diff options
Diffstat (limited to 'RELEASE_NOTES-3.0')
-rw-r--r-- | RELEASE_NOTES-3.0 | 628 |
1 files changed, 628 insertions, 0 deletions
diff --git a/RELEASE_NOTES-3.0 b/RELEASE_NOTES-3.0 new file mode 100644 index 0000000..62ee5e3 --- /dev/null +++ b/RELEASE_NOTES-3.0 @@ -0,0 +1,628 @@ +The stable Postfix release is called postfix-3.0.x where 3=major +release number, 0=minor release number, x=patchlevel. The stable +release never changes except for patches that address bugs or +emergencies. Patches change the patchlevel and the release date. + +New features are developed in snapshot releases. These are called +postfix-3.1-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). Patches are never issued for snapshot releases; +instead, a new snapshot is released. + +The mail_release_date configuration parameter (format: yyyymmdd) +specifies the release date of a stable release or snapshot release. + +If you upgrade from Postfix 2.10 or earlier, read RELEASE_NOTES-2.11 +before proceeding. + +Notes for distribution maintainers +---------------------------------- + +* New backwards-compatibility safety net. + +With NEW Postfix installs, you MUST install a main.cf file with +the setting "compatibility_level = 2". See conf/main.cf for an +example. + +With UPGRADES of existing Postfix systems, you MUST NOT change the +main.cf compatibility_level setting, nor add this setting if it +does not exist. + +Several Postfix default settings have changed with Postfix 3.0. To +avoid massive frustration with existing Postfix installations, +Postfix 3.0 comes with a safety net that forces Postfix to keep +running with backwards-compatible main.cf and master.cf default +settings. This safety net depends on the main.cf compatibility_level +setting (default: 0). Details are in COMPATIBILITY_README. + +* New Postfix build system. + +The Postfix build/install procedure has changed to support Postfix +dynamically-linked libraries and database plugins. These must not +be "shared" with non-Postfix programs, and therefore must not be +installed in a public directory. + +To avoid massive frustration due to broken patches, PLEASE BUILD +POSTFIX FIRST WITHOUT APPLYING ANY PATCHES. Follow the INSTALL +instructions (see "Building with Postfix dynamically-linked libraries +and database plugins"), and see how things work and what the +dynamically-linked libraries, database plugin, and configuration +files look like. Then, go ahead and perform your platform-specific +customizations. The INSTALL section "Tips for distribution maintainers" +has further suggestions. + +Major changes - critical +------------------------ + +[Incompat 20140714] After upgrading Postfix, "postfix reload" (or +start/stop) is required. Several Postfix-internal protocols have +been extended to support SMTPUTF8. Failure to reload or restart +will result in mail staying queued, while Postfix daemons log +warning messages about unexpected attributes. + +Major changes - default settings +-------------------------------- + +[Incompat 20141009] The default settings have changed for relay_domains +(new: empty, old: $mydestination) and mynetworks_style (new: host, +old: subnet). However the backwards-compatibility safety net will +prevent these changes from taking effect, giving the system +administrator the option to make an old default setting permanent +in main.cf or to adopt the new default setting, before turning off +backwards compatibility. See COMPATIBILITY_README for details. + +[Incompat 20141001] A new backwards-compatibility safety net forces +Postfix to run with backwards-compatible main.cf and master.cf +default settings after an upgrade to a newer but incompatible Postfix +version. See COMPATIBILITY_README for details. + +While the backwards-compatible default settings are in effect, +Postfix logs what services or what email would be affected by the +incompatible change. Based on this the administrator can make some +backwards-compatibility settings permanent in main.cf or master.cf, +before turning off backwards compatibility. + +See postconf.5.html#compatibility_level for details. + +[Incompat 20141001] The default settings +have changed for append_dot_mydomain (new: no. old: yes), master.cf +chroot (new: n, old: y), and smtputf8 (new: yes, old: no). + +Major changes - access control +------------------------------ + +[Feature 20141119] Support for BCC actions in header/body_checks +and milter_header_checks. There is no limit on the number of BCC +actions that may be specified, other than the implicit limit