summaryrefslogtreecommitdiffstats
path: root/RELEASE_NOTES-2.5
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--RELEASE_NOTES-2.5376
1 files changed, 376 insertions, 0 deletions
diff --git a/RELEASE_NOTES-2.5 b/RELEASE_NOTES-2.5
new file mode 100644
index 0000000..f560d3b
--- /dev/null
+++ b/RELEASE_NOTES-2.5
@@ -0,0 +1,376 @@
+The stable Postfix release is called postfix-2.5.x where 2=major
+release number, 5=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-2.6-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+Incompatibility with Postfix 2.3 and earlier
+--------------------------------------------
+
+If you upgrade from Postfix 2.3 or earlier, read RELEASE_NOTES-2.4
+before proceeding.
+
+Major changes - critical
+------------------------
+
+[Incompat 20071224] The protocol to send Milter information from
+smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+Milter feature, and upgrade a live Postfix system, you may see an
+"unexpected record type" warning from a cleanup(8) server process.
+To prevent this, execute the command "postfix reload". The
+incompatibility affects only systems that use the Milter feature.
+It does not cause loss of mail, just a minor delay until the remote
+SMTP client retries.
+
+[Incompat 20071212] The allow_min_user feature now applies to both
+sender and recipient addresses in SMTP commands. With earlier Postfix
+versions, only recipients were subject to the allow_min_user feature,
+and the restriction took effect at mail delivery time, causing mail
+to be bounced later instead of being rejected immediately.
+
+[Incompat 20071206] The "make install" and "make upgrade" procedures
+now create a Postfix-owned directory for Postfix-writable data files
+such as caches and random numbers. The location is specified with
+the "data_directory" parameter (default: "/var/lib/postfix"), and
+the ownership is specified with the "mail_owner" parameter.
+
+[Incompat 20071206] The tlsmgr(8) and verify(8) servers no longer
+use root privileges when opening the address_verify_map,
+*_tls_session_cache_database, and tls_random_exchange_name cache
+files. This avoids a potential security loophole where the ownership
+of a file (or directory) does not match the trust level of the
+content of that file (or directory).
+
+[Incompat 20071206] The tlsmgr(8) and verify(8) cache files should
+now be stored as Postfix-owned files under the Postfix-owned
+data_directory. As a migration aid, attempts to open these files
+under a non-Postfix directory are redirected to the Postfix-owned
+data_directory, and a warning is logged.
+
+This is an example of the warning messages:
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: request
+ to update file /etc/postfix/prng_exch in non-postfix directory
+ /etc/postfix
+
+ Dec 6 12:56:22 bristle postfix/tlsmgr[7899]: warning: redirecting
+ the request to postfix-owned data_directory /var/lib/postfix
+
+If you wish to continue using a pre-existing tls_random_exchange_name
+or address_verify_map file, move it to the Postfix-owned data_directory
+and change ownership from root to Postfix (that is, change ownership
+to the account specified with the mail_owner configuration parameter).
+
+[Feature 20071205] The "make install" and "make upgrade" procedures
+now create a Postfix-owned directory for Postfix-writable data files
+such as caches and random numbers. The location is specified with
+the "data_directory" parameter (default: "/var/lib/postfix"), and
+the ownership is specified with the "mail_owner" parameter.
+
+[Incompat 20071203] The "make upgrade" procedure adds a new service
+"proxywrite" to the master.cf file, for read/write lookup table
+access. If you copy your old configuration file over the updated
+one, you may see warnings in the maillog file like this:
+
+ connect #xx to subsystem private/proxywrite: No such file or directory
+
+To recover, run "postfix upgrade-configuration" again.
+
+[Incompat 20070613] The pipe(8) delivery agent no longer allows
+delivery with the same group ID as the main.cf postdrop group.
+
+Major changes - malware defense
+-------------------------------
+
+[Feature 20080107] New "pass" service type in master.cf. Written
+years ago, this allows future front-end daemons to accept all
+connections from the network, and to hand over connections from
+well-behaved clients to Postfix. Since this feature uses file
+descriptor passing, it imposes no overhead once a connection is
+handed over to Postfix. See master(5) for a few details.
+
+[Feature 20070911] Stress-adaptive behavior. When a "public" network
+service runs into an "all processes are busy" condition, the master(8)
+daemon logs a warning, restarts the service, and runs it with "-o
+stress=yes" on the command line (under normal conditions it runs
+the service with "-o stress=" on the command line). This can be
+used to make main.cf parameter settings stress dependent, for
+example:
+
+/etc/postfix/main.cf:
+ smtpd_timeout = ${stress?10}${stress:300}
+ smtpd_hard_error_limit = ${stress?1}${stress:20}
+
+Translation: under conditions of stress, use an smtpd_timeout value
+of 10 seconds instead of 300, and use smtpd_hard_error_limit of 1
+instead of 20. The syntax is explained in the postconf(5) manpage.
+
+The STRESS_README file gives examples of how to mitigate flooding
+problems.
