			DKIM-MILTER RELEASE NOTES
      $Id: RELEASE_NOTES,v 1.93 2007/03/07 15:51:02 msk Exp $


This listing shows the versions of the dkim-milter package, the date of
release, and a summary of the changes in that release.

Bug and feature request (RFE) numbers that start with "SF" were logged
via Sourceforge (http://www.sourceforge.net) trackers.  Those not so labelled
were logged internally at Sendmail, Inc.


0.6.1		2007/03/07
	Load the -C values from the configuration file if -C wasn't present
		on the command line.  Previously, they were ignored.
	Fix a verification version auto-detection bug that was causing some
		false negatives.
	Fix bug #SF1477211: Add an appropriate Authentication-Results:
		header when a signature uses a hash which the matching
		key does not authorize.
	Fix bug #SF1672787: Fix an additional corruption bug in
		dkim_getsighdr().
	Feature request #SF1497802: Add _FFR_QUARANTINE, allowing optional
		quarantining of messages which fail verification or policy
		checks.
	Feature request #SF1605766: To reduce spurious logging, don't set
		mctx_status to DKIMF_STATUS_NOSIGNATURE unless the signature
		was missing on a message from a domain that claims it signs
		everything.
	Select the correct signature to replay into canonicalization, rather
		than always using the first one.  Problem noted by James
		Sargent of AOL.

0.6.0		2007/03/01
	Bring up to date with "ietf-base-10" which is probably the
		version that the IETF will issue as an RFC.  This includes:
		- signature "q=" option delimiter is now "/", and the default
		  value is now "dns/txt"
		- if both "t=" and "x=" are present in a signature, make
		  sure the former is less than the latter
		- disregard signatures that appear to have been generated in
		  the future
		- support for draft and final versions of "v=" tags in both
		  keys and signatures
	Activate _FFR_VERIFY_DOMAINKEYS.
	Complete support for DKIM_QUERY_FILE for use in debugging and testing.
	Fix a number of minor bugs in signature header generation which
		could cause corruption and thus validation and/or syntax
		errors.
	Fix bug #SF1507535: Fix an FFR-related build issue.  Reported by
		Fredrik Pettai.
	Fix bug #SF1512860: Before returning DKIM_STAT_NOSIG from dkim_eom(),
		try to retrieve the sending domain's policy.
	Patch #SF1505401: Add _FFR_OMIT_HEADERS, copied from dk-milter.
		This will probably be replaced later by an extension to
		dkim_options().  Patch provided by Ben Lentz.
	LIBDKIM: Fix bug #SF1608314: Fix processing of config file items
		"Userid" and "Mode".  Patch from John Villalovos.
	LIBDKIM: Add dkim_geterror() to retrieve additional diagnostic
		data from the API when a function call returns
		DKIM_STAT_INTERNAL or something else whose cause isn't
		readily apparent.
	LIBDKIM: Remove an extraneous pointer type in the parameter list
		for dkim_sign().  Reported by Jeff Barry.

0.5.2		2006/09/18
	Fix bug #SF1537905: If necessary, try again to get the job ID in
		mlfi_eom() in case it came down later than expected (e.g.
		postfix).  Suggested by Mark Martinec.
	Fix a couple of minor build problems.
	Fix bug #SF1559406: Change MAXHEADER to 4096.
	LIBDKIM: Fix bug #SF1544301: Fix an issue with processing a message
		which has trailing spaces on its last line.  Reported by
		Mark Martinec.
	LIBDKIM: Fix bug #SF1558014: Confirm the body hash in the signature
		matches the actual body hash when verifying.  Reported by
		Mark Martinec.
	LIBDKIM: Add preliminary support for the draft-allman-dkim-ssp-02
		specification as _FFR_ALLMAN_SSP_02.
	LIBAR: Adapt to the post-bind4 resolver API.  Problem reported by
		S. Moonesamy of Eland Systems.

0.5.1		2006/06/14
	Add compile-time option _FFR_ANTICIPATE_SENDMAIL_MUNGE which attempts
		to replicate some header rewriting the sendmail MTA will
		do, which otherwise prevents signature validation from
		succeeding.
	Add support for "ietf-base-02" signing mode (which is really
		synonymous with "ietf-base-01").
	LIBDKIM: Report a syntax error when a signature header arrives with
		any required fields missing.

0.5.0		2006/05/19
	Fix an assertion failure under _FFR_SELECT_SIGN_HEADERS.  Reported
		by S. Moonesamy of Eland Systems.
	Under _FFR_REPORTINFO, only send reports when verification failed.
		There are other failure modes, but that's the only one for
		which reports are useful.  Problem noted by Michael
		Thomas of Cisco.
	RFC2822 doesn't require any recipient headers, so remove those checks
		inside _FFR_REQUIRED_HEADERS.
	Fix bug #SF1481303: Don't verify DomainKeys signatures while in
		signing mode.  Reported by S. Moonesamy of Eland Systems.
	Activate _FFR_MACRO_LIST (adds the "-M" command line option) and
		_FFR_EXTERNAL_IGNORE_LIST (adds the "-I" command line option).

