postfix/RELEASE_NOTES-2.9

The stable Postfix release is called postfix-2.9.x where 2=major
release number, 9=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-2.10-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
before proceeding.

Major changes - critical
------------------------

[Incompat 20110321] You need to "postfix reload" after upgrade from
snapshot 20110320 or earlier.  The hash_queue_names algorithm was
changed to provide better performance with long queue IDs.

[Incompat 20110313] Use "postfix reload" after "make upgrade" on a
running Postfix system. This is needed because the protocol between
postscreen(8) and dnsblog(8) has changed.

Major changes - library API
---------------------------

[Incompat 20110130] The VSTREAM error flags are now split into
separate read and write error flags. As a result of this change,
all programs that use Postfix VSTREAMs MUST be recompiled.

Major changes - compatibility
-----------------------------

[Incompat 20111012] For consistency with the SMTP standard, the
(client-side) smtp_line_length_limit default value was increased
from 990 characters to 999 (i.e. 1000 characters including <CR><LF>).
Specify "smtp_line_length_limit = 990" to restore historical Postfix
behavior.

[Incompat 20111012] To simplify integration with third-party
applications, the Postfix sendmail command now always transforms
all input lines ending in <CR><LF> into UNIX format (lines ending
in <LF>). Specify "sendmail_fix_line_endings = strict" to restore
historical Postfix behavior (i.e. convert all input lines ending
in <CR><LF> only if the first line ends in <CR><LF>).

[Incompat 20111106] To work around broken remote SMTP servers, the
Postfix SMTP client by default no longer appends the "AUTH=<>"
option to the MAIL FROM command.  Specify "smtp_send_dummy_mail_auth
= yes" to restore the old behavior.

Major changes - gradual degradation
-----------------------------------

[Incompat 20120114] Logfile-based alerting systems may need to be
updated to look for "error" messages in addition to "fatal" messages.
Specify "daemon_table_open_error_is_fatal = yes" to get the historical
behavior (immediate termination with "fatal" message).

[Feature 20120114] Instead of terminating immediately with a "fatal"
message when a database file can't be opened, a Postfix daemon
program now logs an "error" message, and continues execution with
reduced functionality.  For the sake of sanity, the number of
"errors" over the life of a process is limited to 13.

Features that don't depend on the unavailable table will continue
to work; attempts to use features that depend on the table will
fail, and will be logged with a "warning" message.

[Feature 20120108] Instead of terminating with a fatal error, the
LDAP, *SQL and memcache clients now handle table lookup errors in
the "domain" feature, instead of terminating with a fatal error.

[Feature 20120102] Degrade gradually when some or all network
protocols specified with inet_protocols are unavailable, instead
of terminating with a fatal error. This eliminates build errors on
non-standard systems where opening an IPv4 socket results in an
error, and on non-standard systems where opening an IPv6 socket
results in an error. In the worst case, the master daemon will log
a message that it disables all type "inet" services. This will still
allow local submission and local delivery.

[Feature 20111222] Instead of terminating with a fatal error, the
Postfix SMTP server now handles errors with database lookups in
mynetworks, TLS client certificate tables, debug_peer_list,
smtpd_client_event_limit_exceptions, permit_mx_backup_networks and
local_header_rewrite_clients, and reports "server local data error"
or "temporary lookup error".

[Feature 20111229] Instead of terminating with a fatal error, the
trivial-rewrite server now handles errors with database lookups in
virtual_alias_domains, relay_domains, virtual_mailbox_domains.  This
means fewer occasions where trivial-rewrite clients (such as the
SMTP server) will appear to hang.

Major changes - long queue IDs
------------------------------

Postfix 2.9 introduces support for non-repeating queue IDs (also
used as queue file names). These names are encoded in a mix of upper
case, lower case and decimal digit characters.  Long queue IDs are
disabled by default to avoid breaking tools that parse logfiles and
that expect queue IDs with the smaller [A-F0-9] character set.

[Incompat 20110320] If you enable support for long queue file names,
you need to be aware that these file names are not compatible with
Postfix <= 2.8.  If you must migrate back to Postfix <= 2.8, you
must first convert all long queue file names into short names,
otherwise the old Postfix version will complain.

The conversion procedure before migration to Postfix <= 2.8 is:

    # postfix stop
    # postconf enable_long_queue_ids=no
    # postsuper

Run the postsuper command repeatedly until it no longer reports
queue file name changes.

