matching for sqlite-black/whitelisted a strict match instead of a
loose one
* fix build issues on newer compilers

Older changes which were not previously released:

* number_of_unimplemented_commands_allowed option to limit the number of
unimplemented commands a server can return.
* mark ssl IO as such
* try to detect if ssl will not work before accepting ssl connections
* change to how we manage SSL initialization. It needs to be done in two steps
to be able to return the correct smtp code in case of failure
* ignore SIGPIPE and SIGCHLD. this was causing hermes to randomly finish
* fix bug when trying to enable ssl and not suceeding. now we handle it
gracefully instead of failing and randomly crashing
* add spf-fail to the headers
* add the add_status_header_if_dns_listed option
* fix small bug in the percentage estimation optimization
* add option to control verboseness of log
* report PID at startup
* fix stats submission
* make filelogger log more similar to unixlogger
* fixes for win32
* quick get_canonical_filename version for win32

2011-01-08 19:28 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* fixed NullLogger

2011-01-08 17:22 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* fixed small bug when submitting stats that would stop the thread that
submits them


2011-01-08 02:27 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* revamped logging system. hopefully, messages will be more informative now


2011-01-06 23:53 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* development restarted

* print a small message about which config file we are actually using. Some
people seem to have gotten confused about this...


2008-12-14 20:17 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Implemented log rotation for filelogger. Sponsored by Damir Simunic of
http://edgeof.net

* Disable chunking extension, it interferes with hermes operation

* Updated email address... again


2008-08-30 21:35 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Updated email address.


2007-11-28 19:54 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Fixed some sqls


2007-11-20 19:14 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Added a small feature sponsored by http://www.pixelkinder.com. It allows to 
specify a list of valid ips for each domain, if a mail comes from an ip not on 
the list, then reject it.


2007-10-02 11:33 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Add blacklisting based on the "to" address and domain. Useful to migrate
sites and to correct MTAs errors.


2007-07-20 20:03 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* 1.6 release

* Bugs:

* Fixed a DoS-causing, remotely explitable bug in Proxy.cpp. This bug only affects version 1.3 to
1.5, both inclusive. If you are using either 1.3, 1.4 or 1.5 UPDATE NOW.
Thanks to Veit Wahlich for finding and reporting the bug and for submitting
a preeliminar patch.

* While looking for similar vulnerabilities in the code, found a small
incorrection, although it doesn't have security implications.


2007-07-19 12:57 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* 1.5 release

* Enhancements:

* Allow permanently rejecting mails with dnsbl or spf errors. To use configure
return_temp_error_on_reject as false (default). To keep the old behaviour,
configure the above option as true.

* File logger can now be configured to only open the file sporadically to
write its buffer. This allows for external log rotators on platforms that
can't rename an open file (i.e. windows). The option is called
keep_file_locked. To use the new behaviour, configure as false, to keep the
old one configure as true.

* Implemented win32 service support. To enable, configure with
--enable-win32-service. The windows build on the website are already compiled
with this option. To install the service execute:

c:\hermes> hermes -install

To uninstall:

c:\hermes> hermes -uninstall

To start:

c:\hermes> net start hermes

To stop:

c:\hermes> net stop hermes

Of course, you can also use the service manager to start and stop the service.
Using the service code there's a big warning everyone should read:

The config file MUST be named "hermes.ini" and be located on the same
directory as "hermes.exe". Also, since hermes is started from another
directory, you have to specify the full path to the database:

database_file = "c:\hermes\greydatabase.db"



* Fixes:

* Fix SPF requests to be synchronized. I haven't seen a single failure from
this, but this is the right way.

* Removed an stale debug statement. It could be noticed when starting hermes
that the list of dns white/black lists was printed on the standard output.

* dns_{white,black}list_percentage now defaults to 100. Setting it to 0 makes
no sense and makes all your emails to be considered white/black listed.

* Fixed spec file to include the AUTHORS file.

