summaryrefslogtreecommitdiffstats
path: root/RELEASE_NOTES
blob: af0566fe5369718df71e6c2a1ae0ff33c4b4e4ae (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
This is the Postfix 3.4 (stable) release.

The stable Postfix release is called postfix-3.4.x where 3=major
release number, 4=minor release number, x=patchlevel.  The stable
release never changes except for patches that address bugs or
emergencies. Patches change the patchlevel and the release date.

New features are developed in snapshot releases. These are called
postfix-3.5-yyyymmdd where yyyymmdd is the release date (yyyy=year,
mm=month, dd=day).  Patches are never issued for snapshot releases;
instead, a new snapshot is released.

The mail_release_date configuration parameter (format: yyyymmdd)
specifies the release date of a stable release or snapshot release.

If you upgrade from Postfix 3.2 or earlier, read RELEASE_NOTES-3.3
before proceeding.

Runtime detection of DNSSEC support
-----------------------------------

The Postfix build system will no longer automatically disable DNSSEC
support when it determines that Postfix will use libc-musl. This removes
the earlier libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12,
and 3.5.2.

Now, when a Postfix process requests DNSSEC support (typically, for
Postfix DANE support), the process may do a runtime test to determine if
DNSSEC validation is available. DNSSEC support may be broken because of
local configuration, libc incompatibility, or other infrastructure issues.

Background: DNSSEC validation is needed for Postfix DANE support;
this ensures that Postfix receives TLSA records with secure TLS
server certificate info. When DNSSEC validation is unavailable,
mail deliveries using opportunistic DANE will not be protected by
server certificate info in TLSA records, and mail deliveries using
mandatory DANE will not be made at all.

The dnssec_probe parameter specifies the DNS query type (default:
"ns") and DNS query name (default: ".") that Postfix may use to
determine whether DNSSEC validation is available. Specify an empty
value to disable this feature.

By default, a Postfix process will send a DNSSEC probe after 1) the
process made a DNS query that requested DNSSEC validation, 2) the
process did not receive a DNSSEC validated response to this query
or to an earlier query, and 3) the process did not already send a
DNSSEC probe.

When the DNSSEC probe has no response, or when the response is not
DNSSEC validated, Postfix logs a warning that DNSSEC validation may
be unavailable. Examples:

warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure

This feature was backported from Postfix 3.6.

libc-musl workaround for Postfix 3.2.15, 3.3.10, 3.4.12, and 3.5.2
------------------------------------------------------------------

Security: this release disables DANE support on Linux systems with
libc-musl, because libc-musl provides no indication whether DNS
responses are authentic. This broke DANE support without a clear
explanation.

TLS Workaround for Postfix 3.4.6, 3.3.5, 3.2.10 and 3.1.13
-----------------------------------------------------------

This release introduces a workaround for implementations that hang
Postfix while shutting down a TLS session, until Postfix times out.
With "tls_fast_shutdown_enable = yes" (the default), Postfix no
longer waits for a remote TLS peer to respond to a TLS 'close'
request. This behavior is recommended with TLSv1.0 and later. Specify
"tls_fast_shutdown_enable = no" to get historical Postfix behavior.

License change
---------------

This software is distributed with a dual license: in addition to the
historical IBM Public License 1.0, it is now also distributed with the
more recent Eclipse Public License 2.0. Recipients can choose to take
the software under the license of their choice. Those who are more
comfortable with the IPL can continue with that license.

Summary of changes
------------------

Incompatible changes, bdat support, containers, database support,
logging, safety, tls connection pooling, tls support, usability,

Incompatible changes
--------------------

[Incompat 20180826] The Postfix SMTP server announces CHUNKING (BDAT
command) by default. In the unlikely case that this breaks some
important remote SMTP client, disable the feature as follows:

/etc/postfix/main.cf:
    # The logging alternative:
    smtpd_discard_ehlo_keywords = chunking
    # The non-logging alternative:
    smtpd_discard_ehlo_keywords = chunking, silent_discard

See BDAT_README for more.

[Incompat 20190126] This introduces a new master.cf service 'postlog'
with type 'unix-dgram' that is used by the new postlogd(8) daemon.
Before backing out to an older Postfix version, edit the master.cf
file and remove the postlog entry.

[Incompat 20190106] Postfix 3.4 drops support for OpenSSL 1.0.1
(end-of-life was December 31, 2016) and all earlier releases.

[Incompat 20180701] To avoid performance loss under load, the
tlsproxy(8) daemon now requires a zero process limit in master.cf
(this setting is provided with the default master.cf file). By
default, a tlsproxy(8) process will retire after several hours.

To set the tlsproxy process limit to zero:

# postconf -F tlsproxy/unix/process_limit=0
# postfix reload

Major changes - bdat support
--------------------

[Feature 20180826] Postfix SMTP server support for RFC 3030 CHUNKING
(the BDAT command) without BINARYMIME, in both smtpd(8) and
postscreen(8). This has no effect on Milters, smtpd_mumble_restrictions,
and smtpd_proxy_filter. See BDAT_README for more.

