UnrealIRCd 4.2.0 released

Posted: Sun Sep 30, 2018 6:36 am
by Syzop
Hi everyone,

There have been so many changes in this and the last few 4.0.x versions, it justifies calling this new release UnrealIRCd 4.2.0.

Marking the beginning of the 4.2 series, this release introduces features such as "soft klines" and "soft actions". A significant number of optional modules are now loaded as default, including timed channel bans and textbans. Also, a lot more smaller changes are included in this release, such as fixes for TLSv1.3 and experimental WHOX support. See further down for a full list of changes.

NOTE: Version 4.2.0 is the direct successor to 4.0.18. There will be no further 4.0.x releases (in particular there will be no 4.0.19). For more information, see the FAQ item: Questions about the new 4.2.x series.

Upgrade advice: if you are conservative about upgrades then feel free to wait for 4.2.1. Other than some blacklist fixes there are no major bugs fixed. This release is mostly about new features + some minor fixes.

Changes between version 4.0.18 and 4.2.0:

  • New option to disable a module: blacklist-module "modulename";
    This will cause any 'loadmodule' lines for that module to be ignored. This is especially useful if you only want to disable a few modules that are (normally) automatically loaded by conf/modules.default.conf.
  • Next three new features have to do with SASL. More information on SASL in general can be found here.
    • A new require sasl { } block which allows you to force users on the specified hostmask to use SASL. Any unauthenticated users matching the specified hostmask are rejected.
    • New "soft kline" and "soft gline". These will not be applied to users that are authenticated to services using SASL. These are just GLINE/KLINE's but prefixed with a percent sign:
      Example: /KLINE %*@10.* 0 Only SASL allowed from here
    • New "soft" ban actions for spamfilter, blacklist, antirandom, etc.
      Actions such as "soft-kline" and "soft-kill" will only be applied to unauthenticated users. Users who are authenticated to services (SASL) are exempt from the corresponding spamfilter/blacklist/antirandom/..
      See for the full action list.
    • WARNING: If your network is not 100% on v4.2.x then it is not recommended to use global soft bans (such as soft gline or any spamfilter with soft-xx actions). There won't be havoc, but the bans won't be effective on parts of the network. Local soft bans such as a soft /kline can still be used.
  • The following extban modules are not new but are now enabled by default: extbans/textban, extbans/timedban and extbans/msgbypass. In case you don't like them, use blacklist-module as mentioned earlier.
    These modules provide the following functionality:
    • TextBan: +b ~T:block:*badword* to block sentences with 'badword'
    • Timed bans: ~t:duration:mask
      These are bans that are automatically removed by the server. The duration is in minutes and the mask can be any ban mask.
      Some examples:
      • A 5 minute ban on a host: +b ~t:5:*!*@host
      • A 5 minute quiet ban on a host (unable to speak): +b ~t:5:~q:*!*@host
      • An invite exception for 1440m/24hrs: +I ~t:1440:*!*@host
      • A temporary exempt ban for a services account: +e ~t:1440:~a:Account
      • Allows someone to speak through +m for the next 24hrs: +e ~t:1440:~m:moderated:*!*@host
      • And any other crazy ideas you can come up with...
    • Timedban support in +f [5t#b2]:10 (set 2 minute ban on text flood).
    • Ban exception ~m:type:mask which allows bypassing of message restrictions.
      Valid types: 'external' (bypass +n), 'moderated' (bypass +m/+M), 'censor' (bypass +G), 'color' (bypass +S/+c) and 'notice' (bypass +T).
      Some examples:
      • Let LAN users bypass +m: +e ~m:moderated:*!*@192.168.*
      • Let ops in #otherchan bypass +m in this channel: +e ~m:moderated:~c:@#otherchan
      • Make GitHub commit bot bypass +n: +e ~m:external:*!*@ipmask
      • Allow a services account to use color: +e ~m:color:~a:ColorBot
  • AntiRandom: The module will now (by default) exempt WEBIRC gateways from antirandom checking because they frequently cause false positives. This new behavior can be disabled via: set { antirandom { except-webirc no; }; }
  • Server linking attempts and errors are now also put in the log file.
  • A new module that provides WHOX support, an enhanced and more standard version of WHO (NOTE: the command is still "WHO").
    This allows, among other things, the client to request additional information, such as which services account each channel member is using.
    The module is currently experimental. To use it, add this to your conf: loadmodule "m_whox";
Major issues fixed
  • Blacklist + WEBIRC: Potential crash issue when concurrently checking DNSBL for a trusted WEBIRC gateway and the spoofed host.
  • Blacklist: In case of multiple blacklists the 2nd/3rd/.. blacklists were not always checked properly.
Minor issues fixed
  • Remote includes: ./Config didn't properly detect libcurl on Ubuntu 18 (and possibly other Linux distributions as well)
  • Timeouts during server linking attempts were not displayed.
  • Delayjoin: Halfops did not see JOIN's when channel mode +D was set.
  • IRCOps with minimal privileges lost their user modes on MODE change.
  • IRCOps could not override channel mode +z (when not using SSL/TLS)
  • Channel names sometimes truncated if using accents or special chars.
  • TLSv1.3 ciphersuite setting was changed to reflect OpenSSL's behavior. There is now set::ssl::ciphersuites, specifically for TLSv1.3.
    Note that the default is perfectly fine so at this point in time it shouldn't need any adjustment (but the option is there...).
Removed: Other changes:
  • Windows users may be prompted to install the Visual C++ redistributable package for Visual Studio 2017. This is because we now build on VS 2017 instead of VS 2012.
  • We now use standard formatted messages for all K-Lines, G-Lines and any other bans that will cause the user to be disconnected. For technical details see the banned_client() function.
  • The except throttle { } block now also overrides any limitations from set::max-unknown-connection-per-ip. Useful for WEBIRC gateways.
  • Localhost connections are considered secure, so these can be used even if you have a plaintext-policy of 'deny' or 'warn'. (This was already the case for servers, but now also for users and opers)
  • Allow slashes in vhost/chghost/sethost/.. (but not through DNS)
For module coders:
  • Windows: Be aware that we now build with Visual Studio 2017. This means 3rd party modules should be compiled with VS 2017 (or VS 2015) as well.
Future versions (heads up):
  • We intend to change the default plaintext oper policy from warn to deny later this year. This will deny /OPER when issued from a non-SSL connection. For security, IRC Operators should really use SSL/TLS when connecting to an IRC server!
As always, you can download UnrealIRCd from
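
The timed ban (~t:duration:mask) and message bypass (~m:type:mask) syntax from the list above can be checked before an entry is set on a channel. The following is an added example, not part of the original post and not UnrealIRCd code: the function names are hypothetical, and flagging a `*!*@*` bypass is this example's own review rule, not server behaviour.

```python
from datetime import datetime, timedelta

# ~m:type:mask bypass types and the channel modes they override (from the list above).
BYPASS_TYPES = {"external": "+n", "moderated": "+m/+M", "censor": "+G",
                "color": "+S/+c", "notice": "+T"}

def parse_ban(entry):
    """Parse a +b/+e/+I entry into a nested dict.

    ~t:minutes:mask and ~m:type:mask are parsed recursively; every other
    extban (~q, ~a, ~c, ~T, ...) is kept as an opaque letter plus value.
    """
    if not entry.startswith("~"):
        return {"kind": "mask", "mask": entry}
    letter, _, rest = entry[1:].partition(":")
    if len(letter) != 1 or not rest:
        raise ValueError(f"malformed extban: {entry!r}")
    if letter in ("t", "m"):
        # Split on the first ':' only, so IPv6 masks in the tail survive.
        arg, _, inner = rest.partition(":")
        if not inner:
            raise ValueError(f"missing mask: {entry!r}")
        if letter == "t":
            if not (arg.isascii() and arg.isdigit()):
                raise ValueError(f"duration must be whole minutes: {entry!r}")
            return {"kind": "timed", "minutes": int(arg), "inner": parse_ban(inner)}
        if arg not in BYPASS_TYPES:
            raise ValueError(f"unknown bypass type {arg!r}: {entry!r}")
        return {"kind": "bypass", "type": arg, "inner": parse_ban(inner)}
    return {"kind": "extban", "letter": letter, "value": rest}

def expiry(entry, set_at):
    """When the server removes a ban set at `set_at`; None if it is not timed."""
    ban = parse_ban(entry)
    if ban["kind"] != "timed":
        return None
    return set_at + timedelta(minutes=ban["minutes"])

def review(entries):
    """Return (entry, finding) pairs for a channel's exception list."""
    findings = []
    for entry in entries:
        try:
            ban = parse_ban(entry)
        except ValueError as exc:
            findings.append((entry, str(exc)))
            continue
        node = ban["inner"] if ban["kind"] == "timed" else ban
        if node["kind"] == "bypass" and node["inner"].get("mask") == "*!*@*":
            findings.append((entry, f"everyone bypasses {BYPASS_TYPES[node['type']]}"))
    return findings
```

Nested entries such as `~t:1440:~m:moderated:*!*@host` parse into a timed node wrapping a bypass node, so `review()` sees through the timer to the exception it grants.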