* The value of spf_query now defaults to true when compiled with SPF support.

* Applied patch by Veit Wahlich that fixes stats submission to be each 60
minutes exactly. Previously it would send the stats on intervals of
approximattely 60 minutes.

* Whitelisting IPs is now partial like blacklisting. For example, whitelisting
192.168.0 will whitelist 192.168.0.* (192.168.0.0/24)

* Small fixes to the building system.


2007-06-14 20:23 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* 1.4 release

* Enhancements:

* SPF: if you enable query_spf, everytime someone gets through greylisting,
they will be checked for spf compliance. If they either FAIL or SOFTFAIL, they
will be rejected.

* Specify your hostname on the config file (option hostname). If it's empty,
it gets filled by gethostname() (as before)

* DNS Whitelisting: similar to DNS Blacklisting, but the other way around.

* DNS Whitelisting and DNS Blacklisting both support querying more than one
server at a time. It means that you don't have to rely 100% on a dns list, but
can use more than one. To control how many of the list need to list a server,
use dns_{black,white}list_percentage option on config file.

* If you define now whitelisted_disables_everything, whitelisted host will not
be forced to go through throttling and banner delaying (or anything else).

* Blacklisting is now partial. That means that if you blacklist 192.168.0. you
are actually blacklisting 192.168.0.* (192.168.0.0/24 if you prefer)

* Added the	throttling_time option that controls how much we sleep between
lines when throttling a connection.

* Changed logging format. Should be clearer now, although there are still some
things I'd like to change.

* We are also logging now also when someone gets their connection dropped
because of throttling or data-before-banner (or black/whitelisting, spf, etc. ).
It should help to get a better feeling of how much spam we are stopping with 
these techniques.

* We now can reject emails if peer doesn't have an inverse resolution (patch
by Veit Wahlich) or if the inverse resolution doesn't match the helo string.
Both of these features should be used with extreme care, and are disabled by
default. You shouldn't use them if you don't know what you are doing.


* Fixes:

* FileLogger.cpp: file logging now flushes its buffer after a few lines (15).
This should update the log on file more often.

* Configfile.tmpl: when compiling on windows, all default values should be
valid

* Fixed a bug when closing the filelogger file (most people noticed that
hermes crashed when closing when using file logger).

* Changed the X-Anti-Spam-Proxy header to be more clear.

* Fixed all typos with wether to whether

* Fixed a minor RFC-strict error when defining the non-existing extension

* Timezone _should_ be correct now on windows. If it isn't, write to the
mailing list with an example and why you think it's incorrect.

* Fixed configure.in. If you specify now --disable-openssl it will disable
openssl even if you have it installed

* Updated the .spec file (thanks again to Veit Wahlich's patch)

* Added AUTHORS file and also added lot's of docs to the windows release.

2007-05-18 20:11 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* 1.3 release

* added the add_headers option, will add the rfc-required "Received" headers
should give a better idea of where emails are coming/going

* also added date to logging when it is done to a file

* fixed filelogger, should now use file_logger_file config option

* windows version can now resolve addresses, so rbl works and also you can now
use fancy names like "localhost" instead of ugly ips like "127.0.0.1"

* updated rpm, hopefully everything should be ok now

2007-05-13 18:21 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* 1.2 release

* added rbl checking. Simply define rbl_domain in configfile

2007-04-20 12:04 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Added an option to configure the initial delay of the SMTP banner

2007-04-19 20:28 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Bugfix 1.1 release

* Implemented the bind_to config option. Defining bind_to in the configfile
will force hermes to only bind to one ip.