due +to finite storage. BCC support will not be implemented in Postfix +delivery agent header/body_checks. + +It works in the same way as always_bcc and sender/recipient_bcc_maps: +there can be only one address per action, recipients are added with +the NOTIFY=NONE delivery status notification option, and duplicate +recipients are ignored (with the same delivery status notification +options). + +[Incompat 20141009] The default settings have changed for relay_domains +(new: empty, old: $mydestination) and mynetworks_style (new: host, +old: subnet). However the backwards-compatibility safety net will +prevent these changes from taking effect, giving the system +administrator the option to make an old default setting permanent +in main.cf or to adopt the new default setting, before turning off +backwards compatibility. See COMPATIBILITY_README for details. + +[Feature 20140618] New INFO action in access(5) tables, for consistency +with header/body_checks. + +[Feature 20140620] New check_xxx_a_access (for xxx in client, +reverse_client, helo, sender, recipient) implements access control +on all A and AAAA IP addresses for respectively the client hostname, +helo parameter, sender domain or recipient domain. This complements +the existing check_xxx_mx_access and check_xxx_ns_access features. + +Major changes - address rewriting +--------------------------------- + +[Incompat 20141001] The default settings have changed for +append_dot_mydomain (new: no. old: yes), master.cf chroot (new: +n, old: y), and smtputf8 (new: yes, old: no). + +Major changes - address verification +------------------------------------ + +[Feature 20141227] The new smtp_address_verify_target parameter +(default: rcpt) specifies what protocol stage decides if a recipient +is valid. Specify "data" for servers that reject invalid recipients +in response to the DATA command. + +Major changes - database support +-------------------------------- + +[Feature 20140512] Support for Berkeley DB version 6. + +[Feature 20140618] The "randmap" lookup table performs random +selection. This may be used to implement load balancing, for example: + +/etc/postfix/transport: + # Deliver my own domain as usual. + example.com : + .example.com : + +/etc/postfix/main.cf: + transport_maps = + # Deliver my own domain as usual. + hash:/etc/postfix/transport + # Deliver other domains via randomly-selected relayhosts + randmap:{smtp:smtp0.example.com, smtp:smtp1.example.com} + +A variant of this can randomly select SMTP clients with different +smtp_bind_address settings. + +To implement different weights, specify lookup results multiple +times. For example, to choose smtp:smtp1.example.com twice as often +as smtp:smtp0.example.com, specify smtp:smtp1.example.com twice. + +A future version may support randmap:/path/to/file to load a list +of results from file. + +[Feature 20140618] As the name suggests, the "pipemap" table +implements a pipeline of lookup tables. The name of the table +specifies the pipeline as a sequence of tables. For example, the +following prevents SMTP mail to system accounts that have "nologin" +as their login shell: + + /etc/postfix/main.cf: + local_recipient_maps = + pipemap:{unix:passwd.byname, pcre:/etc/postfix/no-nologin.pcre} + alias_maps + + /etc/postfix/no-nologin.pcre: + !/nologin/ whatever + +Each "pipemap:" query is given to the first table. Each table +lookup result becomes the query for the next table in the pipeline, +and the last table produces the final result. When any table lookup +produces no result, the entire pipeline produces no result. + +A future version may support pipemap:/path/to/file to load a list +of lookup tables from file. + +[Feature 20140924] Support for unionmap, with the same syntax as +pipemap. This sends a query to all tables, and concatenates non-empty +results, separated by comma. + +[Feature 20131121] The "static" lookup table now supports whitespace +when invoked as "static:{ text with whitespace }", so that it can +be used, for example, at the end of smtpd_mumble_restrictions as +"check_mumble_access static:{reject text...