Major changes - containers
--------------------------

[Feature 20190126] Support for logging to file or stdout, instead
of using syslog.

- Logging to file solves a usability problem for MacOS, and
  eliminates multiple problems with systemd-based systems.

- Logging to stdout is useful when Postfix runs in a container, as
  it eliminates a syslogd dependency.

See MAILLOG_README for configuration examples and logfile rotation.

[Feature 20180422] Better handling of undocumented(!) Linux behavior
whether or not signals are delivered to a PID=1 process.

Major changes - database support
--------------------------------

[Feature 20181105] Support for (key, list of filenames) in map
source text.

- Currently, this feature is used only by tls_server_sni_maps.

- When a map is created from source with "postmap -F maptype:mapname",
  the command processes each key as usual and processes each value
  as a list of filenames, concatenates the content of those files
  (with one newline character in-between files), and stores an entry
  with (key, base64-encoded result).

- When a map is queried with "postmap -F -q ...", the command
  base64-decodes each value. It reports an error when a value is
  not in base64 form.

  This "postmap -F -q ..." behavior also works when querying the
  memory-resident map types cidr:, inline:, pcre:, randmap:, regexp:,
  and static:. Postfix reads the files specified as table values,
  stores base64-encoded content, and base64-decodes content upon
  table lookup.

  Internally, Postfix will turn on this behavior for lookups (not
  updates) when a map is opened with the DICT_FLAG_RHS_IS_FILE flag.

Major changes - logging
-----------------------

[Feature 20190126] Support for logging to file or stdout, instead
of using syslog.

- Logging to file solves a usability problem for MacOS, and
  eliminates multiple problems with systemd-based systems.

- Logging to stdout is useful when Postfix runs in a container, as
  it eliminates a syslogd dependency.

See MAILLOG_README for configuration examples and logfile rotation.

Major changes - safety
----------------------

[Feature 20180623] Automatic retirement: dnsblog(8) and tlsproxy(8) process
will now voluntarily retire after after max_idle*max_use, or some
sane limit if either limit is disabled. Without this, a process
could stay busy for days or more.

Major changes - tls connection pooling
--------------------------------------

[Feature 20180617] Postfix SMTP client support for multiple deliveries
per TLS-encrypted connection. This is primarily to improve mail
delivery performance for destinations that throttle clients when
they don't combine deliveries.

This feature is enabled with "smtp_tls_connection_reuse=yes" in
main.cf, or with "tls_connection_reuse=yes" in smtp_tls_policy_maps.
It supports all Postfix TLS security levels including dane and
dane-only.

The implementation of TLS connection reuse relies on the same
scache(8) service as used for delivering plaintext SMTP mail, the
same tlsproxy(8) daemon as used by the postscreen(8) service for
inbound connections, and relies on the same hints from the qmgr(8)
daemon. It reuses the configuration parameters described in
CONNECTION_CACHE_README.

The Postfix SMTP client now logs whether an SMTP-over-TLS connection
is newly established ("TLS connection established") or whether the
connection is reused ("TLS connection reused").

The following illustrates how TLS connections are reused:

    Initial plaintext SMTP handshake:
      smtp(8) -> remote SMTP server

    Reused SMTP/TLS connection, or new SMTP/TLS connection:
      smtp(8) -> tlsproxy(8) -> remote SMTP server

    Cached SMTP/TLS connection:
      scache(8) -> tlsproxy(8) -> remote SMTP server

Major changes - tls support
---------------------------

[Feature 20190106] SNI support in the Postfix SMTP server, the
Postfix SMTP client, and in the tlsproxy(8) daemon (both server and
client roles). See the postconf(5) documentation for the new
tls_server_sni_maps and smtp_tls_servername parameters.

[Feature 20190106] Support for files that contain multiple (key,
certificate, trust chain) instances. This was required to implement
server-side SNI table lookups, but it also eliminates the need for
separate cert/key files for RSA, DSA, Elliptic Curve, and so on.
The file format is documented in the TLS_README sections "Server-side
certificate and private key configuration" and "Client-side certificate
and private key configuration", and in the postconf(5) documentation
for the parameters smtp_tls_chain_files, smtpd_tls_chain_files,
tlsproxy_client_chain_files, and tlsproxy_tls_chain_files.

Note: the command "postfix tls" does not yet support the new
consolidated certificate chain format.  If you switch to the new
format, you'll need to manage your keys and certificates directly,
rather than via postfix-tls(1).

Major changes - usability
-------------------------

[Feature 20180812] Support for smtpd_reject_footer_maps (as well
as the postscreen variant postscreen_reject_footer_maps) for more
informative reject messages. This is indexed with the Postfix SMTP
server response text, and overrides the footer specified with
smtpd_reject_footer.  One will want to use a pcre: or regexp: map
with this.