0.4.1		2006/05/02
	Include the list of supported DKIM versions in the output of "-V".
	Feature request #SF1238442: Add _FFR_VERIFY_DOMAINKEYS which
		will verify DomainKey signatures, if present.  Requires
		libdk, which is available in the dk-milter package.
	Feature request #SF1453565: Add _FFR_SELECT_SIGN_HEADERS which permits
		specification of which headers to sign.
	Add _FFR_SET_DNS_CALLBACK which allows registration of a callback
		per-handle which is called periodically while waiting for
		DNS responses.
	LIBDKIM: Return an error if the signing function returned success but
		also reported a zero-length signature.  Reported by
		S. Moonesamy of Eland Systems.

0.4.0		2006/04/18
	Add preliminary support for IETF DKIM draft 01.  "rsa-sha256" support
		was already added, but this also adds support for the
		"bh" (body hash) tag in signatures.
	Add "-v" command line switch to select DKIM version to use when
		signing.
	Add "-x" command line switch to specify a configuration file to read
		and parse.
	LIBAR: Fixes regarding retransmissions.

0.3.2		2006/04/05
	Don't remove the wrong "b=" when canonicalizing the signature header
		during verification.  Problem noted by Michael Thomas
		of Cisco.
	Properly process empty values in parameter sets.  Problem noted by
		Michael Thomas of Cisco.

0.3.1		2006/03/19
	Report the size of the key on successful verifications in the
		Authentication-Results: header.
	Fix bug #SF1453591: Tolerate empty strings in dkim_process_set(),
		and just apply defaults.
	LIBDKIM: Add dkim_getkeysize(), dkim_getsignalg(), dkim_getsigntime().

0.3.0		2006/03/15
	Add preliminary support for "rsa-sha256" signatures.
	Rearrange command line arguments somewhat.
	Include the list of supported canonicalization and signing algorithms
		in the output when "-V" is specified.
	Fix an intermittent crash condition caused by an uninitialized
		variable.
	Add _FFR_LOG_SSL_ERRORS to log any queued SSL error messages
		before releasing a message from the filter.

0.2.3		2006/03/03
	Add a "testing" comment when the key or policy used to verify a
		message is marked with a test flag.
	Flush the base64 output stream before sending the reports under
		_FFR_REPORTINFO so that the reports don't contain truncated
		data.  Discovered by Tony Hansen of AT&T.
	Fixes in processing of signature headers that contained extraneous
		spaces.  Reported by Tony Hansen of AT&T.
	Fix bug #SF1442606: Clone the configuration string before parsing
		it so that "ps" doesn't show weird output.

0.2.2		2006/01/24
	Evaluate the key granularity honouring "*" as a wildcard.
	Add _FFR_SET_REPLY which requests a more useful SMTP reply code
		when instructing the MTA to temp-fail or reject messages.

0.2.1		2005/12/09
	Further fixes to dkim_getsighdr().  Problem reported by Sung-hoon
		Choi of Dreamwiz.
	Plug a few small but definite memory leaks.
	Fix bug #SF1373746: Repair a _FFR_SELECT_CANONICALIZATION build
		problem introduced in the previous release.  Reported by
		S. Moonesamy of Eland Systems.

0.2.0		2005/12/02
	Update for revised ESTG draft.  Mainly this involved changing
		the "nowsp" canonicalization to "relaxed", and allowing
		specification of different canonicalizations for header
		and body.
	Don't allow the header to end with "\n\t" in dkim_getsighdr().
		Problem reported by Sung-hoon Choi of Dreamwiz.
	Report "neutral" instead of "fail" for failed verifications
		when the key was marked as being in test mode.  Patch from
		Sung-hoon Choi of Dreamwiz.
	Allow "-d" to specify a file from which domain names should be read,
		and allow domain names to contain wildcards.
	Fix bug #SF1243980: An empty key granularity matches nobody.  Reported
		by Jim Fenton of Cisco.
	LIBAR: Fix bug #SF1282755: Fix a build issue introduced in the
		last release.  Reported by Fredrik Pettai.

0.1.1		2005/07/21
	Prevent a garbage pointer free() in dkim_free().  Reported by
		S. Moonesamy of Eland Systems.
	Fix bug #SF1241118: Don't add an Auth-Results header for messages
		which are unsigned and come from a domain that doesn't
		advertise a signs-all policy.  Reported by S. Moonesamy of
		Eland Systems.
	Report "neutral" instead of "fail" for domains advertising test
		mode in their policies.
	Feature request #SF1238617: Add a compile-time option to map
		smfi_insheader() to smfi_addheader() on machines with older
		MTA and libmilter versions.

0.1.0		2005/07/13
	Initial public open source release.
