Re: OpenDKIM v2.7.0 released

From: Steve Jenkins <>
Date: Thu, 25 Oct 2012 13:43:44 -0700

On Wed, Oct 24, 2012 at 1:48 PM, Murray S. Kucherawy <> wrote:
> The Trusted Domain Project announces availability of OpenDKIM v2.7.0, now
> available for download from SourceForge.
> This is a major release, with some new features and some bug fixes. None
> of the fixes or features are critical, so upgrading is not mandatory unless
> one of these changes resolves a current issue.
> Among the major changes in this release:
> o SECURITY: The library will now decline to generate a signature, or pass even
> a valid signature, if the signing key is comprised of too few bits, thus
> being insecure. The default is 1024. This can be controlled through the
> API, and the setting can also be adjusted in the filter via the new
> "MinimumKeyBits" setting.
> o Support for libar (the provided asynchronous resolver library) has been
> discontinued. Instead, use either libunbound or a thread-safe version
> of the BIND resolver.
> o Per RFC6648, "X-" header fields are now discouraged. Accordingly,
> we no longer generate (or expect) any. This also means the "X-Header"
> configuration file item has been renamed to "SoftwareHeader". Configuration
> files referring to the old name will need to be updated.
> o All copyrights have been updated to reflect that The Trusted Domain Project
> is the copyright holder. The OpenDKIM Project is now an initiative of that
> organization.
> o A third experimental domain reputation system has been added. Look in the
> new reprrd/ directory for more information.
> The full RELEASE_NOTES for this version:
> 2.7.0 2012/10/24
> Feature request #SF2964375: Reject configuration files that have
> a SigningTable referencing a missing or malformed KeyTable
> entry.
> Feature request #SF3544764: Support for libar has been discontinued.
> For asynchronous and/or thread-safe resolver service,
> use libunbound or a suitable version of BIND.
> Feature request #SF3545658: Replace "ResolvConf" with "Nameservers"
> and add support for NS list overrides for versions of bind
> that have res_setservers(). Also rename "UnboundConfigFile"
> to "ResolverConfiguration", and make "TrustAnchorFile"
> generally available.
> Feature request #SF3547124: Skip reputation checks on passing
> signatures whose keys had a "t=y" value.
> Feature request #SF3555842: Add "ReputationTest" setting. Requested
> by Andreas Schulze.
> Feature request #SF3556439: Update opendkim-atpszone per RFC6541.
> Feature request #SF3559744: Add library option DKIM_OPTS_MINKEYBITS
> allowing one to specify a minimum number of key bits for
> acceptable keys and signatures. This is exposed through new
> configuration file option "MinimumKeyBits". The default
> is 1024.
> Fix bug #SF3536414: Activate _FFR_OVERSIGN, and remove
> Fix bug #SF3536655: Rename "X-Header" to "SoftwareHeader", and rename
> all header fields added that start "X-" to remove that prefix,
> per RFC6648. The old name will be accepted through the end
> of the 2.7.x line.
> Fix bug #SF3538896: Remove antiquated CVS Id: tags, which cleans up
> some (harmless) build warnings. Suggested by Andreas Schulze.
> Fix bug #SF3548741: Add "ReputationTimeout" for use inside
> _FFR_REPUTATION, rather than using the built-in default
> or a hard-coded one.
> Fix bug #SF3549307: Remove _FFR_REPUTATION_CACHE, as it is redundant
> to caching code that's part of _FFR_REPUTATION already.
> Fix bug #SF3555844: Get repute client code in sync with repute.php
> (and the current REPUTE WG drafts). Problem noted by
> Andreas Schulze.
> Fix bounds checking in the dstring printf functions.
> Fix loop structure in the C side of odkim.get_rcpt(). Problem
> noted by Todd Lyons.
> Change all temporary directory defaults from /var/tmp to /tmp.
> Activate _FFR_LUA_GLOBALS.
> Request the milter permissions required to get _FFR_REDIRECT working.
> Patch from Andreas Schulze.
> Add _FFR_REPRRD, which is a second approach to DKIM-based reputation
> using round robin databases and Holt-Winters forecasting
> using rrdtool (see Still
> experimental.
> Patch #SF3555843: With sufficient verbosity, report the default
> configuration file path. Patch from Andreas Schulze.
> BUILD: Fix bug #SF3531658: Move the strlcat() and strlcpy()
> implementations to their own library so that programs don't
> drag in crypto and other dependencies they don't need.
> Also clean up several other unnecessary dependencies imposed
> by imprecise use of autoconf. Problem noted by Andreas
> Schulze.
> BUILD: Patch #SF3555845: Add support for older versions of libcurl.
> Based on a patch by Andreas Schulze.
> BUILD: Install non-user things in sbin instead of bin. Suggested
> by Andreas Schulze.
> LIBOPENDKIM: Feature request #SF3565006: Add dkim_add_querymethod()
> and dkim_sig_seterror(), define DKIM_CBSTAT_DEFAULT, and
> remove an assertion in dkim_get_key_dns(), which together
> allow for applications to develop non-standard key retrieval
> mechanisms. Suggestion and patches from Ken Murchison.
> LIBOPENDKIM: Fix bug #SF3559080: Log correct domains and selectors
> with SSL errors.
> LIBOPENDKIM: Add DNS functions dkim_dns_config(), dkim_dns_init(),
> dkim_dns_nslist(), dkim_dns_set_init(), dkim_dns_set_close(),
> dkim_dns_set_nslist(), dkim_dns_set_config(),
> dkim_dns_set_trustanchor(), dkim_dns_trustanchor().
> alteration of the mandatory header field set. Patch from
> Ken Murchison.
> LIBOPENDKIM: If "q=" is present and method "dns" is specified, it
> must be followed by "/txt", per RFC6376.
> LIBOPENDKIM: For dkim_add_xtag(), copy the provided values so the
> caller doesn't have to keep them around.
> LIBOPENDKIM: Allow dual signing of a single body with dkim_resign().
> Suggested by Ken Murchison.
> STATS: Fix bug #SF3555847: Add "--nocircles" to opendkim-gengraphs
> to allow operation with versions of gnuplot that don't know
> what "with circles" means. Problem noted by Andreas
> Schulze.
> STATS: Patch #SF3555841: Temporary table SQL correction. Patch from
> Andreas Schulze.
> TOOLS: Feature request #SF3553918: Add "-u" flag to opendkim-atpszone
> and opendkim-genzone enabling them to produce output suitable
> for use as input to nsupdate(8). Based on a suggestion by
> Dave Crocker.
> TOOLS: Feature request #SF3558818: Teach opendkim-testkey about the new
> "ResolverConfiguration" setting. Based on a problem report
> from Patrick Ben Koetter.
> TOOLS: Fix bug #SF3565013: Replace opendkim-genkey with a perl script
> that knows how to do splitting of character-strings in DNS
> TXT records. Problem reported by Todd Lyons.
> TOOLS: Fix bug #SF3568846: Add "-t" to opendkim-testmsg to allow
> override of the directory where temporary files go. Also,
> clean up temporary files after creating them.
> TOOLS: Add opendkim-rephistory.
> Please use the mailing lists at to report problems.
> Bug reports and feature requests can be made through the project trackers,
> which can be found via
> The Trusted Domain Project

Congrats. I'll start finalizing an updated RHEL package. :)

Received on Thu Oct 25 2012 - 20:43:58 PST
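
The minimum key size check announced above ("MinimumKeyBits", default 1024) can be audited from the DNS side by measuring the RSA modulus in a published key record, including one split across several TXT character-strings. This is an added example, not OpenDKIM code: the function names are hypothetical, and the sample records are constructed with a placeholder modulus rather than a real key.

```python
import base64

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_key_bits(spki_der):
    """Modulus size in bits of an RSA SubjectPublicKeyInfo (the decoded p= value)."""
    tag, spki, _ = _tlv(spki_der, 0)        # SEQUENCE { algorithm, subjectPublicKey }
    _, _, pos = _tlv(spki, 0)               # skip AlgorithmIdentifier
    tag2, bitstr, _ = _tlv(spki, pos)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x30 or tag2 != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa, _ = _tlv(bitstr, 1)             # SEQUENCE { modulus, publicExponent }
    _, modulus, _ = _tlv(rsa, 0)            # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(txt_strings, min_bits=1024):
    """Return (bits, acceptable) for a DKIM key record given as TXT character-strings."""
    record = "".join(txt_strings)           # strings are concatenated with no separator
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("no RSA key in record (other key type or revoked)")
    bits = rsa_key_bits(base64.b64decode(tags["p"]))
    return bits, bits >= min_bits

def _der(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_record(bits):
    """Constructed test record: well-formed DER, but the modulus is a placeholder."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")   # leading 0x00 = positive
    rsa = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    p = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa))).decode()
    return ["v=DKIM1; k=rsa; p=" + p[:100], p[100:]]             # split like a long TXT RR
```

Calling `check_key_record(sample_record(512))` returns `(512, False)`; pass the character-strings of a real selector's TXT record in place of the sample to audit a deployed key.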