* Fixed a small bug when closing hermes with clean_db=false (it would segfault
previously)

* Added more documentation and updated http://www.hermes-project.com

2007-04-16 19:48 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Initial 1.0 release

2007-04-09 20:27 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* *.{h,cpp}: add GPL license to all source files. also added gpl.txt with the
full license text on /docs

* Makefile.am: configure automake more correctly (not a lot, probably still
very wrong)

* TODO: cleaned up a bit

2007-04-09 18:57 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* *.{h,cpp}: Ifdef'd all output to terminal. From now on if you want all that
output, define REALLY_VERBOSE_DEBUG on config.h (once it is generated)

* generate_config.pl: generate also a default config file from the information
on Configfile.tmpl

2007-03-18 19:16 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* *Logger.{h,cpp}: Implement logging as a base class with different subclasses
depending on a configure option. Also added option to Configfile.tmpl to
configure the filename for FileLogger.
This change will allow us to port hermes more easily to other platforms,
specially non-unix(i.e. win32), but also will help if we don't have a logger
installed or if it's not compatible with the common interface (I'm using
metalog, btw).

2007-03-18 17:06 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* *: change all instances of spit to hermes to reflect project's new name

2007-03-09 18:19 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Database.*: modified cleanDB, now the method counts the number of spams we
have blocked since the last time we cleaned

* spit.cpp: if we have configured it, send the number of spams blocked to a
server to keep the statistics

* Configfile.tmpl: added options to configure the previous changes.
submit_stats (bool) submit_stats_username (string) and submit_stats_password
(string)

2007-02-14 18:20 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* *.*: change all calls to Exception constructor to send also the file name and line
number

2007-02-12 19:03 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Socket.*: new option setTimeout, sets the timeout for receive/send operations, should
help with the sockets getting blocked on recv() or send()

* Exception.*: new constructor accepts a filename and line number. The idea is to migrate
all calls to Exception to this new constructor so that errors get printed with their source
filename and line number to make debugging easier.

2007-02-10 17:25 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Configfile.*: changed Configfile.{cpp,h} to be generated from Configfile.tmpl and
Configfile.{cpp,h}.in . It should be MUCH easier to add new config options
from now on. As a proof, adding options for the time to greylist and the
initial delay were a breeze compared to before.

* spit.cpp: instead of sending the data for thread_main in a pointer, send a
pointer to a stack and just pop the last element added.

2006-11-12 21:22 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* updated changelog to use gnu coding standards

* autotoolize spit
* Makefile.am
* configure.in
* Config.h: rename class to Configfile

2006-10-22 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Socket.cpp: now creates the ssl context and loads certificates on the first socket
creation, so we now use less memory per-thread, AND we also load the certs
BEFORE chrooting, so now private_key and certificate DON'T need to be
(and are NOT recomended) INSIDE the chroot, which is a cool security feature.

2006-10-21 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* SQL.cpp: Changed SQL class so that every query is made through doQuery, that
controls that everything works the right way.

* Exception.cpp: When an Exception ocurrs, we notify it by email, either through smtp
or through sendmail

2006-10-15 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Config.cpp: Fixed Config.cpp::validateConfig to take into account chrooting

* Socket.cpp: Fixed Socketp.cpp::close, we were sometimes closing fds twice

* main.cpp: if you send SIGINT or SIGTERM once you close gracefully, if you do
it twice, you forcefully stop the program, for when a socket is waiting to timeout,
and you can't restart the proxy in-between

2006-10-12 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Config.cpp: Overhauled Config class

* main.cpp: fixed chrooting, now only /etc/resolv.conf is needed

2006-10-08 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* Socket.cpp: ssl is now fully working
decimal time for waiting in Socket::canRead

* SQL.cpp: whitelisting based on hostname of peer added.

* Logger.cpp: implements a logger for unix

* preeliminary port to solaris 10

2006-09-24 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* LOTS of bugfixes, some change in semantics and a bit of heavy-work
testing. Should be MUCH more stable now.

2006-09-18 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* main.cpp (main): Made threads detached to allow them to free resources

2006-09-17 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>

* main.cpp (main): Create a thread to clean the database each hour
Threads now clean themselves up when finishing

2006-09-16 Juan José Gutiérrez de Quevedo <juanjo@gutierrezdequevedo.com>
* Initial import to svn