+
+Major changes - tls support
+---------------------------
+
+[Incompat 20080109] TLS logging output has changed to make it more
+useful. Existing logfile parser regular expressions may need
+adjustment.
+
+- More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+
+- Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+
+- After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+
+- The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+
+[Feature 20080109] The Postfix SMTP client has a new "fingerprint"
+security level. This avoids dependencies on CAs, and relies entirely
+on bi-lateral exchange of public keys (really self-signed or private
+CA signed X.509 public key certificates). Scalability is clearly
+limited. For details, see the fingerprint discussion in TLS_README.
+
+[Feature 20080109] The Postfix SMTP server can now use SHA1 instead
+of MD5 to compute remote SMTP client certificate fingerprints. For
+backwards compatibility, the default algorithm is MD5. For details,
+see the "smtpd_tls_fingerprint_digest" parameter in the postconf(5)
+manual.
+
+[Feature 20080109] The maximum certificate trust chain depth
+(verifydepth) is finally implemented in the Postfix TLS library.
+Previously, the parameter had no effect. The default depth was
+changed to 9 (the OpenSSL default) for backwards compatibility.
+
+If you have explicity limited the verification depth in main.cf,
+check that the configured limit meets your needs. See the
+"lmtp_tls_scert_verifydepth", "smtp_tls_scert_verifydepth" and
+"smtpd_tls_ccert_verifydepth" parameters in the postconf(5) manual.
+
+[Feature 20080109] The selection of SSL/TLS protocols for mandatory
+TLS can now use exclusion rather than inclusion. Either form is
+acceptable; see the "lmtp_tls_mandatory_protocols",
+"smtp_tls_mandatory_protocols" and "smtpd_tls_mandatory_protocols"
+parameters in the postconf(5) manual.
+
+Major changes - scheduler
+-------------------------
+
+[Feature 20071130] Revised queue manager with separate mechanisms
+for per-destination concurrency control and for dead destination
+detection. The concurrency control supports less-than-1 feedback
+to allow for more gradual concurrency adjustments, and uses hysteresis
+to avoid rapid oscillations. A destination is declared "dead" after
+a configurable number of pseudo-cohorts(*) reports connection or
+handshake failure.
+
+(*) A pseudo-cohort is a number of delivery requests equal to a
+ destination's delivery concurrency.
+
+The drawbacks of the old +/-1 feedback scheduler are a) overshoot
+due to exponential delivery concurrency growth with each pseudo-cohort(*)
+(5-10-20...); b) throttling down to zero concurrency after a single
+pseudo-cohort(*) failure. The latter was especially an issue with
+low-concurrency channels where a single failure could be sufficient
+to mark a destination as "dead", and suspend further deliveries.
+
+New configuration parameters: destination_concurrency_feedback_debug,
+default_destination_concurrency_positive_feedback,
+default_destination_concurrency_negative_feedback,
+default_destination_concurrency_failed_cohort_limit, as well as
+transport-specific versions of the same.
+
+The default parameter settings are backwards compatible with older
+Postfix versions. This may change after better defaults are field
+tested.
+
+The updated SCHEDULER_README document describes the theory behind
+the new concurrency scheduler, as well as Patrik Rak's preemptive
+job scheduler. See postconf(5) for more extensive descriptions of
+the configuration parameters.
+
+Major changes - small/home office
+---------------------------------
+
+[Feature 20080115] Preliminary SOHO_README document that combines
+bits and pieces from other document in one place, so that it is
+easier to find. This document describes the "mail sending" side
+only.
+
+[Feature 20071202] Output rate control in the queue manager. For
+example, specify "smtp_destination_rate_delay = 5m", to pause five
+minutes between message deliveries. More information in the postconf(5)
+manual under "default_destination_rate_delay".
+
+Major changes - smtp client
+---------------------------
+
+[Incompat 20080114] The Postfix SMTP client now by default defers
+mail after a remote SMTP server rejects a SASL authentication
+attempt. Specify "smtp_sasl_auth_soft_bounce = no" for the old
+behavior.
+
+[Feature 20080114] The Postfix SMTP client can now avoid making
+repeated SASL login failures with the same server, username and
+password. To enable this safety feature, specify for example
+"smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache"
+(access through the proxy service is required). Instead of trying
+to SASL authenticate, the Postfix SMTP client defers or bounces
+mail as controlled with the new smtp_sasl_auth_soft_bounce configuration
+parameter.
+
+[Feature 20071111] Header/body checks are now available in the SMTP
+client, after the implementation was moved from the cleanup server
+to a library module. The SMTP client provides only actions that
+don't change the message delivery time or destination: warn, replace,
+prepend, ignore, dunno, ok.
+
+[Incompat 20070614] By default, the Postfix Cyrus SASL client no
+longer sends a SASL authoriZation ID (authzid); it sends only the
+SASL authentiCation ID (authcid) plus the authcid's password. Specify
+"send_cyrus_sasl_authzid = yes" to get the old behavior.