[Feature 20110320] Support for long, non-repeating, queue IDs (queue
file names).  The benefit of non-repeating names is simpler logfile
analysis, and easier queue migration (if you don't merge different
queues, there is no need to run "postsuper" to change queue file
names that don't match their message file inode number).

Specify "enable_long_queue_ids = yes" to enable the feature. This
does not change the names of existing queue files. See postconf(5)
or postconf.5.html#enable_long_queue_ids for a detailed description
of the differences with the old short queue IDs.

This changes new Postfix queue IDs from the short form 0FCEE9247A9
into the longer form 3Ps0FS1Zhtz1PFjb, and changes new Message-ID
header values from YYMMDDHHMMSS.queueid@myhostname into the shorter
form queueid@myhostname.

Major changes - memcache
------------------------

[Feature 20111209] memcache lookup and update support. This provides
a way to share postscreen(8) or verify(8) caches between Postfix
instances.  See MEMCACHE_README and memcache_table(5) for details
and limitations.

[Feature 20111213] Support for a persistent backup database in the
memcache client.  The memcache client updates the memcache whenever
it looks up or modifies information in the persistent database.

Major changes - postconf
------------------------

The postconf command was restructured - it now warns about unused
parameter name=value settings in main.cf or master.cf (likely to
be mistakes), it now understands "dynamic" parameter names such as
parameters whose name depends on the name of a master.cf entry, and
it can display main.cf and master.cf in a more user-friendly format.

[Feature 20120117] support for legacy database parameter names
(main.cf parameter names that are generated by prepending a suffix
to the database name).

[Feature 20111118] The "postconf -M" (display master.cf) command
now supports filtering.  For example, specify "postconf -M inet"
to display only services that listen on the network.

[Feature 20111113] postconf support to warn about unused "name=value"
entries in main.cf, and about unused "-o name=value" entries in
master.cf.  This should help to eliminate common errors with mis-typed
names.

[Feature 20111108] postconf support for parameter names that are
generated automatically from master.cf entries (delivery agents,
spawn services), and for parameter names that are defined with
main.cf smtpd_restriction_classes.

[Feature 20111106] "postconf -M" support to print master.cf entries,
and "postconf -f" support to fold long main.cf or master.cf lines
for human readability.

Major changes - trickle defense
-------------------------------

[Feature 20110212] Support for per-record deadlines.  These change
the behavior of Postfix timeout parameters, from a time limit per
read or write system call, to a time limit to send or receive a
complete record (an SMTP command line, SMTP response line, SMTP
message content line, or TLS protocol message).  This limits the
impact from hostile peers that trickle data one byte at a time.

The new configuration parameters and their default settings are:
smtpd_per_record_deadline (normal: no, overload: yes),
smtp_per_record_deadline (no), and lmtp_per_record_deadline (no).

Note: when per-record deadlines are enabled, a short time limit may
cause problems with TLS over very slow network connections.  The
reason is that a TLS protocol message can be up to 16 kbytes long
(with TLSv1), and that an entire TLS protocol message must be sent
or received within the per-record deadline.

Per-record deadlines were introduced with postscreen(8) in Postfix
2.8. This program does not receive mail, and therefore it has no
problems with TLS over slow connections.

Major changes - postscreen
--------------------------

[Feature 20111211] The proxymap(8) server can now be used to share
postscreen(8) or verify(8) caches between Postfix instances.  Support
for proxymap-over-TCP, to share a Postfix database between hosts,
is expected to be completed in the Postfix 2.10 development cycle.

[Feature 20111209] memcache lookup and update support. This provides
a way to share postscreen(8) or verify(8) caches between Postfix
instances.  

[Feature 20110228] postscreen(8) support to force remote SMTP clients
to implement proper MX lookup policy.  By listening on both primary
and backup MX addresses, postscreen(8) can deny the temporary
whitelist status to clients that connect only to backup MX hosts,
and prevent them from talking to a Postfix SMTP server process.

Example: when 1.2.3.4 is a local backup IP address, specify
"postscreen_whitelist_interfaces = !1.2.3.4 static:all".

Major changes - tls
-------------------

[Incompat 20111205] Postfix now logs the result of successful TLS
negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
other minor differences.

[Feature 20111205] Support for TLS public key fingerprint matching
in the Postfix SMTP client (in smtp_tls_policy_maps) and server (in
check_ccert access maps).  Public key fingerprints are inherently
more specific than fingerprints over the entire certificate.