}". + +[Feature 20141126] "inline:{key=value, { key = text with comma/space}}" +avoids the need to create a database for just a few entries. + +Major changes - delivery status notifications +--------------------------------------------- + +[Feature 20140321] Delivery status filter support, to replace the +delivery status codes and explanatory text of successful or +unsuccessful deliveries by Postfix mail delivery agents. + +This was originally implemented for sites that want to turn certain +soft delivery errors into hard delivery errors, but it can also be +used to censor out information from delivery confirmation reports. + +This feature is implemented as a filter that replaces the three-number +enhanced status code and descriptive text in Postfix delivery agent +success, bounce, or defer messages. Note: this will not override +"soft_bounce=yes", and this will not change a successful delivery +status into an unsuccessful status or vice versa. + +The first example turns specific soft TLS errors into hard +errors, by overriding the first number in the enhanced status code. + +/etc/postfix/main.cf: + smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter + +/etc/postfix/smtp_dsn_filter: + /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1 + /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1 + +The second example removes the destination command name and file +name from local(8) successful delivery reports, so that they will +not be reported when a sender requests confirmation of delivery. + +/etc/postfix/main.cf: + local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter + +/etc/postfix/local_dsn_filter: + /^(2\S+ delivered to file).+/ $1 + /^(2\S+ delivered to command).+/ $1 + +This feature is supported in the lmtp(8), local(8), pipe(8), smtp(8) +and virtual(8) delivery agents. That is, all delivery agents that +actually deliver mail. It will not be implemented in the error and +retry pseudo-delivery agents. + +The new main.cf parameters and default values are: + + default_delivery_status_filter = + lmtp_delivery_status_filter = $default_delivery_status_filter + local_delivery_status_filter = $default_delivery_status_filter + pipe_delivery_status_filter = $default_delivery_status_filter + smtp_delivery_status_filter = $default_delivery_status_filter + virtual_delivery_status_filter = $default_delivery_status_filter + +See the postconf(5) manpage for more details. + +[Incompat 20140618] The pipe(8) delivery agent will now log a limited +amount of command output upon successful delivery, and will report +that output in "SUCCESS" delivery status reports. This is another +good reason to disable inbound DSN requests at the Internet perimeter. + +[Feature 20140907] With "confirm_delay_cleared = yes", Postfix +informs the sender when delayed mail leaves the queue (this is in +addition to the delay_warning_time feature that warns when mail is +still queued). This feature is disabled by default, because it can +result in a sudden burst of notifications when the queue drains at +the end of a prolonged network outage. + +Major changes - dns +------------------- + +[Feature 20141128] Support for DNS server reply filters in the +Postfix SMTP/LMTP client and SMTP server. This helps to work around +mail delivery problems with sites that have incorrect DNS information. +Note: this has no effect on the implicit DNS lookups that are made +by nsswitch.conf or equivalent mechanisms. + +This feature renders each lookup result as one line of text in +standard zone-file format as shown below. The class field is always +"IN", the preference field exists only for MX records, the names +of hosts, domains, etc. end in ".", and those names are in ASCII +form (xn--mumble form for internationalized domain names). + + name ttl class type preference value + --------------------------------------------------------- + postfix.org. 86400 IN MX 10 mail.cloud9.net. + +Typically, one would match this text with a regexp: or pcre: table. +When a match is found, the table lookup result specifies an action. +By default, the table query and the action name are case-insensitive. +Currently, only the IGNORE action is implemented. + +For safety reasons, Postfix logs a warning or defers mail delivery +when a DNS reply filter removes all lookup results from a successful +query. + +The Postfix SMTP/LMTP client uses the smtp_dns_reply_filter and +lmtp_dns_reply_filter features only for Postfix SMTP client lookups +of MX, A, and AAAAA records to locate a remote SMTP or LMTP server, +including lookups that implement the features reject_unverified_sender +and reject_unverified_recipient. The filters are not used for lookups +made through nsswitch.conf and similar mechanisms. + +The Postfix SMTP server uses the smtpd_dns_reply_filter feature +only for Postfix SMTP server lookups of MX, A, AAAAA, and TXT records +to implement the features reject_unknown_helo_hostname, +reject_unknown_sender_domain, reject_unknown_recipient_domain, +reject_rbl_*, and