UnrealIRCd 4.0.16 released

Posted: Sun Nov 12, 2017 7:36 am
by Syzop
Hi everyone,

UnrealIRCd 4.0.16 (stable) is now available for download. This release consists of a huge amount of enhancements and other changes.

Thanks to everyone who previously tested the release candidate.

Improvements:
  • There's now an easy method to remove spamfilters. '/SPAMFILTER del' will show a list of spamfilters along with the appropriate command to remove them (by id).
  • CAP v3.2 support.
  • CAP 'cap-notify': notify users of any CAP changes.
  • CAP 'extended-join': show account and gecos in JOIN.
  • CAP 'chghost': notify on user/host changes. Note that if you use set::allow-userhost-change force-rejoin then clients which support CAP 'chghost' will not see the PART+JOIN+MODE sequence as it is unnecessary. They already receive a "CHGHOST" message as part of CAP 'chghost' instead.
  • Updated CAP 'sasl' to specification 3.2 (includes mechlist).
  • Automatically discover SASL server if saslmechlist is sent by services and set::sasl-server is not set by the administrator. This should help to get more networks to support SASL automatically (if you run up-to-date services, of course).
  • We send "CAP DEL sasl" if set::sasl-server squits and a "CAP NEW" message when the server returns (to cap-notify and CAPv3.2 clients).
  • Added password::type 'spkifp'. It's similar to 'sslclientcertfp' but is a hash based on the public TLS key rather than the certificate. The benefit of this is that the 'spkifp' can stay the same even if you get a new certificate from Let's Encrypt. Note that 'certbot' does not re-use keys by default so you will still get a different spkifp every 60-90 days. Consider using another (3rd party) client or tell the certbot guys to finally implement --reuse-key at https://github.com/certbot/certbot/issues/3788
  • The command './unrealircd spkifp' will output the SPKI fingerprint.
  • New option set::handshake-delay will delay the handshake (when a user is connecting) up to this amount of time.
  • If you have any blacklist { } block then UnrealIRCd will set a set::handshake-delay of 2 seconds by default. This will allow (most) DNSBL checking to be finished before the user comes online, while still allowing a smooth user experience. If your DNS(BL) is slow then you could raise this setting slightly.
  • You can now have multiple webirc { } blocks with the same mask. This permits multiple blocks like..

        webirc {
            mask *;
            password "....." { sslclientcertfp; };
        };

    ..should you need it. In other words: we don't stop matching upon an authentication failure.
  • Move CONNECTTIMEOUT to set::handshake-timeout.
  • Move MAXUNKNOWNCONNECTIONSPERIP to set::max-unknown-connections-per-ip.
  • Add set { cloak-method ip; }; which will make cloaking only be done on the IP and thus result in an XX.YY.ZZ.IP cloaked host. This is so you can have "IP cloaking" without disabling DNS lookups. GLINES on hosts still work and IRCOps (and yourself) can still see the host in /WHOIS.
  • New option set { ban-include-username yes; }; which will make bans placed by spamfilters (and some other systems) to be placed not on *@ip but on user@ip. Note that this won't work for ZLINE/GZLINE since no ident/username lookups are done in such cases.
Major issues fixed
  • None
Minor issues fixed
  • Gracefully handle incorrect server-to-server messages. These no longer cause UnrealIRCd to crash. Note that this does not mean you can now go send random RAW messages from a trusted server connection. Doing so can cause desynchs, KILLs and SQUITs. We just try not to crash anymore.
  • A small memory leak upon 'DNS i' (IRCOp only command)
Removed:
  • Various old config.h settings that didn't have any effect.
  • A few config.h settings that should never be turned off have been removed altogether (eg: NO_FLOOD_AWAY is now always on).
  • The deprecated and unused commands "CAP CLEAR" and "CAP ACK".
Other changes:
  • When linking servers and not having any certificate validation, UnrealIRCd will give you specific instructions on how to use password::spkifp or verify-certificate. This is to fix a possible Man-in-the-Middle attack. Note that you'll only see this message when linking two servers that are 4.0.16+.
  • When a user does a nick change from a registered nick you will now see the user mode -r. Previously this happened invisibly.
  • The default oper snomask now includes 'S' (spamfilter notices).
For module coders:
  • API change for HOOKTYPE_PRE_INVITE:

        int hook_pre_invite(aClient *sptr, aClient *target, aChannel *chptr, int *override)

    Modules must now send the error message instead of only returning HOOK_DENY. Also check for operoverride and set *override=1.
  • Please use the following procedure in case of a user/host change:

        userhost_save_current(acptr);
        /* now do what you need to do: like change username or hostname */
        userhost_changed(acptr);

    This function will take care of notifying other clients about the userhost change, such as doing PART+JOIN+MODE if force-rejoin is enabled, and sending :xx CHGHOST user host messages to "CAP chghost" capable clients.
For services coders:
  • If you provide SASL then please send the mechlist like this:

        MD client your.services.server saslmechlist :EXTERNAL,PLAIN
  • Don't forget to send an EOS (End Of Synch) at the end of the handshake, if you are not doing so already. It's important:

        :your.services.server EOS
As always, you can download UnrealIRCd from www.unrealircd.org.
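
Added example (not part of the original announcement and not UnrealIRCd code): why the 'spkifp' password type described above survives a certificate renewal while a whole-certificate fingerprint does not. The sample certificates are constructed, unsigned skeletons with placeholder key bytes, and the base64-of-SHA-256 output encoding is an assumption; './unrealircd spkifp' gives the authoritative value.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo element (header included) of a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # enter Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)      # enter tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                # skip optional [0] version
        pos = read_tlv(cert_der, pos)[2]
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        pos = read_tlv(cert_der, pos)[2]
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def sha256_b64(data):
    # Assumed output encoding (base64 of SHA-256); './unrealircd spkifp' is authoritative.
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def der(tag, *parts):
    """Tiny DER encoder for the constructed samples below (short lengths only)."""
    body = b"".join(parts)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_cert(serial, not_after, spki):
    """Constructed, unsigned certificate skeleton: right shape, placeholder contents."""
    validity = der(0x30, der(0x17, b"171112000000Z"), der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              der(0x30), der(0x30), validity, der(0x30), spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

# Constructed placeholder key material, not a real public key.
SAMPLE_SPKI = der(0x30, der(0x30), der(0x03, b"\x00" + bytes(range(65))))
OLD_CERT = sample_cert(1, b"180210000000Z", SAMPLE_SPKI)
RENEWED_CERT = sample_cert(2, b"180511000000Z", SAMPLE_SPKI)   # same key, new cert

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("renewed", RENEWED_CERT)):
        print(name, "cert fp:", sha256_b64(cert), "spki fp:", sha256_b64(extract_spki(cert)))
```

For a real PEM certificate, convert it with ssl.PEM_cert_to_DER_cert() from the Python standard library before passing it to extract_spki().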