[Feature 20111205] Revision of Postfix TLS logging. The main
difference is that Postfix now logs the result of successful TLS
negotiation with TLS logging levels of 0.  See the smtp_tls_loglevel
and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
other minor differences.

Major changes - sasl authentication
-----------------------------------

[Incompat 20111218] To support external SASL authentication, e.g.,
in an NGINX proxy daemon, the Postfix SMTP server now always checks
the smtpd_sender_login_maps table, even without having
"smtpd_sasl_auth_enable = yes" in main.cf.

[Feature 20111218] Support for external SASL authentication via the
XCLIENT command.  This is used to accept SASL authentication from
an SMTP proxy such as NGINX. This support works even without having
to specify "smtpd_sasl_auth_enable = yes" in main.cf.

[Incompat 20111106] To work around broken remote SMTP servers, the
Postfix SMTP client by default no longer appends the "AUTH=<>"
option to the MAIL FROM command.  Specify "smtp_send_dummy_mail_auth
= yes" to restore the old behavior.

Major changes - large file support
----------------------------------

[Feature 20110219] Postfix now uses long integers for message_size_limit,
mailbox_size_limit and virtual_mailbox_limit. On LP64 systems (64-bit
long and pointer, but 32-bit integer), these limits can now exceed
2GB.

Major changes - ipv6
--------------------

[Incompat 20110918] The following changes were made in default
settings, in preparation for general availability of IPv6:

- The default inet_protocols value is now "all" instead of "ipv4",
  meaning use both IPv4 and IPv6.  

  To avoid an unexpected loss of performance for sites without
  global IPv6 connectivity, the commands "make upgrade" and "postfix
  upgrade-configuration" now append "inet_protocols = ipv4" to
  main.cf when no explicit inet_protocols setting is already present.
  This workaround will be removed in a future release.

- The default smtp_address_preference value is now "any" instead
  of "ipv6", meaning choose randomly between IPv6 and IPv4. With
  this the Postfix SMTP client will have more success delivering
  mail to sites that have problematic IPv6 configurations.

Major changes - address verification
------------------------------------

[Feature 20111211] The proxymap(8) server can now be used to share
postscreen(8) or verify(8) caches between Postfix instances.  Support
for proxymap-over-TCP, to share a Postfix database between hosts,
is expected to be completed in the Postfix 2.10 development cycle.

[Feature 20111209] memcache lookup and update support. This provides
a way to share postscreen(8) or verify(8) caches between Postfix
instances.  

[Feature 20111203] Support for time-dependent sender addresses
of address verification probes. The default address, double-bounce,
may end up on spammer blacklists. Although Postfix discards mail
for this address, such mail still uses up network bandwidth and
server resources. Specify an address_verify_sender_ttl value of
several hours or more to frustrate address harvesting.

Major changes - session transcript notification
-----------------------------------------------

[Incompat 20120114] By default the Postfix SMTP server no longer
reports transcripts of sessions where a client command is rejected
because a lookup table is unavailable. Postfix now implements gradual
degradation, for example, the SMTP server keeps running instead of
terminating with a fatal error. This change in error handling would
result in a very large number of "transcript of session" email
notifications when an LDAP or *SQL server goes down).

To receive such reports, add the new "data" class to the notify_classes
parameter value. The reports will be sent to the error_notice_recipient
address as before.  This class is also used by the Postfix SMTP
client to report about sessions that fail because a table is
unavailable.

Major changes - logging
----------------------------------------

[Incompat 20120114] Logfile-based alerting systems may need to be
updated to look for "error" messages in addition to "fatal" messages.
Specify "daemon_table_open_error_is_fatal = yes" to get the historical
behavior (immediate termination with "fatal" message).

[Incompat 20111214] Logfile-based analysis tools may need to be
updated. The submission and smtps examples in the sample master.cf
file were updated to make their logging easier to distinguish.

See the source file pflogsumm_quickfix.txt for a "quick fix".

[Incompat 20111205] Postfix now logs the result of successful TLS
negotiation with TLS logging levels of 0. See the smtp_tls_loglevel
and smtpd_tls_loglevel descriptions in the postconf(5) manpage for
other minor differences.

[Incompat 20110219] The Postfix SMTP and QMQP servers now log
"hostname X does not resolve to address Y", when a "reverse hostname"
lookup result does not resolve to the client IP address. Until now
these servers logged "Y: hostname X verification failed" or "Y:
address not listed for hostname X" which people found confusing.