reject_rhsbl_*. The filter is not used for lookups +made through nsswitch.conf and similar mechanisms, such as lookups +of the remote SMTP client name. + +[Feature 20141126] Nullmx support (MX records with a null hostname). +This change affects error messages only. The Postfix SMTP client +already bounced mail for such domains, and the Postfix SMTP server +already rejected such domains with reject_unknown_sender/recipient_domain. +This feature introduces a new SMTP server configuration parameter +nullmx_reject_code (default: 556). + +Major changes - dynamic linking +------------------------------- + +[Feature 20140530] Support to build Postfix with Postfix +dynamically-linked libraries, and with dynamically-loadable database +clients. These MUST NOT be used by non-Postfix programs. Postfix +dynamically-linked libraries introduce minor runtime overhead and +result in smaller Postfix executable files. Dynamically-loadable +database clients are useful when you distribute or install pre-compiled +packages. Postfix 3.0 supports dynamic loading for CDB, LDAP, LMDB, +MYSQL, PCRE, PGSQL, SDBM, and SQLITE database clients. + +This implementation is based on Debian code by LaMont Jones, initially +ported by Viktor Dukhovni. Currently, support exists for recent +versions of Linux, FreeBSD, MacOS X, and for the ancient Solaris 9. + +To support Postfix dynamically-linked libraries and dynamically-loadable +database clients, the Postfix build procedure had to be changed +(specifically, the files makedefs and Makefile.in, and the files +postfix-install and post-install that install or update Postfix). + +[Incompat 20140530] The Postfix 3.0 build procedure expects that +you specify database library dependencies with variables named +AUXLIBS_CDB, AUXLIBS_LDAP, etc. With Postfix 3.0 and later, the +old AUXLIBS variable still supports building a statically-loaded +CDB etc. database client, but only the new AUXLIBS_CDB etc. variables +support building a dynamically-loaded or statically-loaded CDB etc. +database client. See CDB_README, LDAP_README, etc. for details. + +Failure to follow this advice will defeat the purpose of dynamic +database client loading. Every Postfix executable file will have +database library dependencies. And that was exactly what dynamic +database client loading was meant to avoid. + +Major changes - future proofing +------------------------------- + +[Cleanup 20141224] The changes described here have no visible effect +on Postfix behavior, but they make Postfix code easier to maintain, +and therefore make new functionality easier to add. + +* Compile-time argument typechecks of non-printf/scanf-like variadic + function argument lists. + +* Deprecating the use of "char *" for non-text purposes such as + memory allocation and pointers to application context for call-back + functions. This dates from long-past days before void * became + universally available. + +* Replace integer types for counters and sizes with size_t or ssize_t + equivalents. This eliminates some wasteful 64<->32bit conversions + on 64-bit systems. + +Major changes - installation pathnames +-------------------------------------- + +[Incompat 20140625] For compliance with file system policies, some +non-executable files have been moved from $daemon_directory to the +directory specified with the new meta_directory configuration +parameter which has the same default value as the config_directory +parameter. This change affects non-executable files that are shared +between multiple Postfix instances such as postfix-files, dynamicmaps.cf, +and multi-instance template files. + +For backwards compatibility with Postfix 2.6 .. 2.11, specify +"meta_directory = $daemon_directory" in main.cf before installing +or upgrading Postfix, or specify "meta_directory = /path/name" on +the "make makefiles", "make install" or "make upgrade" command line. + +Major changes - milter +---------------------- + +[Feature 20140928] Support for per-Milter settings that override +main.cf parameters. For details see the section "Advanced policy +client configuration" in the SMTPD_POLICY_README document. + +Here is an example that uses both old and new syntax: + + smtpd_milters = { inet:127.0.0.1:port1, default_action=accept, ... }, + inet:127.0.0.1:port2, ... + +The supported attribute names are: command_timeout, connect_timeout, +content_timeout, default_action, and protocol. These have the same +names as the corresponding main.cf parameters, without the "milter_" +prefix. + +The per-milter settings are specified as attribute=value pairs +separated by comma or space; specify { name = value } to allow +spaces around the "=" or within an attribute value. + +[Feature 20141018] DMARC compatibility: when a Milter inserts a +header ABOVE Postfix's own Received: header, Postfix no longer +exposes its own Received: header to Milters (violating protocol) +and Postfix no longer hides the Milter-inserted header from Milters +(wtf). + +Major changes - parameter syntax +-------------------------------- + +[Feature 20140921] In preparation for configurable mail headers and +logging, new main.cf support for if-then-else expressions: + + ${name?