+
+Major changes - smtp server
+---------------------------
+
+[Feature 20070724] Not really major. New support for RFC 3848
+(Received: headers with ESMTPS, ESMTPA, or ESMTPSA); updated SASL
+support according to RFC 4954, resulting in small changes to SMTP
+reply codes and (DSN) enhanced status codes.
+
+Major changes - milter
+----------------------
+
+[Incompat 20071224] The protocol to send Milter information from
+smtpd(8) to cleanup(8) processes was cleaned up. If you use the
+Milter feature, and upgrade a live Postfix system, you may see an
+"unexpected record type" warning from a cleanup(8) server process.
+To prevent this, execute the command "postfix reload". The
+incompatibility affects only systems that use the Milter feature.
+It does not cause loss of mail, just a minor delay until the remote
+SMTP client retries.
+
+[Feature 20071221] Support for most of the Sendmail 8.14 Milter
+protocol features.
+
+To enable the new features specify "milter_protocol = 6" and link
+the filter application with a libmilter library from Sendmail 8.14
+or later.
+
+Sendmail 8.14 Milter features supported at this time:
+
+- NR_CONN, NR_HELO, NR_MAIL, NR_RCPT, NR_DATA, NR_UNKN, NR_HDR,
+ NR_EOH, NR_BODY: The filter can tell Postfix that it won't reply
+ to some of the SMTP events that Postfix sends. This makes the
+ protocol less chatty and improves performance.
+
+- SKIP: The filter can tell Postfix to skip sending the rest of
+ the message body, which also improves performance.
+
+- HDR_LEADSPC: The filter can request that Postfix does not delete
+ the first space character between header name and header value
+ when sending a header to the filter, and that Postfix does not
+ insert a space character between header name and header value
+ when receiving a header from the filter. This fixes a limitation
+ in the old Milter protocol that can break DKIM and DK signatures.
+
+- SETSYMLIST: The filter can override one or more of the main.cf
+ milter_xxx_macros parameter settings.
+
+Sendmail 8.14 Milter features not supported at this time:
+
+- RCPT_REJ: report rejected recipients to the mail filter.
+
+- CHGFROM: replace sender, with optional ESMTP command parameters.
+
+- ADDRCPT_PAR: add recipient, with optional ESMTP command parameters.
+
+It is unclear when (if ever) the missing features will be implemented.
+SMFIP_RCPT_REJ requires invasive changes in the SMTP server recipient
+processing and error handling. SMFIR_CHGFROM and SMFIR_ADDRCPT_PAR
+require ESMTP command-line parsing in the cleanup server. Unfortunately,
+Sendmail's documentation does not specify what ESMTP options are
+supported, but only discusses examples of things that don't work.
+
+Major changes - address verification
+------------------------------------
+
+[Incompat 20070514] The default sender address for address verification
+probes was changed from "postmaster" to "double-bounce", so that
+the Postfix SMTP server no longer causes surprising behavior by
+excluding "postmaster" from SMTP server access controls.
+
+Major changes - ldap
+--------------------
+
+[Incompat 20071216] Due to an incompatible API change between
+OpenLDAP 2.0.11 and 2.0.12, an LDAP client compiled for OpenLDAP
+version <= 2.0.11 will refuse to work with an OpenLDAP library
+version >= 2.0.12 and vice versa.
+
+Major changes - logging
+-----------------------
+
+[Incompat 20080109] TLS logging output has changed to make it more
+useful. Existing logfile parser regular expressions may need
+adjustment.
+
+- More log entries include the "hostnamename[ipaddress]" of the
+ remote SMTP peer.
+
+- Certificate trust chain error reports show only the first
+ error certificate (closest to the trust chain root), and the
+ reporting is more human-readable for the most likely errors.
+
+- After the completion of the TLS handshake, the session is logged
+ with TLS loglevel >= 1 as either "Untrusted", "Trusted" or
+ "Verified" (SMTP client only).
+ - "Untrusted" means that the certificate trust chain is invalid,
+ or that the root CA is not trusted.
+ - "Trusted" means that the certificate trust chain is valid, and
+ that the root CA is trusted.
+ - "Verified" means that the certificate meets the SMTP client's
+ matching criteria for the destination:
+ - In the case of a destination name match, "Verified" also
+ implies "Trusted".
+ - In the case of a fingerprint match, CA trust is not applicable.
+
+- The logging of protocol states with TLS loglevel >= 2 no longer
+ reports bogus error conditions when OpenSSL asks Postfix to refill
+ (or flush) network I/O buffers. This loglevel is for debugging
+ only; use 0 or 1 in production configurations.
+
+[Incompat 20071216] The SMTP "transcript of session" email now
+includes the remote SMTP server TCP port number.
+
+Major changes - loop detection
+------------------------------
+
+[Incompat 20070422] [Incompat 20070422] When the pipe(8) delivery
+agent is configured to create the optional Delivered-To: header,
+it now first checks if that same header is already present in the
+message. If so, the message is returned as undeliverable. This test
+should have been included with Postfix 2.0 when Delivered-To: support
+was added to the pipe(8) delivery agent.