Release notes

This file contains notes for each release, summarizing changes and explicitly noting backward-incompatible changes or known security issues.

1.14.0 (2024-04-21)

• Add built-in DKIM signing and verification.
• Rename master branch to main. Docker users pulling from the master docker label should update the label accordingly. No action is needed if using latest.
• Starting with this release, version numbers will be SemVer-compatible, to help integration with other software that expects it (e.g. pkg.go.dev).

1.13 (2023-12-24)

Security fixes:

• Strict CRLF enforcement in DATA contents, to prevent SMTP smuggling attacks (CVE-2023-52354).
  RFC5322 and RFC5321 say that the only valid newline terminator in SMTP is CRLF.
  When an invalid newline terminator is found in an incoming message, the connection is now aborted immediately (previous releases also accepted LF-terminated lines).
  The MTA courier now uses CRLF-terminated lines (previous releases used LF-terminated lines).

Other changes:

• Add support for receive-only users.
• Reject empty listening addresses, to help prevent accidental misconfiguration. To prevent chasquid from listening, just comment out the entry in the config.
• docker/add-user.sh: Support getting email and password from env variables.

1.12 (2023-10-07)

• Support aliases with drop characters and suffix separators.
• Improved delivery on some low-level TLS negotiation errors.
• smtp-check: Add flag to specify local name.
• chasquid-util: aliases-resolve and domaininfo-remove subcommands now talk to the running server. That results in more authoritative answers, and performance improvements.
• chasquid-util: Remove aliases-add subcommand. This was an undocumented command that was added a while ago, and there is no need for it anymore.
• Handle symlinks under the certs/ directory.

1.11 (2023-02-19)

• New tracing library for improved observability.
• Update fuzz tests to the new standard infrastructure.

1.11.1 (2023-12-26)

Backport the security fixes from 1.13 (Strict CRLF enforcement in DATA contents, fixes CVE-2023-52354).

1.10 (2022-09-01)

• Support catch-all aliases.
• Fix bug in Docker image with user-provided certificates.
• Miscellaneous test improvements.

1.9 (2022-03-05)

• Improve certificate validation logic in the SMTP courier.
• Remove alias-exists hook, and improve aliases resolution logic.
• Support "" values for drop_characters and suffix_separators in the configuration file.

1.8 (2021-07-30)

• Stricter error checking to help prevent cross-protocol attacks (like ALPACA).
• Allow authenticating users without an @domain part.
• Add integration for chasquid-rspamd and dkimpy in the example hook.
• Add a -to_puny option to mda-lmtp, to punycode-encode addresses.
• Use application/openmetrics-text as content type in the openmetrics exporter.

1.7 (2021-05-31)

• chasquid-util no longer depends on the unmaintained docopt-go. If you relied on undocumented parsing behaviour before, your invocations may need adjustment. In particular, --a b is no longer supported, and --a=b must be used instead.
• Improve handling of errors when talking to Dovecot for authentication.
• Fix handling of hostname option in the Docker image.
• Miscellaneous documentation and test improvements.

1.6 (2020-11-22)

• Pass the EHLO domain to the post-data hook.
• Add /exit endpoint to monitoring server.
• Implement HAProxy protocol support (experimental).
• Documentation updates.

1.5 (2020-09-12)

• Add OpenMetrics exporter (compatible with Prometheus).
• Support log rotation via SIGHUP, and other misc. logging improvements.
• Fix error code on transient authentication issues.
• Fix rspamd greylist action handling in the default hook.
• Miscellaneous monitoring server improvements.

1.4 (2020-05-22)

• Use the configured hostname in outgoing SMTP HELO/EHLO.
• Allow config overrides from the command line.
• Miscellaneous test improvements and code cleanups.

1.3 (2020-04-12)

• Improved handling of DNS temporary errors.
• Documentation updates (use of SRS when forwarding, Dovecot troubleshooting, Arch installation instructions).
• Miscellaneous test improvements and cleanups.

1.2 (2019-12-06)

Security fixes:

• DoS through memory exhaustion due to not limiting the line length (on both incoming and outgoing connections). Thanks to Max Mazurov (fox.cpp@disroot.org) for the initial report.

Release notes:

• Fix handling of excessive long lines on incoming and outgoing connections.
• Better error codes when DATA size exceeded the maximum.
• New documentation sections (monitoring, release notes).
• Many miscellaneous test improvements.

1.1 (2019-10-26)

• Added hooks for aliases resolution.
• Added rspamd integration in the default post-data hook.
• Added chasquid-util aliases-add subcommand.
• Expanded SPF support.
• Documentation and test improvements.
• Minor bug fixes.

1.0 (2019-07-15)

No backwards-incompatible changes. No more are expected within this major version.

• Fixed a bug on early connection deadline handling.
• Make DSN tidier, especially in handling multi-line errors.
• Miscellaneous test improvements.

0.07 (2019-01-19)

No backwards-incompatible changes.

• Send enhanced status codes.
• Internationalized Delivery Status Notifications (DSN).
• Miscellaneous test improvements.
• DKIM integration examples and test.

0.06 (2018-07-22)

No backwards-incompatible changes.

• New MTA-STS (Strict Transport Security) checking.

0.05 (2018-06-05)

No backwards-incompatible changes.

• Lots of new tests.
• Added a how-to and manual pages.
• Periodic reload of domaininfo, support removing entries manually.
• Dovecot auth support no longer considered experimental.

0.04 (2018-02-10)

No backwards-incompatible changes.

• Add Dovecot authentication support (experimental).
• Miscellaneous bug fixes to mda-lmtp and tests.

0.03 (2017-07-15)

Backwards-incompatible changes:

• The default MTA binary has changed. It's now maildrop by default. If you relied on procmail being the default, add the following to /etc/chasquid/chasquid.conf: mail_delivery_agent_bin: "procmail".
• chasquid now listens on a third port, submission-on-TLS. If using systemd, copy the etc/systemd/system/chasquid-submission_tls.socket file to /etc/systemd/system/, and start it.

Release notes:

• Support submission (directly) over TLS (submissions/smtps/port 465).
• Change the default MDA binary to maildrop.
• Add a very basic MDA that uses LMTP to do the mail delivery.

0.02 (2017-03-03)

No backwards-incompatible changes.

• Improved configuration checks and safeguards.
• Fall back through the MX list on errors.
• Experimental MTA-STS implementation (disabled by default).

0.01 (2016-11-03)

Initial release.