{text1}:{text2}} + +and for logical expressions: + + ${{text1}=={text2}?{text3}:{text4}} + ${{text1}!={text2}?{text3}:{text4}} + +Whitespace before and after {text} is ignored. This can help to +make complex expressions more readable. See the postconf(5) manpage +for further details. + +[Feature 20140928] Support for whitespace in daemon command-line +arguments. For details, see the "Command name + arguments" section +in the master(5) manpage. Example: + + smtpd -o { parameter = value containing whitespace } ... + +The { ... } form is also available for non-option command-line +arguments in master.cf, for example: + + pipe ... argv=command { argument containing whitespace } ... + +In both cases, whitespace immediately after "{" and before "}" +is ignored. + +[Feature 20141005] Postfix import_environment and export_environment +now allow "{ name=value }" to protect whitespace in attribute values. + +[Feature 20141006] The new message_drop_header parameter replaces +a hard-coded table that specifies what message headers the cleanup +daemon will remove. The list of supported header names covers RFC +5321, 5322, MIME RFCs, and some historical names. + +Major changes - pipe daemon +--------------------------- + +[Incompat 20140618] The pipe(8) delivery agent will now log a limited +amount of command output upon successful delivery, and will report +that output in "SUCCESS" delivery status reports. This is another +good reason to disable inbound DSN requests at the Internet perimeter. + +Major changes - policy client +----------------------------- + +[Feature 20140703] This release introduces three new configuration +parameters that control error recovery for failed SMTPD policy +requests. + + * smtpd_policy_service_default_action (default: 451 4.3.5 Server + configuration problem): The default action when an SMTPD policy + service request fails. + + * smtpd_policy_service_try_limit (default: 2): The maximal number + of attempts to send an SMTPD policy service request before + giving up. This must be a number greater than zero. + + * smtpd_policy_service_retry_delay (default: 1s): The delay between + attempts to resend a failed SMTPD policy service request. This + must be a number greater than zero. + +See postconf(5) for details and limitations. + +[Feature 20140928] Support for per-policy service settings that +override main.cf parameters. For details see the section "Different +settings for different Milter applications" in the MILTER_README +document. + +Here is an example that uses both old and new syntax: + +smtpd_recipient_restrictions = ... + check_policy_service { inet:127.0.0.1:port3, default_action=DUNNO } + check_policy_service inet:127.0.0.1:port4 + ... + +The per-policy service settings are specified as attribute=value pairs +separated by comma or space; specify { name = value } to allow +spaces around the "=" or within an attribute value. + +The supported attribute names are: default_action, max_idle, max_ttl, +request_limit, retry_delay, timeout, try_limit. These have the same +names as the corresponding main.cf parameters, without the +"smtpd_policy_service_" prefix. + +[Feature 20140505] A client port attribute was added to the policy +delegation protocol. + +[Feature 20140630] New smtpd_policy_service_request_limit feature to +limit the number of requests per Postfix SMTP server policy connection. +This is a workaround to avoid error-recovery delays with policy +servers that cannot maintain a persistent connection. + +Major changes - position-independent executables +------------------------------------------------ + +[Feature 20150205] Preliminary support for building position-independent +executables (PIE), tested on Fedora Core 20, Ubuntu 14.04, FreeBSD +9 and 10, and NetBSD 6. Specify: + +$ make makefiles pie=yes ...other arguments... + +On some systems, PIE is used by the ASLR exploit mitigation technique +(ASLR = Address-Space Layout Randomization). Whether specifying +"pie=yes" has any effect at all depends on the compiler. Reportedly, +some compilers always produce PIE executables. + +Major changes - postscreen +-------------------------- + +[Feature 20140501] Configurable time limit (postscreen_dnsbl_timeout) +for DNSBL or DNSWL lookups. This is separate from the timeouts in +the dnsblog(8) daemon which are controlled by system resolver(3) +routines. + +Major changes - session fingerprint +----------------------------------- + +[Feature 20140801] The Postfix SMTP server now logs at the end of +a session how many times an SMTP command was successfully invoked, +followed by the total number of invocations if some invocations +were unsuccessful. + +This logging will enough to diagnose many problems without using +verbose logging or network sniffer. + + Normal session, no TLS: + disconnect from name[addr] ehlo=1 mail=1 rcpt=1 data=1 quit=1 + + Normal session. with TLS: + disconnect from name[addr] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 + + All recipients rejected, no ESMTP command pipelining: + disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 quit=1 + + All recipients rejected, with ESMTP command pipelining: + disconnect from name[addr] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 + + Password guessing bot, hangs up without QUIT: + disconnect from name[addr] ehlo=1 auth=0/1 + + Mis-configured client trying to use TLS wrappermode on port 587: + disconnect from name[addr] unknown=0/1 + +Logfile analyzers can trigger on the presence of "/". It indicates +that Postfix rejected at least one command. + +[Feature 20150118] As a late addition, the SMTP server now also +logs the total number of commands (as "commands=x/y") even when the +client did not send any commands. This helps logfile analyzers to +recognize sessions without commands. + +Major changes - smtp client +--------------------------- + +[Feature 20141227] The new smtp_address_verify_target parameter +(default: rcpt) determines what protocol stage decides if a recipient +is valid. Specify "data" for servers that reject recipients after +the DATA command. + +Major changes - smtputf8 +------------------------ + +[Incompat 20141001] The default settings have changed for +append_dot_mydomain (new: no, old: yes), master.cf chroot (new: +n, old: y), and smtputf8 (new: yes, old: no). + +[Incompat 20140714] After upgrading Postfix, "postfix reload" (or +start/stop) is required. Several Postfix-internal protocols have +been extended to support SMTPUTF8. Failure to reload or restart +will result in mail staying queued, while Postfix daemons log +warning messages about unexpected attributes. + +[Feature 20140715] Support for Email Address Internationalization +(EAI) as defined in RFC 6531..6533. This supports UTF-8 in SMTP/LMTP +sender addresses, recipient addresses, and message header values. +The implementation is based on initial work by Arnt Gulbrandsen +that was funded by CNNIC. + +See SMTPUTF8_README for a description of Postfix SMTPUTF8 support. + +[Feature 20150112] UTF-8 Casefolding support for Postfix lookup +tables and matchlists (mydestination, relay_domains, etc.). This +is enabled only with "smtpuf8 = yes". + +[Feature 20150112] With smtputf8_enable=yes, SMTP commands with +UTF-8 syntax errors are rejected, table lookup results with invalid +UTF-8 syntax are handled as configuration errors, and UTF-8 syntax +errors in policy server replies result in execution of the policy +server's default action. + +Major changes - tls support +--------------------------- + +(see "Major changes - delivery status notifications" above for +turning 4XX soft errors into 5XX bounces when a remote SMTP server +does not offer STARTTLS support). + +[Feature 20140209] the Postfix SMTP client now also falls back to +plaintext when TLS fails AFTER the TLS protocol handshake. + +[Feature 20140218] The Postfix SMTP client now requires that a queue +file is older than $minimal_backoff_time, before falling back from +failed TLS to plaintext (both during or after the TLS handshake). + +[Feature 20141021] Per IETF TLS WG consensus, the tls_session_ticket_cipher +default setting was changed from aes-128-cbc to aes-256-cbc. + +[Feature 20150116] TLS wrappermode support in the Postfix smtp(8) +client (new smtp_tls_wrappermode parameter) and in posttls-finger(1) +(new -w option). There still is life in that deprecated protocol, +and people should not have to jump hoops with stunnel. |