_destination_concurrency_failed_cohort_limit.
Files: global/mail_params.h, *qmgr/qmgr.c, *qmgr/qmgr_transport.c,
*qmgr/qmgr_queue.c, *qmgr/qmgr_feedback.c, postconf/auto.awk.
20071202
Feature: output rate control. For example, specify
"smtp_destination_rate_delay = 5m" to insert a five-minute
delay between deliveries. This was an opportunity to define
the mutually exclusive states that a queue can have, and
to detect invalid transitions. This will make adding new
features code easier. Files: *qmgr/qmgr_transport.c,
*qmgr/qmgr_queue.c, *qmgr/qmgr_entry.c.
Bugfix (introduced Postfix 2.2): don't update the back-to-back
delivery time stamp while deferring mail. File: *qmgr/qmgr_entry.c.
20071203
Feature: support for read-write tables in the proxymap
service. This is implemented with a separate master.cf entry
named "proxywrite" that should run with process limit of 1
if you want to update Berkeley DB like tables. This feature
requires that tables be authorized with the proxy_write_maps
configuration parameter. Files: global/dict_proxy.[hc],
proxymap/proxymap.c.
Human factors: the postmap and postalias commands now produce
nicer diagnostics when asked to do something with a proxied
map that they can't do. Files: postmap/postmap.c,
postalias/postalias.c.
Bugfix: the proxymap client didn't properly propagate user
options to the proxymap server. File: util/dict.h.
Workaround: force synchronous updates in the proxymap server
so that maps will be in a consistent state between updates.
File: proxymap/proxymap.c.
Bugfix: an empty rate-limited queue wasn't removed after
timer expiry. Files: *qmgr/qmgr_queue.c.
20071204
Use different sockets for proxymap (read-only) and proxywrite
(read-write) services in the proxy: client. Victor Duchovni.
File: global/dict_proxy.c.
Feature: proxymap delete support by Victor Duchovni. Files:
global/dict_proxy.c, proxymap/proxymap.c.
Feature: proxymap delete support. Files: postmap/postmap.c
postalias/postalias.c.
Cleanup: the Postfix sendmail command did not include the
user (name/uid) information in all error messages. File:
sendmail/sendmail.c.
Feature: data_directory configuration parameter for
Postfix-writable data such as caches and random numbers.
Files: postfix-install, conf/postfix-files.
20071206
Security: tlsmgr(8) and verify(8) no longer use root
privileges when opening their cache files. This avoids a
potential security loophole where the ownership of a file
(or directory) does not match the trust level of the content
of that file (or directory). See RELEASE_NOTES for how to
use pre-existing data. Files: util/set_eugid.[hc],
tlsmgr/tlsmgr.c, verify/verify.c.
Compatibility: as a migration tool, redirect attempts by
tlsmgr(8) or verify(8) to open files in non-Postfix directories
to the Postfix-owned data_directory. File: global/data_redirect.c.
Lots of pathname fixes in the examples of TLS_README and
postconf(5); -lm library screw-up in queue manager Makefiles.
20071207
Cleanup: pathname fixes in documentation; unnecessary queue
scan in the queue manager rate limiter; inverse square root
feedback in the queue manager concurrency scheduler. Files:
mantools/postlink, proto/TLS_README.html, *qmgr/qmgr_queue.c.
All changes up to this point should be ready for Postfix 2.5.
Documentation: updated nqmgr preemptive scheduler documentation
by Patrik Rak. File: proto/SCHEDULER_README.html.
20071211
Bugfix (introduced 19980315): the "write" equivalent of
bugfix 20030104. File: util/vstream.c.
20071212
Feature: "stress=" or "stress=yes" attribute in the SMTPD
policy delegation protocol. File: smtp/smtpd_check.c.
Cleanup: allow_min_user now rejects recipients (and senders)
starting with '-' at SMTP session time. To make this possible
the feature was moved from qmgr(8) to trivial-rewrite(8).
Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c.
20071213:
Cleanup: the queue manager and SMTP client now distinguish
between connection cache store and retrieve hints. Once the
queue manager enables connection caching (store and load)
hints on a per-destination queue, it keeps sending connection
cache retrieve hints to the delivery agent even after it
stops sending connection cache store hints. This prevents
the SMTP client from making a new connection without checking
the connection cache first. Victor Duchovni. Files:
*qmgr/qmgr_entry.c, smtp/smtp_connect.c.
Bugfix (introduced Postfix 2.3): the SMTP client never
marked corrupt files as corrupt. Victor Duchovni. File:
smtp/smtp_proto.c.
Cleanup: the SMTP client won't mark a destination as
unavailable when at least one SMTP session was completed
without connect or handshake error. Victor Duchovni. Files:
smtp/smtp_connect.c, smtp/smtp_session.c, smtp/smtp_proto.c,
smtp/smtp_trouble.c.
20071215
Documentation and code cleanup. Files: global/deliver_request.h,
*qmgr/qmgr_entry.c, smtp/smtp_connect.c,
proto/SCHEDULER_README.html.
Bugfix (introduced snapshot 20071006): qmqpd ignored the
qmqpd_client_port_logging parameter setting. File:
qmqpd/qmqpd.c.
20071216
Cleanup: show the remote SMTP server port in verbose logging,
warnings and postmaster notices. Still don't show the port
in delivery status notifications. Files: smtp/smtp_chat.c,
smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c.
The "tls_require_cert" is now compatible with OpenLDAP 2.1
and later. Victor Duchovni. Files: proto/ldap_table,
global/dict_ldap.c.
20071218
Cleanup: removed the "#ifdef USE_LIBMILTER_INCLUDES"
dependencies on system-installed Milter protocol include
files. Verified that the object code has not changed. File:
milter/milter8.c.
Sanity check: idiot filter to detect attempts to use the
same database file for different TLS session caches. File:
tlsmgr/tlsmgr.c.
Cleanup: updated the spell check stoplist and the spell
check script. Files: mantools/spell, proto/stop.
Cleanup: replaced documentation references to xxgdb by ddd.
The xxgdb program hasn't been updated in more than 10 years.
Files: proto/postconf.proto, conf/main.cf.
20071219-20
Feature: support for all new Sendmail 8.14 Milter features
except SMFIR_SKIP (skip further events of this type),
SMFIP_RCPT_REJ (report rejected recipients to the mail
filter), SMFIR_CHGFROM (replace sender, with optional ESMTP
command parameters), and SMFIR_ADDRCPT_PAR (add recipient,
with optional ESMTP command parameters). Files: milter/milters.c,
milter/milter8.c, milter/test-milter.c, cleanup/cleanup_milter.c.
20071221
Feature: support for Sendmail 8.14 Milter SMFIR_SKIP (skip
further events of this type). Files: milter/milter8.c,
milter/test-milter.c.
Cleanup: don't try sending HELO after a 421 EHLO reply.
File: smtp/smtp_proto.c.
20071221-nonprod
Using 20071221 as reference point.
Cleanup: Simplified TLS library cipher and protocol API to
just pass string-valued properties to tls_client_init() and
tls_client_start(). The client is now agnostic of the
mechanics of cipher management internal to the library. The
main.cf parameters used internally in the library are now
loaded by the library, not the caller. Files:
src/smtp/lmtp_params.c, src/smtp/smtp.c, src/smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, src/smtpd/smtpd.c, src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_level.c, src/tls/tls_misc.c,
src/tls/tls_server.c, src/tls/tls_session.c, src/tls/tls_verify.c
and src/tlsmgr/tlsmgr.c
Cleanup: Client session lookup key "salting" is now handled
internally in the tls library. Files: src/tls/tls_client.c
Cleanup: Cipher state is cached, and only updated when
necessary. Files: src/tls/tls_misc.c
Feature: Extended the syntax of protocol selection to allow
exclusions as well as inclusions. Files: src/tls/tls_misc.c
Cleanup: Updated default verification depth to match reality:
default is 9 in OpenSSL and we don't yet override it. When
we do (soon), the default will match previous behavior.
Files: src/global/mail_params.h
Bugfix: Reference to obsolete "pfixtls" code won't compile
inside #ifdef for OpenSSL <= 0.9.5a. Using an OpenSSL release
that old has not been tested for some time, but may now
work. Files: src/tls/tls_bio_ops.c.
Replaced "void *" TLS library application handles by explicit
pointer types, while hiding data structure implementation
details from the TLS library users. Files: tls/tls_client.c,
tls/tls_server.c, smtp/smtp.c, smtpd/smtpd.c.
The TLS library no longer modifies VSTRINGs passed in by
the caller. Where possible, information is passed as "const"
from application to library. Files: smtp/smtp_proto.c,
tls/tls_client.c.
20071227-nonprod
Replaced explicit initialization of props structures by
emulating function calls with named parameter lists. Files:
tls/tls.h, smtp/smtp.c, smtp/smtp_proto.c, smtpd/smtpd.c.
20071222
Further polishing of the Milter code and logging. File:
milter/milter8.c.
20071123
Further polishing of the Milter code. With SETSYMLIST, each
Milter can now update its own macros instead of clobbering
the global copy that is shared with other Milters. Also an
opportunity to clean up some ad-hoc code for sending macro
lists from smtpd(8) to cleanup(8). Files: milter/milter.c,
milter/milter8.c, milter/milter_macros.c.
20071224
Further polishing of the Milter code. Eliminated unnecessary
steps from the initial smtpd/cleanup Milter handshake. Files:
milter/milter.c, milter/milter8.c, milter/milter_macros.c.
Cleanup: name_code(3) and name_mask(3) now support read-only
tables. Files: util/name_code.[hc], util/name_mask.[hc].
20071227
Cleanup: further refinements of the Milter code, allowing
for multiple macro overrides. The code is now ready for
serious testing. File: milter/milter8.c.
20071229
Bugfix: the Milter client did not replace the Postfix-specific
form for unknown host names by the Sendmail-specific form.
File: milter/milter8.c.
Cleanup: when a cleanup milter reports a problem don't log
generic "4.3.0 Service unavailable", but log the text for
the actual error. File: cleanup/cleanup_milter.c.
20080102-nonprod
SMTP client fingerprint security level support and configurable
fingerprint digest algorithm. Victor Duchovni. Files:
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h,
src/smtp/smtp_params.c, src/smtp/smtp_proto.c,
src/smtp/smtp_session.c, tls/tls_client.c, tls/tls_level.c,
tls/tls_verify.c.
20080103-nonprod
Missed "invalid TLS configuration" patch for SMTP client.
Victor Duchovni. File: smtp/smtp_proto.c.
SMTP server configurable fingerprint digest algorithm.
Victor Duchovni. Files: smtpd/smtpd.c, tls/tls.h,
tls/tls_server.c, tls/tls_verify.c.
20080104-nonprod
Cleanup: finally implemented certificate verification depth
limit parameters. Prior to Postfix 2.5 these were ignored.
For backwards compatibility, the default verification depth
limit is now 9, the OpenSSL default. Victor Duchovni. Files:
src/tls/tls_client.c, src/tls/tls_server.c, src/tls/tls_verify.c.
Robustness: Avoid possibility of NULL pointer issues in
application code that checks certificate names, by providing
"empty string" values when no data is available. Victor
Duchovni. Files: src/tls/tls_verify.c, src/tls/tls_client.c,
src/tls/tls_server.c, src/smtpd/smtpd_check.c, src/smtpd/smtpd.c.
Cleanup: separation of TLS handshake from security level
enforcement. The library shakes hands; the application
decides if the resulting security is acceptable. Victor
Duchovni. Files: smtpd/smtpd.c, smtpd/smtpd_proto.c,
tls/tls_server.c, tls/tls_client.c, tls/tls_verify.c.
Robustness: more robust processing of ASN.1 string attributes
in x509v3 certificates, plus additional sanity checks (e.g.
embedded null characters). Victor Duchovni. File:
src/tls/tls_verify.c.
20080104
Workaround: minor change to the Dovecot AUTH request to
prevent dovecot-auth memory wastage. Timo Sirainen. File:
xsasl/xsasl_dovecot_server.c.
20080105-nonprod
Cleanup: renamed TLS-related symbols for consistency (always
include the init, start, stop prefix in the TLS library
function and data structure names; consistently distinguish
between per-application TLS state and per-session TLS state;
consistently use the fpt prefix for fingerprint related
variables and structure members; consistent use of monocase
typedef-ed names).
20080106-nonprod
Cleanup: consistent use of and in examples;
instead of emphasizing new Postfix 2.5 behavior in reference
documentation, describe the new behavior as "current", with
historical behavior as a supplemental note.
20080107
Feature: new "pass" service type (in addition to "inet",
"unix" and "fifo"). The "pass" service type supports
front-end daemons that accept all inbound connections and
that permit only well-behaved clients to talk to the MTA.
This service type had been sitting in the master daemon for
years but was disabled by default. Actual applications for
this will have to be developed later. Files: util/upass_connect.c,
util/upass_trigger.c.
20080108
Cleanup: where possible, store data structures in read-only
memory. Besides the security advantage of no write access,
this also gives slightly better memory utilization when
many processes execute the same file. Files: pretty much
everything that has a static table, except for a few tables
in the benchmark tools with flags that are controlled by
command-line information.
20080109
Cleanup: more read-only data. Files: everything that passes
around a HEADER_OPTS pointer.
20080112
Safety: optional lookup table to prevent the Postfix SMTP
client from making repeated SASL login failures with the
same hostname, username and password. This introduces new
parameters: smtp_sasl_auth_cache_name, smtp_sasl_auth_cache_time.
Based on code by Keean Schupke. Files: smtp/smtp_sasl_glue.c,
smtp/smtp_sasl_auth_cache.c.
Safety: the Postfix SMTP client now by default defers mail
after the server rejects a SASL login attempt with a 535
status code. Specify "smtp_sasl_auth_soft_bounce = no" to
get the earlier behavior. Based on code by Keean Schupke.
Files: smtp/smtp_sasl_glue.c.
20080114
Safety: the smtpd_client_new_tls_session_rate_limit setting
now also limits the number of failed TLS handshakes. This
limits the impact of broken configurations. File: smtpd/smtpd.c.
20080115
Bugfix (introduced 20080112): Patrik Rak found two bugs
that largely canceled each other out, causing Postfix not
to complain about a missing "proxy:" prefix with the new
smtp_sasl_auth_cache_name parameter setting. File:
smtp/smtp_sasl_glue.c.
Documentation: new SOHO_README file for small/home offices.
The text is automatically generated from bits and pieces of
information that are scattered across other documents.
File: mantools/make_soho_readme.
20080116
Bugfix (introduced 20080112): missing #ifdef for the SASL
login failure cache. File: smtp/smtp_sasl_auth_cache.h.
20080123
Name fix: renamed the mumble_delivery_rate_delay parameter
to mumble_destination_rate_delay, because it really is a
per-destination feature. With this change we keep the option
of implementing a future per-transport rate delay.
20080125
Bugfix (introduced 20071216): missing {} in the LDAP client
broke OpenLDAP TLS. The setting tls_require_cert=no was
further broken because Postfix used OpenLDAP incorrectly.
Victor Duchovni. This broke tls_require_cert=no. File:
global/dict_ldap.c.
20080126
Cleanup: the post-install script now requires that it is
invoked via the postfix(1) command. This was the intended
use since Postfix 2.1, but it was never enforced. The
documentation for package maintainers has been updated
accordingly. File: conf/post-install.
20080130
Bugfix (introduced 20071204): wrong proxywrite process limit
in the default master.cf file. File: conf/master.cf.
20080131
Bugfix (introduced 20080126): the new "do not execute
directly" test in post-install got broken during code
cleanup. File: conf/post-install.
20080201
Workaround: undo the changes that require that post-install
is invoked via the postfix command, because this breaks
when "postfix start" is invoked with an obsolete postfix
command that doesn't export the new data_directory parameter.
Workaround: pick up a missing data_directory setting from
main.cf when "postfix start" is invoked with an obsolete
postfix command. File: conf/post-install.
20080207
Cleanup: soft_bounce support for multi-line Milter replies.
File: src/milter/milter8.c.
Cleanup: preserve multi-line format of header/body Milter
replies. Files: cleanup/cleanup_milter.c, smtpd/smtpd.c.
Cleanup: multi-line support in SMTP server replies. File:
smtpd/smtpd_chat.c.
SAFETY: postfix-script, postfix-files and post-install are
moved away from /etc/postfix to $daemon_directory. There
were too many accidents where people clobbered these files
with versions from an older Postfix release and ended up
with an unusable Postfix setup. Files: postfix-install,
Makefile.in, postfix/postfix.c, conf/postfix-files,
conf/postfix-script, conf/post-install.
20080212
Feature: check_reverse_client_hostname_access, to make
access decisions based on the unverified client hostname.
For safety reasons an OK result is not allowed. Noel Jones.
Files: smtpd/smtpd_check.c plus header files and documentation.
20080215
Safety: break SASL loop in case both the SASL library and
the remote SMTP server are confused. File: smtp/smtp_sasl_glue.c.
20080220
Safety: the master daemon now sets an exclusive lock on a
file $data_directory/master.lock, so that the data directory
can't be shared between multiple Postfix instances. This
would corrupt files that rely on single-writer updates
(examples: verify(8) cache, tlsmgr(8) caches, etc.). File:
master/master.c.
20080226
Cleanup: the postfix command did not set argv[0] to a sane
value when invoking postfix-script. Reported by Victor
Duchovni. File: postfix/postfix.c.
20080228
Bugfix: bounce(8) segfault on one-line template text.
Problem found by Sacha Chlytor. File: bounce/bounce_template.c.
20080310
Safety: the SMTP server's Dovecot authentication client now
enforces the SASL mechanism output filter also on client
command input. File: src/xsasl/xsasl_dovecot_server.c.
20080311
Bugfix (introduced 20070811): the MAIL and RCPT Milter
application call-backs no longer received {mail_addr} or
{rcpt_addr} information. Problem reported by Anton Yuzhaninov.
File: smtpd/smtpd.c.
Bugfix (introduced 20080207): "cleanup -v" panic because
the new "SMTP reply" request flag did not have a printable
name. File: global/cleanup_strflags.c.
20080318
Human factors: the PCRE and regexp maps now give more
comprehensible error messages when people make the common
mistake of indenting if/endif blocks. Files: util/dict_pcre.c,
util/dict_regexp.c.
20080324
Cleanup: the event_drain() function is now a proper event
processing loop. File: util/events.c
Feature: when the "postmap -q -" command reads lookup keys
from standard input, it now understands RFC822 and MIME
message format. Specify -h or -b to use headers or body
lines as lookup keys, and specify -hm or -bm to simulate
header_checks or body_checks. The postmap -h option (without
-m) will be compatible with a future postcat -h option.
File: postmap/postmap.c.
20080411
Bugfix (introduced Postfix 2.0): after "warn_if_reject
reject_unlisted_recipient/sender", the SMTP server mistakenly
remembered that recipient/sender validation was already
done. File: smtpd/smtpd_check.c.
Bugfix (introduced Postfix 2.3): the queue manager would
initialize missing client logging attributes (from xforward)
with real client attributes. Fix: enable this backwards
compatibility feature only with queue files that don't
contain logging attributes. Problem reported by Liviu Daia.
Files: *qmgr/qmgr_message.c.
20080424
Cleanup: some warning messages said "regexp" or "regexp
map" instead of "pcre map". File: util/dict_pcre.c.
20080426
Feature: finer control over address verification error
handling and amount of information disclosed in the SMTP
reject message. Parameters: unverified_recipient_defer_code,
unverified_recipient_reject_reason, unverified_sender_defer_code,
unverified_sender_reject_reason. If I don't do this properly,
then someone will do it anyway. File: src/smtpd/smtpd_check.c.
20080428
Cleanup: the proxy_read_maps (Postfix 2.0) default setting
was not updated when adding sender/recipient_bcc_maps
(Postfix 2.1) and smtp/lmtp_generic_maps (Postfix 2.3).
File: global/mail_params.h.
Cleanup: the SMTP server's XFORWARD and XCLIENT support was
not updated when the smtpd_client_port_logging configuration
parameter was added. Code by Victor Duchovni. Files:
smtpd/smtpd.c, smtpd/smtpd_peer.c.
20080508
Cleanup: delivery status notifications now prepend a
Return-Path: message header to the returned message.
File: bounce/bounce_notify_util.c.
20080509
Bugfix: null-terminate CN comment string after sanitization.
File: smtpd/smtpd.c.
20080510
Cleanup: when extracting peer and issuer common name from
TLS certificates, convert the result into UTF-8, and use
RFC 2047 encoding when logging these as Received: header
comment fields. Based remotely on code by Victor Duchovni.
Files: smtpd/smtpd.c, tls/tls_verify.c.
20080511
Cleanup: the RFC 2047 encoding of RFC*822 comments is too
problematic. The text that explains the problems is as
long as the code itself. That is usually a good indication
that code is not ready for use. File: smtpd/smtpd.c.
Cleanup: block non-printable ASCII text in UTF8 encoded TLS
peer and issuer common names. File: tls/tls_verify.c.
20080602
Workaround: avoid watchdog timeout in the local pickup
daemon when the cleanup server expands a very large virtual
alias list. Files: master/trigger_server.c, pickup/pickup.c.
20080603
Workaround: avoid "bad address pattern" errors with non-address
patterns in namadr_list_match() calls. File: util/match_ops.c.
Feature: print fsstone elapsed time with sub-second time
resolution. Kenji Kikuchi. File: fsstone/fsstone.c.
20080606
Bitrot: "make test" was broken due to recent changes in
code and due to recent changes at mail-abuse.org.
20080618
Add a note to SMTP session transcript email messages that
other details may be found in the maillog file. Files:
smtpd/smtpd_chat.c, smtp/smtp_chat.c.
20080620
Cleanup: with the "Before-queue content filter", RFC3848
information was not added to the headers. Carlos Velasco.
File: smtpd/smtpd.c.
20080621
Cleanup: include unread byte count in the SMTP server's "lost
connection after DATA (xx bytes)" logging. Files: smtpd/smtpd.c.
20080629
Bugfix (introduced Postfix 2.2): multiple inconsistencies
in SASL support after introduction of TLS. The Postfix
SMTP server 1) complained about plain-text SASL configuration
details when SASL was forbidden for plain-text sessions,
and 2) ignored the smtpd_tls_auth_only parameter setting
when built without TLS support. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c, smtpd/smtpd_sasl_glue.[hc],
smtpd/smtpd_state.c.
Some clarification about recipient address versus domain,
and recipients per message versus session. File:
proto/postconf.proto.
The description of SASL authentication attributes was
garbled. File: pipe/pipe.c.
Information: the master(8) server now logs the version
besides the configuration directory upon "postfix reload".
File: master/master.c.
20080717
Cleanup: a poorly-implemented integer overflow check for
TCP MSS calculation had the unexpected effect that people
broke Postfix on LP64 systems while attempting to silence
a compiler warning. File: util/vstream_tweak.c.
20080721
The cleanup server now rejects undisclosed_recipients_header
parameter values with invalid message header syntax.
File: cleanup/cleanup_message.c.
20080725
Paranoia: defer delivery when a mailbox file is not owned
by the recipient. Sebastian Krahmer, SuSE. Files:
local/mailbox.c, virtual/mailbox.c.
20080804
Bugfix: dangling pointer in vstring_sprintf_prepend().
File: util/vstring.c.
20080814
Security: some systems have changed their link() semantics,
and will hardlink a symlink, contrary to POSIX and XPG4.
Sebastian Krahmer, SuSE. File: util/safe_open.c.
The solution introduces the following incompatible change:
when the target of mail delivery is a symlink, the parent
directory of that symlink must now be writable by root only
(in addition to the already existing requirement that the
symlink itself is owned by root). This change will break
legitimate configurations that deliver mail to a symbolic
link in a directory with less restrictive permissions.
20080815
Feature: the milter_default_action parameter now accepts
the "quarantine" action. This works like "accept" but also
freezes the mail in the "hold" queue. File: milter/milter8.c.
Robustness: transition from setjmp()/longjmp() to the signal
mask saving/restoring versions sigsetjmp()/siglongjmp().
These functions have been around for 15 years, but they
have had bugs on supported platforms, so makedefs tests for
them. Files: makedefs, util/sys_defs.h, util/vstream.h.
20080822
Cleanup: the proxymap_service_name and proxywrite_service_name
parameters make the proxymap service names configurable.
This paves the way for a future option where the proxymap
services are accessible via TCP so that they can be shared
among multiple Postfix hosts. File: global/dict_proxy.c.
Feature: MacOS X support for kqueue style event handling,
with workaround for broken MacOS X versions. Files:
util/sys_defs.h, makedefs.
Cleanup: the makedefs script now keeps its test programs
in a directory makedefs.d, instead of inlining them as
fragile "here documents". Files: makedefs, makedefs.d/*.
20080823
Feature: IPv6 dns blocklist lookup. File: smtpd/smtpd_check.c.
20080824
Cleanup: untangled the MacOS X version dependent sections
in the makedefs script, to make future updates easier. File:
makedefs.
Cleanup: don't log multiple Milter "hold" actions for the
same email message. File: cleanup/cleanup_milter.c.
20080826
Cleanup: moving test programs from makedefs into a makedefs.d
directory brought more pain than gain.
Cleanup: untangled the Linux version dependent sections in
the makedefs script, to make future updates easier. File:
makedefs.
Documentation: MacOS process limit configuration by Quanah
Gibson-Mount. File: proto/TUNING_README.html.
Feature: smtp-sink -M option to terminate after receiving
a specified number of messages. Laurent Gentil. File:
smtpstone/smtp-sink.c.
Bugfix (introduced Postfix 2.4): epoll file descriptor leak.
With Postfix >= 2.4 on Linux >= 2.6, Postfix has an epoll
file descriptor leak when it executes non-Postfix commands
in, for example, user-controlled $HOME/.forward files. A
local user can access a leaked epoll file descriptor to
implement a denial of service attack on Postfix. Data
confidentiality and integrity are not affected. File:
util/events.c.
20080903
Don't enable kqueue (which requires poll) support on
MacOS X. File: makedefs.
Cleanup: remove obsolete Rhapsody and MacOS targets from
makedefs.
20080929
Workaround: don't log "file has 2 links" warnings when the
condition appears to be temporary. As kernels have evolved
from non-interruptible system calls towards fine-grained
locks, the showq command has become likely to observe a
file while the queue manager is in the middle of a rename
operation, when the file has links to both the old and new
name. File: global/mail_open_ok.c.
Workaround: don't loop forever when write() fails with a
persistent EAGAIN error on a writable file descriptor.
File: util/write_buf.c.
20081003
Bugfix (introduced Postfix 2.1): when XFORWARD support was
introduced with Postfix 2.1, the specification failed to
clearly distinguish between missing and non-existent client
information. This ambiguity affected the implementation:
in $name expansions by delivery agents, unknown client
hostnames could become empty strings (as if a submission
was local), and local submissions could appear to originate
from an SMTP-based content filter. This was fixed with a
minor semantic change to the XFORWARD protocol. Files:
smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
cleanup/cleanup_envelope.c, proto/XFORWARD.html. Note: the
changes to propagate local submission details were undone
20082012.
Feature: a DUNNO lookup result in per_sender_relayhost_maps
stops the search without replacing the next-hop destination.
File: trivial-rewrite/resolve.c.
20081005
Bugfix: further refinements to the handling of missing or
non-existent remote client attributes. Files: smtpd/smtpd.c,
smtpd/smtpd.h.
Documentation: the XFORWARD specification of the ADDR
attribute did not agree with the actual on-the-wire protocol.
Since we can't change already existing deployments, the
spec has been updated. File: proto/XFORWARD_README.html.
20081006
Bugfix: further refinements to the handling of remote client
attributes. Introduced a dummy "we have forwarded client
info" record, to eliminate the need for the backwards
incompatible queue file change that was introduced 20081003.
Files: smtpd/smtpd.c, cleanup/cleanup_envelope.c,
*qmgr/qmgr_message.c.
Security: hardened the proxymap client, in case it ever
ends up in a set-gid program. File: global/dict_proxy.c.
20081007
Workaround: undo the proxymap client change. It broke
chrooted servers when they attempted to reconnect to the
proxy read/write service. File: global/dict_proxy.c.
20081008
Safety: added checks that $queue_directory/pid is owned by
root, and that $queue_directory/saved is owned by $mail_owner.
File: conf/postfix-script.
20081010
Feature: controls for opportunistic TLS protocols and
ciphers. The smtp_tls_protocols, smtp_tls_ciphers, and
equivalent parameters for lmtp and smtpd provide global
settings; the SMTP client TLS policy table provides ciphers
and protocols settings for specific peers. Code by Victor
Duchovni. Files: smtp/smtp.c, smtp/smtp_session.c, smtpd/smtpd.c
and documentation.
20081012
Cleanup: simplify the 20081003 changes and don't try to
propagate local submission information through XFORWARD.
Files: smtpd/smtpd.c, qmqpd/qmqpd.c, smtp/smtp_proto.c,
cleanup/cleanup_envelope.c, proto/XFORWARD.html.
20081015
Bugfix: GLIBC API version detection. Rob Foehl. File:
util/sys_defs.h.
20081022
Documentation: removed inapplicable daemon_timeout reference
from qmgr(8), oqmgr(8), pickup(8). These daemons need to
use a much shorter watchdog timer.
20081108
Feature: smtp_sasl_tls_verified_security_options is no
longer #ifdef SNAPSHOT.
Feature: elliptic curve support. This requires OpenSSL
version 0.9.9 or later. Victor Duchovni. Files: TLS_README,
smtpd/smtpd.c, smtp/smtp.c, tls/tls_dh.c, tls/tls_certkey.c,
tls/tls_server.c, tls/tls_client.c, tls/tls.h, tls/tls_misc.c.
Bugfix (introduced Postfix 2.5): the Postfix SMTP server
did not ask for a client certificate with "smtpd_tls_req_ccert
= yes". Reported by Rob Foehl. File: smtpd/smtpd.c.
20081109
Cleanup: confusing names of variables. File: smtpd/smtpd.c.
20081126
Documentation: pcre_table(5) incorrectly claimed that the
'x' flag supports #comment after text. File: proto/pcre_table.
20081202
Cleanup: vstream_bufstat() provides a more systematic
approach to get information about VSTREAM buffers. The
vstream_peek() function is now a backwards compatibility
wrapper. Files: util/vstream.[hc].
Cleanup: the SMTP server should warn about "lost connection
after QUIT" only when the "." reply was pipelined together
with the "QUIT" reply. File: smtpd/smtpd.c.
Cleanup: the SMTP client's code was duplicating buffer
management that was already done in the VSTREAM module.
File: smtp/smtp_proto.c.
20081203
Cleanup: adjust the VSTREAM buffer strategy when reusing
an SMTP connection with a large TCP MSS value. File:
smtp/smtp_reuse.c.
20081204
Cleanup: state the SMTP client PIPELINING implementation's
dependency on monotonic VSTREAM buffer size behavior, and
add some checks for boundary cases with VSTREAM buffer size
change requests. Files: util/vstream.c, smtp/smtp_proto.c.
20081205
Fix 20081202 flush code. Victor Duchovni. File: smtpd/smtpd.c.
Safety: add another check to "postfix check", in this case
for group or other writable queue_directory. File:
conf/postfix-script.
20081217
Debugging: ad-hoc code to log the TLS error stack after
VSTREAM read/write error. File: tls/tls_bio_ops.c. In a
better implementation, each I/O "object" would provide an
optional error reporting method (besides timed_read and
timed_write) that could be queried via the vstream module.
20081222
Documentation: log the "*" pattern as the last transport
map lookup. File: proto/transport.
20090103
Documentation: rewrote NFS_README, to clarify the support
status of Postfix and NFS, and to describe the NFS workarounds
that Postfix actually implements.
20090106
Feature: "postconf -# parametername ..." to comment out
named parameter entries. Victor Duchovni. File:
postconf/postconf.c.
20090107
Library: edit_file(3) module for cooperative editing of a
file. Inspired by the postconf command, this creates a new
version under a deterministic temporary name and renames
it into place. The implementation uses an open/lock/stat
protocol before updating the new file, and rename/unlock/close
afterwards. Based on pieces of code by Victor Duchovni,
with minor improvements by Wietse. Files: util/edit_file.[hc].
Cleanup: the postconf command now uses the edit_file(3)
module to manage collisions when multiple processes attempt
to update the main.cf file.
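The open/lock/stat and rename/unlock/close sequence described in the 20090107 edit_file(3) entry, as an added C sketch. It is not the util/edit_file.c source: the coop_* names, the ".tmp" suffix, the retry bound and the /tmp demo paths are assumptions, and the target directory is assumed to be writable only by trusted users.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1       /* ftruncate(), fsync() under strict -std= */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* All names below are hypothetical; this is not Postfix code. */

/* Return 1 if fd still refers to the file currently named by path. */
int coop_fd_is_current(int fd, const char *path)
{
    struct stat by_fd, by_name;

    if (fstat(fd, &by_fd) < 0 || stat(path, &by_name) < 0)
        return 0;
    return by_fd.st_dev == by_name.st_dev && by_fd.st_ino == by_name.st_ino;
}

/* open/lock/stat: return a locked, truncated fd for tmp_path, or -1. */
int coop_open(const char *tmp_path, mode_t mode)
{
    int fd, tries;

    for (tries = 0; tries < 100; tries++) {     /* retry bound is arbitrary */
        if ((fd = open(tmp_path, O_CREAT | O_WRONLY, mode)) < 0)
            return -1;
        if (flock(fd, LOCK_EX) < 0) {           /* blocks behind other editors */
            close(fd);
            return -1;
        }
        /* While we waited, the previous lock holder may have renamed this
         * file into place. Then our fd is the live file, not the temp file,
         * and writing to it would corrupt the published version. */
        if (coop_fd_is_current(fd, tmp_path)) {
            if (ftruncate(fd, 0) == 0)
                return fd;
            close(fd);
            return -1;
        }
        close(fd);                              /* lost the race: start over */
    }
    errno = EAGAIN;
    return -1;
}

/* Write the new version, then rename/unlock/close. Returns 0 or -1. */
int coop_replace(const char *path, const char *data, size_t len)
{
    char tmp_path[4096];
    size_t done = 0;
    ssize_t n;
    int fd, ok;

    n = snprintf(tmp_path, sizeof(tmp_path), "%s.tmp", path);
    if (n < 0 || (size_t) n >= sizeof(tmp_path))
        return -1;
    if ((fd = coop_open(tmp_path, 0644)) < 0)
        return -1;
    while (done < len) {
        n = write(fd, data + done, len - done);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        done += (size_t) n;
    }
    /* Publish only a complete, flushed file; rename() replaces atomically. */
    ok = (done == len && fsync(fd) == 0 && rename(tmp_path, path) == 0);
    if (!ok)
        unlink(tmp_path);
    close(fd);                  /* closing the descriptor releases the lock */
    return ok ? 0 : -1;
}

/* Self-check on constructed paths under /tmp. Returns 0 on success. */
int coop_demo(void)
{
    char path[128], tmp_path[160], buf[32] = "";
    int fd, fresh, stale;

    snprintf(path, sizeof(path), "/tmp/coop_demo.%ld.cf", (long) getpid());
    snprintf(tmp_path, sizeof(tmp_path), "%s.tmp", path);
    if (coop_replace(path, "a = 1\n", 6) < 0
        || coop_replace(path, "a = 2\n", 6) < 0)
        return -1;
    if ((fd = open(path, O_RDONLY)) < 0)
        return -1;
    if (read(fd, buf, sizeof(buf) - 1) != 6 || strcmp(buf, "a = 2\n") != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    /* A waiter's view: its temp file is renamed into place by someone else. */
    if ((fd = open(tmp_path, O_CREAT | O_WRONLY, 0644)) < 0)
        return -1;
    fresh = coop_fd_is_current(fd, tmp_path);
    rename(tmp_path, path);
    stale = !coop_fd_is_current(fd, tmp_path);
    close(fd);
    unlink(path);
    return (fresh && stale) ? 0 : -1;
}

int main(void)
{
    return coop_demo() == 0 ? 0 : 1;
}
```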
20090108
Feature: master_service_disable parameter (default: empty)
to easily turn off/on master.cf services by type or by name
and type. For example, to turn off the main SMTP listener
use "master_service_disable = smtp.inet", and to turn off
all TCP/IP listeners use "master_service_disable = inet".
This immediately terminates all processes that provide the
specified services. The master_service_disable feature does
not distinguish services by their privacy property; some
day, clients will not need to specify that anymore. Files:
global/mail_params.h, master/master.c, master/master_vars.c,
master/master_ent.c.
Bugfix (introduced May 19, 1997): removing a parameter
setting from main.cf did not reset the parameter to its
default value. This was a problem only in the master daemon.
File: global/mail_conf.c, master/master_vars.c.
20090109
Cleanup: "defer" action in access maps, and a corresponding
access_map_defer_code parameter. No idea what was behind
this omission. Files: global/mail_params.h, smtpd/smtpd.c,
smtpd/smtpd_check.c, proto/access.
Workaround: specify "tcp_windowsize = 65535" (or less) to
work around broken TCP window scaling implementations. This
is perhaps easier than collecting tcpdump output and tuning
kernel parameters by hand. See RELEASE_NOTES for how to
change this setting without stopping Postfix. Files:
util/inet_connect.c, inet_listen.c, global/mail_params.[hc].
20090110
Cleanup: create separate code modules for TCP window size
handling, master.cf service name matching, and main.cf
change monitoring. Files: util/inet_windowsize.c,
global/match_service.c, master/master_watch.c.
Feature: TCP window size override for the Postfix SMTP/LMTP
client, and for the smtp-source and smtp-sink test programs.
Files: smtp/smtp_connect.c, smtpstone/smtp-source.c,
smtpstone/smtp-sink.c.
20090114
Bugfix: VERP now uses the Postfix original recipient, if
available, because that is what the VERP consumer expects.
Files: *qmgr/qmgr_deliver.c, bounce/bounce_notify_verp.c.
Safety: extra check for broken third-party patches that
allow file size limit < message size limit. This can cause
mail to be stuck in the queue forever.
Invisible change, in preparation for multi-instance support.
Except for main.cf and master.cf, all files are optional
for non-default Postfix configuration directories. File:
conf/postfix-files.
20090115
Cleanup: rewrote the 20090114 VERP bugfix, to replace code
that "works" by code that is "right". Files: *qmgr/qmgr_deliver.c,
bounce/bounce_notify_verp.c, global/verp_sender.c.
20090118
Documentation: some URLs to enable/disable client-side TLS
jumped into the middle of an enumeration. File:
proto/TLS_README.html.
20090119-21
Feature: multi-instance manager plug-in API. A sample
multi-instance manager with instructions is available as
$daemon_directory/postfix-wrapper. The plug-in API itself
is described in postfix-wrapper(5). Files: postfix/postfix.c,
global/mail_params.[hc], proto/postfix-wrapper,
conf/postfix-wrapper, conf/postfix-script, conf/postfix-files.
Support to check/update shared files only in the context
of the default Postfix instance. Files: conf/post-install,
conf/postfix-script.
20090122
Refinements: the multi-instance manager always replaces
"start" by "check" when a Postfix instance is multi-instance
disabled, so that problems will still be reported; polish
documentation; delete unnecessary multi_instance_order
parameter. Files: conf/postfix-wrapper, proto/postfix-wrapper,
global/mail_params.[hc] and documentation.
Bugfix: the data_directory was not automatically created!
File: conf/postfix-files.
20090123
More little fixes in the "trivial but useful" postfix-wrapper
including instructions. It's ready for testing in the field.
File: conf/postfix-wrapper.
20090125
Documentation: more precise description of multi-instance
manager API, and minor edits of the example program. Files:
conf/postfix-wrapper, proto/postfix-wrapper.
20090208
Cleanup: enable multi-instance shared-file logic only when
the instance is listed in multi_instance_directories. Files:
conf/post-install, conf/postfix-script.
20090210
Feature: specify "reject_tempfail_action = defer" to
immediately defer a remote SMTP client request after a
reject-type restriction fails with a temporary error. Based
on code by Rob Foehl. File: smtpd/smtpd_check.c.
Feature: finer control of reject_tempfail_action with
unknown_address_tempfail_action, unverified_sender_tempfail_action,
unverified_recipient_tempfail_action, and
unknown_helo_hostname_tempfail_action. See documentation
for details. File: smtpd/smtpd_check.c.
20090211
Workaround: pass the SMTP server socket's local and remote
peer address information to the Dovecot authentication server.
This is incomplete code: it ignores XCLIENT server address
overrides. File: xsasl/xsasl_dovecot_server.c.
20090212
Testing revealed that with mumble_tempfail_action=defer,
the "defer" action was ignored. Cause: the DEFER_IF_PERMIT[0-9]
macros lost the SMTPD_CHECK_REJECT result value. File:
smtpd/smtpd_check.c.
Feature: stress-dependent smtpd_timeout (normal: 300s,
overload: 10s), smtpd_hard_error_limit (normal: 20, overload:
1) and smtpd_junk_command_limit (normal: 100, overload: 1).
Files: global/mail_params.h, global/mail_conf_nint.c,
master/*_server.c, smtpd/smtpd.c.
20090213
Fine tuning: don't enforce smtpd_junk_command_limit for
XCLIENT and XFORWARD commands. These commands can be issued
only by authorized clients. File: src/smtpd/smtpd.c.
20090215
Feature: the Postfix SMTP server hangs up after replying
with "521". This makes overload handling more effective.
See also RFC 1846. File: smtpd/smtpd.c.
Feature: postmulti multi-instance manager command, very
lightly tested. The MULTI_INSTANCE_README still needs to
be proofread. Originally by Victor Duchovni. Files:
src/postmulti/*, proto/MULTI_INSTANCE_README.html,
conf/postmulti-script.
20090216-24
Cleanup: assorted code cleanups in postmulti. File:
src/postmulti/postmulti.c.
20090223
Cleanup: multiple instances of the same global. Files:
util/inet_windowsize.c, util/inet_listen.c.
20090228
Cleanup: the Postfix SMTP server now maintains a per-session
"improper command pipelining detected" flag. This flag can
be tested at any time with reject_unauth_pipelining, and
is raised whenever a client command is followed by unexpected
commands or message content. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c.
Logging: the Postfix SMTP server now logs the first command
pipelining transgression as "improper command pipelining
after from []".
Cleanup: after DATA command failure, log "(approximately
XX bytes)" only if Postfix actually accepted the DATA
command. File: smtpd/smtpd.c.
20090303
Cleanup: word smithing of "sendmail -bv" probe message.
File: sendmail/sendmail.c.
Cleanup: OpenLDAP now provides a sane solution for conflicts
with PAM ldap-over-tls. Victor Duchovni. File: global/dict_ldap.c.
20090304
Cleanup: skip over suspended or throttled queues while
looking for delivery requests. File: *qmgr/qmgr_transport.c.
20090305
Bugfix: in the "new queue manager", the _destination_rate_delay
code needed to postpone the job scheduler updates after
delivery completion, otherwise the scheduler could loop on
blocked jobs. Victor & Wietse. File: qmgr/qmgr_entry.c,
qmgr/qmgr_queue.c, qmgr/qmgr_job.c.
Cleanup: report a "queue file write error", instead of
passing through bogus 2xx replies from proxy filters to SMTP
clients. File: smtpd/smtpd_proxy.c.
20090307
Cleanup: with "lmtp_assume_final = yes", the Postfix LMTP
delivery agent assumes that delivery is final when talking
to an LMTP server that announces no DSN support. Otherwise,
the Postfix LMTP delivery agent assumes that delivery is
"relayed", to maintain compatibility with simple LMTP-based
content filters. Based on code by Michel Sebastien, ATOS
Origin. File: smtp/smtp_rcpt.c.
20090310
Bugfix: Postfix used mumble_concurrency_failed_cohort_limit
instead of mumble_destination_concurrency_failed_cohort_limit
as documented. File: global/mail_params.h.
20090330
Cleanup: add (Resent-) From:, Date:, Message-ID: or To:
headers only when clients match $local_header_rewrite_clients.
Specify "always_add_missing_headers = yes" for backwards
compatibility. Adding such headers to remote mail can break
DKIM signatures that cover headers that are not present.
File: cleanup/cleanup_message.c.
20090415
Workaround: to avoid unnecessary "fatal" delivery agent
exits, delivery agents retry getting a shared lock on a
queue file. This is necessary since the queue manager's
behavior was changed years ago to refill the in-memory
recipient list before it was completely empty. File:
global/deliver_request.c.
Documentation: updated STRESS_README.
20090416
Workaround: some AWK implementations have a limit of 10
output files and lack a working close() function. It is too
much trouble to find out what systems have this limitation,
and where, if any, such systems store their XPG4-compatible
AWK program. So instead we generate a stream of here
documents and let the shell split the stream into files.
File: postconf/extract.awk.
Documentation: clarification of certificate file usage.
Victor Duchovni. Files: proto/postconf.proto,
proto/TLS_README.html.
Feature: pass a "TLS is active" flag to the server-side
SASL support. Based on code by Timo Sirainen, except that
the implementation uses an extensible API so that it will
be less painful to add more attributes in future Postfix
versions. Files: xsasl/xsasl.h, xsasl/xsasl_*server.c,
smtpd/smtpd_sasl_glue.c.
20090417
Documentation: re-generate READMEs and manpages for updated
hyperlinks.
Documentation: missing hyperlinks and missing parameters
in manpages. File: mantools/postlink, mantools/check-postlink.
20090418
Cleanup: use the extensible API to pass SMTP client address
information to the dovecot SASL plugin, and prepare for
passing server address information. Files: xsasl/xsasl.h,
xsasl/xsasl_dovecot_server.c, smtpd/smtpd_sasl_glue.c.
Same extensible API transformation for the SASL client-side
code to make future extensions less painful. Files:
xsasl/xsasl.h, xsasl/xsasl*client.c, smtp/smtp_sasl_glue.c.
More postlink fixes. File: mantools/postlink.
20090419
Bugfix: don't re-enable SIGHUP if it is ignored in the
parent. This may cause random "Postfix integrity check
failed" errors at boot time (POSIX SIGHUP death), causing
Postfix not to start. We duplicate code from postdrop and
thus avoid past mistakes. File: postsuper/postsuper.c.
Robustness: don't re-enable SIGTERM if it is ignored in the
parent. Files: postsuper/postsuper.c, postdrop/postdrop.c.
20090422
Undo delivery agent change 20090415. The queue manager never
locks a queue file to read additional recipients into memory,
so if a delivery agent runs into a locked file, then something
is seriously wrong. File: global/deliver_request.c.
20090424
Compatibility: the Postfix SMTP client no longer uses the
obsolete SSLv2 by default for opportunistic encryption.
This has nothing to do with security (we're willing to send
plaintext over an unauthenticated connection) but with the
loss of advanced options that give better performance.
Victor Duchovni. Files: proto/postconf.proto, global/mail_params.h.
20090426
Feature: more accurate support for Milter macros {mail_addr}
and {rcpt_addr}, and new support for Milter macros {mail_host},
{mail_mailer}, {rcpt_host}, and {rcpt_mailer}. Files:
milter/milter.[hc], smtpd/smtpd.[hc], smtpd/smtpd_milter.c,
smtpd/smtpd_resolve.c.
Feature: support to report rejected recipients to Milters
(SMFIP_RCPT_REJ). Postfix reports the event as described in
Sendmail 8.14.0 documentation: {rcpt_mailer} = "error",
{rcpt_host} = enhanced status code (e.g., "5.7.1"), and
{rcpt_addr} = reason to reject (e.g., "Relay access denied").
Files: milter/milter.[hc], milter/milter8.c, smtpd/smtpd.[hc],
smtpd/smtpd_milter.c.
20090427
Feature: Milter support for replacing the envelope sender
and adding recipients (SMFIR_CHGFROM, SMFIR_ADDRCPT_PAR).
This support currently ignores ESMTP command parameters.
Files: milter/milter8.c, cleanup/cleanup_milter.c.
20090428
Compatibility: to make all the new Milter features usable,
raise the default milter_protocol setting from 2 to 6.
This has been tested with a Sendmail 8.14 libmilter.
File: global/mail_params.h.
Bugfix: don't disable MIME parsing with smtp_header_checks,
smtp_mime_header_checks, smtp_nested_header_checks or with
smtp_body_checks. Bug reported by Victor. File: smtp/smtp_proto.c.
Code cleanups: respect VSTRING invariants by using VSTRING_RESET
and VSTRING_TERMINATE instead of directly groping the
underlying character buffer. Files: global/dsn_buf.c,
milter/milter8.c.
20090507
main.cf:tls_random_source now defaults to /dev/arandom on
OpenBSD. This device was introduced before Postfix development
began. Files: util/sys_defs.h, global/mail_params.h.
20090510
Code cleanups: while emulating SMTP client requests for
Milter applications, use user@domain form addresses as
required by the SMTP protocol, instead of bare usernames.
This avoids hard to debug errors from some Milter applications.
Files: cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_addr.c.
20090511
Code cleanups: don't clobber -o command-line arguments so
that Linux people can debug daemon command lines more easily.
Files: master/*server.c.
20090513
Code cleanups: better parsing of Postfix daemon "-o"
command-line options, with better error handling. Files:
master/*server.c.
20090518
Documentation: missing dummy entries for lmtp_mumble_checks.
File: proto/postconf.proto.
20090519
Bugfix (introduced: Postfix 2.3, but did not cause trouble
until 20090427). Queue file corruption with (smtpd_milters
or non_smtpd_milters) enabled, AND with delay_warning_time
enabled, AND with short envelope sender addresses (e.g.,
local submissions with bare usernames, but not bounces).
The queue file would be corrupted when the delay_warning_time
record was marked as "done" after sending the "your mail
is delayed" notice. File: qmgr/qmgr_message.c.
20090522
Bugfix (introduced: Postfix 2.3). The cleanup server
rejected mail with records of type REC_TYPE_DRCP (recipient
deleted by Milter), but such records could be present in
mail re-submitted with "postsuper -r". Found during code
review. Files: global/record.h, cleanup/cleanup_envelope.c.
20090524
Feature: new postcat options: -e (print envelope), -h (print
header), and -b (print body). Specify "postcat -bh" to
suppress information about envelope records, and "postcat
-h" to get the message header only. With large messages,
"postcat -h" is much faster than manually stripping the
message body from the output. File: postcat/postcat.c.
20090528
Bugfix (introduced: Postfix 2.6 change 20080629): with
plaintext sessions, smtpd_tls_auth_only=yes caused spurious
warnings with reject_authenticated_sender_login_mismatch,
and broke reject_unauthenticated_sender_login_mismatch and
reject_sender_login_mismatch. Based on fix by Victor
Duchovni. File: smtpd/smtpd_check.c.
20090603
Cleanup: Postfix 2.3 adopted a file descriptor passing
workaround for OpenBSD. This workaround was hard-coded for
all platforms because there were no adverse effects.
This is no longer the case: OpenBSD is fixed, and NetBSD
does not like the workaround. We now default back to the
non-workaround code and turn on the workaround dynamically.
Files: util/unix_send_fd.c, unix_recv_fd.c, unix_pass_fd_fix.c.
20090605
Portability: modern kernels below ancient user-land. File:
makedefs.
20090606
Feature: post-Milter header checks, with all actions except
PREPEND. To enable, specify for example "milter_header_checks
= pcre:/path/to/file". Files: cleanup/cleanup_init.c,
cleanup/cleanup_milter.c, cleanup/cleanup_extracted.c,
cleanup/cleanup_state.c.
Bugfix: non-portable command pathname in postmulti-script.
Safety: "postmulti -e destroy" no longer attempts to remove
files that are created AFTER "postmulti -e create". Rationale:
by design, postfix queue/data directories are not trusted;
actions within those directory trees must not affect files
outside those trees (e.g. by symlink race attacks).
We don't want to be nailed with a bunch of CVEs for unsafe
pathname handling. File: conf/postmulti-script.
20090607
Cleanup: revise milter_header_checks action implementation,
and avoid redundant logging and work when milter_header_checks
and Milters make redundant or conflicting decisions. File:
cleanup_milter.c.
20090614
Preliminary postscreen triage server for all inbound SMTP
connections. This is not a proxy: it rejects bad clients
and forwards the rest of the connections to a real Postfix
SMTP server. The initial version does a simple "friend or
foe" based on whether the client starts talking too soon.
Decisions are cached, so "good" clients have no overhead.
File: postscreen/postscreen.c.
Cleanup: more robust code for receiving file descriptors
via the "pass" master service protocol. File:
util/upass_listen.c.
20090617
Temporary helper daemon that does parallel DNSBL lookups
for postscreen(8). It logs successful lookups to the maillog
file without blocking the client. postscreen(8) will use
the results in a later non-production version. To enable
DNSBL lookups, specify "postscreen_dnsbl_sites = name,
name, etc." and restart postscreen(8) with "postfix reload".
File: src/dnsblog/dnsblog.c.
20090618
postscreen(8) logging and actions are now documented in the
postscreen(8) manpage. When a client is listed in DNSBLs
specified with postscreen_dnsbl_sites, it is no longer
whitelisted. Instead the number of blocklist hits is logged.
File: postscreen/postscreen.c.
20090619
postscreen(8) by default no longer immediately drops
connections. Specify "postscreen_greet_action = drop" and
"postscreen_hangup_action = drop" for the old behavior.
There is also a new postscreen_dnsbl_action parameter, for
completeness. File: postscreen/postscreen.c.
20090708
Portability: FreeBSD 8 has closefrom(). File: util/sys_defs.h.
20090710
Bugfix (introduced Postfix 2.3): Postfix got out of sync
with a Milter application after the application sent a
"quarantine" request at end-of-message time. The milter
application would still be in the end-of-message state,
while Postfix would already be working on the next SMTP
event (typically, QUIT or MAIL FROM). Problem diagnosed
with help from Alban Deniz. File: milter/milter8.c.
20090711-2
New "event_server" Postfix server framework. It is similar
to the "multi_server" framework but does not manage client
I/O events. This framework is suitable for servers such
as postscreen that have complex event management requirements.
File: master/event_server.c.
New event_fork() primitive to resume event processing in a
child process after it is created with fork(). This is
needed by postscreen to complete work-in-progress in the
background after "postfix reload". File: util/events.c.
Cleanup: postscreen migrated to the "event_server" framework.
File: postscreen/postscreen.c.
20090712
Cleanup: ${multi_instance_name:postfix}${multi_instance_name
?$multi_instance_name} garbage in Postfix logging is now
hopefully gone. File: global/mail_task.c.
20090715
Documentation: as of Postfix 2.6, the reject_unauth_pipelining
feature can be used meaningfully at any protocol stage.
File: proto/postconf.proto.
20090717
Cleanup: postscreen PREGREET detection now uses non-destructive
read, so that the real SMTP server can still receive the
HELO command (apparently some sites allow pregreeters to
talk to their servers). File: postscreen/postscreen.c.
20090805
Bugfix: don't panic when an unexpected smtpd access map is
specified. File: smtpd/smtpd_check.c.
20090918
Bugfix (introduced Postfix 2.3): with Milter RCPT TO replies
turned off, there was no automatic flush-before-read on the
smtpd-to-milter stream, because the read was done on the
cleanup-to-milter stream. Problem reported by Stephen Warren.
File: milter/milter8.c.
20091005
Bugfix: core dump while printing error message for malformed
% sequence in LDAP, MySQL or PostgreSQL configuration.
File: global/db_common.c. Fix by Victor Duchovni.
20091006
Feature: "postscreen_whitelist_networks = $mynetworks" (the
default) to avoid problems with buggy SMTP implementations
in network appliances. Note: this feature never uses the
remote SMTP client hostname. Files: global/addr_match_list.[hc],
postscreen/postscreen.c.
Feature: postscreen_blacklist_networks (default: empty) to
permanently blacklist hosts or networks. Address syntax is
as with mynetworks. Note: this feature never uses the remote
SMTP client hostname. File: postscreen/postscreen.c.
Feature: postscreen_blacklist_action (default: continue)
to control what happens with a permanently blacklisted
client. File: postscreen/postscreen.c.
20091007
Feature: hostname-based check_client_{mx,ns}_access,
check_reverse_client_hostname_{mx,ns}_access (the client
IP address is not used). Rob Foehl. Files: smtpd/smtpd_check.c,
global/mail_params.h, proto/postconf.proto, mantools/postlink.
20091008
Documentation: restructured the postscreen(8) manpage
as a sequence of tests. File: postscreen/postscreen.c.
20091012
Bugfix: postmulti did not skip commands with -p. Luca
Berra. File: postmulti/postmulti.c.
20091023
Feature: specify "smtpd_command_filter = pcre:/file/name"
to replace remote SMTP client commands before they are
executed by the Postfix SMTP server. This is a last-resort
tool to fix inter-operability problems. See examples in
the postconf(5) manual page. File: smtpd/smtpd.c.
20091026
Cleanup: changed parameter evaluation order so that the
multi_instance_wrapper parameter value is evaluated after
the command and daemon directory parameters. File:
global/mail_params.h.
20091101
Performance: specify "smtpd_proxy_options = speed_adjust"
to receive an entire message before sending it through a
before-queue content filter. This reduces the number of
simultaneous content filtering processes, and thus, the
system memory requirements. Files: smtpd/smtpd.[hc],
smtpd/smtpd_proxy.[hc].
20091103-4
Cleaned up the speed-adjust code, streamlined the error
handling, and updated documentation. Files: smtpd/smtpd.[hc],
smtpd/smtpd_proxy.[hc], proto/SMTPD_PROXY_README.html.
20091105
Cleaning up after speed_adjust introduction: smtpd segfault
caused by an incomplete API change; refined the queue space
check; release scratch space immediately after delivering
mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.
20091110
Workaround: specify "smtp_tls_block_early_mail_reply = yes"
to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555). The attack involves prepending
malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
client TLS session. The attack would succeed with non-Postfix
SMTP servers that reply to the malicious commands after
negotiating the Postfix SMTP client TLS session. File:
smtp/smtp_proto.c.
20091113
Workaround: skip interfaces without netmask, to avoid
segfaults (reported by Dmitry Karasik). Don't supply a dummy
null netmask, as that would turn Postfix into an open relay
(mynetworks = 0.0.0.0/0). File: util/inet_addr_local.c.
Bugfix: forgot to flush output to the smtpd_proxy speed-adjust
buffer before truncating the file. Reported by Mark Martinec,
fix by Victor Duchovni. File: smtpd/smtpd_proxy.c.
20091114
Feature: specify "smtp_reply_filter = pcre:/file/name" to
replace remote SMTP server reply lines before they are
parsed by the Postfix SMTP client. This is a last-resort tool
to fix inter-operability problems. See examples in the
postconf(5) manual page. File: smtp/smtp_chat.c.
Safety: don't send postmaster notifications to report
problems delivering (possible) postmaster notifications.
File: smtp/smtp_connect.c.
20091121
Feature: sender_dependent_default_transport_maps, to override
the default transport in a sender-dependent manner. This
is not a transport_maps override, and therefore it does not
use the transport_maps syntax for null transport, null
nexthop, or null email address.
20091127
Usability: the Postfix SMTP client now logs a warning that
wrappermode TLS is not supported, when configured to connect
to port smtps/465. File: smtp/smtp_connect.c.
20091203
Safety: the postscreen daemon logs a warning when table
lookup is slow. Slow lookups cause postscreen to fall behind,
and worse, to catch up in bursts, which results in overload
elsewhere. File: postscreen/postscreen.c.
20091206
Feature: by popular demand, the Postfix SMTP server now
logs the before-queue content filter's end-of-message
accept/reject response. File: smtpd/smtpd.c.
20091209
Portability: as the result of continuous improvement,
Berkeley DB no longer allows fork-then-close. File:
postscreen/postscreen.c.
Bugfix: sender_dependent_relayhost_maps did not reject an
empty lookup result, and did not recognize lookup errors,
thus treating errors as "not found". Problem found during
code maintenance. File: trivial-rewrite/resolve.c.
Cleanup: the postscreen daemon now applies the permanent
whitelist first. It is a safety feature that prevents mail
from being blocked. File: postscreen/postscreen.c.
20091224
Bugfix (introduced 20041215): dict_dbm_sequence() did not
release the shared lock when the end of the sequence was
reached. File: util/dict_dbm.c.
20091227
Cleanup: postscreen and verify periodic cache cleanup
(default: 12 hours after the previous cache cleanup run).
This is based on a new dict_cache(3) module that implements
a generalized version of the tlsmgr(8) cache maintenance
code. Once the new dict_cache(3) code is burned in, the
tlsmgr(8) will be migrated to it. See the RELEASE_NOTES for
user interface details. Files: util/htable.[hc], util/dict_ht.c,
util/dict_cache.[hc], postscreen/postscreen.c, verify/verify.c.
Bugfix: the event handler starved I/O events when a timer
call-back routine scheduled a zero-delay timer request.
This bug was exposed when adding the new dict_cache(3)
module for cache expiration. File: util/events.c.
20091228
Cleanup: postscreen and verify periodic cache cleanup is
now optional (specify a null time interval between cache
cleanup runs).
20091229
Cleanup: the address_verify_poll_count default parameter
value is now stress-dependent, so that the Postfix SMTP
server will not wait (up to 6 seconds) for the address
verification result. File: global/mail_params.h.
Final solution for the I/O event starvation problem when a
timer call-back schedules a zero-delay timer request. File:
util/events.c.
20091231
Cleanup: the non-shared, in-memory hash table is now
accessible as the "internal:" map type. This simplifies
code by eliminating some special cases. Files: util/dict_ht.c,
util/dict_open.c, and documentation.
20100101
Bugfix: the mantools/postlink script applied hyperlinks
for the "virtual:" transport to "/etc/postfix/virtual:".
Symptom reported by Christoph Anton Mitterer.
20100102
Workaround: don't report bogus Berkeley DB close errors as
fatal errors. All operations before close are already error
checked, so the data is known to be safe. File: util/dict_db.c.
20100107
Documentation: the access(5) manual page did not document
the "send 521 and disconnect" behavior in the Postfix SMTP
server (introduced with Postfix 2.6). File: proto/access.
Bugfix: the pickup daemon did not discard messages that
were requeued after all recipients were delivered (or
bounced), and the cleanup server tried to bounce such
messages. Files: pickup/pickup.c, global/cleanup_user.h.
Future proofing: redundant code in postdrop to reject a
submission without recipient record. File: postdrop/postdrop.c.
20100109
Cleanup: "postcat -q" will now access files in the "saved"
queue directory (for corrupted queue files). As before, the
"postsuper" command will not, to avoid suddenly deleting
such files. Files: global/mail_queue.h, postcat/postcat.c.
20100113
Cleanup: don't supply the "-o stress" command-line option
with a single-process service. File: master/master_ent.c.
20100115
Bugfix: the valid_hostname() function did not set the
"non-numeric" flag after encountering the '-' character.
Reported by Jan Schampera. File: util/valid_hostname.c.
20100116
Documentation: the content_filter and FILTER features never
supported the special cases of transport_maps. References
to transport_maps syntax are now removed from content filter
discussions. Files: proto/postconf.proto, proto/FILTER_README.
Workaround: as of Postfix 2.3 the VRFY command did not allow
a mailbox address inside <>, which broke expectations. RFC
2821 (and 5321) is vague about the VRFY request format, but
spends lots of text on the reply format. File: smtpd/smtpd.c.
20100117
Cleanup: when a content_filter parameter or FILTER command
specifies an empty next-hop destination, the queue manager
now uses the recipient domain instead of $myhostname. Specify
"default_filter_nexthop = $myhostname" for compatibility
with Postfix 2.6 and earlier, or specify a non-empty next-hop
filter destination. Files: *qmgr/qmgr_message.c, proto/access,
proto/header_checks, proto/postconf.proto, proto/FILTER_README.
20100120
Cleanup: detect illegal pipelining after HELO, EHLO. File:
smtpd/smtpd.c.
20100128
Documentation: streamlined the descriptions of protocol and
cipher tweaks. Victor Duchovni. Files: proto/TLS_README,
proto/postconf.proto.
20100131
Documentation: the address verification database is now
persistent by default. This, combined with the now default
stress-dependent configuration, improves the performance
limits and simplifies database maintenance. Files:
proto/ADDRESS_VERIFICATION_README, verify/verify.c.
Cleanup: undo the proxymap and trivial-rewrite max_idle=1s
override that was introduced with Postfix 2.3. It did not
help to retire long-lived proxymap or trivial-rewrite
processes on busy servers, and worsened performance on
low-traffic servers. The reduced ipc_ttl value (introduced
with Postfix 2.4) already solves the problem of retiring
long-lived proxymap or trivial-rewrite processes. Files:
proxymap/proxymap.c, trivial-rewrite/trivial-rewrite.c.
20100202
Documentation: major revision of SASL_README with many
details on how to configure Cyrus SASL internals. Patrick
Koetter. File: proto/SASL_README.html
20100204
Feature: added "forward_secrecy" option for Cyrus SASL.
File: xsasl/xsasl_cyrus_security.c.
20100206
Bugfix (from day zero): the local delivery agent returned
undeliverable mail to the envelope sender instead of the
owner- alias, when delivering to command or file. This
reuses the workaround that was implemented to report a
Delivered-To: loop. Files: local/file.c, local/command.c,
local/recipient.c, local/bounce_workaround.c.
20100209
The tcp_table(5) interface is now part of the stable release.
The last protocol change was in Postfix 2.1. File:
util/dict_open.c.
20100305
Feature: reject_rhsbl_reverse_client, to reject a remote
SMTP client based on its unverified reverse hostname. Code
by Noel Jones. Files: smtpd/smtpd_check.c, proto/postconf.proto.
Feature: smtp_address_preference (default: ipv6) to control
the order in which the Postfix SMTP client will connect to
a destination that has IPv6 and IPv4 addresses with equal
MX preference. Files: global/mail_params.h, smtp/smtp.c,
smtp/smtp_params.c, smtp/smtp_addr.c, dns/dns_rr.c,
and documentation.
20100321
Feature: allow Milter applications to use a lower protocol
version than the version that Postfix is configured for.
Based on an idea by Kouhei Sutou. File: milter/milter8.c.
20100322
Bugfix (introduced 20100305): the new smtp_address_preference
feature was not tested with LMTP support. Problem reported
by Stefan Foerster. File: smtp/smtp.c.
20100407
Bugfix (introduced 20100305): reject_rhsbl_reverse_client
was skipped if the forward-confirmed reverse DNS (FCRDNS)
remote SMTP client hostname was "unknown". Victor Duchovni.
File: smtpd/smtpd_check.c.
20100422
Workaround (introduced: postfix-19990906 a.k.a. Postfix
0.8.0). The Postfix local delivery agent did not properly
distinguish between "address has no extension" and "address
has an extension, but the extension is invalid". In both
cases it would run only the full recipient local-part through
the alias maps. Instead, it now drops the faulty extension
from the recipient address local-part (it would be too
error-prone to replace all tests for "no extension" by tests
for "no valid extension"). File: local/recipient.c.
20100430
Feature: customized hard/soft reject responses by Jason
Parsons. File: smtpstone/smtp-sink.c.
20100515
Bugfix (introduced Postfix 2.6): the Postfix SMTP client
XFORWARD implementation did not skip "unknown" SMTP client
attributes, causing a syntax error when sending a PORT
attribute. Reported by Victor Duchovni. File: smtp/smtp_proto.c.
20100526
Cleanup: a unit-test driver was not updated after an internal
API change. Vesa-Matti J Kari. File: milter/milter.c.
20100529
Portability: OpenSSL 1.0.0 changes the priority of anonymous
cyphers. Victor Duchovni. Files: postconf.proto,
global/mail_params.h, tls/tls_certkey.c, tls/tls_client.c,
tls/tls_dh.c, tls/tls_server.c.
Portability: Mac OS 10.6.3 requires
instead of . Files: makedefs, util/sys_defs.h,
dns/dns.h.
20100531
Robustness: skip LDAP queries with non-UTF-8 search strings
(in anticipation of UTF8SMTP support). File: global/dict_ldap.c.
Strict UTF-8 validator per RFC 3629. File: util/valid_utf8_string.c.
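Added example (not the code in util/valid_utf8_string.c): one way to write a strict RFC 3629 check that rejects overlong forms, UTF-16 surrogates, code points above U+10FFFF and truncated sequences. The function name utf8_strict_valid() and the sample strings in main() are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Illustration only; utf8_strict_valid() is a hypothetical name. Returns 1
 * when str[0..len-1] is well-formed UTF-8 per RFC 3629, otherwise 0.
 */
int     utf8_strict_valid(const char *str, size_t len)
{
    const unsigned char *cp = (const unsigned char *) str;
    const unsigned char *end = cp + len;
    unsigned c0, lo, hi;
    int     more;

    while (cp < end) {
        c0 = *cp++;
        if (c0 <= 0x7f)                         /* US-ASCII */
            continue;
        /* The lead byte fixes the length and the legal range of byte 2. */
        if (c0 >= 0xc2 && c0 <= 0xdf) {         /* 0xc0, 0xc1: overlong */
            more = 1, lo = 0x80, hi = 0xbf;
        } else if (c0 == 0xe0) {                /* no overlong 3-byte form */
            more = 2, lo = 0xa0, hi = 0xbf;
        } else if (c0 == 0xed) {                /* no U+D800..U+DFFF */
            more = 2, lo = 0x80, hi = 0x9f;
        } else if (c0 >= 0xe1 && c0 <= 0xef) {
            more = 2, lo = 0x80, hi = 0xbf;
        } else if (c0 == 0xf0) {                /* no overlong 4-byte form */
            more = 3, lo = 0x90, hi = 0xbf;
        } else if (c0 >= 0xf1 && c0 <= 0xf3) {
            more = 3, lo = 0x80, hi = 0xbf;
        } else if (c0 == 0xf4) {                /* nothing above U+10FFFF */
            more = 3, lo = 0x80, hi = 0x8f;
        } else {
            return (0);                         /* stray continuation, 0xf5+ */
        }
        if (cp >= end || *cp < lo || *cp > hi)
            return (0);
        cp++;
        /* Remaining bytes are plain 10xxxxxx continuation bytes. */
        while (--more > 0) {
            if (cp >= end || (*cp & 0xc0) != 0x80)
                return (0);
            cp++;
        }
    }
    return (1);
}

int     main(void)
{
    /* Constructed samples: a valid 2-byte form and an overlong "/". */
    printf("valid=%d overlong=%d\n",
           utf8_strict_valid("\xc3\xa9", 2),
           utf8_strict_valid("\xc0\xaf", 2));
    return (0);
}
```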
20100601
Cleanup: Postfix LDAP client support for RFC 2255 LDAP URLs.
Victor Duchovni. Files: proto/ldap_table, global/dict_ldap.c.
Safety: Postfix processes log a warning when a matchlist
has a #comment at the end of a line (for example mynetworks
or relay_domains). File: util/match_list.c.
Portability: Berkeley DB 5.x has the same API as Berkeley
DB 4.1 and later. File: util/dict_db.c.
20100610
Bugfix (introduced Postfix 2.2): Postfix no longer appends
the system default CA certificates to the lists specified
with *_tls_CAfile or with *_tls_CApath. This prevents
third-party certificates from getting mail relay permission
with the permit_tls_all_clientcerts feature. Unfortunately
this may cause compatibility problems with configurations
that rely on certificate verification for other purposes.
To get the old behavior, specify "tls_append_default_CA =
yes". Files: tls/tls_certkey.c, tls/tls_misc.c,
global/mail_params.h, proto/postconf.proto, mantools/postlink.
20100615
Cleanup: the master no longer logs "process P killed with
signal S" when it shuts down a running service (for example,
the service is removed from master.cf, or the service is
disabled via the main.cf master_service_disable parameter).
File: master/master_spawn.c.
20100617
Feature: read-only sqlite support based on code by Axel
Steiner and documentation by Jesus Garcia Crespo. Files:
conf/postfix-files, mantools/postlink, proto/DATABASE_README.html,
proto/Makefile.in, proto/INSTALL.html, proto/mysql_table,
proto/pgsql_table, proto/sqlite_table, proto/SQLITE_README.html,
global/Makefile.in, global/mail_dict.c, global/dict_sqlite.c,
global/dict_sqlite.h, postconf/postconf.c, postfix/postfix.c.
20100618
Cleanup: SQLite read-only driver and documentation. Files:
global/dict_sqlite.c, proto/mysql_table, proto/SQLITE_README.html.
20100707
Completed the 20100610 bugfix. File: tls/tls_misc.c.
20100714
Compatibility with Postfix < 2.3: fix 20061207 was incomplete
(undoing the change to bounce instead of defer after
pipe-to-command delivery fails with a signal). Fix by Thomas
Arnett. File: global/pipe_command.c.
20100715
Convenience: "postconf name=value ..." is now equivalent to
"postconf -e name=value ...". File: postconf/postconf.c.
20100724
Feature: INFO header/body_checks action for non-warning
messages (for example, to log all Milter-inserted headers).
File: global/header_body_checks.c, proto/header_checks.
Cleanup: after-filter Postfix SMTP servers now log before-filter
queue IDs. For this, the XFORWARD protocol was extended
with an IDENT attribute for the before-filter queue ID.
This code was started in Postfix 2.1, but it was never
finished due to time constraints. Files: smtpd/smtpd.[hc],
smtpd/smtpd_proxy.c, smtpd/smtpd_sasl_proto.c,
*qmgr/qmgr_message.c, *qmgr/qmgr_deliver.c,
global/deliver_request.[hc], global/mail_proto.h,
global/deliver_pass.c, smtp/smtp_proto.c.
20100727
Bugfix: the milter_header_checks parser provided only the
actions that change the message flow (reject, filter,
discard, redirect) but disabled the non-flow actions (warn,
replace, prepend, ignore, dunno, ok). File:
cleanup/cleanup_milter.c.
20100827
Performance: fix for poor smtpd_proxy_filter TCP performance
over loopback (127.0.0.1) connections. Problem reported by
Mark Martinec. Files: smtpd/smtpd_proxy.c.
Bugfix: the Postfix SMTP client no longer appends the local
domain when looking up a DNS name without ".". Specify
"smtp_dns_resolver_options = res_defnames" to get the old
behavior, which can produce unexpected results. Files:
smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c.
20100828
Refactoring: postscreen source code broken up into multiple
files, and identifiers updated to match changes in their
purpose. This will be the baseline for adding support for
DNSBL weighting, then a dummy engine to collect forensic
evidence with the option of future protocol checks. Files:
postscreen/*.[hc], Makefile.in.
20100829
Postscreen DNSBL support for optional fixed-string filters
and optional integral weight factors (use negative weights
for whitelisting). See RELEASE_NOTES and postconf(5) for
details. Files: postscreen/postscreen_dnsbl.c,
proto/postconf.proto, mantools/postlink, global/mail_params.h.
Incompatibility: the postscreen-to-dnsblog protocol was
changed to support DNSBL query result filters. Use "postfix
reload" after installing the new version otherwise the
dnsblog(8) server may complain.
20100830
Polished the postscreen documentation and comments to clarify
the user interface and implementation. No code changes.
20100831-910
Restructured postscreen and added support for a dummy SMTP
protocol engine. This engine logs rejected attempts to
deliver mail with helo/sender/recipient information, and
implements deep protocol tests. The first deep protocol
test is for command pipelining, where a client sends multiple
commands instead of waiting for the server to respond to
each command. The second one implements the Postfix SMTP
server's smtpd_forbidden_commands feature. Files:
postscreen/*.[hc]. See RELEASE_NOTES, postconf(5) and
postscreen(8) for incompatibilities, features, and configuration
parameters.
20100910
Feature: boolean configuration parameters with string-valued
defaults, so that they can be subject to macro expansions.
This was needed to make some postscreen parameters default
to the values of the corresponding smtpd parameters. Files:
global/mail_conf.h, global/mail_conf_nbool.c,
master/event_server.c, master/mail_server.h, master/multi_server.c,
master/single_server.c, master/trigger_server.c,
postconf/extract.awk, postconf/postconf.c.
20100911
Feature: texthash read-only database. This is similar to
hash: files, except that you don't need to run the postmap(1)
command before you can use the file, and that it does not
detect changes after the file is read. All information is
read into memory. Files: util/dict_open.c, util/dict_thash.[hc],
proto/DATABASE_README.html, postconf/postconf.c.
20100912
Feature: bare newline detection in postscreen. Real spambots
don't make this mistake anymore, but poorly-written software
still does. File: postscreen/smtpd.c.
Documentation: POSTSCREEN_README including instructions for
turning postscreen(8) on without blocking mail, and more.
Trimmed the text in the postscreen(8) manpage. File:
proto/POSTSCREEN_README.html, postscreen/postscreen.c.
20100914
Cleanup: the "postscreen_greet_wait" delay now ends as soon
as both the pregreet and DNSBL tests complete (the postscreen
documentation mentions in history/credits that the program
started as a crude prototype). The default postscreen_dnsbl_ttl
caching time is now reduced to 1h from 24h, allowing
postscreen to catch up on DNSBL updates more quickly. If
this increases the database update frequency too much then
we'll need to make the dnsbl result non-cacheable. Files:
postscreen/postscreen_dnsbl.c, global/mail_params.h.
20100915
Bugfix (introduced 20100914): missing precondition for
call-back notification. File: postscreen/postscreen_dnsbl.c.
Bugfix (introduced 20100914): the "postscreen_greet_wait"
delay speedup worked only for DNSBL listed sites. File:
postscreen/postscreen_dnsbl.c.
Workaround: better handling of pregreeting spambots. The
postscreen built-in SMTP engine no longer sends a 220 banner
to a client that falls into the pregreet trap. This eliminates
many "NON-SMTP COMMAND" records in postscreen logging, as
the SMTP client and server no longer get out of sync. It
also results in better logging of sender/recipient information.
File: postscreen/postscreen_smtpd.c.
20100916
Cleanup: postscreen now uses the first responding DNSBL
name in the "5.7.1 Service unavailable" reply, instead of
the last responding one. File: postscreen/postscreen_dnsbl.c.
Cleanup: the 20100914 "postscreen_greet_wait" speedup did
not happen as often as it should, because some older code
still turned on PREGREET tests gratuitously, causing a full
greet-wait delay. File: postscreen/postscreen_tests.c.
Cleanup: to avoid "address in use" problems, postscreen now
closes the listening socket after "postfix stop". It also
closes the socket after "postfix reload" but that does not
hurt. Files: master/event_server.c, master/multi_server.c.
Cleanup: postscreen now logs CONNECT and DISCONNECT events.
Files: postscreen/postscreen.c, postscreen/postscreen_misc.c.
20100917
Bugfix: cut-and-paste error. Postscreen used pregreet_ttl
instead of dnsbl_ttl. File: postscreen/postscreen_early.c.
20100920
Cleanup: minor cleanups and invisible fixes. Files:
postscreen/postscreen_misc.c, postscreen/postscreen.h,
postscreen/postscreen_tests.c.
Feature: preliminary postscreen penalty mechanism. Basic
idea: when a client exceeds some threshold, don't allow it
to pass any tests until the penalty expires. Penalties
provide a way to slow down clients without blocking mail
permanently. Files: postscreen/postscreen_misc.c,
postscreen/postscreen_tests.c, postscreen/postscreen.c.
A first application of the postscreen penalty mechanism
triggers on clients that make brief connections to find out
if the mail server is up. With "postscreen_early_hangup_penalty
= 600" they will disqualify themselves for 10 minutes.
Unfortunately, this behavior is used by legitimate bulk
mail services. This application was removed 20101103. The
penalty mechanism itself is left in place as #ifdef NONPROD.
20100923
Cleanup: renamed MUMBLE_FLAG_MUMBLE aggregates to
MUMBLE_MASK_MUMBLE for consistency with other Postfix code.
Files: postscreen/*.[hc].
20100930
Cleanup: flag PIPELINING errors with NOOP and VRFY. File:
smtpd/smtpd.c.
20101006
Bugfix (introduced: 20100914): dangling pointer when a client
makes N > 1 simultaneous connections and closes M < N
connections before postscreen has delivered the DNSBL score
to the corresponding pseudothreads. In practice the pointer
will refer to a block of 0xff bytes; the program terminates
with a segmentation violation, and is restarted immediately
by the master daemon. Files: postscreen/postscreen_early.c,
postscreen/postscreen_dnsbl.c.
Cleanup: avoid repeated delivery to mailing list members
with pathological nested alias configurations. The local(8)
delivery agent now keeps the owner-alias attribute of the
parent alias, when delivering mail to a child alias that
does not have its own owner alias. With this change, local
addresses from that child alias will be written to a new
queue file, and a temporary error with one local address
will no longer result in repeated delivery to other mailing
list members. Specify "reset_owner_alias = yes" for the
older behavior. File: local/alias.c.
20101007
Bugfix (introduced: 20100923): duplicate "PASS OLD" logging.
File: postscreen/postscreen_misc.c.
20101008
Cleanup: dnsblog now logs "addr X listed by domain Y as Z"
instead of "addr X blocked by domain Y as Z", because the
service may be used for whitelist lookups. File:
dnsblog/dnsblog.c.
20101023
Cleanup: don't apply reject_rhsbl_helo to non-domain forms
such as network addresses. This would cause false positives
with dbl.spamhaus.org. File: smtpd/smtpd_check.c.
20101103
Cleanup: new qmgr_ipc_timeout parameter (default: 60s) to
override the system-wide ipc_timeout setting (default:
3600s). The shorter timeout allows the queue manager to
reset a deadlocked IPC connection before the watchdog timer
goes off. Files: *qmgr/qmgr.c.
Cleanup: new qmgr_daemon_timeout parameter (default: 1000s)
to make the hard-coded 1000s watchdog timeout configurable.
Files: *qmgr/qmgr.c.
Cleanup: request default DSN notification when adding a
recipient with smfi_addrcpt, instead of requesting "never
notify" as with Postfix automatically-added BCC recipients.
Files: cleanup/cleanup_addr.c, cleanup/cleanup.h,
cleanup/cleanup_milter.c.
20101105
Feature: DNS whitelist support in the Postfix SMTP server.
permit_dnswl_client whitelists a client by IP address, and
permit_rhswl_client whitelists a client by its hostname.
The syntax is the same as reject_rbl_client etc., but the
result is PERMIT instead of REJECT. For safety reasons,
permit_xxx_client are silently ignored when they would
override reject_unauth_destination. The result is
DEFER_IF_REJECT when DNSWL lookup fails. The implementation
is based on a design documented by Noel Jones (August 2010).
File: smtpd/smtpd_check.c.
20101108
Workaround: strip off IPv6 datalink suffix from peer address
to avoid problems with strict address checking code. Files:
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20101114
Robustness: postscreen(8) now implements a time limit on
reading an entire command, instead of a time limit for
reading individual characters. File: postscreen/postscreen_smtpd.c.
20101117
Bugfix: the "421" reply after Milter error was overruled
by Postfix 1.1 code that replied with "503" for RFC 2821
compliance. We now make an exception for "final" replies,
as permitted by RFC. Solution by Victor Duchovni. File:
smtpd/smtpd.c.
20101124-6
Feature: pattern matching for DNSWL/DNSBL responses. For
example, with "reject_rbl_client example.com=d.d.d.d", each
"d" can now be a pattern inside "[]" that contains one or
more comma-separated decimal numbers or number..number
ranges. Files: smtpd/smtpd_check.c, postscreen/postscreen_dnsbl.c,
util/ip_match.c, util/ip_match.h.
20101126
Cleanup: don't log "blocked using example.com=127.0.0.1",
just log the domain name. File: smtpd/smtpd_check.c.
20101129
Cleanup: postscreen_client_connection_count_limit (default:
$smtpd_client_connection_count_limit) to limit the number
of connections from the same IP address to the postscreen(8)
daemon. Files: postscreen/postscreen.c, postscreen/postscreen.h,
postscreen/postscreen_state.c.
20101130
Cleanup: all postscreen(8) logging now reports the client
as [address]:port. This requires an update of tools that
process postscreen logging. Files: postscreen/*.c,
proto/POSTSCREEN_README.html.
Cleanup: polishing recent documentation and code. Files:
postscreen/postscreen_dnsbl.c, util/ip_match.c.
20101201
Bugfix (introduced 20101129): broken default value for
postscreen_client_connection_count_limit if the
smtpd_client_connection_count_limit parameter was left at
its default. File: postscreen/postscreen.c.
Workaround: BSD-ish mkdir() ignores the effective GID
and copies group ownership from the parent directory.
File: util/make_dirs.c.
20101202
Feature: the LDAP client can now authenticate to LDAP servers
via SASL. This is tested with SASL GSSAPI and Kerberos 5.
Original code by Quanah Gibson-Mount adapted by Victor
Duchovni. Files: global/dict_ldap.c, proto/LDAP_README.html,
proto/ldap_table.
Cleanup: the cleanup server now reports a temporary delivery
error when it reaches the virtual_alias_expansion_limit or
virtual_alias_recursion_limit. Previously, it would silently
ignore the excess recipients and deliver the message. File:
cleanup/cleanup_map1n.c.
20101205
Cleanup: scache_clnt_create() had an unnecessary data
dependency on the non-library var_scache_service variable,
causing problems with shared library builds. Instead, it
should use its service argument (which has the same value).
File: global/scache.c.
Cleanup: pipe_command.c had an unnecessary data dependency
on the non-library var_command_maxtime variable, causing
problems with shared library builds. The dependency was not
necessary because the callers already specify an explicit
time limit. File: global/pipe_command.c.
20101206
Bugfix (introduced 20101205): postscreen hung up due to
incorrect output error test. File: postscreen/postscreen_send.c.
20101207
Cleanup: the undisclosed_recipients_header default value
is now the empty string. The Internet mail RFCs have supported
messages without recipient header for almost 10 years now.
File: global/mail_params.h.
Cleanup: use strtol() instead of sscanf() for consistent
handling of out-of-range numbers. Files: global/cfg_parser.c,
global/conv_time.c, global/mail_conf_int.c,
global/mail_conf_long.c, global/mail_conf_nint.c.
20101217
Cleanup: eliminated the code that copied TLS protocol
messages between the OpenSSL TLS engine and the network.
This change hopefully simplifies the TLS library enough
that it can be used in an event-driven TLS proxy in front
of postscreen. Files: tls/tls_bio.c, tls/tls_server.c,
tls/tls_client.c.
This change eliminates an obscure bug where the SMTP server
would wait for another $smtpd_timeout seconds after sending
the "421 Error: timeout exceeded" message to the client.
20101221
Cleanup: simplified the VSTREAM "large buffer" support by
dropping the Postfix 2.4 "binary compatibility" requirement.
Files: util/vstream.c, util/vstream.h.
20101222
Cleanup: the SMTP client PIPELINING code did not account
for TLS protocol overhead. This could (only in theory)
result in deadlock when the remote SMTP server announces a
very small receive window after the client and server have
synchronized their SMTP state. Victor Duchovni. File:
smtp/smtp_proto.c.
20101223
Feature: with "tls_preempt_cipherlist = yes" the Postfix
SMTP server will preempt the remote SMTP client's cipher
preference order. This requires OpenSSL 0.9.7 and later.
Victor Duchovni. Files: src/smtpd/smtpd.c, src/tls/tls_server.c,
proto/TLS_README.html, proto/postconf.proto.
Future proofing: specify "tls_disable_workarounds = a list
or bit-mask of OpenSSL bug work-arounds to disable". This
may become necessary when a bug workaround is found to cause
problems (security or interoperability). Victor Duchovni.
Files: tls/tls_misc.c, proto/TLS_README.html, proto/postconf.proto.
Infrastructure: extended name_mask module feature set with
extensive documentation and 32-bit regression tests. Victor
and Wietse. File: util/name_mask.[hc].
20101224
Cleanup: sanitized the name_mask API so that errors will be
ignored only upon explicit request. Files: util/name_mask.[hc],
src/global/ehlo_mask.c, src/smtp/smtp_proto.c,
src/util/name_mask.c, src/xsasl/xsasl_dovecot_server.c.
Cleanup: more TLS overhead horrors for the SMTP client's
PIPELINING engine. Wietse and Victor. File: smtp/smtp_proto.c.
20101226
Cleanup: the SMTP client logic for pipelining the "." and
"QUIT" commands was bogus - the pipelining engine could not
know how much unacknowledged data is pending in the local
TCP stack. We now ignore the buffer check for sending
"QUIT" after ".". Wietse and Victor. File: smtp/smtp_proto.c.
20110101
Cleanup: the Postfix SMTP server now always refreshes the
SASL authentication mechanism list after STARTTLS. Some
Dovecot versions may change their responses when they know
that the SMTP connection is encrypted. File: smtpd/smtpd.c.
Cleanup: the smtpd_starttls_timeout default value is now
stress-dependent. Files: global/mail_params.h,
proto/postconf.proto.
Compatibility: postscreen_discard_ehlo_keyword(s|maps)
support for compatibility with smtpd_discard_ehlo_keyword(s|maps).
Files: postscreen/postscreen_smtpd.c.
20110102
Feature: STARTTLS support for the postscreen(8) daemon.
With early testing feedback from Victor Duchovni and Ralf
Hildebrandt. Files: postscreen/postscreen_smtpd.c,
postscreen/postscreen_starttls.c.
Feature: event-driven tlsproxy(8) daemon that translates
TLS <=> plaintext for postscreen(8). One tlsproxy(8) process
can translate traffic for multiple remote SMTP clients.
With early testing feedback from Victor Duchovni and Christian
Roessner. Files: util/nbbio.[hc], tlsproxy/*.[hc],
postscreen/postscreen_starttlsd.c, postscreen/postscreen_smtpd.c.
20110103
Cleanup: missing tls_level support in tlsproxy (it has no
way to send plaintext, but perhaps an informative error
message is in order anyway). File: tlsproxy/tlsproxy.c.
Cleanup: simplified the handling of throttled output (i.e.
output that can't be sent because the receiver tries to be
nasty). File: postscreen/postscreen_send.c.
20110104
Feature: add contact information to each SMTP server reject
message. For example, "smtpd_reject_footer = call 800-555-0101
for assistance", with macro expansion and with multi-line
support. Files: global/mail_params.h, mantools/postlink,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c,
smtpd/smtpd_expand.[hc], util/mac_expand.[hc].
20110105
Cleanup: the forest of TLS-related booleans was shrunk.
Victor Duchovni. Files: smtpd/smtpd.c, postscreen/postscreen.c,
postscreen/postscreen_smtpd.c, tlsproxy/tlsproxy.c.
Non-production: tlsproxy support in the Postfix SMTP server
for stress testing of the tlsproxy daemon (#ifdef TLSPROXY).
Seen from outside, Postfix works just as if it has TLS
support built into smtpd(8). Files: smtpd/smtpd.c,
tls/tls_proxy*.[hc], tlsproxy/tlsproxy.c, util/vstream.[hc].
Bugfix (introduced with the Postfix TLS patch): discard
plaintext following the STARTTLS command or response. This
matters only for the minority of SMTP clients that actually
verify server certificates. Files: smtpd/smtpd.c,
smtp/smtp_proto.c.
20110106
Non-production: cleaned up the tlsproxy support in the
Postfix SMTP server for stress testing of the tlsproxy
daemon (still #ifdef TLSPROXY). File: smtpd/smtpd.c.
20110107
Cleanup: smtpd_reject_contact_information is renamed to
smtpd_reject_footer, because it can be used for non-contact
information.
Compatibility: postscreen_reject_footer support for
compatibility with smtpd_reject_footer. Files:
global/smtp_reply_footer.[hc], global/mail_conf.[hc],
postscreen/postscreen_expand.c, postscreen/postscreen_send.c,
postscreen/postscreen.c, smtpd/smtpd_chat.c.
Compatibility: postscreen_command_filter support for
compatibility with smtpd_command_filter. Files:
postscreen/postscreen_dict.c, postscreen/postscreen_smtpd.c.
20110108
Cleanup: postscreen(8) now displays control characters in
PREGREET responses as C-style \letter escapes, instead of
"?". File: postscreen/postscreen_early.c.
20110109
Cleanup: Solaris support for "pass" (file descriptor passing
based) services in master.cf. This was needed by postscreen(8).
Also, renamed upass_xxx.c to unix_pass_xxx.c. One-character
prefixes are too short. Removed upass_connect.c because it
was useless code. Files: util/stream_pass_connect.c,
util/unix_pass_listen.c, util/unix_pass_trigger.c.
Bugfix (introduced Postfix 2.4): on Solaris the Postfix
event engine was deaf for SIGHUP and SIGALRM signals after
the switch to /dev/poll. Symptoms were delayed "postfix
reload" response, and killed processes when the watchdog
timeout was less than max_idle. The fix is to set up SIGHUP
and SIGALRM handlers that write to a pipe, and to monitor
that pipe for read events via the Postfix event engine.
Files: master/master_sig.c, util/watchdog.c, util/sys_defs.h.
20110111
Cleanup: replaced the postscreen(8) separate blacklist and
whitelist lookup tables by one postscreen_access_list table.
See postconf(5) and POSTSCREEN_README for examples. Files:
postscreen/postscreen_access.c, postscreen/postscreen.c,
proto/postconf.proto, proto/POSTSCREEN_README.html.
20110112
Cleanup: suspend/resume logic for postscreen(8) SMTP sessions
that temporarily switch control to an external program such
as tlsproxy, or perhaps a future policy plugin. Files:
postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c.
20110113
Cleanup: ps_cache and psc_cache are now postscreen_cache.
There is no need for obscure name abbreviations. File:
src/global/mail_params.h.
20110115
Workaround: malloc fuzz (safety margin for malloc requests).
Files: util/sys_defs.h, util/mymalloc.c.
Cleanup: dnsblog_service_name and tlsproxy_service_name are
now configurable, in case someone needs this. Files:
global/mail_params.h, postscreen/postscreen.c, mantools/postlink,
proto/postconf.proto.
20110116
Cleanup: soft_bounce support for postscreen(8). Files:
postscreen/postscreen_smtpd.c, postscreen/postscreen_send.c.
Cleanup: for smtpd(8) compatibility, postscreen(8) now
strips deprecated route address prefixes from email addresses
(@here,@there:user@example becomes user@example). This is
primarily to make postscreen(8) logging more similar to
that of smtpd(8). File: postscreen/postscreen_smtpd.c.
Cleanup: documentation, in preparation for the Postfix 2.8
stable release.
20110117
Bugfix (introduced Postfix alpha, or thereabouts): on HP-UX
the Postfix event engine was deaf for SIGALRM signals.
Symptoms were killed processes when the watchdog timeout
was less than max_idle. The fix is the same as Solaris fix
20110109. Since we can't know what other systems need this,
the workaround is enabled by default. Files: util/sys_defs.h.
Cleanup: "smtpd_tls_eecdh_grade = strong" by default, instead
of snapshot-only. File: global/mail_params.h, proto/postconf.proto.
Cleanup: missing "#include " in util/watchdog.c.
Bugfix: when compiled without -DUSE_TLS, tlsproxy used the
wrong server skeleton (multi_server instead of event_server).
File: tlsproxy/tlsproxy.c.
Workaround: added a panic check for code that is mis-compiled
by the HP-UX compiler. File: postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_state.c.
20110118
Bugfix: the tls_disable_workarounds word list only included
workarounds in SSL_OP_ALL. Problem report by Steve Jenkins,
problem fix by Victor Duchovni. File: tls/tls_misc.c.
Last-minute incompatible syntax change: Postfix now uses
";" instead of "," to separate DNSBL/DNSWL address filter
fields inside "[]". The compatibility break is not an issue,
because the syntax never worked in main.cf. Problem reported
by Mark Martinec. Files: util/ip_match.c, util/ip_match.in,
util/ip_match.ref, proto/postconf.proto.
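Added example (not the code in util/ip_match.c): a small matcher for the reply filter syntax introduced 20101124-6 and changed above, where each of the four fields is a decimal number or a "[]" list of ";"-separated numbers and number..number ranges. The function names, the 0..255 field range and the sample filter are assumptions made for this illustration; "," inside "[]" is rejected as a syntax error.

```c
#include <ctype.h>
#include <stdio.h>

/* Parse a decimal number 0..255 at *sp and advance *sp; -1 on error. */
static int parse_octet(const char **sp)
{
    const char *s = *sp;
    int     val = 0, digits = 0;

    while (isdigit((unsigned char) *s)) {
        val = val * 10 + (*s++ - '0');
        if (++digits > 3 || val > 255)
            return (-1);
    }
    if (digits == 0)
        return (-1);
    *sp = s;
    return (val);
}

/*
 * Match one address octet against one filter field, "N" or "[N;N..M;...]".
 * Returns 1 (match), 0 (no match) or -1 (syntax error); advances *pp.
 */
static int match_field(const char **pp, int octet)
{
    const char *p = *pp;
    int     lo, hi, found = 0;

    if (*p != '[') {
        if ((lo = parse_octet(&p)) < 0)
            return (-1);
        *pp = p;
        return (lo == octet);
    }
    p++;                                        /* skip '[' */
    for (;;) {
        if ((lo = parse_octet(&p)) < 0)
            return (-1);
        hi = lo;
        if (p[0] == '.' && p[1] == '.') {       /* number..number range */
            p += 2;
            if ((hi = parse_octet(&p)) < 0 || hi < lo)
                return (-1);
        }
        if (octet >= lo && octet <= hi)
            found = 1;
        if (*p == ';') {
            p++;
        } else if (*p == ']') {
            p++;
            break;
        } else {
            return (-1);                        /* includes the old "," */
        }
    }
    *pp = p;
    return (found);
}

/* Hypothetical name. 1: reply matches filter, 0: no match, -1: bad input. */
int     dnsbl_reply_match(const char *pattern, const char *addr)
{
    int     i, octet, rc, matched = 1;

    for (i = 0; i < 4; i++) {
        if (i > 0) {
            if (*pattern != '.' || *addr != '.')
                return (-1);
            pattern++, addr++;
        }
        if ((octet = parse_octet(&addr)) < 0)
            return (-1);
        if ((rc = match_field(&pattern, octet)) < 0)
            return (-1);
        if (rc == 0)
            matched = 0;        /* keep parsing to catch syntax errors */
    }
    if (*pattern != 0 || *addr != 0)
        return (-1);
    return (matched);
}

int     main(void)
{
    const char *filter = "127.0.0.[2;4..8]";    /* constructed sample */

    printf("%d %d %d\n", dnsbl_reply_match(filter, "127.0.0.5"),
           dnsbl_reply_match(filter, "127.0.0.3"),
           dnsbl_reply_match("127.0.0.[2,4]", "127.0.0.2"));
    return (0);
}
```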
Cleanup: postscreen now monitors the AVERAGE latency of
table access, and complains at most once per minute. File:
postscreen/postscreen_dict.c.
Bugfix: support for the "dunno" command somehow disappeared
from the postscreen_access_list implementation. File:
postscreen/postscreen_access.c.
20110123
Feature: read/write deadlines. Deadlines were introduced
with postscreen's dummy SMTP engine. In the Postfix SMTP
client and server, deadlines limit the total amount of time
to read or write one command line, one response line, or
one line of message content. This reduces the impact of
application exhaustion attacks that trickle data one byte
at a time. Files: util/vstream.[hc], global/smtp_stream.c.
Cleanup: remove #ifdef MIGRATION_WARNING transitional code
from postscreen. File: postscreen/postscreen.c.
20110125
Cleaned up and finalized read/write deadline support. Once
this code has been fielded it can go into Postfix 2.8.1,
and made available as an optional patch for earlier releases.
Further refinements have only diminishing returns and can
evolve in the 2.9 release cycle. File: util/vstream.c.
20110128
Infrastructure: separate VSTREAM flags for read or write
errors. Files: util/vbuf.[hc], util/vstream.[hc].
Cleanup: after write error, the smtp_stream routines now
disable further network writes. This eliminates the need
for clumsy code to avoid unwanted I/O while shutting down
a TLS engine or closing a VSTREAM. File: util/smtp_stream.c.
20110201
Cleanup: when verifying that the client_address->client_name
lookup result resolves to the client_address, request
hostname->address lookup with the same protocol family (IPv4
or IPv6) as the client_address. Files: util/myaddrinfo.[hc],
smtpd/smtpd_peer.c, qmqpd/qmqpd_peer.c.
20110205
Infrastructure: vstream_peek_data() primitive to look ahead
at buffered input. Use vstream_peek() to find out how much,
and escape() for human presentation. Files: util/vstream.[hc].
Cleanup: smtpd(8) and postscreen(8) now log the input that
triggers an SMTP command pipelining violation. File:
postscreen/postscreen_smtpd.c, smtpd/smtpd.c.
Infrastructure: smtp_get() option to skip over input in
excess of the line length limit. Files: smtp/smtp_stream.[hc].
Cleanup: handle excessively-long client requests and server
responses more gracefully, i.e. without losing synchronization.
Files: smtpd/smtpd_chat.c, smtpd/smtpd_proxy.c, smtp/smtp_chat.c,
smtpstone/smtp-source.c.
20110207
Bugfix (introduced Postfix 2.8): segfault with smtpd_tls_loglevel
>= 3. Files: tls/tls_server.c, tls.h, smtpd.c, tlsproxy.c.
Cleanup: read/write deadline support for single_server TLS
applications (i.e. smtpd(8), smtp(8)). File: tls/tls_bio_ops.c.
20110212
Infrastructure: run-time switch for read/write deadline
support. Files: util/vstream.[hc], global/smtp_stream.[hc],
tls/tls_bio_ops.c.
Cleanup: configurable read/write deadline support with
smtpd_per_record_deadline (normal: "no", overload: "yes")
and smtp_per_record_deadline (default: "no"). Files:
global/mail_params.h, smtpd/smtpd.c, smtp/smtp.c,
smtp/smtp_proto.c, proto/postconf.proto, mantools/postlink.
20110213
Workaround: the TLS library passes the same information via
different function arguments, and this same information is
maintained by different functions, so things get out of
step when code is updated. As of 20110212, tls_client_start()
needs to set the VSTREAM property of the TLS session object.
File: tls/tls_client.c.
20110215
Human factors: the FCRDNS (forward-confirmed reverse DNS)
checking code now logs "hostname X does not resolve to
address Y", when a "reverse hostname" lookup result does
not resolve to the client IP address. Files: smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20110216
Cleanup: don't log a "connection reset by peer" error when
postscreen(8) tries to send a server response. File:
postscreen/postscreen_send.c.
20110218
Cleanup: Postfix now uses long integers for message_size_limit,
mailbox_size_limit and virtual_mailbox_limit. On LP64 (64-bit
long and pointer, but 32-bit integer) systems, these message
and mailbox limits can now exceed 2GB. Files: global/mail_params.c
global/mail_params.h local/local.c master/event_server.c
master/mail_server.h master/multi_server.c master/single_server.c
master/trigger_server.c virtual/virtual.c postconf/extract.awk
postconf/postconf.c.
20110220
Cleanup: compiler gripe. File: util/vstream.c.
20110223
Cleanup: Debian build tool gripe. File: smtpstone/smtp-sink.c.
20110224
postscreen(8) support to enforce proper client MX lookup
policy. Some spambots connect first to a backup MX address
in the hope that the server has a weaker anti-spam policy.
By listening on both primary and backup MX addresses,
postscreen(8) can deny the temporary whitelist status to
clients that connect only to backup MX hosts, and prevent
them from talking to a Postfix SMTP server process.
For example, when 1.2.3.4 is a local backup IP address,
specify "postscreen_whitelist_interfaces = !1.2.3.4 static:all"
to disable dynamic whitelisting for clients that connect
(only) to the backup MX address. Files: mantools/postlink,
proto/postconf.proto, proto/POSTSCREEN_README.html,
global/mail_params.h, postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_state.c.
20110225
Workaround (problem introduced with IPv6 support in Postfix
2.2): the SMTP client did not support mail to [ipv6:ipv6addr].
Fix based on a patch by Gurusamy Sarathy (Sophos). File:
util/host_port.c and regression test files.
20110227
Portability: FreeBSD closefrom() support time window. Sahil
Tandon. File: util/sys_defs.h.
Cleanup: each lookup table now has an owner status and UID
attributes for provenance purposes, even memory-resident
tables such as pcre, regexp and cidr. This fixes a problem
where local(8) ignored the non-root ownership of a regular
expression-based aliases(5) file. The table owner status
is TRUSTED (data straight from root-owned configuration
file), UNKNOWN (unauthenticated data from proxy or tcp) or
KNOWN (we actually have an owner UID). With most tables,
the owner UID is the file owner UID. With LDAP and *SQL,
the owner UID is the Postfix configuration file owner.
Files: src/util/dict_unix.c src/util/dict_thash.c
src/util/dict_static.c src/util/dict_sdbm.c src/util/dict_regexp.c
src/util/dict_pcre.c src/util/dict_nisplus.c src/util/dict_nis.c
src/util/dict_ni.c src/util/dict_ht.c src/util/dict_env.c
src/util/dict_dbm.c src/util/dict_db.c src/util/dict_cidr.c
src/util/dict_cdb.c src/util/dict_alloc.c src/util/dict.h
src/util/dict.c src/local/alias.c src/global/dict_sqlite.c
src/global/dict_pgsql.c src/global/dict_mysql.c
src/global/dict_ldap.c src/global/cfg_parser.h
src/global/cfg_parser.c.
20110311
Feature: Base 32 encoder/decoder per RFC 4648. This code
was going to be used for long queue IDs, but plans were
changed. Files: src/util/base32_code.[hc].
20110313
Bugfix (introduced Postfix 2.8): postscreen DNSBL scoring
error. When a client disconnected and then reconnected
before all DNSBL results for the earlier session arrived,
DNSBL results for the earlier session would be added to the
score for the later session. Problem report by Larry Vaden.
Files: dnsblog/dnsblog.c, postscreen/postscreen_dnsbl.c.
Cleanup: protocol description in dnsblog(8) manpage. File:
dnsblog/dnsblog.c.
20110314
Portability: the SUN compiler had trouble with a pointer
expression of the form ``("text1" "text2") + constant'' so
we don't try to be so clever. Fix by Victor Duchovni. File:
global/mail_params.h.
20110320
Feature: specify "enable_long_queue_ids = yes" to enable
support for non-repeating queue IDs (also used as queue
file names). These queue IDs encode the time and inode
number with a safe alphabet of the 52 characters 0-9B-Zb-z.
The alphabet excludes vowels (AEIOUaeiou) to avoid creating
real words. The queue ID format is: time in seconds, time
in microseconds, 'z', inode number (the inode number is
encoded without using the 'z' character of the safe alphabet).
Turning on long queue IDs changes the width of the first
output column of the mailq (postqueue -p) command, and
changes the appearance of Postfix Message-ID headers to
queueID@myhostname. Files: global/file_id.[hc],
global/safe_ultostr.[hc], global/mail_queue.[hc],
postsuper/postsuper.c, showq/showq.c.
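
The queue ID layout described in the 20110320 entry, as an added example that is not Postfix source code. The function names qid_format() and qid_parse() are hypothetical, and the field widths and bases (seconds at least 6 characters, microseconds exactly 4, inode in base 51) are assumptions of this example; the entry itself gives only the alphabet, the field order and the 'z' separator.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Safe alphabet from the entry above: 0-9, B-Z, b-z without vowels (52 chars). */
static const char SAFE[] = "0123456789BCDFGHJKLMNPQRSTVWXYZbcdfghjklmnpqrstvwxyz";

/* ASSUMED widths and bases; the entry gives only field order and separator. */
#define SEC_BASE   52U          /* seconds: full alphabet */
#define SEC_MIN    6U           /* seconds: minimum width, zero padded */
#define USEC_BASE  52U          /* microseconds: full alphabet */
#define USEC_WIDTH 4U           /* microseconds: fixed width (52^4 > 999999) */
#define INUM_BASE  51U          /* inode: alphabet without 'z' */
#define INUM_SEP   'z'          /* separates the time fields from the inode */

/* Append v in `base`, zero padded to min_width. Returns new length or -1. */
static int safe_append(char *out, size_t cap, size_t len,
                       unsigned long long v, unsigned base, size_t min_width)
{
    char tmp[64];
    size_t n = 0;

    do {
        tmp[n++] = SAFE[v % base];
        v /= base;
    } while (v != 0);
    while (n < min_width)
        tmp[n++] = '0';
    if (len + n + 1 > cap)
        return -1;
    while (n > 0)
        out[len++] = tmp[--n];
    out[len] = '\0';
    return (int) len;
}

/* Decode n characters; fails on vowels, punctuation, digits >= base, overflow. */
static int safe_decode(const char *s, size_t n, unsigned base,
                       unsigned long long *v)
{
    unsigned long long acc = 0;
    size_t i;

    if (n == 0)
        return -1;
    for (i = 0; i < n; i++) {
        const char *p = s[i] ? strchr(SAFE, s[i]) : NULL;
        unsigned long long d;

        if (p == NULL || (d = (unsigned long long) (p - SAFE)) >= base)
            return -1;
        if (acc > (ULLONG_MAX - d) / base)
            return -1;
        acc = acc * base + d;
    }
    *v = acc;
    return 0;
}

/* Build "<seconds><microseconds>z<inode>". Returns 0, or -1 on bad input. */
int qid_format(char *out, size_t cap, unsigned long long sec,
               unsigned long usec, unsigned long long inum)
{
    int len;

    if (usec >= 1000000UL)
        return -1;
    if ((len = safe_append(out, cap, 0, sec, SEC_BASE, SEC_MIN)) < 0
        || (len = safe_append(out, cap, (size_t) len, usec,
                              USEC_BASE, USEC_WIDTH)) < 0)
        return -1;
    if ((size_t) len + 2 > cap)
        return -1;
    out[len++] = INUM_SEP;
    out[len] = '\0';
    return safe_append(out, cap, (size_t) len, inum, INUM_BASE, 0) < 0 ? -1 : 0;
}

/* Split and validate a queue ID. Returns 0, or -1 if it is malformed. */
int qid_parse(const char *id, unsigned long long *sec,
              unsigned long long *usec, unsigned long long *inum)
{
    /* The inode field never contains 'z', so the LAST 'z' is the separator,
       even when the time fields themselves contain a 'z'. */
    const char *sep = strrchr(id, INUM_SEP);
    size_t tlen;

    if (sep == NULL)
        return -1;
    tlen = (size_t) (sep - id);
    if (tlen < SEC_MIN + USEC_WIDTH)
        return -1;
    if (safe_decode(id, tlen - USEC_WIDTH, SEC_BASE, sec) < 0
        || safe_decode(sep - USEC_WIDTH, USEC_WIDTH, USEC_BASE, usec) < 0
        || *usec >= 1000000ULL
        || safe_decode(sep + 1, strlen(sep + 1), INUM_BASE, inum) < 0)
        return -1;
    return 0;
}

int main(void)
{
    char id[64];
    unsigned long long s, u, i;

    /* Constructed sample values, not taken from a real queue. */
    if (qid_format(id, sizeof(id), 1300579200ULL, 123456UL, 786433ULL) == 0
        && qid_parse(id, &s, &u, &i) == 0)
        printf("%s -> sec=%llu usec=%llu inode=%llu\n", id, s, u, i);
    return 0;
}
```
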
20110321
Performance: with long queue file names, queue hashing now
produces the same result as with short names. Postfix uses
the hexadecimal representation of the file creation time
in microseconds, instead of the beginning of the file name
which changes once every year or so, a problem that was
reported by Victor Duchovni. The base 16 encoding gives
finer control over the number of directories than possible
with base 52 encoding. Files: global/mail_queue.[hc]. This
change requires "postfix reload".
20110322
Cleanup: preserve the microseconds value when renaming
long->short or short->short queue file names. As a side
benefit, renaming long->short queue IDs will not change the
result from queue hashing. File: postsuper/postsuper.c.
20110323
Bitrot: qshape regexp pattern for long queue file names.
Ralf Hildebrandt. File: auxiliary/qshape/qshape.pl.
Bitrot: text about queue ID reuse in the postsuper manpage.
File: postsuper/postsuper.c.
20110328
Cleanup: don't log warnings about socket shutdown() errors
after a connection breaks. Postfix calls shutdown() to avoid
unnecessary socket write timeouts. This is only an optimization,
and failure is not critical. File: global/smtp_stream.c.
20110411
Cleanup: postscreen(8) and verify(8) daemons now lock their
respective cache file exclusively upon open, to avoid massive
cache corruption by unsupported sharing. Files: util/dict.h,
util/dict_open.c, verify/verify.c, postscreen/postscreen.c.
20110414
Bugfix (introduced with Postfix SASL patch 20000314): don't
reuse a server Cyrus SASL handle after authentication
failure. File: smtpd/smtpd_proto.c.
20110418
Bugfix (introduced Postfix 2.3 and Postfix 2.7): the Milter
client reported some "file too large" errors as temporary
errors. Problem reported by Michael Tokarev. Files:
milter/milter8.c, cleanup/cleanup_milter.c.
20110420
Performance: a high load of DSN success notification requests
could stall the queue manager. Solution: make the trace
client asynchronous, just like the bounce and defer clients.
Problem reported by Eduardo M. Stelmaszczyk of terra.com.br.
Files: global/abounce.[hc], *qmgr/qmgr_active.c (the
qmgr_active.c files are identical).
20110421
Cleanup: updated abounce warning message, and added a safety
timeout to abounce() etc. requests. File: global/abounce.c.
20110426
Bugfix (introduced in Postfix 1.1, duplicated in Postfix
2.3, unrelated mistake in Postfix 2.7): the local(8) delivery
agent ignored table lookup errors in mailbox_command_maps,
mailbox_transport_maps, fallback_transport_maps and (while
bouncing mail to alias) alias owner lookup. Problem reported
by William Ono. Files: local/command.c, local/mailbox.c,
local/unknown.c, local/bounce_workaround.c.
20110516
Update the warning when permit_naked_ip_address is used,
and add permit_sasl_authenticated to the list of suggested
alternatives. File: smtpd/smtpd_check.c.
20110601
Bugfix (introduced Postfix 2.6 with master_service_disable):
loop control error when parsing a malformed master.cf file.
Found by Coverity. File: master/master_ent.c.
20110602
Bugfix (introduced: Postfix 2.7): "sendmail -t" reported
"protocol error" after queue file write error. File:
postdrop/postdrop.c.
20110605
Cleanup: removed the PSC_STATE_FLAG_CACHE_EXPIRED flag.
Nothing uses this anymore. Files: postscreen/postscreen.h,
postscreen/postscreen_state.c, postscreen/postscreen_tests.c.
20110614
Linux kernel version 3 support. Linus Torvalds has reset
the counters for reasons not related to changes in code.
Files: makedefs, util/sys_defs.h.
20110615
Workaround: some Spamhaus RHSBL rejects lookups with "No
IP queries" even if the name has an alphanumerical prefix.
We play safe, and skip both RHSBL and RHSWL queries for
names ending in a numerical suffix. File: smtpd/smtpd_check.c.
20110624
Cleanup: added error checks for smtpd access primitives
that don't automatically terminate the program after table
lookup error: these primitives are permit_tls_clientcerts,
permit_tls_all_clientcerts, and check_address_map (the last
one is used in local_header_rewrite_clients only). File:
smtpd/smtpd_check.c.
20110729
Workaround: some getpwnam() and getpwuid() implementations
cause mail to bounce ("user unknown") after LDAP etc. lookup
error. Postfix now uses POSIX getpwnam_r() and getpwuid_r()
where available. Initially, this workaround supports FreeBSD,
Solaris and Linux. Files: makedefs, util/sys_defs.h,
global/mypwd.[hc], local/alias.c, local/dotforward.c,
local/include.c, local/mailbox.c, local/recipient.c.
20110731
MacOS X 10.5 supports POSIX getpwnam_r() and getpwuid_r()
(source: MacOS manpages at www.freebsd.org). If MacOS turns
out to make a false promise, then we will undo this change.
Files: makedefs, util/sys_defs.h.
20110810
Cleanup: optimize an optimization to avoid uid->name lookup
when all users are authorized with authorized_submit_users,
authorized_mailq_users, authorized_flush_users. File:
global/user_acl.c.
20110811
Workaround: report a {client_connections} Milter macro value
of zero instead of garbage, when the remote SMTP client is
not subject to any smtpd_client_* limits. Problem reported
by Christian Roessner. Files: smtpd/smtpd_state.c,
proto/MILTER_README.html.
20110817
Cleanup: avoid misleading error messages after future code
change. The tls_bio_ops(3) module now returns non-zero errno
values only when requests fail due to a system-call error.
File: tls/tls_bio_ops.c.
Cleanup: TLS handshake error messages. The SMTP client and
server now report STARTTLS network errors as "connection
timed out", "connection reset by peer", etc., instead of
reporting TLS error number 0. Files: tls/tls_bio_ops.c,
tls/tls_server.c, tls/tls_client.c.
20110818
Cleanup: VSTREAM-over-TLS error return values, for robustness
against future change. For consistency with VSTREAM internal
interfaces, the tls_stream(3) read/write routines now return
-1 instead of unspecified negative OpenSSL results. File:
tls/tls_stream.c.
20110819
Cleanup: further TLS code cleanups, for robustness against
future change. Unexpected TLS errors are no longer silently
treated as ordinary errors, and one corner-case error in TLS
timeout handling was fixed before it could cause trouble.
File: tls/tls_bio_ops.c.
20110821-24
Cleanup: simplified the TLS read/write deadline implementation,
and documented why this same simplification is not possible
higher-up, at the VSTREAM level. Files: tls/tls_bio_ops.c,
util/vstream.c.
20110831
Bugfix: allow for Milters that send an SMTP server reply
without RFC 3463 enhanced status code. Reported by Vladimir
Vassiliev. File: milter/milter8.c.
20110902
Cleanup: don't log vstream_tweak "connection reset by peer"
errors. File: util/vstream_tweak.c.
20110904-7
Bugfix: master daemon panic with "master_spawn: at process
limit", when "postfix reload" reduces the process limit
from (a value larger than the current process count for
some service) to (a value <= the current process count),
and then a new connection is made to that service. This
structural solution centralizes the decision to monitor a
service port (or not). To improve robustness against future
code changes, it clarifies some of the internal dependencies
that exist inside the master daemon. Files: master/master.h,
master/master_avail.c, master/master_conf.c,
master/master_service.c, master/master_spawn.c.
20110911
Debugging: report the request size when memory allocation
fails. File: util/mymalloc.c.
20110914
Incompatibility: the default inet_protocols value is now
"all" instead of "ipv4", meaning use both IPv4 and IPv6.
As a compatibility workaround for sites without global IPv6
connectivity, the commands "make upgrade" and "postfix
upgrade-configuration" append "inet_protocols = ipv4" to
main.cf when no explicit setting is present. This compatibility
workaround will be phased out in a future release. Files:
util/sys_defs.h, conf/post-install, proto/postconf.proto.
Incompatibility: the default smtp_address_preference value
is now "any" instead of "ipv6", meaning choose randomly
between IPv6 and IPv4. With this the Postfix SMTP client
will have more success delivering mail to sites that have
problematic IPv6 configurations. Files: global/mail_params.h,
proto/postconf.proto.
20110918
Workaround for multiple ancient FreeBSD getsockopt() bugs
after non-blocking connect fails with 'host unreachable'
that resulted in an unreasonable memory allocation request.
File: util/vstream_tweak.c.
20110921
Bugfix (introduced: Postfix 1.1): smtpd(8) did not sanitize
newline characters in cleanup(8) REJECT messages, causing
them to be sent out via SMTP as bare newline characters.
This happened when a REJECT pattern matched multi-line
header text. Discovered by Kevin Locke. File: smtpd/smtpd.c.
20110922
Bugfix (introduced: Postfix 2.1): smtpd(8) sent multi-line
responses from a before-queue content filter as text with
bare <LF> instead of <CR><LF>. Found during code maintenance.
File: smtpd/smtpd_proxy.c.
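
The 20110921 and 20110922 entries both concern reply text that reached the wire with bare newline characters. The following added example (not Postfix code, and not a description of how Postfix fixed either bug) shows a naive reply formatter beside a hardened one, plus a check for bare newlines; it generalizes to any multi-line reply text. The function names and the choice of '?' as the replacement character are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Detection: 1 if buf contains an LF without a preceding CR, or a CR
   without a following LF. */
int has_bare_newline(const char *buf)
{
    size_t i;

    for (i = 0; buf[i] != '\0'; i++) {
        if (buf[i] == '\n' && (i == 0 || buf[i - 1] != '\r'))
            return 1;
        if (buf[i] == '\r' && buf[i + 1] != '\n')
            return 1;
    }
    return 0;
}

/* Naive form: copies the text verbatim, so an embedded newline goes out as is. */
int naive_reply(char *out, size_t cap, const char *code, const char *text)
{
    int n = snprintf(out, cap, "%s %s\r\n", code, text);

    return (n < 0 || (size_t) n >= cap) ? -1 : n;
}

static int put(char *out, size_t cap, size_t *len, const char *s, size_t n)
{
    if (*len + n + 1 > cap)
        return -1;
    memcpy(out + *len, s, n);
    *len += n;
    out[*len] = '\0';
    return 0;
}

/* Hardened form: every LF, CR or CRLF in the text starts a new reply line;
   lines are "code-text" except the last, which is "code text"; every line
   ends in CRLF; other bytes outside printable ASCII and TAB become '?'.
   Returns the reply length, or -1 on a bad code or a short buffer. */
int smtp_reply_format(char *out, size_t cap, const char *code, const char *text)
{
    size_t len = 0;

    if (cap == 0 || strlen(code) != 3 || strspn(code, "0123456789") != 3)
        return -1;
    out[0] = '\0';
    for (;;) {
        size_t n = strcspn(text, "\r\n");
        const char *next = text + n;
        size_t i, start;

        if (next[0] == '\r' && next[1] == '\n')
            next += 2;                  /* CRLF counts as one line break */
        else if (next[0] != '\0')
            next += 1;                  /* lone LF or lone CR */
        if (put(out, cap, &len, code, 3) < 0
            || put(out, cap, &len, *next ? "-" : " ", 1) < 0)
            return -1;
        start = len;
        if (put(out, cap, &len, text, n) < 0)
            return -1;
        for (i = start; i < len; i++) {
            unsigned char c = (unsigned char) out[i];

            if (c > 0x7e || (c < 0x20 && c != '\t'))
                out[i] = '?';
        }
        if (put(out, cap, &len, "\r\n", 2) < 0)
            return -1;
        if (*next == '\0')
            break;
        text = next;
    }
    return (int) len;
}

int main(void)
{
    /* Constructed sample: reject text that quotes a folded header. */
    const char *msg = "Header rejected: Subject: one\n two";
    char buf[256];

    if (naive_reply(buf, sizeof(buf), "550", msg) > 0)
        printf("naive:    bare newline = %d\n", has_bare_newline(buf));
    if (smtp_reply_format(buf, sizeof(buf), "550", msg) > 0)
        printf("hardened: bare newline = %d\n", has_bare_newline(buf));
    return 0;
}
```
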
20111011
Cleanup: for consistency with the SMTP standard, the
smtp_line_length_limit default value was increased from 990
characters to 998 (i.e. 1000 characters including <CR><LF>).
Files: global/mail_params.h, proto/postconf.proto.
Cleanup: the Postfix sendmail command now always transforms
all input lines ending in <CR><LF> into UNIX format (lines
ending in <LF>). This simplifies integration with third-party
mail generating applications. Specify "sendmail_fix_line_endings
= strict" to restore historical Postfix behavior (i.e. convert
all input lines ending in <CR><LF> only if the first input
line ends in <CR><LF>). Files: sendmail/sendmail.c,
global/mail_params.h, proto/postconf.proto.
20111017
Cleanup: refined the heuristic that automagically transforms
legacy "sendmail -V" VERP requests into contemporary "sendmail
-XV" syntax. File: sendmail/sendmail.c.
Cleanup: when the cleanup daemon goes into discard mode,
don't get stuck when it runs onto milter file descriptor
information. File: cleanup/cleanup.c.
20111020
EAI Future-proofing: don't apply strict_mime_encoding_domain
checks to unknown message subtypes such as message/global*.
File: global/mime_state.c.
20111025
Bugfix (introduced: Postfix 2.8): postscreen sent non-compliant
SMTP responses (220- followed by 421) when it could not
hand off a connection to a real smtpd process, causing some
remote SMTP clients to bounce mail. The fix redirects the
client to the dummy SMTP engine which sends the 421 reply
at the first legitimate opportunity. Problem reported by
Ralf Hildebrandt. Files: postscreen/postscreen_send.c,
postscreen/postscreen_smtpd.c, postscreen/postscreen.h.
20111102
Workaround: to improve inter-operability with broken remote
SMTP servers, the Postfix SMTP client by default no longer
appends the "AUTH=<>" option to the MAIL FROM command.
Specify "smtp_send_dummy_mail_auth = yes" to restore the
old behavior.
20111106
Feature: "postconf -M" support to show Postfix's idea of
what is in the master.cf file. File: postconf/postconf.c.
Feature: postconf "-f" option to "nicely" format long lines
from main.cf or master.cf. File: postconf/postconf.c.
20111108
Cleanup: postconf finally supports dynamic configuration
parameter names: parameters whose names depend on a mail
delivery transport or spawn service in master.cf, and
parameters whose names are specified with smtpd_restriction_classes
in main.cf. This adds 70 parameters to the "postconf" output,
more if additional mail delivery transports are defined in
master.cf. File: postconf/postconf.c.
20111109
Cleanup: account for "," in smtpd_restriction_classes
value (Victor Duchovni). File: postconf/postconf.c.
20111112
Cleanup: postconf finally warns about possible mis-typed
main.cf and master.cf parameter names (i.e. parameters that
aren't used anywhere), and it finally displays user-defined
main.cf parameters that *are* used. File: postconf/postconf.c.
20111113
Portability: specify ``make makefiles "CCARGS=-DNO_NIS
..."'' to build on systems without NIS support. Files:
makedefs, util/sys_defs.h.
Cleanup: documented the postconf algorithms and their
limitations, and added regression tests to speed up future
development. File: postconf/postconf.c.
20111117
Cleanup: postconf didn't "bless" type "inet" service names.
Cleanup: with pipelined sessions, smtp-sink flushed the
output too often. Reported by Mark Martinec. File:
smtpstone/smtp-sink.c.
Workaround: don't use IPv6 at build time. File: conf/main.cf.
Workaround: don't abort when IPv6 is present but busted.
File: util/inet_proto.c.
Portability: the Dovecot 2.0 authentication server supports
more socket types for its authentication server. File:
xsasl/xsasl_dovecot_server.c.
Documentation: the Dovecot 2.0 authentication server supports
communication over TCP sockets. Patrick Ben Koetter. File:
proto/SASL_README.html.
20111118
Cleanup: "postconf -M" now supports filtering. For example,
"postconf -M inet" shows only services that listen on the
network, and "postconf -M smtp.unix" shows the SMTP delivery
agent. File: postconf.c.
20111119
Cleanup: "postconf" commands in postfix-install needed to
be updated before master.cf was installed. Reported by
Sahil Tandon. File: postfix-install.
20111120
Cleanup: support for parameter name spaces for master.cf
entries. With this, postconf should no longer log false
warnings for "-o user-defined-name=value" in master.cf. As
a benefit, it will warn for user-defined parameters with
"name=value" entries that are unused because they are hidden
by master.cf "-o name=value" entries with the same parameter
name. File: postconf/postconf.c.
20111121
Cleanup: documentation fixes. File: postconf/postconf.c.
Cleanup: in postconf "main.cf management" mode, errors
opening master.cf are non-fatal. File: postconf/postconf.c.
20111122
Documentation: examples to request VERP-style delivery at
SMTP time with the smtpd_command_filter feature. Files:
proto/VERP_README.html, proto/postconf.proto.
Feature: TLS certificate public-key fingerprint matching
(SMTP server and client), and TLS logging cleanup. Victor
Duchovni. Files: proto/SMTPD_POLICY_README.html,
proto/TLS_README.html, proto/postconf.proto, global/mail_proto.h,
smtpd/smtpd_check.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
tls/tls_proxy_print.c, tls/tls_proxy_scan.c, tls/tls_server.c,
tls/tls_stream.c, tls/tls_verify.c.
Documentation: complete list of "make makefiles" overrides.
File: proto/INSTALL.html.
Cleanup: postscreen now logs more than the first word of
non-SMTP commands. File: postscreen/postscreen_smtpd.c.
20111124
Cleanup: eliminated false postconf "unused parameter"
warnings with legacy parameters such as $virtual_maps, and
with non-default parameter values for smtpd_expansion_filter
that can contain legitimate "$" without a macro name.
Cleanup: split postconf source into separate modules.
Files: postconf/postconf.c, postconf/postconf_builtin.c,
postconf/postconf_edit.c, postconf/postconf_main.c,
postconf/postconf_master.c, postconf/postconf_misc.c,
postconf/postconf_node.c, postconf/postconf_other.c,
postconf/postconf_service.c postconf/postconf_unused.c,
postconf/postconf_user.c, postconf/postconf.h.
20111126
Bitrot: changes in error reporting to the under-documented
OpenLDAP API. Problem reported by Quanah Gibson-Mount. Fix
by Viktor Dukhovni. File: global/dict_ldap.c.
Cleanup: four-space indentation had become a tab character.
Files: postconf/postconf.h, postconf/test20.ref,
postconf/test21.ref.
20111127
Cleanup: documented _suffix parameters that don't
show in postconf command output of earlier Postfix versions.
Files: proto/SMTPD_POLICY_README.html, proto/postconf.proto,
proto/SCHEDULER_README.html.
Cleanup: added the pipe(8) delivery agent to the list of
programs that implement transport_time_limit parameters.
Files: postconf/postconf_service.c, postconf/test6.ref,
postconf/test22.ref.
20111128
Feature: "postconf -C class,..." support to print parameters
in one or more classes (builtin= built-in parameter names,
service=service-defined parameter names, user=user-defined
parameter names). Files: postconf/postconf.c, postconf/postconf.h,
postconf_service.c, postconf/postconf_user.c.
20111129
Cleanup: TLS logging level configuration. Files:
global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
smtp/smtp_params.c, smtp/smtp_proto.c, smtpd/smtpd.c,
tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c,
tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.
20111203
Cleanup: time-dependent sender addresses of address
verification probes. Specify an address_verify_sender_ttl
value of several hours or more to frustrate address harvesting.
Files: global/verify_sender_addr.[hc], smtpd/smtpd.c,
smtpd/smtpd_check.c, verify/verify.c, proto/postconf.proto,
proto/ADDRESS_VERIFICATION_README.html.
20111204
Cleanup: removed the log_level arguments from tls_client_start()
and tls_server_start() calls. This information is already
given to tls_client_init() and tls_server_init(). Files:
smtpd/smtpd.c, tlsproxy/tlsproxy.c, smtp/smtp_proto.c,
tls/tls.h, tls/tls_client.c, tls/tls_server.c, tls/tls_misc.c.
20111205
Documentation: made the postconf(5) manpage more precise
in its use of "client" and "server"; reorganized the
TLS_README presentation of client configuration so that
most relevant information is presented earlier. Files:
proto/postconf.proto, proto/TLS_README.html.
Bugfix: tlsproxy(8) stored TLS sessions with a serverID of
"tlsproxy" instead of "smtpd", wasting an opportunity for
session reuse. File: tlsproxy/tlsproxy.c.
20111206
Documentation: removed descriptions of Postfix < 2.3 user
interface from TLS_README. Users of earlier releases are
referred to TLS_LEGACY_README. File: proto/TLS_README.html.
20111207
Cleanup: tlsproxy(8) now receives the session cache serverID
from its client (postscreen(8)). Files: global/mail_proto.h,
postscreen/postscreen_starttls.c, tlsproxy/tlsproxy.[hc],
tlsproxy_state.c.
Cleanup: the postscreen(8) daemon did not support a zero
cache cleanup interval. This is needed for memcache support.
File: postscreen/postscreen.c.
Bugfix (introduced: 20110227): null pointer bug while
updating dictionary owner attributes, after reading an empty
(database) configuration file. File: util/dict.c.
20111208
Cleanup: db_common_parse_domain() could not be called without
preceding db_common_parse() call. Files: global/db_common.[hc].
20111209
Feature: memcache client support. This implementation is
based on the under-documented libmemcache library, and
therefore supports only libmemcache version 1.4.0. Files:
conf/postfix-files, global/dict_memcache.[hc], global/mail_dict.c,
html/index.html, mantools/postlink, postconf/postconf.c,
postfix/postfix.c, proto/DATABASE_README.html,
proto/MEMCACHE_README.html, proto/memcache_table.
20111209
Cleanup: support for scripted and manual database tests with
LDAP, *SQL, and memcache. Files: util/dict_test.c, util/dict.c,
global/mail_dict.c.
Workaround: apparently, some distributions use Postfix
shared libraries without proper so-number versioning. This
causes programs to fail mysteriously, after an update
replaces the Postfix library but not the program (someone
experienced this with an extra copy of the Postfix SMTP
server). Files: global/mail_version.[hc], master/*server.c,
master/master.c, src/postalias/postalias.c,
src/postdrop/postdrop.c, src/postfix/postfix.c,
src/postlog/postlog.c, src/postmap/postmap.c,
src/postmulti/postmulti.c, src/postqueue/postqueue.c,
src/postsuper/postsuper.c, src/sendmail/sendmail.c.
20111211
Feature: first/next (sequence) support in the proxymap
protocol. This is needed for cache cleanup of a proxied
postscreen or verify persistent cache. Files:
global/dict_proxy.[hc], proxymap/proxymap.c.
Feature: memcache client support without libmemcache
dependencies. Files: global/memcache_proto.[hc],
global/dict_memcache.c.
Bugfix: missing lookup table entry and terminator, causing
proxymap(8) server segfault when postscreen(8) or verify(8)
attempted to access their cache via the proxymap(8) server.
This could never have worked anyway, because the Postfix
proxymap protocol did not support cache cleanup. File:
util/dict.c.
Feature: support for persistent backup database in the
memcache client. The database can be shared with the proxymap
service, but it needs to be listed as "proxy:maptype:mapname"
in the proxy_read_maps or proxy_write_maps parameter value
(depending on whether the access is read-only or read-write).
Support for proxymap-over-tcp (proxy:maptype:mapname@host:port)
is under development. File: global/dict_memcache.c.
20111214
Documentation: updated the submission and smtps examples
in the sample master.cf file, so that their logging is
easier to recognize. File: conf/master.cf.
20111215
Documentation: use different hosts to separate MUA "port
25" traffic from the "port 25" MX service. Files:
postscreen/postscreen.c, proto/POSTSCREEN_README.html.
20111216
Cleanup: the proxymap client did not correctly propagate
the "open_lock" flag, causing the proxymap service to open
postscreen(8) and verify(8) caches twice, instead of once.
File: global/dict_proxy.c.
Cleanup: the verify and postscreen caches were not listed
as "authorized" for access via the proxywrite service. File:
global/mail_params.h.
Refactoring: the postscreen permanent access list code is
now a library module, so that it can be also used for remote
access to the proxymap server. Files: global/server_acl.[hc].
Hardening: read/write deadlines, to make the proxymap server
suitable for remote access. File: proxymap/proxymap.c.
20111217
Cleanup: more orthogonal definition of when the proxymap
server can/cannot share a single map instance among multiple
requestors, and corresponding code cleanup in the proxymap
client and server. Files: util/dict.h, util/dict_test.c,
global/dict_proxy.c, proxymap/proxymap.c.
Human factors: the postscreen/verify cache manager now logs
the full database name including the proxy: prefix, to avoid
WTF surprises. File: util/dict_cache.c.
20111218
Cleanup: more configurable memcache client error handling.
Files: global/dict_memcache.c, proto/memcache_table.
Feature: the Postfix SMTP server XCLIENT command now supports
the LOGIN attribute (e.g., login information from nginx).
Based on the nginx:xclient-login-patch from citrin.ru (Anton
Yuzhis). The patch was further enhanced to support SASL
login information everywhere in the Postfix SMTP server
without having to specify "smtpd_sasl_auth_enable = yes"
in main.cf. Files: smtpd.[hc], smtpd_sasl_glue.[hc],
smtpd_check.c, smtpd_sasl_proto.[hc], smtpd_state.c,
proto/XCLIENT_README.html.
Incompatibility: the Postfix SMTP server now always checks
the smtpd_sender_login_maps table, even without having
"smtpd_sasl_auth_enable = yes" in main.cf.
20111219
Cleanup: the match_list-based primitives now provide an
option to return an error result instead of terminating the
process with a fatal error. Files: util/match_ops.[hc],
util/match_list.c, global/addr_list_match.c, domain_list.c,
string_list.c, namadr_list.c.
Cleanup: a "fail:" database type that reliably fails all
requests. The lookup table name specifies the internal error
result code. Having this table facilitates a systematic
review of all Postfix table lookup error handling.
Cleanup: trivial-rewrite now "catches" errors with implicit
database lookups in virtual_alias_domains, relay_domains,
virtual_mailbox_domains, just like it already caught explicit
database lookup errors. This means there are fewer occasions
where trivial-rewrite clients will appear to hang. File:
trivial-rewrite/resolve.c.
Cleanup: a broken relay_domains table would cause many
Postfix processes to terminate with fatal error as they
initialized the flush() client (used by defer_append()
etc.). Postfix now logs a warning instead. File:
global/flush_clnt.c.
Cleanup: the Postfix SMTP server now "catches" errors with
implicit database lookups in mynetworks, TLS client certificate
tables, and local_header_rewrite_clients, and reports "server
configuration error" or "table lookup error" instead of
terminating with a fatal error. This is work in progress;
errors with opening a database may be covered later. Files:
smtpd/smtpd.c, smtpd/smtpd_check.c.
20111220
Cleanup: the Postfix SMTP server now "catches" errors with
implicit database lookups in mynetworks, debug_peer_list,
smtpd_client_event_limit_exceptions, permit_mx_backup_networks.
This continues work started 20111219, and does not cover
errors with opening a database. Files: smtpd/smtpd.c,
smtpd/smtpd_checks.c, smtpd/smtpd_error.in, smtpd/smtpd_error.ref.
Cleanup: memory leak testing of error handling. File:
util/name_mask.c.
20111222
Cleanup: memory leak testing of error handling. File:
util/name_mask.c.
Cleanup: simplified the match_list error reporting, thereby
reducing the footprint of the changes to "catch" errors
with implicit database lookups in mynetworks, and other
lists. Files: util/match_ops.[hc], util/match_list.c,
global/addr_list_match.c, domain_list.c, string_list.c,
namadr_list.c, trivial-rewrite/resolve.c, smtpd/smtpd.c,
smtpd/smtpd_check.c, global/flush_clnt.c, flush/flush.c.
20111224
Cleanup: eliminated the global dict_errno variable that
made error reporting convenient but not necessarily precise.
This was a straightforward change except in the few modules
that propagate errors from one dictionary API to another:
dict_cache.c, dict_debug.c, maps.c, dict_memcache.c. Files:
src/cleanup/cleanup_map11.c, src/cleanup/cleanup_map1n.c,
src/global/addr_match_list.c, src/global/dict_ldap.c,
src/global/dict_memcache.c, src/global/dict_mysql.c,
src/global/dict_pgsql.c, src/global/dict_proxy.c,
src/global/dict_sqlite.c, src/global/domain_list.c,
src/global/flush_clnt.c, src/global/mail_addr_find.c,
src/global/mail_addr_map.c, src/global/maps.c, src/global/maps.h,
src/global/match_parent_style.h, src/global/namadr_list.c,
src/global/resolve_local.c, src/global/resolve_local.h,
src/global/server_acl.c, src/global/string_list.c,
src/local/alias.c, src/local/bounce_workaround.c,
src/local/mailbox.c, src/local/unknown.c, src/proxymap/proxymap.c,
src/qmqpd/qmqpd.c, src/smtp/smtp_map11.c, src/smtpd/smtpd_check.c,
src/trivial-rewrite/resolve.c, src/trivial-rewrite/transport.c,
src/util/dict.h, src/util/dict_alloc.c, src/util/dict_cache.c,
src/util/dict_cidr.c, src/util/dict_db.c, src/util/dict_debug.c,
src/util/dict_env.c, src/util/dict_fail.c, src/util/dict_ht.c,
src/util/dict_pcre.c, src/util/dict_regexp.c,
src/util/dict_static.c, src/util/dict_tcp.c, src/util/dict_test.c,
src/util/dict_thash.c, src/util/dict_unix.c, src/util/match_list.c,
src/util/match_list.h, src/util/match_ops.c, src/virtual/mailbox.c.
20111226
Bugfix (introduced 20110426): after lookup error with
mailbox_transport_maps, mailbox_command_maps or
fallback_transport_maps, the local delivery agent did not
log the problem before deferring mail, and produced no defer
logfile record. Files: local/mailbox.c, local/unknown.c.
20120102
Workaround: degrade gracefully when the network protocols
specified with inet_protocols are unavailable. Files:
global/mail_params.c, global/mynetworks.c, global/own_inet_addr.c
master/master_ent.c, master/master_vars.c, postscreen/postscreen.c,
qmqpd/qmqpd.c, smtp/smtp_connect.c, smtpd/smtpd.c,
util/inet_proto.c.
20120107
Workaround: degrade gracefully when the "domain" feature
of LDAP, *SQL and memcache databases has a table lookup
problem. Files: global/db_common.c, global/dict_ldap.c,
global/dict*sql*.c, global/dict_memcache.c.
Cleanup: fixed memcache client error handling for things
that never happen. File: global/dict_memcache.c.
Future proofing: prepare postmap/postalias error logging
for future changes to database code. Files: postalias/postalias.c,
postmap/postmap.c.
20120108
Cleanup: the postscreen(8) and verify(8) cache managers log
warnings at a reduced rate of one per second per cache
operation, to avoid logging large numbers of warnings about
a problem with low-value information. Files: util/msg_rate_delay.c,
util/dict_cache.c.
20120110
Cleanup: added logging for failed table lookups, and replaced
some "fatal" errors by warnings. Files: cleanup/cleanup_addr.c,
cleanup/cleanup_message.c, cleanup/cleanup_milter.c,
cleanup/cleanup_masquerade.c, global/header_body_checks.c,
global/smtp_stream.c, postscreen/postscreen_dnsbl.c,
postscreen/postscreen_smtpd.c, smtp/smtp_chat.c,
smtp/smtp_proto.c, smtp/smtp_sasl_auth_cache.c,
smtp/smtp_sasl_glue.c, smtp/smtp_session.c, smtp/smtp_trouble.c,
smtpd/smtpd.c, smtpd/smtpd_check.c.
20120114
Cleanup: gradual degradation after database file open errors.
Instead of terminating immediately with a "fatal" error, a
Postfix daemon logs an error and continues execution with
reduced functionality. In other words, features that don't
depend on the unavailable table will keep working. However,
for the sake of sanity, the number of such errors over the
life of a process is limited to 13. Files:
src/global/cfg_parser.c, src/util/dict_thash.c,
src/util/dict_cidr.c, src/util/dict_nis.c, src/util/dict_nisplus.c,
src/global/dict_ldap.c, src/global/dict_mysql.c,
src/global/dict_pgsql.c, src/global/dict_sqlite.c,
src/postconf/postconf_main.c, src/global/mail_conf.c,
src/util/dict.h, src/util/dict.c, src/global/dict_memcache.c,
src/util/dict_tcp.c, src/util/dict_unix.c, src/util/dict_pcre.c,
src/util/dict_regexp.c, src/master/trigger_server.c,
src/master/single_server.c, src/master/multi_server.c,
src/master/event_server.c, src/util/dict_test.c,
src/util/dict_surrogate.c, src/util/dict_alloc.c, src/util/msg.c,
src/util/dict_cdb.c, src/util/dict_dbm.c, src/util/msg.h,
src/util/dict_db.c.
Incompatibility: the Postfix SMTP server no longer reports
transcripts of sessions where a client command is rejected
because a table is unavailable. To receive such reports,
add the new "data" class to the notify_classes parameter
value. The reports will be sent to the error_notice_recipient
address as before. This class is also used by the Postfix
SMTP client to report about sessions that fail because a
table is unavailable. Files: global/mail_error.[hc],
smtpd/smtpd_check.c, smtp/smtp_trouble.c.
20120115
Fine tuning: SMTP server error messages. File: smtpd/smtpd.c.
Fine tuning: documentation. Files: proto/MEMCACHE_README.html,
proto/memcache_table.html.
Apply "gradual degradation" also when an unsupported database
*type* is specified. File: util/dict_open.c.
Cleanup: tiny memory leaks after surrogate database opens.
Files: util/dict_cidr.c, util/dict_db.c.
20120117
Cleanup: support for legacy-style database configuration
where parameter names are generated by appending suffixes
to the database name. Files: postconf/postconf_dbms.c.
Other: build without Berkeley DB support (make makefiles
"CCARGS=$CCARGS -DNO_DB"). Files: makedefs, util/sys_defs.h,
proto/DB_README.html, proto/INSTALL.html.
20120120
Compatibility: added file pflogsumm_quickfix.txt with quick
patches for pflogsumm that handle the new default master.cf
entries for the submission and smtps services.
20120121
Cleanup: getopt(3) compatibility in the postconf(1) master.cf
parser. Process "--" as the end-of-options indicator, and
process "-oname=value" as "-o name=value". Files:
util/argv.[hc], postconf/postconf_master.cf,
postconf/postconf_user.c.
20120122
Workaround: log a warning and suggested solution for common
stat()/fstat()/lstat() problems caused by 32-bit overflow.
This is a real stinker that causes Postfix to fail without
any prior warning. File: util/warn_stat.[hc], and everything
that directly calls stat(), fstat() or lstat().
20120127
Bugfix (introduced: Postfix 2.8): the Postfix client sqlite
quoting routine returned the unquoted result instead of the
quoted text. The opportunities for misuse are limited,
because Postfix sqlite files are usually owned by root, and
Postfix daemons usually run with non-root privileges so
they can't corrupt the database. Problem reported by Rob
McGee (rob0). File: global/dict_sqlite.c.
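The bug class described in the 20120127 entry, as an added example that is not Postfix code: a quoting routine that does the work and then hands back the wrong pointer. The function names, the buffer sizes and the "aliases" table are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

typedef const char *(*quote_fn)(const char *raw, char *out, size_t out_size);

/* Copy raw into out, doubling each single quote (SQL string-literal
 * quoting). Returns out, or NULL when out is too small. */
static const char *quote_into(const char *raw, char *out, size_t out_size)
{
    size_t  o = 0;

    if (out_size == 0)
        return NULL;
    for (; *raw != '\0'; raw++) {
        size_t  need = (*raw == '\'') ? 2 : 1;

        if (o + need + 1 > out_size)    /* keep room for the terminator */
            return NULL;
        if (*raw == '\'')
            out[o++] = '\'';
        out[o++] = *raw;
    }
    out[o] = '\0';
    return out;
}

/* Flawed form: the quoted text is built, but the caller receives the
 * unquoted input, so the quoting has no effect on the query. */
static const char *quote_flawed(const char *raw, char *out, size_t out_size)
{
    if (quote_into(raw, out, out_size) == NULL)
        return NULL;
    return raw;                         /* wrong pointer */
}

/* Corrected form: return the buffer that holds the quoted text. */
static const char *quote_fixed(const char *raw, char *out, size_t out_size)
{
    return quote_into(raw, out, out_size);
}

/* Build a lookup query for key with the given quoting routine.
 * Returns 0 on success, -1 when a buffer is too small. */
static int build_query(char *dst, size_t dst_size, const char *key,
                       quote_fn quote)
{
    char    quoted[64];
    const char *text = quote(key, quoted, sizeof(quoted));
    int     n;

    if (text == NULL)
        return -1;
    n = snprintf(dst, dst_size,
                 "SELECT value FROM aliases WHERE name = '%s'", text);
    return (n < 0 || (size_t) n >= dst_size) ? -1 : 0;
}

int main(void)
{
    char    buf[128];
    const char *key = "o'brien";        /* constructed sample lookup key */

    if (build_query(buf, sizeof(buf), key, quote_flawed) == 0)
        printf("flawed: %s\n", buf);
    if (build_query(buf, sizeof(buf), key, quote_fixed) == 0)
        printf("fixed:  %s\n", buf);
    return 0;
}
```

With the flawed routine the string literal in the query is closed by the quote inside the key; with the corrected routine the key stays inside one literal.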
20120130
Bugfix (introduced: Postfix 2.3): the trace service did not
distinguish between DSN SUCCESS notifications for a non-bounce
or a bounce message. This code pre-dates DSN support and
should have been updated when it was re-purposed to handle
DSN SUCCESS notifications. Problem reported by Sabahattin
Gucukoglu. File: bounce/bounce_trace_service.c.
20120202
Bugfix (introduced: Postfix 2.3): the "change header" milter
request could replace the wrong header. A long header name
could match a shorter one, because a length check was done
on the wrong string. Reported by Vladimir Vassiliev. File:
cleanup/cleanup_milter.c.
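How a length taken from the wrong string lets one header name match another, as in the 20120202 entry. This is an added example and not the code from cleanup/cleanup_milter.c; the function names and the sample headers are assumptions, and the flawed variant shows one way such a check can go wrong rather than the exact Postfix comparison.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample headers; not taken from Postfix or a real message. */
static const char *const sample_headers[] = {
    "Subject: hello",
    "X-Spam: no",
    "X-Spam-Score: 1.0",
};
#define SAMPLE_COUNT (sizeof(sample_headers) / sizeof(sample_headers[0]))

typedef int (*header_match_fn)(const char *line, const char *wanted);

/* Length of the field name in "Name: value", or 0 if there is none. */
static size_t header_name_len(const char *line)
{
    size_t  n = 0;

    while (line[n] != '\0' && line[n] != ':'
           && !isspace((unsigned char) line[n]))
        n++;
    return (n > 0 && line[n] == ':') ? n : 0;
}

/* Case-insensitive comparison of the first n bytes of a and b. */
static int same_prefix(const char *a, const char *b, size_t n)
{
    size_t  i;

    for (i = 0; i < n; i++) {
        if (tolower((unsigned char) a[i]) != tolower((unsigned char) b[i]))
            return 0;
        if (a[i] == '\0')               /* both strings ended together */
            return 1;
    }
    return 1;
}

/* Flawed: only the length of the name in the message is used, so the
 * requested name may continue past it ("X-Spam" accepts "X-Spam-Score"). */
static int match_flawed(const char *line, const char *wanted)
{
    size_t  name_len = header_name_len(line);

    return name_len > 0 && same_prefix(line, wanted, name_len);
}

/* Corrected: both names must have the same length before comparing. */
static int match_exact(const char *line, const char *wanted)
{
    size_t  name_len = header_name_len(line);

    return name_len > 0 && name_len == strlen(wanted)
        && same_prefix(line, wanted, name_len);
}

/* Position of the occurrence-th (1-based) header accepted by match,
 * or -1. A "change header" request names a header and an occurrence. */
static int find_header(const char *const *hdrs, size_t count,
                       const char *wanted, int occurrence,
                       header_match_fn match)
{
    size_t  i;
    int     seen = 0;

    for (i = 0; i < count; i++)
        if (match(hdrs[i], wanted) && ++seen == occurrence)
            return (int) i;
    return -1;
}

int main(void)
{
    printf("flawed match picks line %d\n",
           find_header(sample_headers, SAMPLE_COUNT, "X-Spam-Score", 1,
                       match_flawed));
    printf("exact match picks line %d\n",
           find_header(sample_headers, SAMPLE_COUNT, "X-Spam-Score", 1,
                       match_exact));
    return 0;
}
```

A request to change the first "X-Spam-Score" header lands on the "X-Spam" line with the flawed comparison and on the intended line with the corrected one.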
20120214
Bugfix (introduced: Postfix 2.4): extraneous null assignment
caused core dump when postlog emitted the "usage" message.
Reported by Kant (fnord.hammer). File: postlog/postlog.c.
20120217
Bugfix (introduced 20111219): sendmail -bs segfault, due
to a missing guard statement after an smtpd_check_rewrite()
call was moved closer to the command processor loop. Fix
by Bartek Szady. File: smtpd/smtpd.c.
20120220
Cleanup: documentation of how to use only system-supplied
certificates with *CAfile and *CApath. File: proto/postconf.proto.
Cleanup: documentation of smtp_sasl_mechanism_filter. File:
proto/postconf.proto.
20120222
Cleanup: when multiple DNSBLs block an SMTP client, the
postscreen "reject" message now gives credit to the DNSBL
with the largest weight, instead of the DNSBL that replies
first. File: postscreen/postscreen_dnsbl.c.
Cleanup: memcache_table(5) manpage. File: proto/memcache_table.
20120225
Cleanup: eliminated the build-time Perl dependency. File:
bounce/annotate.sh.
Cleanup: when -DNO_DB support was added, the makedefs script
was not updated to skip the Linux Berkeley DB tests.
FreeBSD9 is now a supported platform. Files: makedefs,
util/sys_defs.h.
20120226
Cleanup: documentation in postfix-install.
20120229
Feature: smtpd_log_access_permit_actions to enable logging
of specific permit-like actions in Postfix SMTP server
access lists. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c.
20120306
To improve the interaction with start-up scripts, "postfix
start" now waits for master daemon process initialization
to complete, and returns a non-zero exit status if daemon
initialization failed or if it did not complete in a
reasonable amount of time. This involves a new "-w" master
option. Files: conf/postfix-script, master/master.c,
master/master.h, master/master_monitor.c.
20120307
postconf -X option to exclude parameters from main.cf
(require two-finger action, because this is irreversible).
Files: postconf/postconf.[hc], postconf/postconf_edit.c.
20120317
Feature: Sendmail-style socketmap. Files: util/dict_sockmap.[hc],
util/netstring.[hc], proto/DATABASE_README.html,
postconf/postconf.c.
20120330
Workaround: specify "\c" at the start of an smtpd_reject_footer
template to suppress the line break between the reply text
and the footer text. Files: global/smtp_reply_footer.c,
proto/postconf.proto.
20120401
Bugfix (introduced Postfix 2.6): irrelevant memory leak
that was introduced with postconf -#. File:
postconf/postconf_edit.c.
Bitrot: shut up useless warnings about Cyrus SASL call-back
function pointer type mis-matches. Files: xsasl/xsasl_cyrus.h,
xsasl/xsasl_cyrus_server.c, xsasl/xsasl_client.c.
20120404
Cleanup: added smtpd_sender_login_maps to the default
proxy_read_maps value. Files: global/mail_params.h,
proxymap/proxymap.c.
Cleanup: weed out stale TODO's from the WISHLIST, and moved
some CYA text from WISHLIST into the code. Files: WISHLIST,
smtpd/smtpd_proxy.c.
20120407
Bugfix (introduced: 20120330): don't replace
by when a reply footer starts
with \c and contains no \n. File: global/smtp_reply_footer.c.
20120422
Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
known TLS protocol list so that protocols can be turned off
selectively to work around implementation bugs. Based on
a patch by Victor Duchovni. Files: proto/TLS_README.html,
proto/postconf.proto, tls/tls.h, tls/tls_misc.c, tls/tls_client.c,
tls/tls_server.c.
20120425
Workaround: bugs in 10-year old gcc versions break compilation
with #ifdef inside a macro invocation (NOT: definition).
Files: tls/tls.h, tls/tls_client.c, tls/tls_server.c.
20120426
Bugfix (introduced Postfix 2.9): the postconf command flagged
parameters defined in master.cf as "unused" when they were
used only in main.cf. Problem reported by Michael Tokarev.
Files: postconf/postconf_user.c, postconf/test4b.ref,
postconf Makefile.in.
20120513
Cleanup: report both the first and last line number when a
malformed main.cf entry spans multiple lines, instead of
reporting the last line number only. File: util/dict.c,
util/line_number.[hc].
20120516
Workaround: apparently, FreeBSD 8.3 kqueue notifications
sometimes break when a dnsblog(8) process loses an accept()
race on a shared socket, resulting in repeated "connect to
private/dnsblog service: Connection refused" warnings. This
condition is unique to dnsblog(8). The postscreen(8) daemon
closes a postscreen-to-dnsblog connection as soon as it
receives a dnsblog(8) reply, resulting in hundreds or
thousands of connection requests per second. All other
multi-server daemons such as anvil(8) or proxymap(8) have
connection lifetimes ranging from 5s to 1000s depending on
server load. The workaround is for dnsblog to use the
single_server driver instead of the multi_server driver.
This one-line code change eliminates the accept() race
without any Postfix performance impact. Problem reported
by Sahil Tandon. File: dnsblog/dnsblog.c.
Logging: postscreen now logs a warning when a dnsblog(8)
request takes longer than the hard-coded time limit of 10s.
File: postscreen/postscreen_dnsbl.c.
20120517
Workaround: to avoid crashes when the OpenSSL library is
updated without "postfix reload", the Postfix TLS session
cache ID now includes the OpenSSL library version number.
Note: this problem cannot be fixed in tlsmgr(8). Code by
Victor Duchovni. Files: tls/tls_server.c, tls_client.c.
20120520
Bugfix (introduced Postfix 2.4): the event_drain() function
was comparing bitmasks incorrectly causing the program to
always wait for the full time limit. This error affected
the unused postkick command, but only after s/fifo/unix/
in master.cf. File: util/events.c.
Cleanup: laptop users have always been able to avoid
unnecessary disk spin-up by doing s/fifo/unix/ in master.cf
(this is currently not supported on Solaris systems).
However, to make this work reliably, the "postqueue -f"
command must wait until its requests have reached the pickup
and qmgr servers before closing the UNIX-domain request
sockets. Files: postqueue/postqueue.c, postqueue/Makefile.in.
20120522
Robustness: set LC_ALL=C in post-install to avoid surprises
when parsing output from Postfix or non-Postfix commands.
File: postfix-install.
20120611
Bugfix (introduced: 20031216-21): with soft_bounce=yes, the
SMTP client did not move on to the next MX host or fallback
relay after a 5xx reply. File: smtp/smtp_trouble.c.
20120527-8
Infrastructure: limited support to shrink VSTREAM buffers.
The change takes place when reading from (a stream for the
first time | an empty buffer) or when writing to (a stream
for the first time | a full buffer). TODO: the change should
also happen after purging or flushing a buffer. File:
util/vstream.c.
20120531-617
Feature: haproxy support in postscreen(8) and smtpd(8). To
enable, specify "smtpd_upstream_proxy_protocol = haproxy"
or "postscreen_upstream_proxy_protocol = haproxy". Files:
mantools/postlink, proto/postconf.proto, global/Makefile.in,
global/haproxy_srvr.c, global/haproxy_srvr.h, global/mail_params.h,
global/mail_proto.h, master/single_server.c, master/multi_server.c,
master/event_server.c, postscreen/Makefile.in,
postscreen/postscreen.c, postscreen/postscreen.h,
postscreen/postscreen_endpt.c, postscreen/postscreen_haproxy.c,
postscreen/postscreen_haproxy.h, postscreen/postscreen_send.c,
postscreen/postscreen_state.c, smtpd/Makefile.in, smtpd/smtpd.h,
smtpd/smtpd_peer.c, smtpd/smtpd_sasl_glue.c, smtpd/smtpd_haproxy.c,
util/Makefile.in, util/listen.h, util/recv_pass_attr.c,
util/stream_listen.c, util/sys_defs.h, util/unix_pass_listen.c.
20120618
Cleanup: made the postscreen-to-smtpd haproxy attribute
transmission more robust for Solaris. Files: util/sys_defs.h,
util/connect.h, util/stream_listen.c, postscreen/postscreen_send.c.
Cleanup: simplified the "stream used" workaround. Files:
util/vstream.h, master/event_server.c, master/multi_server.c.
20120621
Cleanup: simplified workarounds for Solaris streams versus
UNIX-domain sockets. Files: util/pass_accept.c (new),
util/pass_trigger.c (new), util/stream_pass_connect.c
(deleted), util/unix_pass_listen.c (deleted),
util/unix_pass_trigger.c (deleted), updated header files,
and replaced PASS_XXX macros by pass_xxx function calls.
Cleanup: don't clobber errno when logging a problem.
File: util/msg_output.c.
20120627
Bugfix (introduced: 20120531-617): in the postscreen module
for HAproxy support, a VSTREAM buffer size request was not
LP64-clean. File: postscreen/postscreen_haproxy.c.
Cleanup: avoid single-character reads in the postscreen
HAproxy module. File: postscreen/postscreen_haproxy.c.
20120628
Workaround: heuristic to detect missing (ssize_t) type-cast
in VSTREAM buffer size requests. File: util/vstream.c.
20120629
Workaround: "sendmail -bl" emulation. File: sendmail/sendmail.c.
20120630
Cleanup: sub-optimal hash performance on systems where the
"char" type is signed. Files: util/htable.c, util/binhash.c.
20120702
Bugfix (introduced: 19990127): the BIFF client leaked an
unprivileged UDP socket. Fix by Jaroslav Skarvada. File:
local/biff_notify.c.
20120713
Bugfix (introduced: 20120527-8): infrastructure to specify
a smaller-than-default VSTREAM buffer, without the complex
run-time checks. File: util/vstream.c, vstream_tweak.c.
20120714
Cleanup: semantics of requests to query or modify the VSTREAM
buffer size that will be used with the next read(2) or
write(2) operation. Files: util/vstream.c, util/vstream.h,
util/vstream_tweak.c.
20120717
Documentation: update to RFC5321.
20120730
Bugfix (introduced: 20000314): AUTH is not allowed after
MAIL. Timo Sirainen. Files: smtpd/smtpd.c, smtpd/smtpd.h,
smtpd/smtpd_sasl_proto.c.
20120801
Documentation: point out what virtual_xxx parameters are
specific to the virtual(8) delivery agent, and will have
no effect when mail is delivered with a different program.
Files: proto/postconf.proto, proto/VIRTUAL_README.html.
20120824
Feature: support for "sendmail -R hdrs|full". Jan Kundrát.
File: sendmail/sendmail.c.
20120902
Documentation: updated TUNING_README with new pointers to
the STRESS_README and POSTSCREEN_README documents. Miscellaneous
documentation clarifications based on postfix-users discussions.
20120903
Bugfix (introduced 20120317): the socketmap client should
not share unrelated client endpoint handles. File:
util/dict_sockmap.c.
20120907
Cleanup (for change 20120824): the DSN RET attribute should
not be stored once per recipient. It is a message property
just like DSN ENVID. File: sendmail/sendmail.c.
20120911
Documentation: more explicit enumeration of what happens
when setting a per-destination recipient limit value to 1.
File: proto/postconf.proto.
20120918
Documentation: clarified the bounce/queue_life-time parameter
descriptions. File: proto/postconf.proto.
20120920
Documentation: the postscreen_whitelist_interfaces parameter
syntax was defined only by example. File: proto/postconf.proto.
20120923
Infrastructure: cleaned up the support for database
lock-on-open. This is needed for databases that are not
multi-updater safe. Files: util/dict_alloc.c, util/dict.c,
util/dict_open.c, util/dict.h, tls/tls_scache.c.
20120924
Documentation: some people are read-challenged and distribute
their own incorrect understanding of master.cf syntax.
File: proto/master.
Cleanup: don't emulate UNIX-domain sockets over FIFOs on
Solaris systems less than 10 years old. This allows us to
globally s/fifo/unix/ in master.cf. Files: makedefs,
util/sys_defs.h.
Laptop-friendliness: avoid disk spin-up on idle systems by
s/fifo/unix/ in master.cf. Files: conf/master.cf.
20120928-30
Feature: smtpd_relay_restrictions, proposed long ago by
Victor. The idea is to separate the mail relay policy from
the spam blocking policy, so that a permissive spam blocking
policy under smtpd_recipient_restrictions will no longer
unexpectedly result in a permissive mail relay policy.
This involves a change in default settings. Similar to the
way that local_recipient_maps was introduced, there is a
safety net that prevents unexpected mail bounces when a
site upgrades to Postfix 2.10 or later, and there is no
change in documented smtpd_recipient_restrictions behavior.
See the RELEASE_NOTES file for details. Files:
global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
proto/postconf.proto, proto/SMTPD_ACCESS_README.html,
mantools/postlink, conf/post-install, RELEASE_NOTES.
20120931-1001
Documentation: updated the remainder of the README files
and manual pages that discuss smtpd_recipient_restrictions.
20121001
Cleanup: prepend 5.1.1 status code to "User unknown in
virtual alias table". File: trivial-rewrite/resolve.c.
20121003
Bugfix: the postscreen_access_list feature was case-sensitive
in the first character of permit, reject, etc. Reported by
Francis Picabia. File: global/server_acl.c.
20121009
Documentation: interaction between delay_warning_time,
notify_classes and delay_notice_recipient. File:
proto/postconf.proto.
20101009
Human factors: log a warning that the postcat option -m
without -h or -b has no effect. File: postcat/postcat.c.
20121010
Bugfix (introduced: Postfix 2.5): memory leak in program
initialization. Reported by Coverity. File: tls/tls_misc.c.
Bugfix (introduced: Postfix 2.3): memory leak in the unused
oqmgr program. Reported by Coverity. File: oqmgr/qmgr_message.c.
20121011
Documentation: how to enable /etc/hosts multi-record lookups
with main.cf settings. File: proto/LINUX_README.html.
Documentation: clarified the postscreen-tlsproxy interface.
File: tlsproxy/tlsproxy.c.
20121012
Documentation: a simpler null-client example. File:
proto/STANDARD_CONFIGURATION_README.html
20121013
Cleanup: to compute the LDAP connection cache lookup key,
join the numeric fields with null, just like string fields.
Viktor Dukhovni. File: global/dict_ldap.c.
20121015
Documentation: added section on regular-expression tables
to the aliases(5) manpage. File: proto/aliases.
Documentation: why "smtp_address_preference = any" is the
preferred setting. File: proto/postconf.proto.
20121022
Bugfix (introduced 20101009) don't complain about stray -m
option if none of -[bhm] is specified. Ralf Hildebrandt.
File: postmap/postmap.c.
20121029
Workaround: strip datalink suffix from IPv6 addresses
returned by the system getaddrinfo() routine. Such suffixes
mess up the default mynetworks value, host name/address
verification and possibly more. This change obsoletes the
20101108 change that removes datalink suffixes in the SMTP
and QMQP servers. Files: util/myaddrinfo.c, smtpd/smtpd_peer.c,
qmqpd/qmqpd_peer.c.
20121031
Bugfix: smtpd_relay_restrictions compatibility shim did not
detect "empty" value. Sahil Tandon. The same problem existed
with the inet_protocols shim. File: conf/post-install.
20121105
Cleanup: the postscreen(8) "deep protocol" tests now log
the SMTP command that precedes a protocol violation. Files:
postscreen/postscreen_smtpd.c, proto/POSTSCREEN_README.html.
Bugfix (introduced: Postfix 1.1): wrong string termination
when handling an MBOX From_ line at the start of a message.
File: qmqpd/qmqpd.c.
20121110
Cleanup: specify $(WARN) on the MacOS X compiler command
line to suppress "nested comment" and possibly other unwanted
warnings. Problem reported by Jim Reid. File: makedefs,
Makefile.in.
20121119
Documentation: added a note that key_format is required
when postscreen(8) and verify(8) share the same memcache
(with different persistent backup databases, of course)
otherwise automatic cache cleanup breaks due to a name
collision for the "last cache cleanup" database record.
File: proto/memcache.
20121122
Cleanup: the safety-check for smtpd_recipient_restrictions
and smtpd_relay_restrictions now detects permit before
reject. File: smtpd/smtpd_check.c.
Cleanup: the safety-check for smtpd_recipient_restrictions
and smtpd_relay_restrictions is no longer case-sensitive.
File: smtpd/smtpd_check.c.
20121123
Cleanup: consistent escaping of commands in postscreen deep
protocol test logging. File: postscreen/postscreen_smtpd.c.
20121124
Documentation: the bounce behavior for automatically-added
BCC recipients has changed with Postfix 2.3 when DSN support
was introduced. File: proto/postconf.proto.
20121203
Documentation: added explicit example for -o name=value.
File: proto/master.
20121210
Bugfix (introduced: Postfix 2.9) nesting count error while
stripping the optional [] around a DNS[BW]L address pattern.
This part of the code is not documented and had escaped
testing. Files: util/ip_match.c, util/ip_match.in,
util/ip_match.ref.
20121215
Bugfix (introduced: 19980218, when recipient_delimiter
support was added): The error message for unknown local
users (or missing required aliases) should report the user
name instead of the full localpart which may contain an
address extension. Problem reported by Christian Holler.
File: local/unknown.c.
20121221
Feature: "postconf -x" support to expand $name in main.cf
parameter values. Files: postconf/postconf_main.c,
postconf/postconf.h, postconf/postconf_node.c, postconf/postconf.c.
20121222
Feature: postconf support to warn about an attempt to modify
a read-only parameter (process_name etc.) in main.cf or
master.cf. Files: postconf/postconf_readonly.c,
postconf/postconf_builtin.c.
20121223
Feature: postconf support to warn about an undefined $name
in a parameter value in main.cf or master.cf (except for
backwards-compatibility parameters such as $virtual_maps)
Files: postconf/postconf_user.c, postconf_dbms.c,
postconf_builtin.c, util/dict_ht.c, util/htable.c.
Feature: "postconf -Mx" support to expand $name in master.cf
parameter values. Files: postconf/postconf_master.c,
postconf/postconf_lookup.c, postconf/postconf_main.c,
postconf/postconf.c.
20121224
Feature: "postconf -Mn" support to print only master.cf
entries that have "-o name=value" parameter settings.
Files: postconf/postconf_master.c.
20121226
Miscellaneous cleanups of postconf internal APIs, identifiers
and comments. No changes in behavior.
Bugfix (omission in feature 20111203): the SMTP server only
supported time-dependent address-verification sender addresses
with RCPT TO but not with MAIL FROM. File: smtpd/smtpd.c.
20121227
Feature: "postconf -o name=value" support to override main.cf
settings (for example, "postconf -x -o stress=whatever"
shows effective settings under overload). Files:
postconf/postconf.c, postconf/postconf_main.c.
20121230
Cleanup: postconf(1) master.cf options parser. Files:
postconf/postconf_master.c, postconf/postconf_user.c.
Bugfix (omission in feature 20111106): the postconf(1)
master.cf options parser didn't support "clusters" of
command-line option letters. Files: postconf/postconf_master.c,
postconf/test40.ref.
20130105
Undo a change made around 20121224, and always whitelist
configuration parameter names for legacy-style proxy:ldap:prefix
etc. lookup tables. Files: postconf/postconf_dbms.c,
postconf/test28.ref, postconf/test29.ref, postconf/Makefile.in.
20130107
Factor out the master.cf line parser so that it can be
reused for "postconf -Me". File: postconf/postconf_master.c.
20130113
Feature: master.cf attribute namespace. "postconf -F" shows
individual master.cf fields as "service/type/attribute =
value", where attribute is "service", "type", "private",
"unprivileged", "wakeup", "process_limit", or "command".
20130121
Bugfix (introduced 20120307): the postconf -X option erased
other options. File: postconf/postconf.c.
20130131
Bugfix: the local(8) delivery agent dereferenced a null
pointer while delivering to null command (for example, "|"
in a .forward file). Reported by Gilles Chehade.
20130203
Bugfix: the undocumented OpenSSL X509_pubkey_digest()
function is unsuitable for computing certificate PUBLIC KEY
fingerprints. Postfix now provides a correct procedure
that accounts for the algorithm and parameters in addition
to the key data. Specify "tls_legacy_public_key_fingerprints
= yes" if you need backwards compatibility. Fix by Victor
Duchovni, BC added by Wietse. Files: tls/tls_verify.c,
tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
20130210
Bugfix: an error handler for smtp_tls_policy_maps lookups
was never invoked. File: smtp/smtp_session.c.
20130212
Cleanup: logfile message formatting (X: subject_CN=X,
issuer_CN=X, fingerprint=X, pkey_fingerprint=X). File:
tls/tls_client.c.
20130315
Feature: LMDB (memory-mapped persistent file) support by
Howard Chu. This implementation has unexpected failure modes
that don't exist with other Postfix databases, so don't
just yet abandon CDB. See LMDB_README for details. Files:
proto/postconf.proto, proto/LMDB_README.html,
proto/DATABASE_README.html, proto/INSTALL.html util/dict_lmdb.[hc],
util/dict_open.c, global/mkmap_lmdb.[hc], global/mkmap_open.c,
postconf/postconf.c.
20130316
Cleanup: new Postfix dictionary API flag to control the use
of (LMDB) bulk database transactions. With this, LMDB
databases no longer fail to commit any transactions with
tlsmgr(8), and LMDB databases no longer perform glacially
slow with postmap -i/postalias -i. Files: util/dict.h,
util/dict_lmdb.c, postmap/postmap.c, postalias/postalias.c.
20130317
Debugging: generalized setting of dictionary API flags.
File: util/dict.[hc], util/dict_test.c.
Robustness: Postfix programs can now recover from LMDB
"database full" errors without requiring human intervention.
When a program opens an LMDB file larger than lmdb_map_size/3,
it logs a warning and uses a larger size limit instead.
Files: util/dict_lmdb.c, proto/LMDB_README.html.
20130318
Portability: botched #ifdef. File: util/dict_lmdb.c.
20130319
Postfix support for LMDB databases is suspended due to the
existence of a hard limit (an "out of storage" failure mode
that cannot be resolved by increasing the database size).
Postfix may support LMDB again when it no longer limits the
size of Postfix transactions, whether the limit is built
into LMDB itself, or implicit by requiring an unbounded
amount of memory to handle a large transaction.
20130322
Documentation: smtp_skip_5xx_greeting wording updated to
reflect text in RFC 2821, which appears to say that a 554
greeting is not a hard delivery error (note that RFC 2821
was published later than smtp_skip_5xx_greeting). File:
proto/postconf.proto.
20130324
Workaround: MacOS 10.8 (Darwin 12) getrlimit(RLIMIT_NOFILE)
incorrectly reports that rlim_max, the hard limit on the
number of open files per process, is equal to RLIM_INFINITY
(i.e. no limit is enforced). In reality, setrlimit(RLIMIT_NOFILE)
rejects requests where rlim_cur, the current limit, contains
any value > kern.maxfilesperproc. Axel Luttgens. File:
util/open_limit.c.
Portability: MacOS 10.8 (Darwin 12) kqueue support works.
Axel Luttgens. Files: makedefs.
20130324
Support for anonymous certificates. Viktor Dukhovni. File:
tls/tls_verify.c.
Feature: support for DNSSEC-validated lookups and TLSA
RRsets. Viktor Dukhovni. Files: dns/Makefile.in, dns/dns.h,
dns/dns_lookup.c, dns/dns_rr.c, dns/dns_strtype.c,
dns/test_dns_lookup.c.
Cleanup: the personality switch between "smtp" and "lmtp".
This streamlines the switch in the SMTP/LMTP protocol, DNS
MX lookups, and configuration parameter names in error
messages. Viktor Dukhovni. Files: smtp/smtp.c, smtp/smtp.h,
smtp/smtp_chat.c, smtp/smtp_connect.c, smtp/smtp_proto.c,
smtp/smtp_rcpt.c, smtp/smtp_sasl_glue.c, smtp/smtp_sasl_proto.c,
smtp/smtp_session.c, smtp/smtp_state.c.
Feature: replace disable_dns_lookups with smtp_dns_support_level,
enable secure DNSSEC lookups in the Postfix SMTP client,
and use the DNSSEC-validated remote SMTP server name to
select the SMTP and TLS policies. Viktor Dukhovni. Files:
dns/Makefile.in, dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
dns/dns_strtype.c, dns/test_dns_lookup.c.
20130325
Portability: on MacOS X, use kqueue() for event handling
but use select() instead of poll() for read/write timeouts
(with a workaround to handle file descriptors >=FD_SETSIZE).
Files: util/sys_defs.h, util/readable.c, util/writable.c,
util/read_wait.c, util/write_wait.c.
Portability: support for NetBSD 5.x, NetBSD 6.x and DragonFly
BSD. Viktor Dukhovni. Files: makedefs, util/sys_defs.h.
20130326
Cleanup: new module that consolidates all system-dependent
code to enforce read/write timeouts. This includes a final
workaround for MacOS X that uses poll() first, and select()
if that fails. This makes their /dev/urandom workaround
unnecessary. Files: util/poll_fd.c, util/iostuff.h. Removed:
util/readable.c, util/writable.c, util/read_wait.c,
util/write_wait.c.
Cleanup: refactor TLS digest functions, improved signature
for TLS session cache. Viktor Dukhovni. Files: smtp/smtp.c,
smtp/smtp_proto.c, smtpd/smtpd.c, tls/Makefile.in, tls/tls.h,
tls/tls_client.c, tls/tls_fprint.c, tls/tls_level.c,
tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c,
tlsproxy/tlsproxy.c.
20130327
Cleanup: final polish for MacOSX workarounds; replaced
#ifdef MacOSX by feature test as required by PORTING document.
Files: util/poll_fd.c, util/open_limit.c.
Export tls_fprint() and tls_digest_encode() for use in DANE.
Viktor Dukhovni. Files: tls/tls.h, tls/tls_fprint.c.
20130331
Refactoring: TLS verification callback processing in
preparation for DANE support. Viktor Dukhovni. Files:
tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_verify.c.
Refactoring: split off SMTP client per-session TLS policy
data and code in preparation for DANE support. Viktor
Dukhovni. Files: smtp/Makefile.in, smtp/smtp.h,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_reuse.c,
smtp/smtp_session.c, smtp/smtp_tls_sess.c.
Cleanup: "zero time limit" corner case in read_wait() and
write_wait() emulation. Files: util/poll_fd.c, util/iostuff.h.
20130401
Refactoring: allow smtp_session_alloc() to fail gracefully
and report an error.
20130403
Documentation: in smtpd.c, the comment that justifies the
454 reply for "TLS unavailable" cited the wrong RFC.
20130404
Human factors: warning when a main.cf parameter has multiple
entries with different values. File: util/dict.c.
20130405
Feature: the recipient_delimiter parameter can now specify
a set of characters. A user name is now separated from its
address extension by the first character that matches the
recipient_delimiter set. Files: proto/postconf.proto,
src/global/mail_addr_find.c, src/global/mail_params.c,
src/global/split_addr.c, src/global/split_addr.h,
src/global/strip_addr.c, src/global/strip_addr.h,
src/global/strip_addr.ref, src/local/bounce_workaround.c,
src/local/local.c, src/local/local_expand.c, src/local/recipient.c,
src/local/resolve.c, src/oqmgr/qmgr_message.c, src/pipe/pipe.c,
src/qmgr/qmgr_message.c, src/smtpd/smtpd.c,
src/smtpd/smtpd_check.c, src/trivial-rewrite/transport.c,
src/trivial-rewrite/trivial-rewrite.c.
Feature: support for trust anchors, i.e. CA certificates
or public keys that will be used instead of conventional
root certificates, and revised fingerprint support. This
can be used by itself, and this provides support for an
upcoming DANE implementation. Victor Duchovni. Files:
mantools/postlink, proto/TLS_README.html, proto/postconf.proto,
global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
smtp/smtp_session.c, smtp/smtp_state.c, smtp/smtp_tls_sess.c,
tls/Makefile.in, tls/tls.h, tls/tls_client.c, tls/tls_dane.c,
tls/tls_fprint.c, tls/tls_misc.c, tls/tls_verify.c,
util/argv.c, util/argv.h.
20130409
Documentation: pointers to other actions under "ACCEPT
ACTIONS" and "REJECT ACTIONS". File: proto/access.
20130410
Cleanup: more uniform permutation in dns_rr() by Victor
Duchovni & Son. File: dns/dns_rr.c.
20130411
Documentation: clarified text about result formats. Files:
proto/canonical, proto/virtual.
20130414
Cleanup: the SMTP client connection management code now
maintains iterator state with a structure that contains
next-hop, host name, address, port and other information.
This iterator structure replaces random variables that were
updated by ad-hoc code, and replaces random function
argument lists. The more structured approach is easier to
maintain and has already paid off by exposing opportunities
to improve SMTP connection cache usage. Wietse Venema.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_session.c,
smtp_reuse.c.
Cleanup: eliminated minor false SMTP connection cache-sharing
problems due to mis-aligned lookup keys for caches and
lookup tables (for example some used the nexthop, and some
the domain name). Information that is used in more than
one lookup key is now generated by a centralized function.
This replaces ad-hoc code in random places that was
concatenating ad-hoc data to construct lookup keys. The
more structured approach is easier to maintain and makes
future cache-sharing issues easier to prevent. Wietse
Venema. Files: smtp/smtp.h, smtp/smtp_connect.c, smtp_reuse.c,
smtp_key.c, smtp_tls_sess.c.
Cleanup and fix of non-production code: the trust anchor-digest
code and smtp_sess_tls_required() function. Victor Duchovni.
Files: smtp/smtp_connect.c, smtp/smtp_proto.c,
smtp/smtp_tls_sess.c, tls/tls.h, tls/tls_client.c,
tls/tls_dane.c, tls/tls_level.c, tls/tls_verify.c.
20130417
Cleanup and fix of non-production code: add the SASL
credentials or absence thereof to the connection cache
endpoint label; better reuse of SASL-authenticated connections
over UNIX-domain sockets, however unlikely these may be;
a first step towards refinement of connection cache lookup
by IP address for plaintext or SASL-unauthenticated connections.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
smtp/smtp_key.c, smtp/smtp_tls_sess.c.
20130418
Cleanup: configurable field delimiter and optional "not
available" field place holder for cache and table lookup
keys; automatic base64 encoding for key fields that contain
these. Files: smtp/smtp_key.c, smtp/smtp_reuse.c,
smtp/smtp_proto.c, smtp/smtp_tls_sess.c.
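The idea behind the 20130414 and 20130418 lookup-key entries, as an added example that is not Postfix code: one function builds every key, terminates each field with a delimiter, marks absent fields with a placeholder, and base64-encodes fields that contain either character. The '|' delimiter, the '*' placeholder, the '*' prefix on encoded fields and all function names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Conventions constructed for this example; they are not Postfix's own. */
#define KEY_DELIM '|'   /* terminates every field */
#define KEY_NA    '*'   /* alone: field not available; as prefix: base64 follows */

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Append one byte and keep the key NUL-terminated; -1 when the buffer is full. */
static int put(char *key, size_t cap, size_t *used, char c)
{
    if (*used + 1 >= cap)
        return -1;
    key[(*used)++] = c;
    key[*used] = '\0';
    return 0;
}

/* Append the padded base64 form of s; its alphabet contains neither marker. */
static int put_b64(char *key, size_t cap, size_t *used, const char *s)
{
    const unsigned char *p = (const unsigned char *) s;
    size_t  len = strlen(s), i;

    for (i = 0; i < len; i += 3) {
        unsigned long v = (unsigned long) p[i] << 16;

        if (i + 1 < len)
            v |= (unsigned long) p[i + 1] << 8;
        if (i + 2 < len)
            v |= p[i + 2];
        if (put(key, cap, used, b64tab[(v >> 18) & 63]) < 0
            || put(key, cap, used, b64tab[(v >> 12) & 63]) < 0
            || put(key, cap, used, i + 1 < len ? b64tab[(v >> 6) & 63] : '=') < 0
            || put(key, cap, used, i + 2 < len ? b64tab[v & 63] : '=') < 0)
            return -1;
    }
    return 0;
}

/* Append one field: placeholder, marked base64, or the raw text. */
static int put_field(char *key, size_t cap, size_t *used, const char *f)
{
    if (f == NULL || *f == '\0') {
        if (put(key, cap, used, KEY_NA) < 0)
            return -1;
    } else if (strchr(f, KEY_DELIM) != NULL || strchr(f, KEY_NA) != NULL) {
        if (put(key, cap, used, KEY_NA) < 0 || put_b64(key, cap, used, f) < 0)
            return -1;
    } else {
        for (; *f != '\0'; f++)
            if (put(key, cap, used, *f) < 0)
                return -1;
    }
    return put(key, cap, used, KEY_DELIM);
}

/* The single place where a connection-cache key is built. */
int make_key(char *key, size_t cap, const char *nexthop,
             const char *port, const char *sasl_user)
{
    size_t  used = 0;

    if (cap == 0)
        return -1;
    key[0] = '\0';
    if (put_field(key, cap, &used, nexthop) < 0
        || put_field(key, cap, &used, port) < 0
        || put_field(key, cap, &used, sasl_user) < 0)
        return -1;
    return 0;
}

/* The ad-hoc style for contrast: absent fields vanish, nothing is escaped. */
int naive_key(char *key, size_t cap, const char *nexthop,
              const char *port, const char *sasl_user)
{
    int     n = snprintf(key, cap, "%s%s%s%s%s", nexthop,
                         port ? "|" : "", port ? port : "",
                         sasl_user ? "|" : "", sasl_user ? sasl_user : "");

    return (n < 0 || (size_t) n >= cap) ? -1 : 0;
}

int main(void)
{
    char    a[128], b[128];

    /* Constructed inputs: login "bob" on port 587, and a login containing '|'. */
    naive_key(a, sizeof a, "relay.example", "587", "bob");
    naive_key(b, sizeof b, "relay.example", NULL, "587|bob");
    printf("naive: %s\n       %s\n", a, b);
    make_key(a, sizeof a, "relay.example", "587", "bob");
    make_key(b, sizeof b, "relay.example", NULL, "587|bob");
    printf("keyed: %s\n       %s\n", a, b);
    return 0;
}
```

With the naive builder both endpoints map to the same key, so a cached connection authenticated with one login could be handed to a delivery that needs the other; the structured key keeps them apart.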
20130420-21
Documentation: "dane" TLS security level and parameters.
Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
proto/postconf.proto.
Feature: implemented and enabled DNS-based DANE security
level. Viktor Dukhovni. Files: global/mail_params.h,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
smtp/smtp_proto.c, smtp/smtp_tls_sess.c, tls/tls.h,
tls/tls_client.c, tls/tls_dane.c, tls/tls_fprint.c,
tls/tls_level.c, tls/tls_misc.c, util/Makefile.in,
util/ctable.c, util/ctable.h, util/timecmp.c, util/timecmp.h.
Cleanup: rename (unchanged) smtp_tls_sess.c to smtp_tls_policy.c.
Viktor Dukhovni. Files: smtp/Makefile.in, smtp/smtp_tls_policy.c,
smtp/smtp_tls_sess.c.
Portability: OpenSSL workarounds for versions before 0.9.7
are removed from the source code. Viktor Dukhovni. Files:
tls/tls.h, tls/tls_bio_ops.c, tls/tls_client.c.
Non-production fixes: when falling back from opportunistic
TLS to plaintext, don't modify the cached TLS policy "retry
as plaintext" and "level" members. Files: smtp/smtp_session.c.
Non-production fixes: move TLS policy lookup to the main
connection iterator loop, so that the policy is known before
attempting connection reuse and before SMTP connection
creation. Temporarily link session->tls to state->tls.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_reuse.c,
smtp/smtp_tls_policy.c.
20130422
Feature: smtptls-finger test program for SMTP over TLS.
Viktor Dukhovni. Files: Makefile.in, html/Makefile.in,
man/Makefile.in, mantools/postlink, posttls-finger/.indent.pro,
posttls-finger/Makefile.in, posttls-finger/posttls-finger.c,
posttls-finger/tlsmgrmem.c, posttls-finger/tlsmgrmem.h,
tls/tls.h, tls/tls_misc.c.
20130423
Bugfix (introduced: Postfix 2.0): when myhostname is not
listed in mydestination, the trivial-rewrite resolver may
log "do not list in both mydestination
and ". The fix is
to re-resolve a domain-less address after adding $myhostname
as the surrogate domain, so that it pops out with the right
address-class label. Problem reported by Quanah Gibson-Mount.
File: trivial-rewrite/resolve.c.
20130425
Non-production fixes: revert to using proxies (sender,
nexthop, hostname) to distinguish between different SASL
credentials for connections to the same IP address and port.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_key.c.
Non-production cleanup: documentation, identifiers. Viktor
Dukhovni. Files: proto/postconf.proto, src/dns/dns.h,
src/dns/dns_lookup.c, src/dns/dns_rr.c, src/dns/test_dns_lookup.c,
src/global/mail_proto.h, src/posttls-finger/posttls-finger.c,
src/smtp/smtp.h, src/smtp/smtp_addr.c, src/smtp/smtp_connect.c,
src/smtp/smtp_session.c, src/smtp/smtp_tls_policy.c,
src/smtpd/smtpd_check.c, src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_dane.c, src/tls/tls_fprint.c, src/tls/tls_misc.c,
src/tls/tls_proxy_clnt.c, src/tls/tls_proxy_print.c,
src/tls/tls_proxy_scan.c, src/tls/tls_server.c,
src/tls/tls_verify.c.
20130426
Non-production fixes: refinement of SASL-dependent context
for connection-cache reuse, documentation. Viktor Dukhovni
and Wietse Venema. Files: smtp/smtp.h, smtp/smtp_key.c,
tls/tls_client.c.
20130506
Non-production bugfix: macros must use distinct names for
temporary variables, to avoid name collision problems.
Problem report: Ralf Hildebrandt. Problem fix: Viktor
Dukhovni. File: smtp/smtp.h.
Non-production cleanup: simplified "dane" user interface,
replacing one "dane" security level plus multiple fall-back
options, with two "dane" security levels, one opportunistic
and one mandatory. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto, mantools/postlink, proto/TLS_README.html,
proto/postconf.proto, global/mail_params.h,
posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_level.c.
20130512
Feature: allow an SMTP client to skip postscreen(8) tests
before or after the 220 greeting, based on its DNSBL score.
Suggested by Rob McGee (/dev/rob0). Files: mantools/postlink,
proto/postconf.proto, global/mail_params.h,
postscreen/postscreen.c, postscreen/postscreen.h,
postscreen/postscreen_early.c, postscreen/postscreen_state.c,
postscreen/postscreen_tests.c.
20130513
Bugfix (introduced: 20130512): postscreen logged no "PASS
NEW" event when the pregreet tests were turned off and the
postscreen_dnsbl_whitelist_threshold feature was turned on.
Reported by Rob McGee (/dev/rob0). Files: postscreen/postscreen.h,
postscreen/postscreen_early.c.
Bugfix (introduced: 20130512): postscreen panic because the
logic for dnsbl result retrieval was changed. Reported by
Noel Jones. File: postscreen/postscreen_early.c.
20130517
Cleanup: just like the postscreen DNS block test will use
partial scores when some DNS lookup result is unavailable,
the postscreen_dnsbl_whitelist_threshold feature will now
use partial scores instead of ignoring them. File:
postscreen/postscreen_early.c.
20130518
Bugfix (introduced: 1997): memory leak after error while
forwarding mail through the cleanup server. Viktor found
one, Wietse eliminated the rest. File: local/forward.c.
Feature: posttls-finger protocol and cipher grade selection
options. Leave protocol debug flags active across reconnects,
only suppress redundant logging of the certificate details.
Viktor Dukhovni. File: posttls-finger/posttls-finger.c.
Robustness: send SNI even when trying to reuse a DANE
session, because a new session may be negotiated anyway.
Viktor Dukhovni. File: tls/tls_client.c.
Cleanup: eliminate variable that is redundant with respect
to more authoritative state. Viktor Dukhovni. File:
posttls-finger/posttls-finger.c.
Feature: new tls_ssl_options parameter to enable OpenSSL
features (as opposed to tls_disable_workarounds which
disables bug workarounds that are on by default). Viktor
Dukhovni. Files: proto/TLS_README.html, proto/postconf.proto,
src/global/mail_params.h, src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_misc.c.
20130520
Documentation: removed resolve_null_domain from the list
of smtpd(8) parameters. File: smtpd/smtpd.c.
20130523
Documentation: add cidr: and texthash: to the list of maps
that don't have automatic change detection. File:
proto/DATABASE_README.html.
Documentation: define the netmask format of CIDR maps.
File: proto/cidr_table.
20130530
Cleanup: replace alloca() with mymalloc()/myfree() for
better error handling. Reported by Bill Parker. File:
util/dict_ni.c (does anyone still use this code?).
20130531
Feature: tls_wildcard_matches_multiple_labels (default:
yes) to match multiple DNS labels with "*" in wildcard
certificates. Viktor Dukhovni. Files: proto/postconf.proto,
mantools/postlink, global/mail_params.h, tls/tls_client.c,
tls/tls_misc.c.
20130607
Bugfix (DANE support): with multiple TLSA RR that carry "x
0 0" certificates or "x 1 0" keys, Postfix failed to reset
the cert/key pointer before calling d2i_mumble(), causing
OpenSSL to clobber the previous cert or key. Viktor Dukhovni.
tls/tls_dane.c.
Robustness: check that TLSA-supplied certs have valid keys.
It is not clear whether that check is performed in d2i().
Viktor Dukhovni. tls/tls_dane.c.
20130608
Cleanup (DANE support): be more explicit in the logging of
object digests. Viktor Dukhovni. tls/tls_dane.c.
20100613
Workaround: unhelpful down-stream maintainers fail to install
the new smtpd_relay_restrictions safety net, causing breakage
that could have been avoided. We now hard-code the safety
net instead. Files: global/mail_params.h, conf/post-install,
RELEASE_NOTES_2.10.
Bugfix (DANE support): when TLSA records are insecure,
report that none are found. Viktor Dukhovni. Files:
posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
tls/tls_dane.c.
20130615
TLS Interoperability: turn on SHA-2 digests by force. This
improves interoperability with clients and servers that
deploy SHA-2 digests without the required support for
TLSv1.2-style digest negotiation. Based on patch by Viktor
Dukhovni. Files: tls/tls_client.c, tls/tls_server.c.
20130616
Workaround: The Postfix SMTP server TLS session cache was
broken because OpenSSL now enables session tickets by
default, resulting in a different ticket encryption key for
each smtpd(8) process. The workaround turns off session
tickets. In 2.11 we'll enable session tickets properly.
Viktor Dukhovni. File: tls/tls_server.c.
Updated DANE support (trust in DNS instead of PKI). With
OpenSSL 1.0.2 (under development) trusted certificates don't
need to be self-signed roots. Otherwise we use an ephemeral
root certificate to sign the trust anchor. Viktor Dukhovni.
Files: posttls-finger/posttls-finger.c, smtp/smtp_proto.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
tls/tls_dane.c, tls/tls_fprint.c, tls/tls_misc.c,
tls/tls_verify.c.
20130619
Documentation: troff lint. Patch by ES Raymond's bot. File:
proto/header_checks.
Cleanup: enforce smtpd_client_recipient_rate_limit for VRFY
commands. File: smtpd/smtpd.c.
20130622
Bugfix: typo in the 20130613 smtpd_relay_restrictions default
setting. File: global/mail_params.h.
20130623
Cleanup: configurable tlsmgr(8) service name. Files:
mantools/postlink, proto/postconf.proto, tls/tls_mgr.c,
tls/tls_misc.c, tlsproxy/tls-proxy.c, smtp/smtp.c,
smtpd/smtpd.c.
20130629
Cleanup: documentation. Files: proto/CONNECTION_CACHE_README.html,
proto/SCHEDULER_README.html.
20130708
Cleanup: postscreen_upstream_proxy_protocol setting. Files:
global/mail_params.h, postscreen/postscreen_endpt.c.
20130709
Cleanup: qmgr documentation clarification by Patrik Rak.
Files: proto/SCHEDULER_README.html, qmgr/qmgr_job.c.
Cleanup: re-indented code. File: qmgr/qmgr_job.c.
Logging: minimal DNAME support. Viktor Dukhovni. dns/dns.h,
dns/dns_lookup.c, dns/dns_strtype.c, dns/test_dns_lookup.c.
20130710
Workaround: smtp_connection_reuse_count_limit (default 0,
i.e. unlimited) for sites that must deal with hostile
connection reuse policies. The documentation comes with a
warning that this feature introduces a "fatal attractor"
failure mode. Files: global/mail_params.h, mantools/postlink,
proto/postconf.proto, smtp/smtp.c, smtp/smtp_params.c,
smtp/lmtp_params.c, smtp/smtp.h.
Workaround: FreeBSD9 nroff outputs ANSI escape sequences
instead of overstrike sequences. To make matters worse, it
uses the ESC[0m sequence sometimes for end-of-bold and
sometimes for end-of-italic. File: mantools/man2html.
20130714
Cleanup: added smtpd_relay_restrictions entries to the
default master.cf file, so that main.cf settings won't
affect the submission and smtps services. Simon Matter.
File: conf/master.cf.
20130728
Cleanup: wrong function name in error message. John Fawcett.
File: util/vstring_vstream.c.
20130801
Cleanup: with ``make makefiles CCARGS="-DHAS_DB...'', the
makedefs script no longer tries to locate the Linux Berkeley
DB include and library files. Instead it assumes that the
locations are given on the command line, as shown in the
DB_README examples. Leo Baltus. File: makedefs.
20130805
Documentation: clarified reject_non_fqdn_helo_hostname.
File: proto/postconf.proto.
20130809
Cleanup: the lmdb_map_size parameter is now a long integer.
Howard Chu. Files: global/mail_params.[hc].
20130815
Documentation: added pointer to Dovecot 2 configuration.
File: proto/SASL_README.html.
20130818
Update: LMDB client updated to LMDB 0.9.7, which hopefully
fixes the unrecoverable "transaction full" error. With a
new MDB_MAP_FULL workaround by Howard Chu that ensures that
postfix will make progress as long as the disk is not full.
File: util/dict_lmdb.c.
20130822
The status of LMDB databases is "not recommended". Unlike
other Postfix databases, LMDB does not grow beyond a specified
limit even when the file system has room. This show-stopper
bug breaks applications whose requirements grow with load:
postscreen(8), greylisting, tlsmgr(8) and verify(8).
20130825
Bitrot: Arrange for shared keys in SMTP server session
tickets. Otherwise, with clients that enable session
tickets, the SMTP session cache is per-process and largely
ineffective. Older releases should add SSL_OP_NO_TICKET
to the SSL options bit mask in the SMTP server only. The
session ticket key validity interval (sum of initial issuing
and retired key validation intervals) must not exceed the
SSL session lifetime. Otherwise, clients may send valid
tickets for expired sessions, which the OpenSSL server code
mishandles (does not send a replacement ticket, patch
pending...).
We set the session lifetime to 2 times the configured cache
lifetime which is also the ticket issuing and retired
validation lifetime, so ticketed sessions last 1 to 2 times
the configured session lifetime and never longer than a
session's expiration time.
Code by Viktor Dukhovni. Files: .indent.pro, mantools/postlink,
proto/TLS_README.html, proto/postconf.proto, global/mail_params.h,
posttls-finger/posttls-finger.c, posttls-finger/tlsmgrmem.c,
smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_mgr.c,
tls/tls_mgr.h, tls/tls_scache.c, tls/tls_scache.h,
tls/tls_server.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c.
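A small model of the timing rule in the session ticket entry above, as an added example (not Postfix or OpenSSL code): it counts the cases where a retired key still decrypts a ticket whose session has already expired. The fixed rotation schedule, the integer clock and all names are assumptions of this model.

```c
#include <stdio.h>

typedef struct {
    long    key_born;   /* when the key that encrypted the ticket was generated */
    long    sess_born;  /* when the TLS session was created */
} TICKET;

/* Assumption of this model: a fresh key is generated every T seconds. */
static TICKET issue_ticket(long now, long T)
{
    TICKET  t;

    t.key_born = (now / T) * T;
    t.sess_born = now;
    return t;
}

/*
 * A key issues tickets for T seconds, then stays retired for another T
 * seconds during which it still decrypts: 2T of validity in total.
 */
static int key_accepts(const TICKET *t, long now, long T)
{
    return now >= t->sess_born && now < t->key_born + 2 * T;
}

static int session_alive(const TICKET *t, long now, long sess_life)
{
    return now < t->sess_born + sess_life;
}

/*
 * Count the (issue time, presentation time) pairs in which the key ring
 * would accept a ticket for a session that has already expired.
 */
long stale_accepts(long T, long sess_life, long horizon)
{
    long    issued, now, n = 0;

    for (issued = 0; issued < horizon; issued++) {
        TICKET  t = issue_ticket(issued, T);

        for (now = issued; now < issued + 3 * T; now++)
            if (key_accepts(&t, now, T) && !session_alive(&t, now, sess_life))
                n++;
    }
    return n;
}

/* Seconds for which a ticket issued at `issued` can resume its session. */
long usable_for(long issued, long T, long sess_life)
{
    TICKET  t = issue_ticket(issued, T);
    long    now = issued;

    while (key_accepts(&t, now, T) && session_alive(&t, now, sess_life))
        now++;
    return now - issued;
}

int main(void)
{
    long    T = 60;     /* constructed cache lifetime, in seconds */

    printf("session lifetime 2T: %ld stale accepts\n", stale_accepts(T, 2 * T, 600));
    printf("session lifetime  T: %ld stale accepts\n", stale_accepts(T, T, 600));
    printf("ticket usable for %ld to %ld seconds\n",
           usable_for(T - 1, T, 2 * T), usable_for(0, T, 2 * T));
    return 0;
}
```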
Robustness: Search for TLSA RRs at the resolved server name
(rname) and failing that request server name (qname), and
use whichever was found as the TLSA base domain for certificate
matching.
When we find a DNSSEC validated MX RRset, and the initial
next-hop domain is a CNAME, include both the initial and
final (the one with the actual MX RRs) domains in the list
of valid server certificate names.
When we find no MX records, then the initial next-hop domain
is obtained securely from the recipient domain or transport
next-hop. Without MX records, this is a destination hostname,
so we should generally do a TLSA lookup. If however the
address lookup yields an insecure result, and its rname is
equal to its qname (no CNAMEs), we reasonably assume that
its child "_port._tcp" sub-domain is likewise insecure
(security here would require DLV just for this sub-domain).
This allows us to skip futile TLSA queries for most non-MX
destinations (those that are in insecure zones and are not
CNAMEs). This heuristic can be disabled by setting the new
main.cf parameter smtp_tls_force_insecure_host_tlsa_lookup
to "yes", the default is "no".
Finally, with MX hostnames, if the MX RRset is secure, we
look for TLSA RRs at the qname only when the MX host is an
alias with an insecure rname. If both the qname and the
rname are secure, as before we prefer the rname, but when
nothing is found there, fall back to the qname.
Code by Viktor Dukhovni. Files: mantools/postlink,
proto/postconf.proto, src/global/mail_params.h,
src/posttls-finger/posttls-finger.c, src/smtp/lmtp_params.c,
src/smtp/smtp.c, src/smtp/smtp.h, src/smtp/smtp_addr.c,
src/smtp/smtp_addr.h, src/smtp/smtp_connect.c,
src/smtp/smtp_params.c, src/smtp/smtp_tls_policy.c,
src/tls/tls.h, src/tls/tls_dane.c.
20130826
Documentation: re-ordered STRESS_README, now that all
supported releases have stress-adaptive behavior built in.
File: proto/STRESS_README.html.
20130903
Cleanup: made the default_database_type compile-time
configurable. Files: util/sys_defs.h, makedefs, proto/INSTALL.
20130916
Feature: reject_known_sender_login_mismatch, which applies
reject_sender_login_mismatch only to MAIL FROM addresses
that are known in $smtpd_sender_login_maps. Viktor & Wietse.
Files: mantools/postlink, proto/SASL_README.html,
proto/postconf.proto, global/mail_params.h, smtpd/smtpd_check.c.
20130927
Cleanup: no more LMDB "database full" errors. Postfix now
requires LMDB >= 0.9.8 which supports on-the-fly database
resizing. When a database becomes full, its size limit is
automatically doubled, and other processes automatically
pick up the new database size limit. Files: util/dict.h,
util/dict_open.c, util/dict_alloc.c, util/dict_lmdb.c,
postmap/postmap.c, postalias/postalias.c, proto/LMDB_README.html,
proto/postconf.proto.
20130928
Cleanup: the lmdb_max_readers property is now configurable.
This is a hard limit built into the OpenLDAP library that
causes requests to fail when the number of open read
transactions exceeds the limit. When this happens the LMDB
client logs an MDB_READERS_FULL warning and continues with
reduced performance. Files: util/dict_lmdb.c, util/dict_lmdb.h,
global/mail_params.h, global/mail_params.c, proto/postconf.proto,
proto/LMDB_README.html.
20130929
Security violation: LMDB opens files with read/write access
for lock management purposes. This gives unprivileged
daemon processes read/write file handles for root-owned
files under /etc/postfix. This also breaks when a non-root
process needs to access a root-owned database. Even if
LMDB lock files were world-writable, and kept in a dedicated
directory, they would still violate the principle of least
privilege. For all these reasons, support to create LMDB
files is removed from the postmap and postalias commands.
LMDB files can still be created by unprivileged Postfix
daemon processes under the postfix-owned data_directory.
Files: proto/LMDB_README.html, global/mkmap.c.
20131001
Cleanup: LMDB support is forbidden due to problems with
LMDB lock management. These problems hinder error recovery
in multi-programmed systems, and prohibit database sharing
between privileged writer processes and unprivileged reader
processes.
20131009
Documentation: inet_protocols description was not updated
when smtp_address_preference was added. File: proto/postconf.proto.
20131013
Documentation: why postscreen(8) uses hash-table lookups
instead of direct pointers to find the DNSBL lookup result
for a specific session. File: postscreen/postscreen_early.c.
20131022
Cleanup: add more &code; to postconf2man. Someone has been
writing documentation without checking the result. File:
mantools/postconf2man.
Documentation: in the discard(8) manpage, the reason is not
a host or domain name. File: discard/discard.c.
20131025
Documentation: specify the expected result format with
"list" tables. File: proto/DATABASE_README.html.
20131026
Future proofing: API changes in the PCRE library. File:
util/dict_pcre.c.
20131028
Feature: check_sasl_access to block hijacked logins. Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
smtpd/smtpd_check.c, smtpd/smtpd_dsn_fix.h.
20131029-31
Cleanup: slmdb(3) simplified LMDB API that hides recoverable
LMDB errors from applications so that they can focus on
their own job. Files: util/slmdb.[hc].
Cleanup: LMDB functionality restored, after elimination of
1) world-writable lockfiles, 2) hard limits on the number
of concurrent readers, and 3) hard-coded database file inode
numbers in lockfiles that can prevent automatic crash
recovery. Files: proto/LMDB_README.html, proto/postconf.proto,
mantools/postlink, util/dict_lmdb.c.
20131101
Cleanup: restore ability to build without LMDB support;
further slmdb API streamlining. Files: util/slmdb.[hc],
util/dict_lmdb.c.
Bugfix: uninitialized variable. File: util/slmdb.c.
Documentation: added SASL_README example for check_sasl_access.
File: proto/SASL_README.html.
20131102-3
Security violation: by default, LMDB 0.9.9 writes uninitialized
heap memory to a world-readable database file, as chunks
of up to 4096 bytes. This is a huge memory disclosure
vulnerability: memory content that a program does not intend
to share ends up in a world-readable file. The content of
uninitialized heap memory depends on program execution
history. That history includes code execution in other
libraries that are linked into the program.
This is a problem whenever the user who writes the database
file differs from the user who reads the database file. For
example, a privileged writer and an unprivileged reader.
In the case of Postfix, the postmap(1) and postalias(1)
commands would leak uninitialized heap memory, as chunks
of up to 4096 bytes, from a root-privileged process that
writes to a database file, to unprivileged processes that
read from that database file.
To work around this problem the postmap(1) and postalias(1)
commands disable the use of malloc() in LMDB. However, that
does not address several disclosures of stack memory. Other
Postfix databases do not need this workaround: those databases
are maintained by Postfix daemon processes, and are accessible
only by the postfix user. File: util/dict_lmdb.c.
20131102-3
Cleanup: expand TAB characters when generating documentation.
This was primarily an issue with non-HTML output, but it does
not hurt to do this also for HTML. Files: proto/Makefile.in,
proto/MULTI_INSTANCE_README.html.
20131104
Feature: ${queue_id} macro support for the pipe(8) delivery
agent by Andreas Schulze. File: pipe/pipe.c.
20131107
Cleanup: after 16 years the SKIP() and TRIM() macros were
triggering compiler warnings. Files: global/mail_params.c,
smtpstone/smtp-sink.c, util/mac_parse.c, util/split_nameval.c.
20131110
Bugfix (introduced Oct 26 1997): don't clobber errno before
expanding %m. File: util/vbuf_print.c.
20131114
Cleanup: LMDB >= 0.9.10 does not need the MDB_WRITEMAP
workaround to avoid heap memory information leaks. File:
util/dict_lmdb.c.
20131114
Cleanup: Coverity found a harmless memory leak in the
postconf master.cf parser. Reported by Christos Zoulas,
NetBSD. File: postconf/postconf_master.c.
Cleanup: graceful degradation after database open() error.
Several instances of that code introduced a harmless memory
leak, and Coverity complained about one of them (Christos
Zoulas, NetBSD). Instead of adding random code in random
places, restructured dict_foo_open() routines with consistent
code to dispose of memory or file handles. Files: dict_thash.c,
dict_sockmap.c, dict_regexp.c, dict_pcre.c, dict_lmdb.c,
dict_dbm.c, dict_cidr.c, dict_cdb.c.
Cleanup: warning message after canonical/virtual/etc.
table lookup error. Files: cleanup/cleanup_addr.c,
cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
cleanup/cleanup_masquerade.c, cleanup/cleanup_message.c,
cleanup/cleanup_milter.c.
20131116
Feature: MySQL client support for option_file, option_group,
tls_cert_file, tls_key_file, tls_CAfile, tls_CApath,
tls_verify_cert. See mysql_table(5). Code by Gareth Palmer.
Files: proto/mysql_table, global/dict_mysql.c.
Cleanup: DANE support. Keep the attributes of TA certificates
obtained via "IN TLSA 2 0 X" RRs, while continuing to only
use the key from "IN TLSA 2 1 X" RRs. This means in the
"2 0 X" case that we re-sign the TA certificate in place,
rather than synthesize a vanilla cert around just the key.
Viktor Dukhovni. File: tls/tls_dane.c.
Bugfix: posttls-finger parsing of destination and optional
match values. Viktor Dukhovni. File:
posttls-finger/posttls-finger.c.
Cleanup: When wrap_signed is false (OpenSSL 1.0.2 some day),
we don't have to sign trust anchors, and don't generate a
key to do so. Thus don't attempt to re-sign trust-anchor
certificates (IN TLSA 2 0 X) in this case. Viktor Dukhovni.
File: tls/tls_dane.c.
Feature: configurable DANE digest algorithm priority. Use
only the most-preferred, shared, digest algorithm for any
given (usage, selector) combination. Viktor Dukhovni.
mantools/postlink, proto/postconf.proto, global/mail_params.h,
tls/tls_dane.c, tls/tls_misc.c.
Bugfix: FreeBSD nroff workaround messed up. File:
mantools/postlink.
20131118
Cleanup: FreeBSD nroff workaround. Files: man/Makefile.in,
proto/Makefile.in.
Cleanup: the smtpd_proxy_filter client now sends QUIT before
closing the connection to a content filter. Files:
smtpd/smtpd_proxy.c, smtpd/smtpd.c.
Portability: C99 va_copy() compatibility, in case some
implementation does not permit multiple va_start() calls
on the same argument list. Files: global/memcache_proto.c,
milter/milter8.c, smtpstone/smtp-source.c, util/attr_clnt.c,
util/concatenate.c, util/dict_surrogate.c, util/netstring.c,
util/compat_va_copy.h.
Cleanup: comment formatting. Viktor Dukhovni. File: dns/dns.h.
Cleanup: removed redundant sort operation. Viktor Dukhovni.
File: tls/tls_dane.c.
20131119
Feature: a Postfix LMDB database can now be used as shared
persistent cache with multiple postscreen(8) or verify(8)
daemons (but not both), without the need for a shared
proxymap server. Files: util/dict.h, util/dict_alloc.c,
util/dict_open.c, util/dict_lmdb.c.
Internal: DNS client support to report reply RCODE information,
in addition to the simplified DNS_NOTFOUND, DNS_RETRY etc.
Portability note: this requires the C99 __VA_ARGS__ feature.
Files: dns/dns.h, dns/dns_lookup.c, dns/test_dns_lookup.c.
20131120
Cleanup: reduced the code footprint for the LMDB < 0.9.10
heap-to-file information leak workaround, and simplified
the implementation to "good enough". Files: util/dict.h,
util/dict.c, util/dict_lmdb.c, postalias/postalias.c,
postmap/postmap.c.
Cleanup: reduced the code footprint for the handling of
multi-writer safe maps. A map only needs to assert that it
is multi-writer safe, and the rest just happens. Files:
util/dict.h, util/dict_open.c, util/dict_lmdb.c,
global/dict_memcache.c.
Cleanup: Postfix daemons no longer restart when a multi-writer
safe map is updated. File: util/dict.c.
Documentation: sharing an LMDB cache between multiple
verify(8) or postscreen(8) servers (but not both). Files:
proto/ADDRESS_VERIFICATION_README.html,
proto/POSTSCREEN_README.html.
Cleanup: improve suppression of TLSA lookups in insecure
zones. This is now applied not only to non-MX destinations,
but also to each MX record. Viktor Dukhovni. Files:
src/posttls-finger/posttls-finger.c, src/smtp/smtp_tls_policy.c,
src/tls/tls.h, src/tls/tls_dane.c.
Workaround: increased the 5s connection timeout to 30s.
Viktor Dukhovni. File: posttls-finger/posttls-finger.c.
20131121
Documentation: new socketmap_table(5) and lmdb_table(5)
manpages. Files: mantools/postlink, conf/postfix-files,
html/Makefile.in, man/Makefile.in, proto/DATABASE_README.html,
postconf/postconf.c, proto/socketmap_table, proto/lmdb_table.
20131122
Documentation: missing database hyperlinks, refined text
about partial lookup keys. Files: mantools/postlink,
proto/DATABASE_README.html, proto/lmdb_table,
proto/socketmap_table.
20131123
Feature: support for NOTIFY parameter in the Milter
SMFIR_ADDRCPT_PAR request. Contributed by Andrew Ayer.
Wietse added support for ORCPT. Files: cleanup/cleanup.h,
cleanup/cleanup_milter.c, cleanup/cleanup_state.c,
global/xtext.c, global/xtext.h, milter/test-milter.c.
20131122
Feature: "postconf -Fe service/type/attribute = value" edits
master.cf attribute values. The -e is optional. Example:
use "postconf -F '*/*/chroot = n'" to turn off chroot on all
master.cf services. Files: postconf/postconf.h,
postconf/postconf.c, postconf/postconf_master.c,
postconf/postconf_edit.c.
20131124
Cleanup: remove extra blank line from ccformat output,
making it compatible with the script that Wietse actually
uses (this line was part of a test to detect file truncation,
but it is now obsolete). File: mantools/ccformat.
Feature: master.cf parameter namespace. "postconf -P" shows
master.cf parameter settings as "service/type/parameter =
value". This is applicable only to parameter settings in
master.cf. Files: postconf/postconf.h, postconf/postconf.c,
postconf/postconf_master.c, postconf/postconf_print.c.
Incompatibility: the master_service_disable syntax has
changed: use "service/type" instead of "service.type". The
new form is consistent with master.cf parameter namespaces.
The old form is still supported to avoid breaking existing
configurations. Files: global/master_service.c,
master/master_ent.c.
20131125
Feature: change, add or delete "-o parameter=value" setting
in master.cf. Examples: "postconf -P smtp/inet/parameter=value"
(add or modify "-o name=value" setting) and "postconf -P
smtp/inet/parameter" (delete "-o parameter=value" setting).
Files: util/argv.[hc], postconf/postconf.h,
postconf/postconf_edit.c, postconf_master.c.
20131126
Cleanup: Leave SSLv3 enabled with DANE. Viktor Dukhovni.
Files: proto/TLS_README.html proto/postconf.proto
tls/tls_client.c.
Cleanup: DANE support: Drop support for usage 0. It SHOULD
NOT be supported in DANE with SMTP, and we already don't
support digest TLSA RRs in this case, while full content
TLSA RRs are not recommended for DNS bloat reasons. Viktor
Dukhovni. Files: proto/postconf.proto src/global/mail_params.h
src/smtp/smtp.c src/tls/tls_dane.c src/tls/tls_misc.c.
Feature: TLS support: Support future digest algorithms
without re-compilation. Viktor Dukhovni. Files: .indent.pro
proto/postconf.proto src/tls/tls_dane.c.
Feature: DNS support: New configurable digest agility.
Viktor Dukhovni. Files: .indent.pro proto/TLS_README.html
proto/postconf.proto src/global/mail_params.h src/tls/tls_dane.c
src/tls/tls_misc.c.
20131127
Bugfix (introduced: 20090106): the postconf '-#' option
erased prior options. File: postconf/postconf.c.
20131129
Bugfix: Makefile example in MULTI_INSTANCE_README. Viktor
Dukhovni. File: proto/MULTI_INSTANCE_README.html.
20131130
Cleanup: simplify fingerprint security level implementation
in new DANE code. Viktor Dukhovni. Files: src/tls/tls.h
src/smtp/smtp_tls_policy.c src/tls/tls_dane.c
src/posttls-finger/posttls-finger.c.
20131209
Cleanup: safe_strtoul() did not report an error for empty
or all-space input (the code to report this was in the wrong
place). This was not a problem as long as safe_strtoul()
was used only for output from safe_ultostr(). Files:
global/safe_ultostr.c, global/safe_ultostr.in,
global/safe_ultostr.ref.
20131210
Documentation: updated description of SSL protocol controls.
In particular, enabled protocols are part of a contiguous
range. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.
Bugfix: DANE support: handle OpenSSL memory allocation
error. Viktor Dukhovni. File: tls/tls_dane.c.
Cleanup: LMDB_README was not installed. File: conf/postfix-files.
20131214
Portability: on some platforms posttls-finger now requires
explicitly linking libdl. File: posttls-finger/Makefile.in.
Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
File: tls/tls_dane.c.
Bugfix: DANE support: the wrap_cert() and wrap_key() calls
should never fail, but some callers ignored the return
value. The only failure is for lack of memory, so we use
msg_fatal() internally and change wrap_cert() and wrap_key()
to return void. Viktor Dukhovni. File: tls/tls_dane.c.
Bugfix: DANE support: avoid making DANE certificates with
replaced public-keys appear as if they were self-signed.
Viktor Dukhovni. File: tls/tls_dane.c.
Cleanup: DANE support: simplify grow_chain() to always apply
trust consistently. Viktor Dukhovni. File: tls/tls_dane.c.
Bugfix: DANE support: backport fixes from OpenSSL DANE
testing. Discard errors generated by raw TA key signature
checks. Record the tadepth as zero with self-signed depth
0 TAs. Robustness: Though it should never happen, don't
update the tadepth if already set. Viktor Dukhovni. Files:
tls/tls_dane.c, tls/tls_server.c.
20131215
Cleanup: OpenSSL "const" declarations have changed over
time. Viktor Dukhovni. Files: src/tls/tls.h, src/tls/tls_client.c,
src/tls/tls_dane.c, src/tls/tls_server.c.
20131216
Cleanup: TLS support. Eliminate calls of deprecated functions
before they are removed from OpenSSL. CRYPTO_thread_id is
deprecated and we don't need it. Replace the deprecated
ERR_remove_state() call with ERR_remove_thread_state(), and
use RSA_generate_key_ex(). Viktor Dukhovni. Files:
posttls-finger/posttls-finger.c, tls/tls_misc.c, tls/tls_rsa.c.
Cleanup: DANE support: Reduce #ifdef clutter to improve
readability and maintainability. Viktor Dukhovni. File:
tls/tls_dane.c.
Future proofing: Tolerate disappearance of named bug-workaround
bits without invalidating user configurations. When support
for a bug workaround is removed from OpenSSL, the corresponding
bit is defined as zero (i.e. NOOP) instead of causing
programs to break. Viktor Dukhovni. File: tls/tls_misc.c.
20131217
Portability: RSA_generate_key_ex() is not available on all
supported platforms, so this change is made conditional.
Enforce that this function will be used only for creating
a 512-bit ephemeral RSA key. Viktor Dukhovni. File:
tls/tls_rsa.c.
20131218
Documentation: new document FORWARD_SECRECY_README that
describes how different versions of Postfix >= 2.2 implement
"perfect" forward secrecy. Viktor Dukhovni. File:
proto/FORWARD_SECRECY_README.html, proto/Makefile.in,
conf/postfix-files, html/index.html.
20131219
Cleanup: renamed postconf(1) internal identifiers according
to a consistent scheme, to avoid future name conflicts as
Postfix evolves. This is a no-feature change. Files:
postconf/*.[hc], postconf/extract.awk.
Documentation: linearized the order of exposition in
FORWARD_SECRECY_README. File: proto/FORWARD_SECRECY_README.html.
20131220
Bugfix: DANE support: segfault. Viktor Dukhovni. File:
tls/tls_dane.c.
Documentation: typo in SASL_README. Patrick Ben Koetter.
File: proto/SASL_README.html.
Documentation: increased the *.[0-9].html manpage width
from the historical 65 columns to the more contemporary 78
columns, and future-proofed the pattern that eliminates
redundant text from the "README FILES" section. Files:
mantools/postlink, mantools/man2html, man/Makefile.in.
Documentation: misc manual page cleanups. Files:
postconf/postconf.c, postmulti/postmulti.c.
20131221
Testbed: TLS support. Viktor Dukhovni. Files: tls/Makefile.in,
tls/tls_dane.c, tls/tls_dane.sh, tls/tls_mgr.c, .indent.pro.
Documentation: added section on how to verify that forward
secrecy works. File: proto/FORWARD_SECRECY_README.html.
20131222
Documentation: forward secrecy, with feedback from Adam
Shostack. Viktor Dukhovni and Wietse Venema. File:
proto/FORWARD_SECRECY_README.html.
20131224
Feature: smtpd_sasl_service (until now, this was hard-coded
internally as "smtp"). On request by Michal (sksoft.cz).
Files: global/mail_params.h, proto/postconf.proto,
mantools/postlink, smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c.
Documentation: updated example to Dovecot version 2 syntax.
File: proto/SASL_README.html.
20131228
Cleanup: DANE support: test script. Viktor Dukhovni. File:
tls/tls_dane.sh.
Debugging: test driver for LMDB debugging and stress testing.
Shockingly, LMDB terminates the postscreen daemon without
logfile record. File: util/dict_cache.c.
20140102
Bugfix: close the LMDB database cursor's read transaction
before writing with MDB_NOLOCK and before changing the
database memory map size. File: util/slmdb.c.
20140103
Cleanup: eliminated data duplication from the new SMTP_ITERATOR
structure to the old SMTP_SESSION structure. The SMTP_ITERATOR
structure now maintains the sole copy. Files: smtp/smtp.h,
smtp_sasl_auth_cache.c, smtp_reuse.c, smtp_sasl_glue.c,
smtp_rcpt.c, smtp_session.c, smtp_chat.c, smtp_proto.c,
smtp_connect.c.
20140104
Feature: support for optional configuration files
"$daemon-directory/postfix-files.d/*". These are processed
in sorted order after "$daemon-directory/postfix-files".
This avoids breaking "postfix set-permissions" etc. when a
Postfix distribution comes in multiple packages. File:
conf/post-install.
20140107
Feature: LMDB 0.9.11 allows Postfix daemons to log an LMDB
error message, instead of falling out of the sky without
any notification. Files: util/slmdb.[hc], util/dict_lmdb.c.
20140108
Bugfix: every Postfix LMDB transaction is now protected by
an external lock for its entire life time. File: util/slmdb.c.
20140109
Cleanup: turn off DNSSEC lookup after CNAME redirection to
an insecure zone. This is an optimization for resolvers
that do not automatically resolve CNAME chains. Viktor
Dukhovni. File: dns/dns_lookup.c.
Cleanup: do not salt the SMTP TLS policy lookup cache key
with the DNSSEC status. The DNSSEC status will not change
when the same nexthop/host pair is looked up repeatedly.
Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
Robustness: Suppress TLSA lookups only when the qname zone
is insecure, not just because the rname zone is insecure.
This requires an extra T_CNAME lookup for the qname, since
nameservers are often "too helpful" and report CNAME records
together with the CNAME targets. When the targets are
insecure the whole reply is marked as insecure. Viktor
Dukhovni. File: tls/tls_dane.c.
Cleanup: Unify/simplify reporting of configuration or other
conditions that prevent DANE security. Viktor Dukhovni.
Files: global/dsn_buf.[hc], tls/tls_dane.c, smtp/smtp_tls_policy.c.
20140110-15
Miscellaneous documentation cleanups.
20140116
Workaround: prepend "-I. -I../../include" to CCARGS, to
avoid name clashes with non-Postfix header files. File:
makedefs.
20140125
Cleanup: assorted documentation glitches.
20140209
Workaround: the Postfix SMTP client now also falls back to
plaintext when TLS fails after the TLS protocol handshake.
Files: smtp/smtp.h, smtp/smtp_connect.c, smtp/smtp_trouble.c.
Testbed: unsupported HANGUP access map action that drops
the connection without responding to the remote SMTP client.
File: smtpd/smtpd_check.c.
20140214
Workaround: apparently some buggy kernels report WIFSTOPPED
events to the parent process (master daemon) instead of the
tracing process (e.g., gdb). File: master/master_spawn.c.
20140218
Workaround: require that a queue file is older than
$minimal_backoff_time, before falling back from failed TLS
to plaintext (both during or after the TLS handshake).
Viktor Dukhovni. Files: smtp/smtp.h, smtp/smtp.c,
smtp/lmtp_params.c, smtp/smtp_params.c.
20140220
Workaround: in case "minimal_backoff_time = $queue_run_delay".
Files: smtp/smtp.c, smtp/smtp_params.c, smtp/lmtp_params.c.
Cleanup: consolidate the code to log the start of a new
mail transaction in one place, so that code can easily be
added to log TLS status information in addition to the
existing client and SASL status information. Files:
smtpd/smtpd_sasl_proto.h, smtpd/smtpd_sasl_proto.c,
smtpd/smtpd.c.
20140223
Workaround: when a session breaks after the TLS handshake,
do not fall back from TLS to plaintext when all recipients
were deferred or rejected during the TLS phase. Files:
smtp/smtp.h, smtp/smtp_rcpt.c.
Logging: the TLS client logged that an "Untrusted" TLS
connection was established instead of "Anonymous". Viktor
Dukhovni. File: tls/tls_client.c.
Documentation: new self-signed certificate example and
updated private CA example. File: proto/TLS_README.html.
20140224
Bugfix (introduced: 20061106): when the "retry" transport
was added to Postfix, it was not given special status like
the "error" transport. The Postfix SMTP server did not defer
mail that resolves to the "retry" transport, and the
trivial-rewrite daemon would override the null nexthop
destination in "retry:" with the current nexthop destination.
Files: smtpd/smtpd_check.c, trivial-rewrite/transport.c.
20140227
Bugfix: Enforce TLS when TLSA records exist, but all are
unusable; Don't leak dane handle when all TLSA records are
unusable. Viktor Dukhovni. File: smtp/smtp_tls_policy.c.
Cleanup: log TLS policy lookup errors as warnings. Viktor
Dukhovni. File: smtp/smtp_connect.c.
20140316
Feature: preliminary support to change arbitrary hard
delivery errors into soft errors and vice versa, or to
replace the descriptive text of non-delivery notifications.
This was originally introduced for sites that want to bounce
mail when no remote SMTP server announces TLS support. New
parameters: {default,smtp,pipe,virtual}_bounce_defer_filter.
Files: proto/postconf.proto, mantools/postlink, global/bounce.[hc],
bounce/defer.[hc], global/ndr_filter.[hc], global/mail_params.[hc],
master/event_server.c, master/multi_server.c,
master/single_server.c, master/trigger_server.c, smtp/smtp.c,
pipe/pipe.c, virtual/virtual.c.
20140317
Feature: local_bounce_defer_filter support. Files:
global/bounce.[hc], global/defer.[hc], local/command.c,
local/file.c, local/bounce_workaround.c, local/local.c,
global/mail_params.h, mantools/postlink.
20140318
Refinement: don't throttle an SMTP destination when the new
smtp_bounce_defer_filter feature turns a soft bounce into
a hard bounce. File: smtp/smtp_trouble.c.
20140320
Feature: support to replace successful delivery status code
and explanatory text. This can be used to hide local
details such as destination commands or file names when a
remote sender requests confirmation of delivery. As of now
*_bounce_defer_filter is renamed into *_delivery_status_filter.
Files: global/bounce.c, global/bounce.h, global/defer.c,
global/defer.h, global/dsn_filter.c, global/dsn_filter.h,
global/mail_params.c, global/mail_params.h, global/sent.c,
local/local.c, master/event_server.c, master/multi_server.c,
master/single_server.c, master/trigger_server.c, pipe/pipe.c,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
virtual/virtual.c, mantools/postlink.
20140322
Cleanup: code comments and identifier names to reflect the
evolution from "NDR filter" to "delivery status filter".
Files: global/mail_params.h, smtp/smtp.c, global/dsn_filter.c,
global/dsn_filter.h, local/local.c, pipe/pipe.c,
smtp/lmtp_params.c, smtp/smtp_params.c, virtual/virtual.c,
global/bounce.c.
20140323
Feature: initial merge of Debian-style dynamic linking.
Viktor Dukhovni.
20140406
Bugfix: when testing session caching, stop reconnecting
after encountering a previously-used server (when the session
is re-used or not). Viktor Dukhovni. File:
posttls-finger/posttls-finger.c.
Feature: configurable TLS session-ticket cipher (default:
tls_session_ticket_cipher = aes-128-cbc). Viktor Dukhovni
and Wietse. Files: mantools/postlink, smtpd/smtpd.c,
proto/postconf.proto, global/mail_params.h, tls/tls_misc.c,
tls/tls_scache.h, tls/tls_server.c.
20140416
Cleanup: replace "~0 << positive" with "~0U << positive"
even if we use only the lower bytes. Jeffrey Walton. File:
util/mask_addr.c.
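
Why the "U" matters, as an added example (not the code in util/mask_addr.c): "~0" is the signed int -1, and left-shifting a negative value is undefined behavior in C, while "~0U" is unsigned and shifts predictably. The function name mask_prefix and its interface are assumptions made for this illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/*
 * Keep the first network_bits bits of a network address (4 bytes for IPv4,
 * 16 bytes for IPv6, network byte order) and clear the remaining host bits.
 * Returns 0 on success, -1 when network_bits exceeds the address size.
 */
int mask_prefix(unsigned char *addr, size_t addr_len, unsigned network_bits)
{
    size_t full_bytes = network_bits / CHAR_BIT;
    unsigned partial_bits = network_bits % CHAR_BIT;

    if (network_bits > addr_len * CHAR_BIT)
        return -1;
    if (full_bytes == addr_len)
        return 0;                       /* /32 or /128: nothing to clear */

    if (partial_bits != 0) {
        /*
         * The shift count is between 1 and 7. With "~0" the left operand
         * would be the negative int -1 and the shift would be undefined;
         * with "~0U" the result is defined, and the cast keeps only the
         * low byte that is actually used.
         */
        addr[full_bytes] &= (unsigned char) (~0U << (CHAR_BIT - partial_bits));
        full_bytes++;
    }
    /* Every byte after the partially masked one is all host bits. */
    memset(addr + full_bytes, 0, addr_len - full_bytes);
    return 0;
}
```
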
20140407
Documentation: the documentation for Postfix > 2.8 TLS
activity logging was incorrect. Loglevel 0 produces no
logging. Instead, information is logged only with loglevel
1 or higher. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.
20140501
Cleanup: postscreen_dnsbl_timeout parameter. Files:
mantools/postlink, proto/postconf.proto, global/mail_params.h,
postscreen/postscreen.c, postscreen/postscreen_dnsbl.c.
Cleanup: added table search order information to the
postconf(5) manpage. File: proto/postconf.proto.
20140505
Cleanup: added a client port attribute to the policy
delegation protocol. Jernej Porenta. File: smtpd/smtpd_check.c.
20140507
Bugfix (introduced: Postfix 2.11): with connection caching
enabled (the default), recipients could be given to the
wrong mail server. Root cause: due to an incorrect predicate,
the Postfix SMTP client could save and restore plaintext
connections that should not be cached, under nonsensical
lookup keys that did not distinguish by destination. Problem
reported by Sahil Tandon, predicate error found by Viktor,
redundant connection restore request eliminated by Wietse.
File: smtp/smtp_connect.c.
Cleanup: the macros that control SMTP connection reuse
poorly reflected their purpose. "DEAD" is replaced with
"FORBIDDEN" (no I/O allowed) and "BAD" is replaced with
"THROTTLED" (anything that causes the queue manager to back
off from some destination). Files: smtp.h, smtp_connect.c,
smtp_proto.c, smtp_trouble.c.
Cleanup: enable SMTP connection cache lookup by destination
name while a surge of mail dries up. File: smtp_connect.c.
20140505
Bugfix: the postdrop authorized_submit_users feature requires
that lookup table support is initialized so that it can use
libglobal or dynamicmaps maps. File: postdrop/postdrop.c.
Cleanup: moved dynamicmaps initialization from parameter
initialization (mail_conf_suck()) to dictionary initialization
(mail_dict_init()). A benefit of this is that dynamicmaps.cf
is no longer read by programs that don't use Postfix lookup
tables. Files: global/mail_conf.[hc], global/mail_dict.c.
Cleanup: move the mail_dict_init() call after the
mail_conf_read() or mail_params_init() call, to prepare for
a configurable dynamicmaps.cf directory. Files:
master/event_server.c, master/multi_server.c,
master/single_server.c, master/trigger_server.c.
20140506
Cleanup: you can now specify "make makefiles parameter=value"
for selected compile-time parameter default overrides. The
old "make makefiles 'CCARGS=-DDEF_MUMBLE=\"mumble\"'"
approach remains supported. File: makedefs.
20140508
Cleanup: dynamicmaps.cf is now installed into $daemon_directory
because the file is shared among Postfix instances just
like postfix-files and other files. Files: conf/dynamicmaps.cf,
Makefile.in, conf/postfix-files.
Cleanup: INSTALL is now plain ASCII instead of README format,
to avoid a chicken-and-egg problem (the instructions to
print/view README-format files are in the INSTALL file).
Documentation: updated INSTALL instructions and RELEASE_NOTES.
20140512
Portability: Berkeley DB6 support. File: util/dict_db.c.
20140514
Cleanup: replace #ifdef/endif containing hard-coded calls
of dynamicmaps functions with an extension mechanism that
dynamicmaps functions invoke instead. Files: util/dict.h,
util/dict_open.c, global/dynamicmaps.[hc], global/mkmap.h,
global/mkmap_open.c.
20140515
Bugfix (introduced: 20140320): missing initialization.
Viktor Dukhovni. File: pipe/pipe.c.
Cleanup: mkmap_open() now caches a dynamically-loaded
function. This is useful because postmap/postalias may open
the same database type multiple times. Files: global/mkmap.h,
global/mkmap_open.c.
Security: the dynamicmaps.cf file and its shared-object
files must not be writable by non-root users. File:
global/dynamicmaps.c.
20140517
Cleanup: dynamic linking and hooking. Files: util/dict.h,
util/load_lib.[hc], global/dynamicmaps.c.
20140518
Preliminary "make plugins" support. Todo: macros to dynamically
remove pluggable maps from compile-time tables in dict_open.c
and mkmap_open.c, and from the OBJS lists in Makefile.in.
20140522
Support for "make shared=yes" and "make dynamicmaps=yes".
New plugin_directory parameter for the location of the
dynamicmaps.cf file and for plugins with a relative pathname.
See RELEASE_NOTES and INSTALL for details. Files: postfix.c,
mail_params.[hc], dynamicmaps.c, mail_dict.c, makedefs,
postfix-files, dynamicmaps.cf, Makefile.in, util/Makefile.in,
global/Makefile.in, postlink, postconf.proto, INSTALL.html,
RELEASE_NOTES.
20140523
Cleanup: don't install plugins for unsupported databases,
and don't make dynamicmaps.cf entries for them. Files:
makedefs, Makefile.in, util/Makefile.in, global/Makefile.in.
Cleanup: added support for symlinks where the "source" is
specified as a relative pathname. File: postfix-install.
Cleanup: moved instructions from RELEASE_NOTES to INSTALL
to avoid duplication. Files: RELEASE_NOTES, proto/INSTALL.html.
Cleanup: include unconditionally so that
dict_lmdb_map_size is always defined. Files: mail_params.c,
dict_test.c.
Cleanup: port for ancient Solaris9 revealed some non-portability.
Files: master/Makefile.in, makedefs, sys_defs.h.
20140524
Cleanup: specify database library dependencies with variables
named AUXLIBS_CDB, AUXLIBS_LDAP, etc. The global AUXLIBS
variable is still supported, but the new variables are
required when building dynamically-loadable database
plugins. Files: RELEASE_NOTES, INSTALL.html, CDB_README.html,
LDAP_README.html, LMDB_README.html, MYSQL_README.html,
PCRE_README.html, PGSQL_README.html, SQLITE_README.html,
makedefs, util/Makefile.in, global/Makefile.in.
Workaround: reportedly, MacOS can fail to move a symlink
with a relative target across file system boundaries, because
it examines the symlink with stat() instead of lstat().
Files: makedefs, Makefile.in.
Cleanup: use readlink to verify symlink target. File:
postfix-install.
20140528
Cleanup: the configuration file dynamicmaps.cf will now
automatically include files under the directory dynamicmaps.cf.d,
just like the configuration file postfix-files will
automatically include files under the directory postfix-files.d.
See INSTALL section "Building with Postfix shared libraries
and database plugins". File: dynamicmaps.c.
20140530
Cleanup: add shlib_directory and plugin_directory to the
postmulti-script list of shared parameters. Viktor Dukhovni.
File: postmulti-script.
Cleanup: to avoid "postfix set-permission" errors, don't
create postfix-files entries for non-existent database
plugins. Problem reported by Viktor. File: Makefile.in.
Bugfix: we can't use "mv" to replace a symlink-to-directory.
Instead we now create all symlinks in place. Unfortunately
the "ln -n" option is not universally implemented, so we
remove the old symlink first. Problem reported by Viktor.
File: postfix-install.
20140603
Cleanup: use the OpenSSL session id accessor (available
since OpenSSL 0.9.8 or so) instead of groping a session
object directly. Viktor Dukhovni. File: tls_server.c.
20140605
Feature: the pipe(8) daemon logs some command output after
successful delivery as "dsn=2.0.0, status=sent (delivered
via XXX service (YYY))" where XXX is the master.cf service
name, and YYY is command output. Files: pipe/command.c,
pipe.c.
20140613
Feature: the "pipeline" table implements a table pipeline.
Example "pipeline:!type_1:name_1!...!type_n:name_n". The
ASCII character after "pipeline:" will be used as the
separator between the lookup tables that follow (do not use
space, ",", ":" or non-ASCII). Each "pipeline:" query is
given to the first table. Each lookup result becomes the
query for the next table in the pipeline, and the last table
produces the final result. When any table lookup produces
no result, the pipeline produces no result. Files:
dict_pipe.[hc], dict_open.c, postlink, DATABASE_README.html,
postconf.c.
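
The lookup semantics described above, as an added example that is not the code in dict_pipe.c. The "mem:" table type, the table contents and the function names are constructed for this illustration; real tables would be opened through the Postfix dictionary interface.

```c
#include <stddef.h>
#include <string.h>

/* Constructed rows {table, key, value} standing in for real lookup tables.
 * The "mem:" table type and all contents are hypothetical. */
static const char *const rows[][3] = {
    {"mem:aliases", "postmaster", "root"},
    {"mem:aliases", "root", "admin"},
    {"mem:mailbox", "admin", "admin@example.com"},
};

/* The character after "pipeline:" separates the table names that follow;
 * space, ",", ":" and non-ASCII are refused. Returns the separator and
 * points *fields at the first table name, or returns 0 for a bad spec. */
static int field_separator(const char *spec, const char **fields)
{
    static const char prefix[] = "pipeline:";
    size_t plen = sizeof(prefix) - 1;
    unsigned char sep;

    if (strncmp(spec, prefix, plen) != 0)
        return 0;
    sep = (unsigned char) spec[plen];
    if (sep == 0 || sep == ' ' || sep == ',' || sep == ':' || sep > 127)
        return 0;
    *fields = spec + plen + 1;
    return sep;
}

/* End of the field that starts at p: the next separator or the final NUL. */
static const char *field_end(const char *p, int sep)
{
    const char *end = strchr(p, sep);

    return end != NULL ? end : p + strlen(p);
}

/* Look up key in table name[0..len-1]; *known reports whether it exists. */
static const char *table_get(const char *name, size_t len, const char *key,
                             int *known)
{
    size_t i;

    *known = 0;
    for (i = 0; i < sizeof(rows) / sizeof(rows[0]); i++) {
        if (strlen(rows[i][0]) != len || memcmp(rows[i][0], name, len) != 0)
            continue;
        *known = 1;
        if (strcmp(rows[i][1], key) == 0)
            return rows[i][2];
    }
    return NULL;
}

/* Returns 1 with the final result in out, 0 when any table has no result,
 * -1 for a malformed spec, an unknown table or a buffer that is too small. */
int pipeline_lookup(const char *spec, const char *query, char *out,
                    size_t outlen)
{
    const char *first, *p, *end, *val;
    char cur[256];
    int sep, known, count = 0;

    sep = field_separator(spec, &first);
    if (sep == 0 || strlen(query) >= sizeof(cur))
        return -1;

    /* Pass 1: reject the whole spec if any field is not a known table, so a
     * configuration error is never reported as an ordinary "no result". */
    for (p = first; *p != 0; p = (*end != 0) ? end + 1 : end) {
        end = field_end(p, sep);
        (void) table_get(p, (size_t) (end - p), "", &known);
        if (!known)
            return -1;
        count++;
    }
    if (count == 0)
        return -1;

    /* Pass 2: each lookup result becomes the query for the next table. */
    strcpy(cur, query);
    for (p = first; *p != 0; p = (*end != 0) ? end + 1 : end) {
        end = field_end(p, sep);
        val = table_get(p, (size_t) (end - p), cur, &known);
        if (val == NULL)
            return 0;
        if (strlen(val) >= sizeof(cur))
            return -1;
        strcpy(cur, val);
    }
    if (strlen(cur) >= outlen)
        return -1;
    strcpy(out, cur);
    return 1;
}
```
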
20140617
Feature: the "random" table performs random selection.
Example: "random:!result_1!...!result_n". Each table query
returns a random choice from the specified results. The
ASCII character after "random:" will be used as the separator
between the results that follow (do not use space, ",", ":"
or non-ASCII). Files: dict_random.[hc], dict_open.c,
postlink, DATABASE_README.html, postconf.c.
20140618
Cleanup: INFO action in access(5) tables, for consistency
with header/body_checks. Viktor Dukhovni. Files:
smtpd/smtpd_check.c, proto/access.
20140619
Cleanup: process LaMont Jones feedback for shared-library
and database-plugin builds. Changes: 1) move non-executable
files from $daemon_directory to the default $config_directory
(postfix-files*, dynamicmaps.cf*, main.cf.proto/master.cf.proto
for multi-instance support); 2) add foo.so -> foo.so.version
symlinks; 3) change $shlib_directory and $plugin_directory
defaults to /usr/lib/postfix to reduce sprawl. Files:
conf/main.cf.proto, conf/master.cf.proto, conf/postfix-files.proto,
conf/post-install, conf/postmulti-script, makedefs,
postfix-install, proto/INSTALL.html, global/dynamicmaps.c,
global/dynamicmaps.h, global/mail_dict.c, global/mail_params.h,
postmulti/postmulti.c.
Bugfix (introduced: 2001): qmqpd null pointer bug when it
logs a lost connection while not in a mail transaction.
Reported by Michal Adamek. File: qmqpd/qmqpd.c.
Cleanup: filter non-printable characters in X509 subject
or issuer names. Viktor Dukhovni. File: tls/tls_server.c.
20140620
Cleanup: for compliance with file system policies, some
files have been moved from $daemon-directory to the directory
specified with the new meta_directory parameter which has
the same default value as config_directory. This change
affects non-executable files that are shared among multiple
Postfix instances, such as postfix-files, dynamicmaps.cf,
and multi-instance template files.
For backwards compatibility with Postfix 2.6..2.11, specify
"meta_directory = $daemon_directory" in main.cf before
installing Postfix, or specify "meta_directory = /path/name"
on the "make makefiles", "make install" or "make upgrade"
command line.
Files: Makefile.in, RELEASE_NOTES, conf/post-install,
conf/postfix-files.proto, conf/postmulti-script, makedefs,
mantools/postlink, postfix-install, proto/INSTALL.html,
proto/postconf.proto, global/mail_params.c, global/mail_params.h,
postfix/postfix.c, postmulti/postmulti.c.
Feature: check_xxx_a_access (for xxx in client, reverse_client,
helo, sender, recipient) implements access control on all
A and AAAA IP addresses for the client hostname, helo
parameter, sender domain or recipient domain. Some spam has
sender domains with the same IP address but different MX
hosts. Files: global/mail_params.h, smtpd/smtpd_check.c,
proto/postconf.proto.
20140622
Cleanup: eliminated plugin_directory to reduce configuration
parameter sprawl. Files: Makefile.in, RELEASE_NOTES,
conf/post-install, conf/postfix-files.proto, conf/postfix-script,
conf/postmulti-script, makedefs, mantools/postlink,
postfix-install, proto/INSTALL.html, proto/postconf.proto,
global/Makefile.in, global/mail_dict.c, global/mail_params.c,
global/mail_params.h, global/mail_version.h, postfix/postfix.c,
postmulti/postmulti.c, smtpd/smtpd_check.c, util/Makefile.in.
20140623
Cleanup: eliminated the use of Postfix release versions as
file name suffixes for shared libraries, database plugins
and dynamicmaps.cf. The shared-library version suffixes
were fighting against assumptions and conventions in run-time
linkers, including the assumption that ABIs are preserved
from one version to the next. The Postfix version can now
be embedded in the shlib_directory parameter. As this is
sufficient to permit upgrade of a running Postfix system
without risking that old binaries will link against newer
shared objects, we no longer need a version suffix for
dynamicmaps.cf. Files: Makefile.in, RELEASE_NOTES,
conf/postfix-files.proto, makedefs, proto/INSTALL.html,
proto/postconf.proto, global/mail_params.h, global/mail_version.h,
20140624
Cleanup: the commands "make (makefiles|install|upgrade|package)
parameter=value" now replace the string MAIL_VERSION in a
configuration parameter value with the Postfix release
version. Unfortunately, the more obvious approach, a
parameter value with the unexpanded '$mail_version', produces
inconsistent results with different make implementations.
Files: makedefs, Makefile.in, postfix-install, proto/INSTALL.html,
proto/PACKAGE_README.html
Cleanup: postmulti now requires "postmulti -e init" before
accepting other multi-instance requests. Viktor Dukhovni.
File: conf/postmulti-script.
20140625
Kludge: moved dict_db_cache_size away from dict_db.c in
preparation for Berkeley DB database plugin support (a
similar kludge was implemented for LMDB). Files:
util/dict_db.[hc], util/dict_test.c, global/mail_params.c.
Cleanup: don't leak build directory information via SHLIB_ENV
in makedefs.out. Files: Makefile.in, conf/postfix-files.
20140626
Cleanup: construction debris. Files: Makefile.in,
conf/postfix-script.
Cleanup: replace the result of MAIL_VERSION expansion with
$mail_version in main.cf installation parameter settings,
to permit safe upgrade of a running mail system. File:
postfix-install.
Cleanup: replace the result of MAIL_VERSION expansion with
$mail_version in built-in default installation parameter
settings, for consistency with main.cf. Files: makedefs,
postfix-install, conf/post-install.
Cleanup: removed $mail_version from the default shlib_directory
value. Files: global/mail_params.h, proto/INSTALL.html.
Cleanup: in postfix-script, use find instead of ls to
determine permissions or ownership, and group some checks
with "pathname/." and "pathname/*" into one. Downside:
more warnings will now have "/./" in the middle of a pathname.
File: conf/postfix-script.
Cleanup: need to evaluate mail_version before evaluating
parameters that may contain $mail_version. File:
global/mail_params.c.
Cleanup: the postmulti command now exercises the postconf
"-x" option to expand $parameter_name in secondary-instance
parameter values. File: postmulti/postmulti.c.
Cleanup: post-install also needed to replace the result of
MAIL_VERSION expansion with $mail_version, for the same
reasons as postfix-script. Viktor Dukhovni. File:
conf/post-install.
20140627
Bugfix (introduced: 20140626) broken build and broken install
with default shlib_directory. Files: makedefs.
Bugfix (introduced: 20140627) "make install" stopped with
a bogus error when there was no real "make install name=value"
parameter override. Files: conf/post-install.
Cleanup: support MAIL_VERSION magic (see INSTALL) only at
the end of a parameter value. Files: proto/INSTALL.html
makedefs, postfix-install, conf/postfix-files.
Cleanup: use ${mail_version} as the MAIL_VERSION-unexpanded
form. Viktor Dukhovni. Files: makedefs, postfix-install,
conf/postfix-files.
20140630
Cleanup: the pipeline and random lookup tables are now
called pipemap and randmap, respectively. These names are
more specific. The old names remain available, at least
temporarily. Files: util/dict_pipe.[hc], util/dict_random.[hc],
postconf/postconf.c, mantools/postlink, proto/DATABASE_README.html.
Feature: smtpd_policy_service_request_limit to limit the
number of requests per Postfix SMTP server policy connection.
This is a workaround to avoid error-recovery delays with
policy servers that cannot maintain a persistent connection.
Based on code by Markus Benning. Files: global/mail_params.h,
mantools/postlink, proto/SMTPD_POLICY_README.html,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c,
util/attr_clnt.[hc].
20140701
Cleanup: documented how Postfix maintains dictionary
provenance. Provenance matters: for example, the owner UID
of an aliases(5) database file determines the execution
privileges for delivery to |command or /file/name. Refined
the algorithm that computes the provenance of a pipemap,
based on the provenance of its constituent lookup tables.
Files: util/dict.[hc], util/dict_pipe.c.
Cleanup: made mail_spool_directory configurable with "make
makefiles mail_spool_directory=/path/name". This allows
Postfix to be built without any pathnames that reference
system directories. This is useful for testing and sandboxing.
Files: global/mail_params.h, makedefs.
Cleanup: configurable attr_clnt(3) retry strategy (try limit
and retry delay). Files: util/attr_clnt.[hc].
Feature: control over SMTPD policy lookup error handling:
smtpd_policy_service_try_limit, smtpd_policy_service_retry_delay,
smtpd_policy_service_default_action determine how many times
to try to send a policy request before giving up, the delay
before resending a failed policy request, and a default
action when giving up. The defaults are backwards-compatible.
Files: global/mail_params.h, mantools/postlink,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_check.c.
20140709
Cleanup: bitrot in unused function. File: global/defer.c.
Cleanup: add SYSLIBS minus static libraries while building
Postfix shared-library objects. Files: makedefs, util/Makefile.in,
global/Makefile.in, dns/Makefile.in, master/Makefile.in.
20140708
Bugfix (introduced 20140701): did not restore jumpbuf while
evaluating smtpd_policy_service_default_action. Viktor
Dukhovni. File: smtpd/smtpd_check.c.
Feature: VERY PRELIMINARY support for SMTPUTF8 based on an
initial implementation by Arnt Gulbrandsen, funded by CNNIC.
This implements the syntax of SMTP commands and DSN delivery
status notifications. It does not address the problem that
the same domain name may show up in different forms: a
UTF8-encoded name with non-ASCII characters, or an IDNA-encoded
(xn--mumble) name with ASCII-only characters. This means
that access policies, mydestination, virtual_*_domains and
relay_domains will have to understand both forms in order
to provide complete coverage. For now, SMTPUTF8 support
must not be enabled except for testing.
20140710
Portability: add '-Wl,--enable-new-dtags' to the linker
command line when building with Postfix shared libraries
on Linux. Viktor Dukhovni. File: makedefs.
20140711
Background: What is SMTPUTF8 autodetection? Postfix cannot
rely solely on the sender's declaration that a message
requires SMTPUTF8 support, because UTF8 may be introduced
during local processing (for example, the client hostname
in Postfix's Received: header, adding @$myorigin or .$mydomain
to an incomplete address, address rewriting, alias expansion,
automatic BCC recipients, local forwarding, and modifications
made by header checks or Milter applications). This means
that some form of autodetection is needed to determine that a
message requires SMTPUTF8 support.
Cleanup: don't try to distinguish between UTF8 that is already
present in a message or envelope, and UTF8 that is introduced
during local processing (see above). Maintaining this
distinction is too problematic.
Cleanup: mailing list friendliness. Allow delivery of
SMTPUTF8 mail to non-SMTPUTF8 servers when a message has
no UTF8 headers, no UTF8 envelope sender, and when the
specific delivery request contains no UTF8 envelope recipient.
This is needed for mailing lists that may have a mix of
UTF8 and non-UTF8 subscriber addresses. File: global/smtputf8.h,
smtp/smtp_proto.c.
Cleanup: moved all SMTPUTF8 detection to the cleanup server,
so that it can apply equally to sendmail command-line
submission, forwarded mail, postmaster notifications,
delivery status notifications, mail received with the qmqpd
server, address verification probes, as well as UTF8
introduced during local processing (see above). Files:
cleanup/cleanup_out.c, cleanup/cleanup_addr.c.
Cleanup: store the SMTPUTF8 message (i.e. non-recipient)
flags in the first queue file record, so that the queue
manager can find the information without having to read
every queue file record. Files: cleanup/cleanup_final.c,
*qmgr/qmgr_message.c.
20140713
Interoperability: new parameter smtputf8_autodetect_classes
for selective autodetection that a message requires UTF8SMTP
support. During the initial SMTPUTF8 rollout, this is limited
by default to Postfix sendmail command-line submissions and
address verification probes. Sites that introduce UTF8
during local processing (see above) will have to enable
SMTPUTF8 autodetection for all mail sources. This feature
shares infrastructure with the older internal_filter_classes
feature. Files: bounce/bounce_notify_service.c,
bounce/bounce_notify_verp.c, bounce/bounce_one_service.c,
bounce/bounce_trace_service.c, bounce/bounce_warn_service.c,
global/int_filt.c, global/mail_proto.h, global/smtputf8.c,
local/forward.c, pickup/pickup.c, qmqpd/qmqpd.c, smtp/smtp_chat.c,
smtpd/smtpd.c, smtpd/smtpd_chat.c, verify/verify.c.
Feature: preliminary message/global support. This does not
yet parse encoded message/global (such as message/global
sent through a non-8BITMIME system). Such mail cannot yet
be inspected with header_checks. File: global/mime_state.c.
20140714
Cleanup: update the "smtputf8" delivery request flags when
VERP expansion causes a UTF8 recipient address to appear
in the envelope sender address. Files: *qmgr/qmgr_deliver.c.
Cleanup: emit the correct content transfer encoding name
when downgrading message/global as quoted-printable. File:
global/mime_state.c.
Cleanup: generate a bounce message with MIME type *global*
only when the original message requested SMTPUTF8 support.
File: bounce/bounce_notify_util.c.
Cleanup: propagate the "SMTPUTF8 support requested" flag
when bouncing a message or when forwarding a message through
a local alias or .forward file. Files: local/forward.c,
bounce/bounce_notify_util.c, src/global/post_mail.[hc], and
specify a dummy argument SMTPUTF8_FLAGS_NONE in all other
programs that invoke post_mail_fopen*(),
20140715
Cleanup: change extract_addr() API to indicate that an
address is parsed in SMTPUTF8 context. File: smtpd/smtpd.c.
Cleanup: shared-library build fixes. Viktor Dukhovni. Files:
makedefs, dns/Makefile.in, global/Makefile.in, master/Makefile.in,
tls/Makefile.in, util/Makefile.in.
First general release with SMTPUTF8 support; see RELEASE_NOTES
for an initial writeup. The last pre-SMTPUTF8 release is
snapshot 20140713.
20140716
Paranoia: validate UTF8 before exposing it to libicuuc.
File: util/midna.c.
Typo: Postfix did not warn when smtputf8_enable=yes while
UTF-8 support is not compiled in. File: global/mail_params.c.
Cleanup: hard-coded GCC dependencies. Eray Aslan. File:
makedefs.
20140717
Safety: manipulate unsigned characters while decoding.
Files: global/xtext.c, global/uxtext.c.
Infrastructure: ACE label to UTF-8 conversion. Files:
util/midna.[hc].
Infrastructure: macro expansion with printable() filter.
Files: util/mac_expand.[hc].
Feature: when expanding myhostname or mydomain in bounce
template messages, and smtputf8_enable=yes, convert ACE
(xn--mumble) labels into UTF-8. File: bounce/bounce_template.c.
20140720
Cleanup: charset selection and content-transfer encoding
in bounce messages (work in progress). The proper solution
requires separate handling of the returned-message MIME
properties and of the (boiler-plate text, delivery status)
MIME properties. File: bounce/bounce_notify_util.c.
20140722
Documentation: the TLS_README example for creating a
self-signed certificate was incomplete. Also, added
"smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1" settings
to cookbook recipes, so that TLS handshake results will be
logged. Viktor Dukhovni. File: proto/TLS_README.html.
Documentation: update Perl MIME::Base64 example. File:
proto/SASL_README.html.
Documentation: update pointer to Bennett Todd's SMTP proxy.
File: proto/SMTPD_PROXY_README.html.
20140725
Documentation: describe what features are controlled by
parent_domain_matches_subdomains, both in the description
of the controlled feature, and in the description of
parent_domain_matches_subdomains. File: proto/postconf.proto.
Cleanup: smtpd_client_event_limit_exceptions is now controlled
with parent_domain_matches_subdomains, with backwards-compatible
default (specify .example.com in order to match subdomains
of example.com). Files: smtpd/smtpd.c.
Documentation: SMTPUTF8_README, an updated version of text
that was originally part of the RELEASE_NOTES file. Files:
proto/SMTPUTF8_README.html, proto/Makefile.in, html/index.html.
20140731
Feature: the Postfix SMTP server now logs at the end of a
session how many times each SMTP command was successfully
invoked, followed by the total number of invocations if it
is different. File: smtpd/smtpd.c.
20140802
Workaround: detect mis-configuration where Postfix talks
to the Dovecot master socket instead of the Dovecot userdb
socket. Timo Sirainen. File: xsasl/xsasl_dovecot_server.c.
20140904
Logging: the MySQL client now logs a warning when a match
against the "domain" list fails due to table lookup error
(the underlying mechanism already logs a warning, but it
has less context information). File: global/dict_mysql.c.
20140907
Feature: with "confirm_delay_cleared = yes", Postfix informs
the sender when delayed mail leaves the queue. This can
result in a sudden burst of notifications at the end of a
prolonged network outage, and is therefore disabled by
default. Files: mantools/postlink, proto/postconf.proto,
global/deliver_request.h, global/mail_params.h, global/sent.c,
*qmgr/qmgr.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
20140908-14
Feature: for the first time in 17 years, support for
${name?if-nonempty:if-empty} macro expressions, and for
logical expressions ${logical-expr?if-true:if-false}. In
preparation for configurable message headers and logging.
Files: util/mac_expand.c.
20140914
Bugfix (introduced: 19971026): a zero precision value in
%.*s and $.s was implemented as if no precision
value was specified, i.e. print the entire string. This was
not harmful, it just looked weird. File: util/vbuf_print.c.
20140917
Feature: RFC 7372 enhanced status code for unknown SMTP
client hostnames. File: smtpd/smtpd_check.c
Bugfix: the accept() calls in test programs escaped attention
when Postfix 2.2 was ported to IPv6. Problem found by Mark
Martinec. Files: smtpstone/smtp-sink.c, smtpstone/qmqp-sink.c.
20140918
Cleanup: log a warning when the cleanup server detects too
many hops. smtpd(8) does not log any of the CLEANUP_STAT_XXX
results. The pickup server logs some because there is no
client to send the problem description to. This logic of
who logs what needs to be revisited. File:
cleanup/cleanup_message.c.
20140919
Usability: randmap and pipemap syntax, for example,
pipemap:{type_1:name_1, ..., type_n:name_n}. This required
small updates to code that parses input into lookup table
names. Files: global/data_redirect.c, global/maps.c,
global/server_acl.c, postconf/postconf.c, postconf/postconf_dbms.c,
postconf/test58.ref, proto/DATABASE_README.html,
proxymap/proxymap.c, smtpd/smtpd_check.c, util/argv.h,
util/balpar.c, util/dict_pipe.c, util/dict_random.c,
util/match_list.c, util/mystrtok.c, util/argv_splitq.c,
util/stringops.h.
Cleanup: added PRINTFLIKE() to enable missing format string
checks. Files: bounce/bounce_template.h, global/memcache_proto.h,
global/dict_memcache, postconf/postconf.h, util/dict.h,
util/msg.h.
20140920
Bugfix (introduced: 20080212): incorrect client name in
reject messages from check_reverse_client_hostname_access
and check_reverse_client_hostname_{a,mx,ns}_access. They
replied with the verified client name, instead of the name
that was rejected. Problem reported by Reindl Harald. File:
smtpd/smtpd_check.c.
20140921
Cleanup: postconf code to determine the default mydomain
value had not evolved since 1997, while the rest of Postfix
changed in 2000. File: postconf/postconf-dbms.c.
20140922
Cleanup: the confirm_delay_cleared feature now sends no
notification when the sender requests NOTIFY options that
do not include NOTIFY=DELAY. Files: global/deliver_request.h,
global/sent.c, *qmgr/qmgr_active.c, *qmgr/qmgr_message.c.
Bugfix (introduced: yesterday): missing print arguments.
File: postconf/postconf_dbms.c.
Cleanup: simplified "nested" lookup table checks.
Cleanup: replace stress-dependent main.cf defaults with the
ternary form: "${stress?{x}:{y}}" File: global/mail_params.h,
proto/postconf.proto, postscreen/postscreen.c (comments).
20140923
Cleanup: dict_db and dict_lmdb global settings. Files:
global/mail_params.c, util/dict_open.c.
Feature: unionmap, based on contribution by Roel van Meer.
Files: mantools/postlink, postconf/postconf.c (manpage),
proto/DATABASE_README.html, util/dict_open.c, util/dict_union.[hc].
20140924
Bugfix (introduced: 20060117): the escape function didn't
correctly convert non-ASCII. File: util/unescape.c.
Bugfix (introduced: 201407): missing conversions for non-ASCII
domain names in permit_mx_backup, check_mumble_{a,mx,ns}_access
and reject_unknown_{sender,recipient}_domain. Mark Martinec.
File: smtpd/smtpd_check.c.
20140925
Cleanup: support for per-Milter settings, for example:
smtpd_milters = {inet:host:port, default_action=accept,
...}. Specify the Milter endpoint address followed by zero
or more attribute=value pairs separated by comma or space.
The supported attributes are command_timeout, connect_timeout,
content_timeout, default_action, and protocol. These have
the same names as the corresponding main.cf parameters,
minus the "milter_" prefix. Files: global/mail_conf_over.c,
global/mail_conf_str.c, global/mail_conf_time.c,
global/mail_conf.h, milter/milters.c.
20140927
Cleanup: specify { name = value } in per-Milter settings,
to support space around the "=" or comma/space within the
value. Files: global/attr_over.[hc].
Cleanup: "postconf -n" now only shows config_directory when
an override is in effect (environment, -c or -o).
Cleanup: support for master.cf arguments inside {}, to
protect arguments that contain whitespace. File:
master/master_ent.c, postconf/postconf_master.c,
postconf/test59.ref.
Cleanup: support for per-policy client settings, for example:
check_policy_service {inet:host:port, default_action=dunno,
timeout=50s, ...}. Specify the policy server endpoint address
followed by zero or more attribute=value pairs separated
by comma or space. Specify { name = value } for attributes
that contain whitespace; otherwise, space is not allowed
around the "=". The supported attributes are default_action,
max_idle, max_ttl, request_limit, retry_delay, timeout, and
try_limit. These have the same names as the corresponding
main.cf parameters, minus the "smtpd_policy_service_" prefix.
Files: global/mail_conf_int.c, global/mail_conf.h,
global/attr_override.[hc], smtpd/smtpd_check.c.
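The syntax described in this entry and in the per-Milter entries of 20140925 and 20140927, as an added C sketch that is not Postfix's own code. The client_spec type, the function names, the size limits, the rejection of unlisted attribute names, the requirement that the endpoint comes first and unbraced, and the lack of nested-brace support are assumptions of this example; the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS 8
#define MAX_TOKEN 128

/* Attribute names as listed in the two changelog entries. */
static const char *const policy_attrs[] = {
    "default_action", "max_idle", "max_ttl", "request_limit",
    "retry_delay", "timeout", "try_limit", NULL
};
static const char *const milter_attrs[] = {
    "command_timeout", "connect_timeout", "content_timeout",
    "default_action", "protocol", NULL
};

struct client_spec {                    /* hypothetical result type */
    char endpoint[MAX_TOKEN];
    int  nattr;
    char name[MAX_ATTRS][MAX_TOKEN];
    char value[MAX_ATTRS][MAX_TOKEN];
};

/* Copy [start, end) minus surrounding whitespace; -1 if empty or too long. */
static int copy_trimmed(char *dst, const char *start, const char *end)
{
    while (start < end && isspace((unsigned char) *start))
        start++;
    while (end > start && isspace((unsigned char) end[-1]))
        end--;
    if (end == start || (size_t) (end - start) >= MAX_TOKEN)
        return -1;
    memcpy(dst, start, (size_t) (end - start));
    dst[end - start] = '\0';
    return 0;
}

/* Store one name=value token; -1 if malformed or the name is not allowed. */
static int add_attr(struct client_spec *cs, const char *const *allowed,
                    const char *start, const char *end)
{
    const char *eq = memchr(start, '=', (size_t) (end - start));
    if (eq == NULL || cs->nattr >= MAX_ATTRS
        || copy_trimmed(cs->name[cs->nattr], start, eq) < 0
        || copy_trimmed(cs->value[cs->nattr], eq + 1, end) < 0)
        return -1;
    for (; *allowed != NULL; allowed++)
        if (strcmp(*allowed, cs->name[cs->nattr]) == 0) {
            cs->nattr++;
            return 0;
        }
    return -1;
}

/* Parse the text between the outer braces; 0 on success, -1 on error. */
static int parse_client_spec(const char *text, const char *const *allowed,
                             struct client_spec *cs)
{
    const char *p = text, *start, *end;
    int have_endpoint = 0;
    memset(cs, 0, sizeof(*cs));
    for (;;) {
        while (*p == ',' || isspace((unsigned char) *p))
            p++;
        if (*p == '\0')
            break;
        if (*p == '{') {                /* { name = value with spaces } */
            start = p + 1;
            if (!have_endpoint || (end = strchr(start, '}')) == NULL)
                return -1;
            p = end + 1;
        } else {                        /* bare token: up to comma/space */
            start = p;
            while (*p != '\0' && *p != ',' && !isspace((unsigned char) *p))
                p++;
            end = p;
        }
        if (!have_endpoint) {
            if (copy_trimmed(cs->endpoint, start, end) < 0)
                return -1;
            have_endpoint = 1;
        } else if (add_attr(cs, allowed, start, end) < 0)
            return -1;
    }
    return have_endpoint ? 0 : -1;
}

int main(void)
{
    struct client_spec cs;              /* constructed sample inputs below */
    int i, rc = parse_client_spec("inet:127.0.0.1:9998, timeout=50s,"
        " { default_action = 451 4.3.5 Try again later }", policy_attrs, &cs);
    for (i = 0; rc == 0 && i < cs.nattr; i++)
        printf("%s: %s=[%s]\n", cs.endpoint, cs.name[i], cs.value[i]);
    printf("%d\n", parse_client_spec("inet:127.0.0.1:9999 max_idle=5s",
                                     milter_attrs, &cs));
    return rc == 0 ? 0 : 1;
}
```

The second call prints -1 because max_idle is in the per-policy list but not in the per-Milter list.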
20140928
Cleanup: extpar.c module to reduce code duplication. Files:
global/attr_override.c, master/master_ent.c, milter/milter.c,
postconf/postconf_dbms.c, postconf/postconf_master.c,
smtpd/smtpd_check.c, util/extpar.c, util/stringops.h.
Cleanup: the table-driven code for per-Milter and per-policy
overrides now updates stack-based variables, instead of
(ugh) statically-allocated variables. Files:
global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c.
Documentation: added advanced configuration sections for
how to use per-Milter and per-policy settings. Files:
proto/SMTPD_POLICY_README.html, proto/MILTER_README.html.
Cleanup: force LANG=C to prevent groff from outputting
non-ASCII cruft into the HTML-ized manpages. Files:
html/Makefile.in, proto/Makefile.in, many HTML output files.
20140929
Cleanup: the table-driven code for per-Milter and per-policy
overrides now updates arbitrary variables, so that it can
also be used for, say, TLS policies. Files:
global/attr_override.[hc], smtpd/smtpd_check.c, milter/milter.c.
Documentation: support for "{ argument with whitespace }"
in master(5) and pipe(8). Files: proto/master, src/pipe/pipe.c.
Documentation: in ADDRESS_VERIFY_README, replaced "nearest
MTA" with "preferred MTA". The SMTP client was changed years
ago to try alternate MXes after a 4XX SMTP server response.
File: proto/ADDRESS_VERIFY_README.html.
20141001
Safety: backwards-compatibility safety net that forces
Postfix to run with backwards-compatible default settings
after an upgrade to a newer Postfix version. Postfix logs
all uses of those backwards-compatible default settings so
that the system administrator can determine whether or not
some backwards-compatible default settings need to be made
permanent in main.cf or master.cf. All this is controlled
with a new compatibility_level parameter, default value 0.
Files: global/mail_params.[hc], trivial-rewrite/rewrite.c,
master/master_ent.c, smtpd/smtpd.c, postfix/postfix.c.
New defaults for master.cf chroot (n), append_dot_mydomain
(no) and smtputf8_enable (yes). File: global/mail_params.h,
global/mail_params.c, smtp/smtp.c (manpage), smtpd/smtpd.c
(manpage), trivial-rewrite/trivial-rewrite.c.
Simple relational expression evaluator so that main.cf
defaults can be made dependent on comparisons with the
compatibility_level parameter value. File: util/mac_expand.c.
Bugfix: do not reset the mail transaction after receiving
a non-ASCII recipient. File: smtpd/smtpd.c.
20141002
Cleanup: moved the details of BC safety-net messages from
RELEASE_NOTES to postconf(5) manpage, and changed the wording
of the BC messages. Files: RELEASE_NOTES, proto/postconf.proto,
master/master_ent.c, smtpd/smtpd.c, trivial-rewrite/rewrite.c.
20141003
Workaround: kludge for multiple paragraphs of text in
indented paragraphs. Files: mantools/postconf2html,
mantools/postconf2man, proto/Makefile.in, proto/postconf.proto
20141005
Cleanup: CHARSET_COMMA_SP, CHARSET_SPACE and CHARSET_BRACE
to prepare for the elimination of ad-hoc string constants.
File: util/sys_defs.h.
Cleanup: allow "{ name=value }" to protect whitespace in
import_environment and export_environment. Files:
proto/postconf.proto, global/mail_parm_split.c,
global/mail_parm_split.h, global/mail_stream.c, local/command.c,
master/master.c, pipe/pipe.c, postdrop/postdrop.c,
postfix/postfix.c, postmulti/postmulti.c, postqueue/postqueue.c,
spawn/spawn.c.
20141006
Backwards compatibility: log a helpful message when "localhost"
is missing from mydestination. Files: trivial_rewrite/rewrite.c,
trivial_rewrite/resolve.c, trivial-rewrite/trivial-rewrite.h,
proto/postconf.proto.
Cleanup: message_drop_header for configurable header dropping
(default: bcc, content-length, resent-bcc, return-path).
The list of supported header names covers RFC 5321, 5322,
MIME RFCs, and some historical names. File: global/header_opts.c,
global/mail_params.[hc], cleanup/cleanup.c (manpage),
proto/postconf.proto, mantools/postlink.
20141008
New defaults: "relayhost=" and "mynetworks_style = host",
plus a backwards-compatibility safety net that warns when
the change in defaults could result in rejection of mail
(with mynetworks_style this requires that Postfix evaluates
both old and new default values). Files: proto/postconf.proto,
global/flush_clnt.c, global/mail_params.c, global/mail_params.h,
global/mynetworks.c, global/mynetworks.h, global/server_acl.c,
postconf/postconf_builtin.c, smtpd/smtpd.c, smtpd/smtpd_check.c.
20141009
Documentation: moved the gory details from postconf(5) to
a new COMPATIBILITY_README document. Files: proto/postconf.proto,
proto/COMPATIBILITY_README.html html/index.html.
Documentation: update the conf/main.cf compatibility_level
setting for new Postfix installs, and updated a reminder
in mail_params.h.
20141010
Cleanup: make "const char myname[]" declarations static.
global/attr_override.c, global/bounce.c, global/dsn_filter.c,
global/dynamicmaps.c, global/mkmap_open.c, global/smtputf8.c,
smtp/smtp_key.c, smtpd/smtpd_check.c, util/dict_pipe.c,
util/dict_union.c, util/mac_expand.c, util/midna.c,
util/valid_utf8_hostname.c.
Documentation: summarize the user-specified "make makefiles"
settings at the top of makedefs.out. This file now has so
many internal variables that people would get lost.
20141011
Cleanup: replaced cryptic macros X_SMTP() and SMTP_X() with
more descriptive names: LMTP_SMTP_SUFFIX() and VAR_LMTP_SMTP().
Files: smtp/smtp.c, smtp/smtp.h, smtp/smtp_chat.c,
smtp/smtp_connect.c, smtp/smtp_proto.c, smtp/smtp_sasl_glue.c,
smtp/smtp_sasl_proto.c, smtp/smtp_tls_policy.c.
20141012
Cleanup: missing format-string checks. Files: master/master_ent.c,
posttls-finger/posttls-finger.c, smtpd/smtpd_proxy.c.
Bugfix (introduced: Postfix 2.3): the PREPEND access/policy
action added headers ABOVE Postfix's own Received: header,
exposing Postfix's own Received: header to Milters (protocol
violation) and hiding the PREPENDed header from Milters.
The latter caused problems for DMARC implementations with
SPF policy plus DKIM Milter. PREPENDed headers are now
added BELOW Postfix's own Received: header and remain visible
to Milters. File: smtpd/smtpd.c.
20141013
Cleanup: configuration file line numbers in error/warning
messages could point to comment lines before or after the
problem. Files: util/readlline.[hc], master/master_ent.c,
postalias/postalias.c, postmap/postmap.c, util/dict.c,
util/dict_cidr.c, util/dict_pcre.c, util/dict_regexp.c,
util/dict_thash.c, postconf/postconf_master.c.
20141014
Portability: Darwin 11.x needs to link with -lresolv. Viktor
Dukhovni. File: makedefs.
Documentation: ICU (unicode) library package names. File:
proto/SMTPUTF*_README.html.
20141015
Cleanup: master.cf line number reporting made more consistent
with similar code elsewhere. File: master/master_ent.c.
Backed out SMTP client TLS fallback due to multiple problems.
20141018
Bugfix (introduced: Postfix 2.3): when a Milter inserted a
header ABOVE Postfix's own Received: header, Postfix would
expose its own Received: header to Milters (violating
protocol) and hide the Milter-inserted header from Milters
(wtf). Files: cleanup/cleanup.h, cleanup/cleanup_message.c,
cleanup/cleanup_state.c, milter/milter.[hc], milter/milter8.c.
Cleanup: revert the workaround that places headers inserted
with PREPEND actions or policy requests BELOW Postfix's own
Received: message header. File: smtpd/smtpd.c.
20141019
Cleanup: replace dozens and dozens of ad-hoc string constants
with CHARS_SPACE, CHARS_COMMA_SP, and CHARS_BRACE. Files:
52, too many files to mention here.
Bugfix: the recently-introduced randmap, pipemap, and
unionmap did not check for all possible forms of "empty
list". Files: util/dict_random.c, util/dict_pipe.c,
util/dict_union.c.
Documentation: word smithing. File: proto/master.
Cleanup: the last remaining remnants of the withdrawn
smtp_tls_fallback_level feature. Files: mantools/postlink,
global/mail_params.h.
20141021
Per IETF TLS WG consensus, the tls_session_ticket_cipher
default setting was changed from aes-128-cbc to aes-256-cbc.
Take that, you quantum computer attackers! Viktor Dukhovni.
Files: proto/postconf.proto, global/mail_params.h.
20141024
Cleanup: added $smtpd_mumble_restrictions to the proxy_read_maps
default setting. File: global/mail_params.h.
Documentation: different header/body checks for MX service
and SMTP submissions. File: proto/BUILTIN_FILTER_README.html.
Cleanup: don't send "bare" original recipient in SMTP DSN
attributes. File: cleanup/cleanup_addr.c.
Feature: smtp-sink -N option to suppress DSN announcement.
File: smtpstone/smtp-sink.c.
20141025
Bugfix (introduced: Postfix 2.11): core dump when
smtp_policy_maps specifies an invalid TLS level. Viktor
Dukhovni. File: smtp/smtp_tls_policy.c.
20141103
Logging: when a connection is closed, log the request counts
for unimplemented STARTTLS or AUTH commands separately,
instead of logging such commands as "unknown". File:
smtpd/smtpd.c.
20141106
Cleanup: set errno to ETIMEDOUT after postscreen handshake
timeout event, so that warnings report the correct error.
File: tlsproxy/tlsproxy.c.
20141112
Documentation: 24 identical typos. File: proto/postconf.proto.
Workaround: support space after "MAIL FROM:" and "RCPT TO:"
in smtpd_command_filter examples. Reportedly, cashedge.com's
software (used by banks) needs this (source: Claus Assmann).
File: proto/postconf.proto.
20141117
Cleanup: use ~0U instead of (unsigned) -1. Based on
complaints from the BEAM static analyzer. Files:
global/mynetworks.c, postconf/postconf.c, util/cidr_match.c.
Cleanup: forgot the "do" in "do { stuff } while (0)" macros.
Luckily, this had caused no problem. Based on complaints
from the BEAM static analyzer. Files: util/dict_cdb.c,
util/dict_dbm.c, util/dict_lmdb.c, util/dict_pcre.c,
util/dict_regexp.c, util/dict_sockmap.c, util/dict_thash.c.
Bugfix (introduced: Postfix 2.9): lockfile descriptor leak
after error. Based on complaints from the BEAM static
analyzer. File: util/dict_db.c.
Bugfix (introduced: Postfix 1.1): don't "set" the null byte
element in the base64 and base32 decoding maps. Based on
complaints from the BEAM static analyzer. Files: util/base64_code.c,
util/base32_code.c.
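One way a decoding map ends up with its null-byte element set, shown as an added example rather than Postfix's code: the table is filled by looping over sizeof() of the alphabet string, which counts the terminator. The function names, the INVALID marker and the small decoder are assumptions of this example, and the sample input is constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define INVALID 0xff                    /* marks bytes outside the alphabet */

static const char alphabet[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Flawed: sizeof(alphabet) is 65, so the loop also "sets" map['\0'] = 64. */
static void build_map_flawed(unsigned char *map)
{
    size_t i;

    memset(map, INVALID, UCHAR_MAX + 1);
    for (i = 0; i < sizeof(alphabet); i++)
        map[(unsigned char) alphabet[i]] = (unsigned char) i;
}

/* Corrected: stop before the terminator, so map['\0'] stays INVALID. */
static void build_map_fixed(unsigned char *map)
{
    size_t i;

    memset(map, INVALID, UCHAR_MAX + 1);
    for (i = 0; i < sizeof(alphabet) - 1; i++)
        map[(unsigned char) alphabet[i]] = (unsigned char) i;
}

/*
 * Decode len bytes of base64 (length a multiple of 4, optional '=' padding
 * in the last group). Returns the number of bytes written, or -1 on error.
 */
static long b64_decode(const unsigned char *map, const char *in, size_t len,
                       unsigned char *out, size_t cap)
{
    size_t i, n = 0;

    if (len % 4 != 0)
        return -1;
    for (i = 0; i < len; i += 4) {
        unsigned long bits = 0;
        int k, pad = 0;

        for (k = 0; k < 4; k++) {
            unsigned char c = (unsigned char) in[i + k];

            if (c == '=' && i + 4 == len && k >= 2) {
                pad++;
                bits <<= 6;
            } else if (pad > 0 || map[c] == INVALID) {
                return -1;              /* data after padding, or bad byte */
            } else {
                bits = (bits << 6) | map[c];
            }
        }
        if (n + 3 - pad > cap)
            return -1;
        out[n++] = (unsigned char) (bits >> 16);
        if (pad < 2)
            out[n++] = (unsigned char) (bits >> 8);
        if (pad < 1)
            out[n++] = (unsigned char) bits;
    }
    return (long) n;
}

int main(void)
{
    unsigned char flawed[UCHAR_MAX + 1], fixed[UCHAR_MAX + 1], out[8];
    static const char sample[] = "QU\0D";   /* constructed: NUL inside a group */

    build_map_flawed(flawed);
    build_map_fixed(fixed);
    printf("flawed map: %ld, fixed map: %ld\n",
           b64_decode(flawed, sample, 4, out, sizeof(out)),
           b64_decode(fixed, sample, 4, out, sizeof(out)));
    return 0;
}
```

With the flawed map, a length-counted input that contains a null byte is decoded as if the byte were a 65th alphabet symbol; with the corrected map the same input is rejected.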
Cleanup: don't exit(0) after failing to run showq(8). Based
on complaints from the BEAM static analyzer. File:
postqueue/postqueue.c.
Bugfix: memory leak when getaddrinfo() returns a result
that is neither IPv4 nor IPv6. Based on complaints from
the BEAM static analyzer. File: smtp/smtp_addr.c.
Cleanup: use more meaningful name for global variable so
that it isn't shadowed by a local variable. Based on
complaints from the BEAM static analyzer. File: smtpstone/smtp-sink.c.
20141119
Cleanup: base64 test driver. File: base64_code.c.
Cleanup: make the CONST_CHAR_STAR typedef project-wide.
Files: global/attr_override.h, util/sys_defs.h.
Feature: BCC action in header/body_checks and milter_header_checks.
Files: proto/header_checks, cleanup/cleanup.h,
cleanup/cleanup_extracted.c, cleanup/cleanup_message.c,
cleanup/cleanup_milter.c, cleanup/cleanup_milter.in16a,
cleanup/cleanup_milter.ref16a1, cleanup/cleanup_milter.ref16a2,
cleanup/cleanup_milter.reg16a, cleanup/cleanup_state.c,
cleanup/test-queue-file16, global/attr_override.h,
global/cleanup_strflags.c, global/cleanup_user.h,
util/sys_defs.h.
Cleanup: don't write back-to-back queue file pointer records
when the "add recipient" action was a NOOP (e.g., because
the recipient was a duplicate). File: cleanup/cleanup_milter.c.
20141120
Documentation: COMPATIBILITY_README now has "purpose of
this document" section, plus a separate section for turning
off the safety net. File: proto/COMPATIBILITY_README.html
20131121
Cleanup: replace mua_mumble with msa_mumble in master.cf
submission and smtps service parameter overrides. File:
proto/BUILTIN_FILTER_README.html.
Feature: "static:{ text with whitespace }". This could be
used as check_mumble_access static:{reject text...} at the
end of smtpd_mumble_restrictions. Files: util/dict_static.c,
util/Makefile.in, util/dict_static_test.ref,
proto/DATABASE_README.html, postconf/postconf.c (manpage).
20141126
Feature: "inline:{key=value, { key = text with comma/space}}"
avoids the need to create a database for just a few entries.
Files: util/dict_inline.[hc], mantools/postlink,
proto/DATABASE_README.html, postconf/postconf.c (manpage),
util/dict_inline.[hc], util/dict_open.c, util/Makefile.in,
util/dict_inline_test.ref.
Cleanup: report nullmx DNS records as "domain does not
accept mail", instead of "invalid DNS response". The Postfix
SMTP client already bounced mail for such domains, and the
Postfix SMTP server already rejected such domains with
reject_unknown_sender/recipient_domain. This introduces a
new SMTP server configuration parameter nullmx_reject_code
(default: 556). Files: src/dns/dns_lookup.[hc], dns/Makefile.in,
dns/nullmx_test.ref, src/smtp/smtp_addr.c, smtpd/smtpd_check.c,
smtpd/smtpd_check_nullmx.in, smtpd/smtpd_check_nullmx.ref,
mantools/postlink, proto/postconf.proto, smtpd/smtpd.c.
Cleanup: added some missing libdns tests: dns/Makefile.in,
dns/mxonly_test.ref, dns/nxdomain_test.ref.
Cleanup: libglobal "make test" had suffered from bitrot.
Files: global/mime_state.c, global/header_body_checks.c.
20141127
Feature: DNS reply filter, configured with smtp_dns_reply_filter,
smtpd_dns_reply_filter, and lmtp_dns_reply_filter. Files:
mantools/postlink, proto/postconf.proto, dns/dns.h,
dns/dns_lookup.c, dns/dns_rr_filter.c, dns/dns_strrecord.c,
dns/error.ref, dns/error.reg, dns/mxonly_test.ref, dns/no-a.ref,
dns/no-a.reg, dns/no-aaaa.ref, dns/no-aaaa.reg, dns/no-mx.ref,
dns/no-mx.reg, dns/nullmx_test.ref, dns/test_dns_lookup.c,
global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
smtp/smtp_addr.c, smtp/smtp_params.c, smtpd/smtpd.c,
smtpd/smtpd_check.c, smtpd/smtpd_dns_filter.{in,ref}.
20141130
Cleanup: when searching multiple DNS record types for a
specific name, and not all queries return the same result
status, do not blindly return the last query's rcode and
diagnostic text. Instead, return rcode and text that is
consistent with the aggregate result status.
Cleanup: un-broke several smtpd regression tests (work in
progress, with three more to go). Files: smtpd/smtpd_check.c,
smtpd/smtpd_server.{in,ref}, smtpd/smtpd_exp.{in,ref},
smtpd/smtpd_dnswl.{in,ref}.
Documentation: added note on Milter-signing bounces.
20141201
Bugfix (introduced: 20141130): memory leak. File: dns_lookup.c.
Cleanup: un-broke several dns regression tests by sorting
getaddrinfo() results by address family. Files: dns/dns_rr_eq_sa.c,
dns/dns_rr_eq_sa.ref, dns/dns_sa_to_rr.c, dns/dns_sa_to_rr.ref.
Cleanup: missing #ifdef in smtpd_check test driver. File:
smtpd/smtpd_check.c.
Cleanup: fix google.com regexp in smtp_dns_reply_filter
example. Viktor Dukhovni. File: proto/postconf.proto.
Cleanup: in the ASCII form of DNS resource records, add
space after the TLSA match-type field. Viktor Dukhovni.
File: dns/dns_strrecord.c.
20141202
Cleanup: to increase clarity, rename DNS result status from
DNS_UNAVAIL to DNS_NULLMX. If someone uses the same zero-length
name trick with some other resource type, then we will worry
about that later. Files: smtpd/smtpd_check.c, smtp/smtp_addr.c,
dns/dns.h, dns/dns_lookup.c.
Cleanup: eliminate TLS state duplication from state->tls
to session->tls. Viktor Dukhovni. Files: src/smtp/smtp.h,
src/smtp/smtp_connect.c, src/smtp/smtp_proto.c,
src/smtp/smtp_reuse.c, src/smtp/smtp_session.c.
20141203
Feature: support to match UTF8 domain names against ASCII
names in TLS certificates. Viktor Dukhovni. Files:
posttls-finger/posttls-finger.c, tls/tls_client.c.
20141206
Cleanup: use (char *) only for strings, not for data. The
"void *" type was not fully portable during initial Postfix
development, but we no longer have that problem. Also started
the migration of data structure sizes/counters to ssize_t/size_t
(the IBM Beam analyzer identified lots of unnecessary 64-bit
to 32-bit conversions). The transformation and verification
were mostly mechanical with manual supervision. Files:
anvil/anvil.c, bounce/bounce.c, bounce/bounce_notify_util.c,
bounce/bounce_template.c, bounce/bounce_templates.c,
cleanup/cleanup_message.c, cleanup/cleanup_region.c,
cleanup/cleanup_state.c, dns/dns_lookup.c, dns/dns_rr.c,
dns/dns_rr_eq_sa.c, dns/dns_rr_to_sa.c, dns/test_dns_lookup.c,
flush/flush.c, global/abounce.c, global/abounce.h,
global/been_here.c, global/bounce_log.c, global/clnt_stream.c,
global/db_common.c, global/deliver_request.c,
global/delivered_hdr.c, global/dict_ldap.c, global/dict_mysql.c,
global/dict_pgsql.c, global/dsn.c, global/dsn_buf.c,
global/dsn_filter.c, global/dynamicmaps.c,
global/header_body_checks.c, global/header_opts.c,
global/mail_addr_crunch.c, global/mail_stream.c,
global/mail_version.c, global/maps.c, global/mbox_open.c,
global/mime_state.c, global/mkmap_open.c, global/msg_stats_scan.c,
global/mypwd.c, global/post_mail.c, global/rcpt_buf.c,
global/recipient_list.c, global/scache_clnt.c,
global/scache_multi.c, global/scache_single.c,
global/smtp_reply_footer.c, global/smtp_reply_footer.h,
global/tok822_node.c, local/biff_notify.c, local/forward.c,
local/local_expand.c, local/unknown.c, master/event_server.c,
master/master.c, master/master_avail.c, master/master_ent.c,
master/master_monitor.c, master/master_proto.c,
master/master_sig.c, master/master_spawn.c, master/master_status.c,
master/master_vars.c, master/master_wakeup.c,
master/multi_server.c, master/single_server.c,
master/trigger_server.c, milter/milter.c, milter/milter8.c,
milter/milter_macros.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c,
oqmgr/qmgr_deliver.c, oqmgr/qmgr_entry.c, oqmgr/qmgr_message.c,
oqmgr/qmgr_queue.c, oqmgr/qmgr_transport.c, pipe/pipe.c,
postalias/postalias.c, postconf/postconf.h,
postconf/postconf_builtin.c, postconf/postconf_edit.c,
postconf/postconf_lookup.c, postconf/postconf_main.c,
postconf/postconf_master.c, postconf/postconf_node.c,
postconf/postconf_service.c, postconf/postconf_user.c,
postmap/postmap.c, postmulti/postmulti.c, postscreen/postscreen.c,
postscreen/postscreen.h, postscreen/postscreen_dnsbl.c,
postscreen/postscreen_early.c, postscreen/postscreen_expand.c,
postscreen/postscreen_haproxy.c, postscreen/postscreen_send.c,
postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c,
postscreen/postscreen_state.c, posttls-finger/posttls-finger.c,
posttls-finger/tlsmgrmem.c, proxymap/proxymap.c, qmgr/qmgr.c,
qmgr/qmgr_active.c, qmgr/qmgr_deliver.c, qmgr/qmgr_entry.c,
qmgr/qmgr_job.c, qmgr/qmgr_message.c, qmgr/qmgr_peer.c,
qmgr/qmgr_queue.c, qmgr/qmgr_transport.c, qmqpd/qmqpd_peer.c,
qmqpd/qmqpd_state.c, scache/scache.c, sendmail/sendmail.c,
showq/showq.c, smtp/smtp_chat.c, smtp/smtp_connect.c,
smtp/smtp_proto.c, smtp/smtp_reuse.c, smtp/smtp_session.c,
smtp/smtp_state.c, smtp/smtp_tls_policy.c, smtpd/smtpd.c,
smtpd/smtpd_chat.c, smtpd/smtpd_check.c, smtpd/smtpd_expand.c,
smtpd/smtpd_expand.h, smtpd/smtpd_peer.c, smtpd/smtpd_proxy.c,
smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c,
smtpstone/smtp-sink.c, smtpstone/smtp-source.c, tls/tls_dane.c,
tls/tls_mgr.c, tls/tls_misc.c, tls/tls_prng_dev.c,
tls/tls_prng_egd.c, tls/tls_prng_exch.c, tls/tls_prng_file.c,
tls/tls_proxy_clnt.c, tls/tls_scache.c, tls/tls_server.c,
tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c, tlsproxy/tlsproxy_state.c,
trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c,
util/argv.c, util/attr_clnt.c, util/attr_print0.c,
util/attr_print64.c, util/attr_print_plain.c, util/attr_scan0.c,
util/attr_scan64.c, util/attr_scan_plain.c, util/auto_clnt.c,
util/binhash.c, util/binhash.h, util/ctable.c, util/ctable.h,
util/dict.c, util/dict.h, util/dict_alloc.c, util/dict_cache.c,
util/dict_cache.h, util/dict_cidr.c, util/dict_db.c,
util/dict_ht.c, util/dict_open.c, util/dict_pcre.c,
util/dict_regexp.c, util/dict_sockmap.c, util/dict_surrogate.c,
util/dict_thash.c, util/edit_file.c, util/events.c,
util/events.h, util/fifo_trigger.c, util/find_inet.c,
util/htable.c, util/htable.h, util/inet_addr_host.c,
util/inet_addr_list.c, util/inet_addr_local.c, util/inet_listen.c,
util/inet_proto.c, util/inet_trigger.c, util/inet_windowsize.c,
util/iostuff.h, util/line_wrap.c, util/line_wrap.h,
util/mac_expand.c, util/mac_expand.h, util/mac_parse.c,
util/mac_parse.h, util/match_list.c, util/msg_output.c,
util/mvect.c, util/myaddrinfo.c, util/myflock.c, util/mymalloc.c,
util/mymalloc.h, util/nbbio.c, util/nbbio.h, util/netstring.c,
util/nvtable.c, util/nvtable.h, util/pass_trigger.c,
util/sane_accept.c, util/sane_connect.c, util/scan_dir.c,
util/sock_addr.c, util/stream_trigger.c, util/sys_compat.c,
util/sys_defs.h, util/timecmp.c, util/timed_connect.c,
util/timed_write.c, util/unix_connect.c, util/unix_listen.c,
util/unix_recv_fd.c, util/unix_send_fd.c, util/unix_trigger.c,
util/vbuf.c, util/vbuf.h, util/vstream.c, util/vstream_tweak.c,
util/vstring.c, util/watchdog.c, verify/verify.c,
xsasl/xsasl_cyrus_client.c, xsasl/xsasl_cyrus_server.c,
xsasl/xsasl_dovecot_server.c.
Cleanup: removed unnecessary casts. File: global/cfg_parser.c.
Cleanup: don't cast away "const". File: global/dict_sqlite.c.
20141208
Bugfix (introduced: 20141207): in new #ifdef, && should be
||. File: smtpd.c.
20141210
Cleanup: the "inline" table now supports case-insensitive
search, and an iterator. File: util/dict_inline.c.
Cleanup: minuscule memory leaks in graceful degradation
after lookup table open error. Files: util/dict_inline.c,
util/dict_static.c.
20141211
Cleanup: memory leaks in unit-test driver programs (i.e.
code used only during development). Files:
cleanup/cleanup_milter.c, util/base64_code.c.
Bugfix (introduced 20141001): mac_expand() error message
with "??" due to dangling pointer. File: util/mac_expand.c.
Portability: unit-test driver programs. Files: util/myaddrinfo.c,
util/myaddrinfo.ref.
Portability: Clang support. Files: makedefs, util/sys_defs.h.
Portability: FreeBSD 10 support. Files: makedefs,
util/sys_defs.h.
Cleanup: in makedefs, the CC and WARN features are now
independent. File: makedefs.
Shut up some Clang format-string nags: util/events.c.
Cleanup: eliminated unnecessary 64->32bit (and back)
conversions on LP64 platforms. Files: util/htable.c,
util/binhash.c, util/mvect.[hc], util/name_mask.c,
util/sane_time.c, util/unix_listen.c, util/unix_connect.c,
util/stringops.h, util/trimblanks.c, and dependent code in
smtpd/smtpd_token.c.
Cleanup: unused inet_proto_init() results. Files:
global/mail_params.c, postconf/postconf_builtin.c,
smtpstone/qmqp-sink.c, smtpstone/qmqp-source.c,
smtpstone/smtp-source.c.
Shut up some Clang nags about unused functions in network
interface API selection. File: util/inet_addr_local.c.
Portability: a historical compiler lacks printf-like
format-string checks for function pointers. Files: util/msg.h,
bounce/bounce_template.h.
20141212
Shut up some Clang format-string nags: util/line_number.c,
sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c.
Cleanup: eliminated unnecessary 64->32bit (and back)
conversions on LP64 platforms. Files: dict_memcache.c,
header_body_checks.[hc], log_adhoc.c, pipe_command.c,
record.[hc], smtp_reply_footer.c, split_addr.c,
cleanup/cleanup_milter.c, master/mail_server.h,
src/master/trigger_server.c, oqmgr/qmgr.c, qmgr/qmgr.c,
pickup/pickup.c.
Cleanup: nullmx SMTP reply codes 550 and 556, and enhanced
status codes X.1.10 and X.7.27. The nullmx SMTP reply codes
are no longer configurable. Files: global/mail_params.h,
smtpd/smtpd.c, smtpd/smtpd_check.c.
Portability: default table owner UID for testing. Files:
util/dict_alloc.c, util/dict_open.c.
Shut up Clang unused assignment nag: global/mail_queue.h.
sendmail/sendmail.c, smtpd/smtpd_proxy.c, smtp/smtp_sasl_proto.c.
20141214
Bugfix (introduced: 20141212): typo in Clang function pointer
format check, making it a noop. Viktor Dukhovni. File:
util/sys_defs.h.
Maintainability: compile-time argument typechecking for
variadic attribute-value read/write functions. Files:
anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c,
dnsblog/dnsblog.c, flush/flush.c, global/abounce.c,
global/anvil_clnt.c, global/bounce.c, global/defer.c,
global/deliver_pass.c, global/deliver_request.c,
global/dict_proxy.c, global/dsb_scan.c, global/dsn_print.c,
global/flush_clnt.c, global/mail_command_client.c,
global/mail_stream.c, global/msg_stats_print.c,
global/msg_stats_scan.c, global/post_mail.c, global/rcpt_buf.c,
global/rcpt_print.c, global/resolve_clnt.c, global/rewrite_clnt.c,
global/scache_clnt.c, global/trace.c, global/verify_clnt.c,
local/forward.c, milter/milter.c, milter/milter8.c,
milter/milter_macros.c, oqmgr/qmgr_deliver.c, pickup/pickup.c,
postdrop/postdrop.c, postscreen/postscreen_dnsbl.c,
postscreen/postscreen_send.c, postscreen/postscreen_starttls.c,
proxymap/proxymap.c, qmgr/qmgr_deliver.c, qmqpd/qmqpd.c,
scache/scache.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
tls/tls_mgr.c, tls/tls_proxy_clnt.c, tls/tls_proxy_print.c,
tls/tls_proxy_scan.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
trivial-rewrite/resolve.c, trivial-rewrite/rewrite.c,
trivial-rewrite/trivial-rewrite.c, util/attr.h.
20141217
Replaced compile-time argument typechecking based on inline
functions with an implementation based on ternary expressions
with unreachable assignments to dummy variables. This
should produce the exact same result as the approach based
on inline functions (which were standardized with C99).
Files: util/check_arg.h, util/attr.h, util/attr.c.
20141221
Portability: proof-of-concept template for OpenBSD build
with shared libpostfix etc. libraries. File: makedefs.
20141223
Cleanup: compile-time variadic argument type checking for
attribute-value APIs of vstream, vstream_popen, vstring,
pipe_command, spawn_command, attr_override, and mail_server
skeletons. Based on mostly automatic conversion and checking,
with a manual inspection of the remainder. Files:
anvil/anvil.c, bounce/bounce.c, cleanup/cleanup.c,
cleanup/cleanup_api.c, discard/discard.c, dnsblog/dnsblog.c,
error/error.c, flush/flush.c, global/attr_override.c,
global/attr_override.h, global/mail_connect.c, global/mail_queue.c,
global/mail_stream.c, global/mail_stream.h, global/pipe_command.c,
global/pipe_command.h, global/smtp_stream.c, global/timed_ipc.c,
local/command.c, local/local.c, master/event_server.c,
master/mail_server.h, master/multi_server.c,
master/single_server.c, milter/milter.c, milter/milter8.c,
oqmgr/qmgr.c, oqmgr/qmgr_transport.c, pickup/pickup.c,
pipe/pipe.c, postalias/postalias.c, postcat/postcat.c,
postdrop/postdrop.c, postmap/postmap.c, postscreen/postscreen.c,
postscreen/postscreen_dnsbl.c, postscreen/postscreen_haproxy.c,
postscreen/postscreen_starttls.c, posttls-finger/posttls-finger.c,
proxymap/proxymap.c, qmgr/qmgr.c, qmgr/qmgr_transport.c,
qmqpd/qmqpd.c, scache/scache.c, showq/showq.c, smtp/smtp.c,
smtpd/smtpd.c, smtpd/smtpd_check.c, smtpd/smtpd_proxy.c,
smtpstone/smtp-source.c, spawn/spawn.c, tls/tls_proxy_clnt.c,
tls/tls_stream.c, tlsmgr/tlsmgr.c, tlsproxy/tlsproxy.c,
trivial-rewrite/trivial-rewrite.c, util/auto_clnt.c,
util/ctable.c, util/dict_cache.c, util/dict_cache.h,
util/dict_lmdb.c, util/dict_tcp.c, util/netstring.c,
util/recv_pass_attr.c, util/slmdb.c, util/slmdb.h,
util/spawn_command.c, util/spawn_command.h, util/vstream.c,
util/vstream.h, util/vstream_popen.c, util/vstream_tweak.c,
util/vstring.c, util/vstring.h, verify/verify.c,
virtual/virtual.c, xsasl/xsasl_dovecot_server.c.
20141224
Cleanup: the compile-time argument typechecks for attribute-value
APIs are now by default implemented with inline functions.
Compile with -DNO_INLINE to implement the argument typechecks
with ternary operators and unreachable assignments. Files:
util/check_arg.h and its consumers.
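The two typecheck variants described in the 20141217 and 20141224 entries, shown side by side as an added example; this is not the code in util/check_arg.h. All EX_/ex_ names are hypothetical, and compiling with -DNO_INLINE selects the ternary variant for the wrapper macros.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Attribute type tags for a variadic attribute-value API (hypothetical). */
enum { EX_END = 0, EX_INT = 1, EX_STR = 2 };

/*
 * Variant 1: inline identity functions. A wrong argument type is reported
 * as an ordinary argument mismatch in a function call.
 */
static inline int ex_int_fn(int v) { return v; }
static inline const char *ex_str_fn(const char *v) { return v; }

/*
 * Variant 2: ternary with an unreachable assignment. The assignment never
 * executes, but the compiler still has to type-check it, so a wrong
 * argument type is reported as a bad assignment to the dummy variable.
 */
static int ex_int_dummy;
static const char *ex_str_dummy;

#define EX_INT_TERNARY(v) ((int) (1 ? (v) : (ex_int_dummy = (v))))
#define EX_STR_TERNARY(v) ((const char *) (1 ? (v) : (ex_str_dummy = (v))))

#ifdef NO_INLINE
#define EX_CHECK_INT(v) EX_INT_TERNARY(v)
#define EX_CHECK_STR(v) EX_STR_TERNARY(v)
#else
#define EX_CHECK_INT(v) ex_int_fn(v)
#define EX_CHECK_STR(v) ex_str_fn(v)
#endif

/* Callers never write a bare type tag; they use these checked macros. */
#define EX_SEND_INT(name, val) EX_INT, EX_CHECK_STR(name), EX_CHECK_INT(val)
#define EX_SEND_STR(name, val) EX_STR, EX_CHECK_STR(name), EX_CHECK_STR(val)

/* Variadic consumer: writes "name=value;" pairs, returns the pair count. */
static int ex_attr_print(char *buf, size_t len,...)
{
    va_list ap;
    size_t  used = 0;
    int     count = 0;
    int     type;

    if (len == 0)
        return 0;
    buf[0] = '\0';
    va_start(ap, len);
    while ((type = va_arg(ap, int)) != EX_END) {
        const char *name = va_arg(ap, const char *);
        int     n;

        if (type == EX_INT)
            n = snprintf(buf + used, len - used, "%s=%d;",
                         name, va_arg(ap, int));
        else if (type == EX_STR)
            n = snprintf(buf + used, len - used, "%s=%s;",
                         name, va_arg(ap, const char *));
        else
            break;                      /* unknown tag: stop reading */
        if (n < 0 || (size_t) n >= len - used)
            break;                      /* output did not fit */
        used += (size_t) n;
        count++;
    }
    va_end(ap);
    return count;
}

/*
 * Writing EX_SEND_INT("count", "3") here would be diagnosed by the
 * compiler. Without the check, va_arg(ap, int) would silently read a
 * pointer as an int at run time.
 */
static int ex_demo(char *buf, size_t len)
{
    return ex_attr_print(buf, len,
                         EX_SEND_INT("count", 3),
                         EX_SEND_STR("queue", "deferred"),
                         EX_END);
}

/* The same call with the ternary variant spelled out explicitly. */
static int ex_demo_ternary(char *buf, size_t len)
{
    return ex_attr_print(buf, len,
                         EX_INT, EX_STR_TERNARY("count"), EX_INT_TERNARY(3),
                         EX_STR, EX_STR_TERNARY("queue"),
                         EX_STR_TERNARY("deferred"),
                         EX_END);
}

int main(void)
{
    char    buf[64];
    int     n = ex_demo(buf, sizeof(buf));

    printf("%d attributes: %s\n", n, buf);
    n = ex_demo_ternary(buf, sizeof(buf));
    printf("%d attributes: %s\n", n, buf);
    return 0;
}
```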
20141226
NetBSD6/7 dynamic linking support. Viktor Dukhovni.
Cleanup: instead of making up new names, use a consistent
CA_ prefix for macros that implement compile-time argument
typechecks for non-protocol attribute-value APIs. This
transformation and its verification are mechanical.
Bugfix (introduced: Postfix 1.1, but latent before 3.0):
"postfix-install: daemon_directory: not found" error with
an ancient Solaris shell. Fixed by ALSO resetting IFS after
the end of a ``while IFS=foo command'' loop; counter to
expectation, the IFS reset in the loop body executed in a
child process. Background: some shells implement "IFS=foo
command" as a permanent IFS change; this was allowed by
standards at some point in time. File: postfix-install.
20141227
Feature: smtp_address_verify_target (default: rcpt) that
determines what protocol stage decides if a recipient is
valid. Specify "data" for servers that reject recipients
after the DATA command. Files: mantools/postlink,
proto/postconf.proto, proto/ADDRESS_VERIFICATION_README.html,
global/mail_params.h, smtp/lmtp_params.c, smtp/smtp.c,
smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c.
20141228
Cleanup: the IDNA conversion routines now accept both ASCII
and UTF8 inputs. The functions also verify that either their
result is a valid ASCII domain name or that it converts
into a valid ASCII domain name. Files: util/midna.c,
util/midna_test.in, util/midna_test.ref.
20141230
Cleanup: s/midna/midna_domain/ for better specificity,
because we also need functions that act only on the domain
portion of an email address. Files: bounce/bounce_template.c,
global/midna_adomain.c, posttls-finger/posttls-finger.c,
smtp/smtp_addr.c, smtpd/smtpd_check.c, tls/tls_client.c,
util/midna_domain.[hc], util/valid_utf8_hostname.c.
Infrastructure: function midna_adomain_to_utf8() (and
midna_adomain_to_ascii) to convert the domain portion of
an email address before table lookup. Files:
global/midna_adomain.[hc].
20141230-20140109
What is described here is the result of four iterations to
deal with malformed UTF-8 without massively contaminating
every Postfix program with new error-handling code paths,
in particular without triggering fatal errors that didn't
happen before.
Infrastructure: function casefold() to support caseless
string comparison, primarily for table lookups. This function
supports two modes: case folding a la lowercase() for ASCII
byte values, and UTF-8 case folding. As recommended at
http://www.w3.org/International/wiki/Case_folding for
caseless string comparison, this uses the en_US locale to
avoid surprises. The implementation handles the entire RFC
3629 Unicode range (code points U+0000..U+10FFFF including
surrogates) and is chroot(2) safe. Files: casefold.c,
stringops.h.
Infrastructure: revised the midna_domain_to_ascii and
midna_domain_to_utf8 domain name conversion functions after
careful reading of the UTS #46 specification, and after
observing that ICU 4.8 library functions indeed implement
this spec, at least with default options. In particular,
midna_domain_to_utf8 takes an UTF-8 domain name and verifies
that its A-label form will pass the valid_hostname() test.
File: util/midna_domain.c.
Infrastructure: handle UTF-8 errors in lookup table keys
or values without massively contaminating every Postfix
program with new error-handling code paths, in particular
without triggering fatal errors that didn't happen before.
The lookup/update/delete functions log a warning and ignore
a request with a bad key (it cannot exist); the update
functions ignore a request to store a bad value (it cannot
exist); and the lookup function reports a bad value as a
configuration error (it should not exist, but there it is).
Table iterators still report all (key, value) pairs in a
table. Files: util/dict.h, util/dict_open.c, util/dict_utf8.c,
global/mkmap_open.c.
Note that with SMTPUTF8 turned on, each table-driven mechanism
(access, aliases, etc.) needs to make its own decision
whether UTF-8 syntax is required. We cannot blindly require
that everything has valid UTF-8 syntax. That would make
header/body_checks useless for content inspection, because
headers may be malformed and bodies may contain legitimate
binary content that isn't UTF-8.
Note that with SMTPUTF8 turned off, Postfix must remain
8-bit clean as it always has been. Table operations must
not complain that something violates UTF-8 syntax rules.
UTF-8 sanitization in the Postfix SMTP server. With
smtputf8_enable=yes, SMTP commands with UTF-8 syntax errors
are rejected, table lookup results with invalid UTF-8 syntax
are handled as configuration errors, and UTF-8 syntax errors
in policy server replies result in execution of the policy
server's default action.
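The table behavior described in this entry (bad key ignored, bad value not stored, bad stored value reported as a configuration error, 8-bit clean when UTF-8 is off), as an added example rather than the code in util/dict_utf8.c. The EX_ names, the in-memory table and the strict RFC 3629 validator are assumptions made for illustration; EX_ERR_CONFIG stands in for a configuration-error result.

```c
#include <stdio.h>
#include <string.h>

/* Strict RFC 3629 check: rejects overlong forms, UTF-16 surrogates,
 * code points above U+10FFFF, and stray or missing continuation bytes. */
static int ex_valid_utf8(const char *str)
{
    const unsigned char *p = (const unsigned char *) str;

    while (*p) {
        unsigned c = *p++, lo = 0x80, hi = 0xbf;
        int     more;

        if (c < 0x80)
            continue;
        if (c >= 0xc2 && c <= 0xdf) {
            more = 1;
        } else if (c >= 0xe0 && c <= 0xef) {
            more = 2;
            if (c == 0xe0) lo = 0xa0;   /* no overlong 3-byte form */
            if (c == 0xed) hi = 0x9f;   /* no surrogates */
        } else if (c >= 0xf0 && c <= 0xf4) {
            more = 3;
            if (c == 0xf0) lo = 0x90;   /* no overlong 4-byte form */
            if (c == 0xf4) hi = 0x8f;   /* nothing above U+10FFFF */
        } else {
            return 0;                   /* 0x80..0xc1 and 0xf5..0xff */
        }
        for (; more > 0; more--, p++) {
            if (*p < lo || *p > hi)
                return 0;
            lo = 0x80, hi = 0xbf;       /* later bytes: full range */
        }
    }
    return 1;
}

enum { EX_ERR_NONE = 0, EX_ERR_CONFIG = 1 };
#define EX_MAX 8

typedef struct {
    int     utf8;                       /* models smtputf8_enable */
    int     error;                      /* result of the last lookup */
    int     count;
    const char *key[EX_MAX];            /* caller-owned strings */
    const char *val[EX_MAX];
} EX_TABLE;

/* The unwrapped table: stores and finds raw bytes, no syntax checks. */
static void ex_raw_put(EX_TABLE *t, const char *k, const char *v)
{
    if (t->count < EX_MAX) {
        t->key[t->count] = k;
        t->val[t->count++] = v;
    }
}

static const char *ex_raw_get(const EX_TABLE *t, const char *k)
{
    int     i;

    for (i = 0; i < t->count; i++)
        if (strcmp(t->key[i], k) == 0)
            return t->val[i];
    return NULL;
}

/* Wrapped update: returns 1 if stored, 0 if the request was ignored. */
static int ex_update(EX_TABLE *t, const char *k, const char *v)
{
    if (t->utf8 && (!ex_valid_utf8(k) || !ex_valid_utf8(v))) {
        fprintf(stderr, "warning: malformed UTF-8, update ignored\n");
        return 0;
    }
    ex_raw_put(t, k, v);
    return 1;
}

/* Wrapped lookup: NULL plus t->error tells "not found" from "bad value". */
static const char *ex_lookup(EX_TABLE *t, const char *k)
{
    const char *v;

    t->error = EX_ERR_NONE;
    if (t->utf8 && !ex_valid_utf8(k)) {
        fprintf(stderr, "warning: malformed UTF-8 key, lookup ignored\n");
        return NULL;                    /* such a key cannot exist */
    }
    v = ex_raw_get(t, k);
    if (v != NULL && t->utf8 && !ex_valid_utf8(v)) {
        t->error = EX_ERR_CONFIG;       /* should not exist, but does */
        return NULL;
    }
    return v;
}

int main(void)
{
    EX_TABLE t = {1, 0, 0, {0}, {0}};

    ex_raw_put(&t, "legacy", "caf\xe9");    /* constructed Latin-1 value */
    printf("bad key stored: %d\n", ex_update(&t, "bad\xff", "x"));
    printf("legacy: %s, error=%d\n",
           ex_lookup(&t, "legacy") ? "found" : "none", t.error);
    return 0;
}
```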
20150102
Cleanup: propagate DICT_ERR_CONFIG through the proxymap
protocol. Files: global/dict_proxy.[hc], proxymap/proxymap.c.
20150106
Robustness: don't segfault due to excessive recursion in
tok822_free_tree() after a faulty configuration runs into
the virtual_alias_recursion_limit. File: global/tok822_tree.c.
20150109
Cleanup: the dict debug module now proxies dict flags.
File: util/dict_debug.c.
With "smtputf8_enable = yes", the postmap and postalias
commands now enable UTF-8 by default (use "-u" to disable)
with one exception: UTF-8 remains disabled for header/body_checks
emulation (use "-U" to enable). Files: postmap/postmap.c,
postalias/postalias.c.
20150110
Cleanup: the "inline" and "texthash" implementations now
reuse the "internal" database instead of reinventing the
wheel. Files: util/dict_inline.c, util/dict_thash.c.
As a first step, with "smtputf8_enable = yes" all features
based on Postfix matchlists enable UTF-8 syntax checks and
UTF-8 casefolding for table patterns, but NOT YET for string
patterns. The list of features includes authorized_flush_users,
authorized_mailq_users, authorized_submit_users, debug_peer_list,
fast_flush_domains, mydestination, permit_mx_backup_networks,
qmqpd_authorized_clients, smtp_connection_cache_destinations,
smtpd_authorized_verp_clients, smtpd_authorized_xclient_hosts,
smtpd_authorized_xforward_hosts,
smtpd_client_event_limit_exceptions,
smtpd_log_access_permit_actions, smtpd_sasl_exceptions_networks,
the "domains" feature in ldap_table(5), memcache_table(5)
mysql_table(5), pgsql_table(5) and sqlite_table(5),
virtual_alias_domains, virtual_mailbox_domains.
20150111
Cleanup: simplified the interposition layer that adds UTF-8
support to Postfix lookup tables. Files: util/dict_utf8.c.
With "smtputf8_enable = yes", enable UTF-8 syntax checks
and UTF-8 casefolding for SMTP server access maps, alias_maps,
canonical_maps, fallback_transport_maps,
lmtp_tls_session_cache_database, local_recipient_maps,
mailbox_command_maps, mailbox_transport_maps, rbl_reply_maps,
recipient_bcc_maps, recipient_canonical_maps, relay_recipient_maps,
relocated_maps, sender_bcc_maps, sender_canonical_maps,
sender_dependent_relayhost_maps, sender_dependent_transport_maps,
smtp_generic_maps, smtp_sasl_auth_cache_name,
smtp_sasl_password_maps, smtp_tls_per_site, smtp_tls_policy_maps,
smtp_tls_session_cache_database, smtpd_sender_login_maps,
smtpd_tls_session_cache_database, transport_maps,
virtual_alias_maps, virtual_gid_maps, virtual_mailbox_maps,
virtual_uid_maps.
20150112
Infrastructure: support for UTF-8 casefolding in match_lists.
Instead of using strcasecmp(), casefold all fixed-string
patterns during initialization, casefold a search string
at the beginning of the search, and use strcmp() for
comparison. Files: util/casefold.c, util/dict.h, util/dict_utf8.c,
util/match_list.c, util/match_list.h, util/match_ops.c,
util/stringops.h, global/addr_match_list.c, global/domain_list.c,
global/namadr_list.c, global/string_list.c.
20150113
Cleanup: show the configuration parameter name in error
messages while parsing or searching match_list-based features
such as mydestination, relay_domains and a few dozen more.
Files: cleanup/cleanup_init.c, flush/flush.c,
global/addr_match_list.c, global/debug_peer.c,
global/domain_list.c, global/flush_clnt.c,
global/match_parent_style.c, global/namadr_list.c,
global/resolve_local.c, global/string_list.c, global/user_acl.[hc],
postdrop/postdrop.c, postqueue/postqueue.c,
postscreen/postscreen.c, qmqpd/qmqpd.c, sendmail/sendmail.c,
smtp/smtp.c, smtp/smtp_sasl_glue.c, smtpd/smtpd.c,
smtpd/smtpd_check.c, trivial-rewrite/resolve.c,
util/match_list.[hc], util/match_ops.c.
Cleanup: apply printable() to all bounce(8) service
string-valued protocol fields. File: bounce/bounce.c.
Apparently the ICU 4.8 ucasemap_utf8FoldCase() function does
not complain about UTF-8 syntax errors, so we add our own
redundant check. File: util/casefold.c.
20150115
Bitrot: prepare for future changes in OpenSSL. Viktor
Dukhovni. Files: tls/tls.h, tls/tls_dh.c, tls/tls_misc.c,
tls/tls_rsa.c, tls/tls_server.c.
Documentation: "avoid hash files here, use btree or lmdb
instead". File: proto/ADDRESS_VERIFICATION_README.html.
Safety: virtual_alias_address_length_limit (default: 1000)
to stop aliasing loops that exponentially increase the
address length with each iteration. Files: global/mail_params.h,
mantools/postlink, proto/postconf.proto, cleanup/cleanup.c,
cleanup/cleanup_init.c, cleanup/cleanup_map1n.c.
20150116
TLS wrappermode in the Postfix smtp(8) client. This introduces
a new parameter "smtp_tls_wrappermode" (default: no). Files:
global/mail_params.h, mantools/postlink, proto/postconf.proto,
smtp/lmtp_params.c, smtp/smtp.[hc], smtp/smtp_connect.c,
smtp/smtp_params.c, smtp/smtp_proto.c.
TLS wrappermode in posttls-finger(1), and some DANE-related
cleanups. This introduces a new option "-w". Viktor Dukhovni.
Files: posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
tls/tls.h, tls/tls_client.c, tls/tls_fprint.c.
20150117
Cleanup: missing " in \%s\" in postscreen(8) fatal error
messages. Iain Hibbert. File: postconf/postconf_master.c.
20150118
Bugfix (introduced: 20140731): when a connection timed out
before any command was received, the Postfix SMTP server
"disconnect from" logging would show the content of the
last SMTP server response (421 4.4.2 $myhostname error:
timeout exceeded) instead of per-command statistics, because
there were no statistics to report. The Postfix SMTP server
now always logs the total number of commands (commands=x/y)
even when the client did not send any. This helps logfile
analyzers to recognize sessions without commands. File:
smtpd/smtpd.c.
20150120
Bugfix (introduced: 20141230-20140109): do not reallocate
a dictionary handle after it is initialized. This breaks
CDB. Problem reported by Andreas Schulze. Files: util/dict.h,
util/dict_alloc.c, util/dict_utf8.c.
Cleanup: simplified the dict_utf8 wrapper implementation.
Files: util/dict.h, util/dict_alloc.c, util/dict_utf8.c.
20150121
Cleanup: undo changes in check_mumble_access() that replaced
error handling with longjmp() calls. This could introduce
memory leaks in check_mumble_access() callers. Files:
smtpd/smtpd_check.c, smtpd/smtpd_error.ref.
20150122
Cleanup: miscellaneous cruft, typos, comments, error messages.
proto/COMPATIBILITY_README.html, global/addr_match_list.c,
global/domain_list.c, global/namadr_list.c, global/string_list.c,
global/user_acl.c, postalias/postalias.c, postmap/postmap.c,
tls/tls_client.c, util/dict_alloc.c, util/dict_open.c,
util/match_list.c.
20150124
Workaround: nroff has been improved so that "-" comes out as
some non-ASCII character, unlike HTML where it comes out
as itself. Andreas Schulze. This requires jumping a few
hops to generate HTML and nroff input from the same source
text. Files: mantools/srctoman, mantools/postconf2man.
Cleanup: UTF-8 support in masquerade_domains. File:
cleanup/cleanup_masquerade.c.
20150125
Cleanup: simplified the casefold() API: no input-dependent
failure modes. Files: cleanup/cleanup_masquerade.c,
util/casefold.c, util/dict_utf8.c, util/match_list.c,
util/strcasecmp_utf8.c, util/stringops.h.
Cleanup: replaced str*casecmp() calls with UTF8-enabled
versions. Files: bounce/bounce.c, bounce/bounce_append_service.c,
bounce/bounce_notify_service.c, bounce/bounce_notify_verp.c,
bounce/bounce_one_service.c, bounce/bounce_trace_service.c,
bounce/bounce_warn_service.c, cleanup/cleanup_addr.c,
cleanup/cleanup_map11.c, cleanup/cleanup_map1n.c,
global/log_adhoc.c, global/mail_addr_find.c, global/mail_params.c,
global/split_addr.c, global/verify.c, global/verify_sender_addr.c,
local/alias.c, local/recipient.c, oqmgr/qmgr_message.c,
qmgr/qmgr_message.c, smtp/smtp_tls_policy.c, smtpd/smtpd_check.c,
smtpd/smtpd_milter.c, trivial-rewrite/resolve.c,
util/strcasecmp_utf8.c, util/stringops.h.
20150126
Portability: added missing #ifdef STRCASECMP_IN_STRINGS_H
for platforms that require it. Files: dns/dns_rr_filter.c,
milter/milter8.c, posttls-finger/posttls-finger.c,
tls/tls_dane.c, tlsproxy/tlsproxy.c, util/dict_test.c.
Cleanup: replaced lowercase() calls with UTF-8-enabled
versions. Files: flush/flush.c, global/been_here.c,
global/delivered_hdr.c, global/fold_addr.c, global/fold_addr.h,
local/forward.c, local/recipient.c, pipe/pipe.c,
smtpd/smtpd_resolve.c, util/casefold.c, util/stringops.h,
virtual/recipient.c.
20150127
Cleanup: simplified the 20150125 and 20150126 APIs, replacing
the most-common use cases with convenience macros that have
fewer arguments. Files: anything that implements or invokes
casefold*() or str*casecmp().
Documentation: missing words and typos. Matthew Selsky. Files:
proto/SMTPUTF8_README.html, util/dict_open.c, util/vstream.c.
20150128
Bugfix: the ICU casemapping API can report success, while
producing output that is not null-terminated. But we can
deal with that. File: util/casefold.c.
Cleanup: unnecessary buffers. File: util/strcasecmp_utf8.c.
Cleanup: whitespace in source-code documentation has gotten
damaged through the years. Files: util/iostuff.h,
util/msg_vstream.h, util/msg_syslog.h, util/msg_output.h,
util/msg.h, util/inet_proto.c, trivial-rewrite/trivial-rewrite.c,
tls/tls.h, postconf/postconf.c, master/multi_server.c,
master/event_server.c, global/memcache_proto.h,
global/dict_mysql.c, global/dict_ldap.c, discard/discard.c,
error/error.c, global/dict_proxy.c, global/mail_conf_int.c,
global/match_parent_style.c, global/scache.c, global/scache.h,
qmgr/qmgr_entry.c, qmgr/qmgr_peer.c, smtp/smtp_rcpt.c,
smtpd/smtpd_peer.c, tls/tls_mgr.c, util/attr_scan0.c,
util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c.
Cleanup: typos. Files: proto/socketmap_table, proto/mysql_table,
global/dict_mysql.c, proto/lmdb_table, smtpstone/smtp-sink.c,
posttls-finger/posttls-finger.c.
Bugfix: restart the Postfix SMTP server SASL client after
XCLIENT may have changed the client IP address. Matthew
Via. File: smtpd/smtpd.c.
20150129
More whitespace in source-code comment regressions. Viktor
(mostly) and Wietse. smtpd/smtpd_proxy.c, util/format_tv.c,
util/line_wrap.c, util/slmdb.c, qmgr/qmgr_peer.c,
smtp/smtp_rcpt.c, smtpd/smtpd_peer.c, tls/tls_mgr.c,
trivial-rewrite/trivial-rewrite.c, util/attr_scan0.c,
util/dict_tcp.c, util/hex_code.c, util/valid_hostname.c,
discard/discard.c, error/error.c, global/dict_proxy.c,
global/mail_conf_int.c, global/match_parent_style.c,
global/scache.c, qmgr/qmgr_entry.c, global/dict_ldap.c,
global/dict_mysql.c, posttls-finger/posttls-finger.c,
smtp/smtp.c, tls/tls_certkey.c.
Cleanup: avoid hidden buffer allocation in casefold().
Files: local/forward.c, local/recipient.c, virtual/recipient.c.
Cleanup: HTML validator errors. Files: proto/postconf.proto,
proto/TLS_README.html, proto/MILTER_README.html.
Great rename from 2.12 to 3.0. Lots of files, 99% mechanical.
Cleanup: HTML entities in *roff manpage source. File:
mantools/fixman, proto/postconf.proto, smtpd/smtpd.c,
trivial-rewrite/trivial-rewrite.c.
20150201
Usability: in error messages, print the CAfile and CApath
value in double quotes, to clue in people who specify quoted
pathnames in main.cf. Viktor Dukhovni. Files: tls/tls_certkey.c
and testing code in posttls-finger/posttls-finger.c.
20150202
Cleanup: make posttls-finger -k/-K documentation consistent
with behavior. File: posttls-finger/posttls-finger.c.
20150203
Cleanup: API minimization, by making some functions static.
Files: util/dict.h, util/dict_utf8.c.
20150205
Preliminary feature: support for building position-independent
executables (PIE), tested on Fedora Core 20, Ubuntu 14.04,
FreeBSD 9 and 10, and NetBSD 6. See INSTALL section 4.3 for
details and limitations. Files: makedefs, proto/INSTALL.html,
RELEASE_NOTES-3.0.
20150208
Cleanup: after many years, the access(5) map BCC action is
part of the stable release. Files: smtpd/smtpd_check.c,
proto/acces.
20150210
Cleanup: socketmap documentation. File: proto/socketmap_table.
20150211
Cleanup: strncasecmp_utf8() streamlining. Files: util/stringops.h,
util/allascii.c, util/strcasecmp_utf8.c.
20150212
Cleanup: in code after reading main.cf, removed bogus guard
before re-evaluating the mail_task() syslog prefix. File:
postlog/postlog.c.
20150214
Bugfix (introduced: Postfix 3.0): missing #ifdef USE_TLS
inside #ifdef USE_SASL_AUTH broke the build. Viktor Dukhovni.
File: smtpd/smtpd.c.
Cleanup: missing errno logging in bounce daemon clients.
This made troubleshooting significantly more difficult.
File: global/mail_command_client.c.
20150216
Cleanup: documented that mail_connect() produces no errno
logging. The functions that call it should log the error
(and the majority does). File: global/mail_connect.c.
Cleanup: added errno logging after mail_connect() failure.
Files: global/post_mail.c, local/forward.c.
Cleanup: in code after reading main.cf, removed bogus guard
before re-evaluating the mail_task() syslog prefix. Files:
postalias/postalias.c, postdrop/postdrop.c, postmap/postmap.c,
postqueue/postqueue.c, postsuper/postsuper.c, sendmail/sendmail.c.
20150218
Documentation: header/body_checks additional text about whether
an action stops further inspection of the input stream. File:
proto/header_checks.
Robustness: reject installation pathnames with whitespace.
File: postfix-install.
20150217
Cleanup: missing include. File: util/allascii.c.
20150221
Bugfix (introduced: Postfix 3.0): don't append '.' to the
DNS resource record value, when converting TXT records to
the string form that is used by xxx_dns_reply_filter.
File: dns/dns_strrecord.c.
20150313
Documentation: incorrect Postfix version number for
postscreen_dnsbl_timeout. Quanah Gibson-Mount. File:
postscreen/postscreen.c.
20150320
Cleanup: better sorting order for the default tls_*_cipherlist
settings. OpenSSL does not order "ALL" quite right: some
MEDIUM ciphers (SEED and IDEA) sneak up above some 128-bit
HIGH ciphers. Also previously, when we prefer "aNULL" we
moved MEDIUM with aNULL above same bit-length HIGH but not
aNULL. Viktor Dukhovni. File: global/mail_params.h.
20150324
Bugfix (introduced: Postfix 2.6): sender_dependent_relayhost_maps
ignored the relayhost setting in the case of a DUNNO lookup
result. It would use the recipient domain instead. Viktor
Dukhovni. Wietse took the pieces of code that enforce the
precedence of a sender-dependent relayhost, the global
relayhost, and the recipient domain, and put that code
together in one place so that it is easier to maintain.
File: trivial-rewrite/resolve.c.
20150326
Feature: lmtp_fallback_relay, limited to TCP destinations
only. Viktor Dukhovni. Wietse updated the postlink, smtp.c,
and smtp-only files, and added a warning when lmtp_fallback_relay
is specified for a non-TCP destination. Files: mantools/postlink,
smtp/smtp.c, smtp/smtp-only, smtp/smtp_connect.c,
smtp/smtp_params.c, global/mail_params.h, proto/postconf.proto.
20150328
Bugfix (introduced: Postfix 1.1.0): post-install expanded
macros in parameter values when trying to detect parameter
overrides, causing unnecessary main.cf updates during Postfix
start-up. Julian Reich, Viktor Dukhovni, and Wietse. File:
conf/post-install.
20150330
Bitrot: prepare for future changes in OpenSSL API. Viktor
Dukhovni. File: tls_dane.c.
Safety: instead of bouncing mail, report a soft error when
SASL infrastructure breaks. Viktor Dukhovni, Emmanuel Fuste.
Files: smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h,
xsasl/xsasl_cyrus_server.c, xsasl/xsasl_dovecot_server.c.
20150401
Documentation: update the mydestination default value in
the stock main.cf file. File: conf/main.cf.
20150404
Documentation: add "postconf -m" output to problem reports. File:
proto/DEBUG_README.html.
20150418
Portability: use the icu-config utility to locate the ICU
include and library files. With this, Postfix builds out
of the box on MacOS X. File: makedefs.
20150421
Bugfix (introduced: 19970309): reset errno before calling
readdir(), in order to distinguish between end-of-directory and
an error condition. File: scandir.c.
20150426
Cleanup: when transmitting an attribute-value sequence
between Postfix processes, a hash table may now appear at
any position instead of only at the end. Files:
util/attr_scan{0,64,plain}.c, util/attr_print{0,64,plain}.c,
util/attr_scan{0,64,plain}.ref.
Feature: milter_macro_defaults, an optional list of macro
name=value pairs that specify default values for Milter
macros. When a macro is to be sent to a Milter application,
Postfix will send its default value when no value is available
from the mail delivery context. For example, with
"milter_macro_defaults = auth_type=TLS", Postfix will send
an auth_type of "TLS" unless a remote client authenticates
with SASL. Files: mantools/postlink, proto/MILTER_README.html,
proto/postconf.proto, cleanup/cleanup.c, cleanup/cleanup_init.c,
cleanup/cleanup_milter.c, global/mail_params.h, milter/milter.c,
milter/milter.h, smtpd/smtpd.c, smtpd/smtpd_milter.c.
20150501
Support for Linux 4.*, and some simplification for future
makedefs files. Files: makedefs, util/sys_defs.h.
20150502
Cleanup: updated the examples in MILTER_README. File:
proto/MILTER_README.html.
20150529
Support for DNS reply TTL values in dnsblog and postscreen.
Files: dnsblog/dnsblog.c, postscreen/postscreen_early.c,
postscreen/postscreen_dnsbl.c.
20150607
Support for DNS reply TTL values for "not found" responses
(negative reply caching). The postscreen daemon needs this to
accurately whitelist an SMTP client that is not found on any
DNSBL. Files: dns/dns_lookup.c, dns/dns_strrecord.c, dns/dns.h,
dns/test_dns_lookup.c.
20150615
Two new parameters to limit how long a DNSBL or DNSWL lookup
result remains valid: postscreen_dnsbl_max_ttl is an upper
limit for the TTL from a DNS query, and postscreen_dnsbl_min_ttl
is a lower limit. The old postscreen_dnsbl_ttl provides a
backwards-compatible default for postscreen_dnsbl_max_ttl.
Files: global/mail_params.h, postscreen/postscreen.c,
postscreen/postscreen_early.c, mantools/postlink,
proto/postconf.proto.
20150616
Refinement: the postscreen daemon now computes two combined
DNS reply TTLs: one combined TTL for replies that the client
should be blocked, and one combined TTL for replies that the
client should be allowed. This is more conservative than
simply combining all reply TTLs into one number. File:
postscreen/postscreen_dnsbl.c.
20150621
Feature: default_transport_rate_delay (and the transport-specific
*transport*_transport_rate_delay) to enforce a destination-
independent rate limit on deliveries. Files: mantools/postlink,
proto/postconf.proto, *qmgr/qmgr.h, *qmgr/qmgr_transport.c,
*qmgr/qmgr_deliver.c, *qmgr/qmgr.c.
20150707
Workaround: some DNS servers reply with NXDOMAIN for type
NS queries with names that actually have an A record. This
broke check_mumble_ns_access. File: smtpd/smtpd_check.c.
20150711
Workaround: conditional time default value can result in
multiple time unit suffixes. Files: global/conv_time.c,
global/mail_conf_time.c.
20150712
Cleanup: configurable workaround (dns_ncache_ttl_fix_enable)
in case some future libc change breaks a promise made by
current resolver(3) documentation. Files: global/mail_params.[hc].
Cleanup: removed unused libdns dependencies. No-one remembers
why they were introduced. Files: postscreen/Makefile.in,
qmqpd/Makefile.in, smtpd/Makefile.in, tlsmgr/Makefile.in.
Cleanup: code indentation. Viktor Dukhovni. File:
smtp/smtp_addr.c.
Workaround: With Solaris10, write_wait() hangs in poll()
until timeout, when invoked after peekfd() has received an
ECONNRESET error indication. This happens when a client
sends QUIT and closes the connection immediately. File:
util/peekfd.c.
20150715
Security: updated default Diffie-Hellman export (512 bit)
primes and non-export (from 1024 to 2048 bit) primes, and
updated text on non-export DH primes. Viktor Dukhovni.
Files: tls/tls_dh.c, proto/FORWARD_SECRECY_README.html.
20150718
Security: opportunistic TLS by default uses "medium" or
stronger ciphers instead of "export" or stronger. See the
RELEASE_NOTES file for how to get the old settings back.
Files: global/mail_params.h, proto/TLS_README.html,
proto/postconf.proto, and files derived from those.
20150719
Security: Postfix TLS support by default no longer uses
SSLv2 or SSLv3. See the RELEASE_NOTES file for how to get
the old settings back. Files: global/mail_params.h,
proto/postconf.proto, and files derived from those.
20150722
Cleanup: the COMPATIBILITY_README* files were not installed.
File: conf/postfix-files.
20150726
Cleanup: some lost edits for the SASL_README file. File:
proto/SASL_README.html.
20150816
Workaround: updated the 20150707 fix for DNS servers that
reply with NXDOMAIN for type NS queries instead of (NOERROR,
zero answers). File: smtpd/smtpd_check.c.
20150829
Documentation: TLS session tickets are preferred over the
local server-side smtpd_tls_session_cache_database storage.
TLS session tickets are supported as of OpenSSL 0.9.8h (May
2008). Files: mantools/postlink, proto/TLS_README.html,
proto/postconf.proto.
20150831
Cleanup: obsolete comments in Makefile.init.
20150903
Workaround: disable DNSSEC support for AIX 7x and earlier.
The AIX 6/7 resolver(5) API defines RES_USE_DNSSEC without
defining the "ad" bit. Viktor Dukhovni. Files: makedefs,
proto/INSTALL.html, dns/dns.h.
20150912
Future-proofing and code cleanup: exploit GCC and Clang
"warn_unused_result" feature to flag missing error checks.
Files: util/sys_defs.h, util/attr.h, util/edit_file.h,
util/listen.h, util/lstat_as.h, util/mac_expand.h,
util/mac_parse.h, util/myaddrinfo.h, util/myflock.h,
util/sane_fsops.h, util/sane_socketpair.h, util/stat_as.h,
util/base32_code.h, util/base64_code.h, util/hex_code.h,
util/timed_wait.h, util/vstream.h, src/util/vstring_vstream.h.
Cleanup: incomplete error check. Found with WARN_UNUSED_RESULT
check. File: util/recv_pass_attr.c.
Future-proofing: added type mis-match detection for
ATTR_TYPE_FUNC function-pointer arguments. File: util/attr.h.
Cleanup: don't ignore seek-to-end-of-file errors. File:
global/record.c.
Cleanup: use vstream_fpurge() to purge VSTREAM buffers,
instead of calling vstream_fseek() and ignoring ESPIPE
errors. File: smtpstone/qmqp-sink.c.
20150913
Feature: SMTPD policy service "policy_context" attribute
and smtpd_policy_service_policy_context main.cf parameter.
Originally, to share the same SMTPD policy service endpoint
among multiple check_policy_service clients. Markus Benning.
Files: mantools/postlink, proto/SMTPD_POLICY_README.html,
proto/postconf.proto, global/mail_params.h, global/mail_proto.h,
smtpd/smtpd.c, smtpd/smtpd_check.c.
20150923
Bugfix (introduced: 20120531-617): the Postfix SMTP server
used a larger-than-1 VSTREAM buffer to read the HAProxy
connection hand-off information. This broke TLS wrappermode,
as the TLS hello packet would end up in the plaintext VSTREAM
buffer. Reported by Lukas Erlacher. File: smtpd/smtpd_haproxy.c.
20150924
Cleanup (introduced: 20060510, exposed 20150912): eliminated
a harmless warning message "seek error after reading END
record: Illegal seek" from the cleanup server after a
check_sender_access DISCARD action. File: cleanup/cleanup.c.
Bugfix (introduced: 20090216-24): incorrect postmulti error
message. Reported by Patrik Koetter. Fix by Viktor Dukhovni.
File: postmulti/postmulti.c.
Workaround: don't create a new instance when the template
main.cf and master.cf files are missing, as happens on
Debian-like systems. Viktor Dukhovni. File: conf/postmulti-script.
20150930
Bugfix (introduced: 20040124): Milter client panic while
adding a header, because the PREPEND action used the same
output function for header_checks and body_checks. Viktor
Dukhovni and Wietse. File: cleanup/cleanup_message.c.
Bugfix (introduced: 20031128): xtext_unquote() did not
propagate error reports from xtext_unquote_append(), causing
the decoder to return partial output, instead of rejecting
malformed input. Fix by Krzysztof Wojta. File: global/xtext.c.
20151003
Bugfix (copied from xtext): uxtext_unquote() did not propagate
error reports from uxtext_unquote_append(), causing the
decoder to return partial output, instead of rejecting
malformed input. Found by searching the code for similar
error patterns as with xtext_unquote(). File: global/uxtext.c.
Cleanup: added missing "negative" unit tests. Files:
global/xtext.c, global/uxtext.c.
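Added example (not Postfix source code) of the defect pattern in the 20150930 xtext_unquote() and 20151003 uxtext_unquote() entries: a wrapper that drops the inner decoder's error result returns a decoded prefix, while the corrected wrapper rejects the input. All demo_* names, the buffer-based interface and the sample strings are assumptions made for this illustration; the decoder follows the RFC 3461 xtext syntax.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of an upper-case hex digit as used by RFC 3461 hexchar, or -1. */
static int demo_hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    if (c >= 'A' && c <= 'F')
        return c - 'A' + 10;
    return -1;
}

/*
 * Inner decoder (hypothetical name). Appends the decoded form of "in" to
 * out[0..cap-1] at offset *len. Returns 0 on success, -1 on malformed
 * input or lack of space. On error, out still holds the decoded prefix.
 */
static int demo_xtext_append(char *out, size_t cap, size_t *len, const char *in)
{
    const unsigned char *cp = (const unsigned char *) in;
    int ch, hi, lo;

    while ((ch = *cp++) != 0) {
        if (ch == '+') {
            /* "+" must be followed by exactly two hex digits. */
            if ((hi = demo_hexval(cp[0])) < 0 || (lo = demo_hexval(cp[1])) < 0)
                return -1;
            ch = (hi << 4) | lo;
            cp += 2;
        } else if (ch < '!' || ch > '~' || ch == '=') {
            return -1;                  /* not a legal xchar */
        }
        if (*len + 1 >= cap)
            return -1;                  /* no room for byte plus terminator */
        out[(*len)++] = (char) ch;
        out[*len] = '\0';
    }
    return 0;
}

/*
 * Defect pattern: the inner error result is discarded, so the caller
 * receives partial output and cannot tell that the input was malformed.
 */
const char *demo_xtext_unquote_lossy(char *out, size_t cap, const char *in)
{
    size_t len = 0;

    if (cap == 0)
        return NULL;
    out[0] = '\0';
    (void) demo_xtext_append(out, cap, &len, in);
    return out;
}

/* Corrected pattern: propagate the error and hand back no partial result. */
const char *demo_xtext_unquote(char *out, size_t cap, const char *in)
{
    size_t len = 0;

    if (cap == 0)
        return NULL;
    out[0] = '\0';
    if (demo_xtext_append(out, cap, &len, in) < 0) {
        out[0] = '\0';
        return NULL;
    }
    return out;
}

int main(void)
{
    char buf[64];
    const char *bad = "alice+2Bok+4";   /* constructed: truncated "+4" escape */
    const char *r;

    printf("lossy:  %s\n", demo_xtext_unquote_lossy(buf, sizeof(buf), bad));
    r = demo_xtext_unquote(buf, sizeof(buf), bad);
    printf("strict: %s\n", r ? r : "(rejected)");
    return 0;
}
```

The "negative" unit tests mentioned in the 20151003 entry correspond to feeding such malformed strings and checking for rejection.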
20151004
Future proofing: use a real VSTRING in the 20150930 header
PREPEND fix. File: cleanup/cleanup_message.c.
Future proofing: make vstring_import() consistent with
vstring_alloc(). The alternative would be to remove the
function as it is unused and exists only for symmetry with
vstring_export(). File: util/vstring.c.
20151010
Cleanup: the 20150903 workaround for AIX DNSSEC used the
wrong name in #ifdef. File: dns/dns.h.
20151011
Cleanup: in the PCRE client, turn fatal lookup errors into
warnings, and skip the failing pattern as in dict_regexp.c.
Also, fixed the error text when running into the matcher's
backtracking limit. File: util/dict_pcre.c.
20151017
Feature: smtpd_client_auth_rate_limit enforces a rate
limit on the number of AUTH commands per client IP address.
Files: mantools/postlink, proto/postconf.proto, anvil/anvil.c,
global/anvil_clnt.c, global/anvil_clnt.h, global/mail_params.h,
smtpd/smtpd.c.
20151018
Added RFC 7672 (SMTP security via opportunistic DANE TLS)
and RFC 7505 ("Null MX" No Service Resource Record) to the
lists of supported RFCs in manpages. Viktor Dukhovni. Files:
smtp/smtp.c, smtpd/smtpd.c.
20151031
Bitrot: OpenSSL API cleanups. Viktor Dukhovni. Files:
.indent.pro, tls/tls.h, tls/tls_dane.c, tls/tls_fprint.c,
tls/tls_misc.c, tls/tls_server.c, tls/tls_verify.c.
20151124
Bugfix (introduced: Postfix 3.0): don't throttle a destination
after opportunistic TLS failure. Viktor Dukhovni and Wietse.
Files: smtp/smtp_proto.c, smtp/smtp.h, smtp/smtp_trouble.c.
20151128
Feature: JSON-formatted queue listing with "postqueue -j".
Output is a stream of JSON objects, one per queue file. To
simplify stream-mode parsing, each JSON object is followed by
a newline character. Files: postqueue/postqueue.c,
postqueue/postqueue.h, postqueue/showq_compat.c,
postqueue/showq_json.c, showq/showq.c.
20151216
Bugfix (introduced: 20151128): bogus queue file parsing error.
File: showq/showq.c.
20151226
Cleanup: postlog(1) now pauses for 1s after reporting a
fatal or panic error. This makes behavior of scripts such
as postfix-script consistent with built-in error messages.
File: postlog/postlog.c.
20151227
Robustness: don't allow for whitespace in command-line
arguments. Files: postfix-install, conf/post-install.
Robustness: added a comment to discourage people who keep
adding code that calls gethostbyname() to determine the
default myhostname setting. This is a mistake: all Postfix
programs will hang when the DNS is unavailable. File:
global/mail_params.c.
Safety: a limit on the number of address verification probes
in the active queue (address_verify_pending_request_limit),
by default 1/4 of the active queue maximum size. The queue
manager tempfails probe messages that exceed the limit.
Files: mantools/postlink, proto/postconf.proto, cleanup/cleanup.h,
cleanup/cleanup_envelope.c, cleanup/cleanup_out_recipient.c,
cleanup/cleanup_state.c, global/mail_params.h, global/post_mail.c,
global/post_mail.h, global/verify.c, oqmgr/qmgr.c, oqmgr/qmgr.h,
oqmgr/qmgr_message.c, qmgr/qmgr.c, qmgr/qmgr.h,
qmgr/qmgr_message.c, verify/verify.c.
20160102
Workaround: MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH,
which breaks the build and install. Viktor Dukhovni and
Wietse. Files: makedefs, postfix-install, Makefile.in.
Bitrot: OpenSSL 1.1.0-dev drops support for EXPORT ciphers
and ephemeral RSA. Viktor Dukhovni. Files: tls/tls_client.c,
tls/tls_rsa.c, tls/tls_server.c.
Bugfix: memory leak in tls_set_eecdh_curve(). Viktor Dukhovni.
File: tls/tls_dh.c.
Bugfix (introduced 20150326): when lmtp_fallback_relay
support was added, the code that generates lmtp_mumble
parameters from smtp_mumble parameters wasn't updated. File:
smtp/smtp-only.
Bugfix (introduced 20151017): the smtpd_client_auth_rate_limit
implementation was not guarded with #ifdef USE_SASL_AUTH.
File: smtpd/smtpd.c.
20160103
Feature: enable DANE policies when an MX host has a secure
TLSA DNS record, even if the MX DNS record was obtained
with insecure lookups. The existence of a secure TLSA record
implies that the host wants to talk TLS and not plaintext.
This behavior is controlled with smtp_tls_dane_insecure_mx_policy
(default: "dane", other settings: "encrypt" and "may"; the
latter is backwards-compatible with earlier Postfix releases).
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
src/global/mail_params.h, src/posttls-finger/posttls-finger.c,
src/smtp/smtp-only, src/smtp/smtp.c, src/smtp/smtp.h,
src/smtp/smtp_addr.c, src/smtp/smtp_params.c,
src/smtp/smtp_tls_policy.c, src/tls/tls.h, src/tls/tls_client.c.
20160104
Cleanup: distinct TLS levels for "full" DANE and for DANE
with insecure MX records. Viktor Dukhovni. Files:
posttls-finger/posttls-finger.c, smtp/smtp_tls_policy.c,
tls/tls.h, tls/tls_client.c, tls/tls_level.c.
20160108
Cleanup: smtp_reply_footer() now restores state in case of
input error; unit tests that cover most if not all error
and non-error cases. Files: global/smtp_reply_footer.c,
global/smtp_reply_footer.ref.
20160110
Bitrot: const-ification for OpenSSL 1.1.0. Viktor Dukhovni.
File: tls/tls_misc.c.
20160116
"postconf -H" support (show names without the =value).
Initial use case: mass reversal of TLS-related main.cf
parameters (postconf -nH | grep _tls_ | xargs postconf -X).
This flag also works with "postconf -F" and "postconf -P".
Added missing documentation that -h works with "postconf
-F" and "postconf -P". Files: postconf.c, postconf.h,
postconf_master.c, postconf_main.c.
Robustness: force html2text to produce ASCII output. File:
mantools/html2readme.
Feature: "postfix tls" commands to enable opportunistic TLS
in the Postfix SMTP client or server, or generate or replace
Postfix SMTP server TLS private keys and server certificates.
Viktor Dukhovni, Wietse. Files: conf/postfix-files,
conf/postfix-script, conf/postfix-tls-script, makedefs,
proto/INSTALL.html, proto/postconf.proto, global/mail_params.h,
postfix/postfix.c, tls/tls_misc.c.
Portability: added a tls_random_source default setting for
MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
20160118
Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
security levels ranging from 0 to 5. Level "0" is backwards
compatible, and other levels are increasingly restrictive.
Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
20160205
Portability: Postfix TLS support uses /dev/urandom if
available and no system-specific setting exists in sys_defs.h.
Files: makedefs, util/sys_defs.h.
20160208
Cleanup: building the INSTALL file had failed, added
hyperlinks for "postfix tls". Files: mantools/postlink.
20160210
Feature: all-default-client and all-default-server subcommands.
Eray Aslan. File: conf/postfix-tls-script.
Bugfix: the postqueue(1) JSON formatter wrote a spurious
comma after the delay reason. Reported by Christian Roessner.
File: postqueue/showq_json.c.
20160212
Cleanup: Bold/Italic cleanup in manpages.
20160213
Added Google credits to external manpages.
20160214
More manpage cleanups. Viktor, Wietse.
20160215
Cleanup: "match_list_match: permit_mynetworks: no match" after
a SUCCESSFUL permit_mynetworks match of a client IP address was
complicating troubleshooting. The fix is to log additional
context to clarify that this "no match" condition is for
smtpd_log_access_permit_actions. File: smtpd/smtpd_check.c.
20160224
Cleanup: un-break some DNS unit tests by replacing non-portable
numerical flags with portable symbolic names in the verbose
command output. Files: dns/dns_str_resflags.c, dns/dns_lookup.c,
dns/Makefile.in, many *.ref files.
20160227
Cleanup: remember multiple BCC actions in access maps.
Files: smtpd/smtpd.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
smtpd/smtpd_state.c, proto/access.
20160228
Documentation: STRESS_README. File: proto/STRESS_README.html.
20160229
Documentation: postmulti manpage. File: postmulti/postmulti.c.
20160305
Future-proofing: detect integer overflow before it happens.
After-the-fact detection relies on assumptions about
undefined behavior that are invalidated by compilers. Files:
util/mymalloc.c, util/vstring.c.
20160310
Bugfix (introduced: Postfix 2.6): the Milter SMFIR_CHGFROM
(replace sender) request lost the sender_bcc_maps address.
Fixed by moving some record keeping to the sender output
function. Files: cleanup/cleanup_envelope.c,
cleanup/cleanup_addr.c, cleanup/cleanup_milter.c,
cleanup/cleanup.h, regression tests.
20160314
Future-proofing: revised off_t integer conversion (detect off_t
overflow before it happens). After-the-fact detection relies
on assumptions about undefined behavior that are invalidated by
compilers. Files: global/off_cvt.c.
Cleanup: include once, instead of making it
system-dependent. File: util/sys_defs.h.
Cleanup: make sorting in "make depend" locale-independent.
Files: */Makefile.in.
Cleanup: postmulti manpage. File: postmulti/postmulti.c.
20160319
Future-proofing: revised format-string width or precision integer
conversion (detect integer overflow before it happens), plus
some tests to ensure that format-string widths and precisions
are parsed correctly, and that output buffers are sized
correctly. Files: util/vbuf_print.c, util/vbuf_print_test.in,
util/vbuf_print_test.ref.
20160320
Testing: exact-size VSTRING allocation. Files: util/vstring.[hc].
Cleanup: switch to snprintf() for redundancy, keeping
existing code in place to censor unnecessary format-string
features. Specify "make makefiles CCARGS=-DNO_SNPRINTF" for
ancient systems. Files: vbuf_print.c, makedefs, util/sys_defs.h,
proto/INSTALL.html.
20160324
Future-proofing: revised netstring length integer conversion
(detect integer overflow before it happens). File:
util/netstring.c.
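Added example (not Postfix source code) of the "detect integer overflow before it happens" approach named in the 20160305, 20160314, 20160319 and 20160324 entries, with the after-the-fact form shown for contrast. The demo_* names, the use of long in place of ssize_t or off_t, and the sample inputs are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>

/*
 * After-the-fact form, for contrast only. When len + incr exceeds
 * LONG_MAX the addition itself is undefined behavior, so a compiler may
 * assume it cannot happen and delete the "sum < len" test.
 */
long demo_grow_len_after(long len, long incr)
{
    long sum = len + incr;              /* undefined on overflow */

    return (sum < len) ? -1 : sum;
}

/*
 * Before-the-fact form: compare against the headroom that is left, using
 * a subtraction that cannot overflow, and only then add.
 */
long demo_grow_len(long len, long incr)
{
    if (len < 0 || incr < 0 || len > LONG_MAX - incr)
        return -1;
    return len + incr;
}

/*
 * Parse a decimal length such as a netstring length prefix or a format
 * width. Returns the value, or -1 for empty input, a non-digit, or a
 * value above "limit". No intermediate result ever exceeds "limit".
 */
long demo_parse_len(const char *s, long limit)
{
    long result = 0;
    int digit;

    if (limit < 0 || *s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        digit = *s - '0';
        /*
         * result * 10 + digit <= limit  is equivalent to
         * result <= (limit - digit) / 10  once digit <= limit holds,
         * and the right-hand side cannot overflow.
         */
        if (digit > limit || result > (limit - digit) / 10)
            return -1;
        result = result * 10 + digit;
    }
    return result;
}

int main(void)
{
    /* Constructed inputs: one value at the limit, one just past it. */
    printf("%ld\n", demo_parse_len("2147483647", (long) INT_MAX));
    printf("%ld\n", demo_parse_len("2147483648", (long) INT_MAX));
    printf("%ld\n", demo_grow_len(LONG_MAX, 1));
    return 0;
}
```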
Cleanup: report unsupported usage of '%ls' and '%lc' in
format strings. File: util/vbuf_print.c.
20160326
Future-proofing: regression test for global/off_cvt.c.
Files: global/off_cvt.in, global/off_cvt.ref.
20160327
Cleanup: postconf(1) manpage. File: postconf/postconf.c.
Cleanup: un-broke regression tests. Files: dns/mxonly_test.ref,
dns/no-mx.ref, smtpd/smtpd_server.ref, smtpd/smtpd_server.in.
Added Postfix version information to the "postconf -m" manpage
section. File: postconf/postconf.c.
20160330
The collate.pl script by Viktor Dukhovni for grouping Postfix
logfile records into "sessions" based on queue ID and process
ID information. Files: auxiliary/collate/*.
20160407
Treat SASL_FAIL and SASL_NOMEM as temporary errors.
Markus Benning. File: xsasl/xsasl_cyrus_server.c.
20160410
Bugfix (introduced: Postfix 2.6): the "bad filetype"
header_checks pattern falsely rejected Content-Mumble headers
with ``name="example"; x-apple-part-url="example.com"''.
Fixed by respecting the ";" separator between content
attribute values. Reported by Cedric Knight. File:
proto/header_checks.
20160515
Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h,
dns/dns_str_resflags.c.
20160521
Bugfix (introduced: Postfix beta): the never-used function
mvect_free() attempted to free memory that it has not
allocated. File: util/mvect.c.
Cleanup: existing if/endif support for pcre and regexp
tables, in preparation for new if/endif support for cidr
tables. Files: util/dict_regexp.c, util/dict_pcre.c.
20160526
Feature: cidr tables now support if/endif and negation (by
prepending "!" to a pattern), just like regexp and pcre
tables. The primary purpose is to improve readability of
complex tables. Files: util/cidr_match.[hc], util/dict_cidr.c,
proto/cidr_table.
Cleanup: make regexp: and pcre: parser warning messages more
similar. Files: dict_regexp.c, dict_pcre.c.
20160601
Cleanup: moved parsing of '!' operators from cidr_match.c
to dict_cidr.c. Files: util/cidr_match.[hc], util/dict_cidr.c,
util/match_ops.c.
20160604
Cleanup: made parsing of '!' operators in regexp and pcre
tables consistent with cidr tables. Files: util/dict_regexp.c,
util/dict_pcre.c.
20160605
Cleanup: integer wrap-around detection in the MySQL and
PostgreSQL clients. This is totally non-critical because
Postfix strings are size-limited by design. Files:
global/dict_mysql.c, global/dict_pgsql.c.
20160607
Documentation: dnsblog.
20160609
Documentation: postsuper(1) manpage text for multiple -[dhH]
options. File: postsuper/postsuper.c.
20160611
Cleanup: Postfix SMTP server local IP address and port
attributes in the policy delegation protocol (attribute
names: server_address, server_port), in the Milter protocol
(macro names: {daemon_addr}, {daemon_port}) and in the
XCLIENT protocol (attribute names: DESTADDR, DESTPORT).
Files: proto/MILTER_README.html, proto/SMTPD_POLICY_README.html,
cleanup/cleanup.h, cleanup/cleanup_milter.c, global/mail_proto.h,
milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c,
smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c.
20160612
Bugfix (introduced: 20090211): missing server address
conversion for non-proxy, non-postscreen connections. File:
smtpd/smtpd_peer.c.
Bugfix (introduced: 20160611): missing server port conversion
for non-proxy, non-postscreen connections, because there was
no server address conversion. File: smtpd/smtpd_peer.c.
20160618
Bugfix (introduced: 20091121): with the introduction of
sender_dependent_default_transport_maps, the SMTP daemon
was not updated. This resulted in false rejects with
sender-dependent "error" transports. Based on a fix by
Russell Yanofsky. Files: global/resolve_clnt.c,
global/resolve_clnt.h, smtpd/smtpd_check.c, smtpd/smtpd_check.h,
smtpd/smtpd_milter.c, smtpd/smtpd_resolve.c, smtpd/smtpd_resolve.h.
20160619
Refinements to the 20160618 fix. For more consistent results
with sender address validation, use the recipient address
(if available) as the sender-dependent address resolver
context. For better caching, pass sender context with all
attempts to resolve an email address. Files: smtpd/smtpd.c,
smtpd/smtpd_check.c, smtpd/smtpd_milter.c.
20160625
Cleanup: the Postfix SMTP server now passes network address
and port information to the Cyrus SASL library. Build with
``make makefiles "CCARGS=$CCARGS -DNO_IP_CYRUS_SASL_AUTH"''
for backwards compatibility. Files: makedefs,
smtpd/smtpd_sasl_glue.c, xsasl/xsasl.h, xsasl/xsasl_cyrus_server.c,
xsasl/xsasl_server.c.
Cleanup: dnsblog manpage. File: dnsblog/dnsblog.c.
20160717
Bugfix (introduced: Postfix 1.1): the virtual(8) delivery
agent discarded the error result from vstream_fseek().
20160728
Bugfix (introduced: 20090614): with concurrent connections
from the same client IP address, and after-220 tests enabled,
postscreen could overwrite the cached "all tests completed"
result of one connection that completed the after-220 tests,
with the "some tests not completed" result of a concurrent
connection where the client hung up before completing the
after-220 tests. Files: postscreen_misc.c, postscreen_state.c,
postscreen.h, postscreen_tests.c, postscreen.c, postscreen_smtpd.c,
postscreen_early.c.
20160730
Cleanup: don't try to optimize away postscreen cache updates.
File: postscreen_misc.c.
Cleanup: removed compatibility crutches that emulated a
historical data organization from four years ago. Files:
postscreen/postscreen.[hc], postscreen/postscreen_early.c,
postscreen/postscreen_smtpd.c, postscreen/postscreen_tests.c.
20160808
Cleanup: preserve the new file mtimes when installing Postfix.
Ondřej Lysoněk. File: postfix-install.
REVERTED 20160828.
20160819
Bugfix (introduced: Postfix 3.0): the makedefs script ignored
readme_directory=pathname overrides. Fix by Todd C. Olson.
File: makedefs.
20160821
Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
documentation says aes-256-cbc, but the implementation was
using aes-128-cbc (note that Postfix session ticket keys
are rotated after 1/2 hour, to limit the impact of attacks
on session ticket keys).
20160828
Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
tls/tls_client.c.
Cleanup: disable reuse of ECDH ephemeral keys. Viktor
Dukhovni. File: tls/tls_misc.h.
20160908
Documentation: add a pointer to hosts(5) and services(5)
for symbolic host and port syntax. File: proto/master.
20160911
Bugfix (introduced: Postfix 3.0): the SMTP daemon did not
reset a previous session's command counts before rejecting
a client that exceeds request or concurrency rates. File:
smtpd/smtpd.c.
20160912
Feature: preserve the new file mtimes when installing
Postfix. Ondřej Lysoněk. Wietse made this conditional on
the presence of a new -keep-new-mtime flag. File: postfix-install.
[this flag was renamed to "-keep-build-mtime" on 20161126]
20160917
Bugfix (introduced: Postfix 3.0): the unionmap did not
propagate table lookup errors. Based on patch by Roel van
Meer. Files: util/dict_union.c, util/dict_union_test.*.
Cleanup: added unit test for pipemap. Files: util/dict_pipe.c,
util/dict_pipe_test.*.
Documentation: added a note about the order of search
patterns and table lookup order. Files: proto/canonical,
proto/generic, proto/virtual.
Documentation: bitrot in postsuper(1) example. Different
groff versions produce different results; some systems no
longer support historical "tail -number" command syntax.
Fix by Geert Stappers. File: postsuper/postsuper.c.
20160918
Logging: the Postfix SMTP server logs the sasl_username
after rejected SMTP commands. As before, the SMTP server
does not forward SASL login information to other Postfix
subsystems, and it does not receive SASL login information
in XFORWARD commands. File: smtpd/smtpd.c.
20160925
Bugfix (introduced: Postfix 2.11): changed the default MySQL
option_group value to "client" to enable the reading of
"client" option group settings in the MySQL option file.
This fixes false "not found" errors with Postfix queries
that contain UTF8-encoded text. Fix by John Fawcett.
Specify an empty option_group value to get backwards-compatible
behavior. Files: global/dict_mysql.c, proto/mysql_table.
20161007
Bitrot: API for the ersatz inet_ntop() function, when
compiling with -DNO_IPV6 (which exists only for debugging).
Files: util/sys_defs.h, util/sys_compat.c.
20161008
Feature: smtp_tcp_port, similar to the existing lmtp_tcp_port.
Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, smtp/smtp.c, smtp/smtp_connect.c,
smtp/smtp_params.c.
Feature: "PASS" and "STRIP" actions in header/body_checks.
"STRIP" is similar to "IGNORE" but also logs the action,
and "PASS" disables header, body, and Milter inspection for
the remainder of the message content. Contributed by Hobbit.
Files: cleanup/cleanup_message.c, global/header_body_checks.c.
20161024
Feature: smtpd_milter_maps, per-client Milter configuration
that overrides smtpd_milters, and that has the same syntax.
Files: mantools/postlink, proto/MILTER_README.html,
proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
smtpd/smtpd.h, smtpd/smtpd_sasl_proto.c, smtpd/smtpd_state.c.
20161103
Cleanup: error reporting for IDNA (non-ASCII domain name)
conversion errors. File: util/midna_domain.c.
Cleanup: non-transitional conversion of UTF8 to/from ASCII
domain name labels used in DNS queries. This disables
'transitional' compatibility between IDNA2003 and IDNA2008,
and affects some corner cases such as German sz and Greek
zeta. Specify "enable_idna2003_compatibility = yes" to
restore historical behavior. Files: util/midna_domain.[hc],
mantools/postlink, global/mail_params.[hc], proto/postconf.proto,
proto/SMTPUTF8_README.html.
20161105
Bugfix (introduced: Postfix 1.1): the postsuper command did
not count a successful rename operation after error recovery.
Problem reported by Markus Schönhaber. File: postsuper/postsuper.c.
Cleanup: error reporting for IDNA (non-ASCII domain name)
conversion errors, and enable_idna2003_compatibility
configuration. File: util/midna_domain.c.
20161106
Documentation: specify the minimum ICU library version (4.6).
File: proto/SMTPUTF8_README.html.
20161109
Portability: force LC_ALL=C in dict_utf8 test. This should
probably be in every shell script.
20161120
Documentation: clarified the syntax of $name and ${name...}
in parameter values, and some wordsmithing. Files:
proto/postconf.html.prolog, proto/postconf.man.prolog.
20161123
Documentation: clarified reject_non_fqdn_{sender,recipient}.
The syntax check applies only for domains that are actually
specified, not for missing domains. File: proto/postconf.proto.
20161126
Cleanup: the postfix-install option "-keep-new-mtime" was
renamed to "-keep-build-mtime". File: postfix-install.
Feature: "make makefiles POSTFIX_INSTALL_OPTS=-keep-build-mtime"
to set the installed file mtimes to their build time instead
of their installation time. Based on code by Ondřej Lysoněk.
Wietse added a guard to prevent POSTFIX_INSTALL_OPTS from
passing arbitrary options. Files: makedefs, Makefile.in,
proto/INSTALL.html.
20161201
Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf
submission service example. File: conf/master.cf.
20161202
Documentation: typos in postconf(1) manpage. File:
postconf/postconf.c.
20161204
Cleanup: properly report numerical conversion errors in
${{number} relational-operator ${number}}, and wordsmithing.
File: util/mac_expand.c.
Updated auxiliary/collate/collate.pl with Viktor's suggestion
in <98D25E24-EAB1-42BB-82FD-794F5DDD4E7F@dukhovni.org> for
better tracking of message flows.
Cleanup: remove tentative features that were implemented
before the DANE spec was finalized: support for certificate
usage PKIX-EE(1), the ability to disable digest agility
(Postfix now behaves as if "tls_dane_digest_agility = on"),
and the ability to disable support for "TLSA 2 [01] [12]"
records that specify the digest of a trust anchor (Postfix
now behaves as if "tls_dane_trust_anchor_digest_enable =
yes"). Viktor Dukhovni. Files: mantools/postlink,
proto/postconf.proto, proto/TLS_README.html, tls/tls.h,
tls/tls_dane.c, smtp/smtp.c.
Bugfix (introduced: Postfix 3.1): cut-and-paste error in
the "postfix tls deploy-server-cert" command, causing the
wrong certfile and keyfile to be used. Viktor Dukhovni.
File: conf/postfix-tls-script.
Robustness: create a new keyfile when "postfix tls
new-server-cert" is invoked, and main.cf specifies a
non-existent keyfile. Viktor Dukhovni. File:
conf/postfix-tls-script.
20161205
Cleanup: log the sender address when rejecting a too large
message size in a "MAIL FROM: SIZE=nnn" command.
File: smtpd/smtpd.c.
20161206
Bugfix (introduced: Postfix 3.0): when receiving a MAIL
FROM...SMTPUTF8 command while smtpd_delay_reject=no, enable
SMTPUTF8 support before processing smtpd_sender_restrictions.
Problem reported by Viktor Dukhovni. File: smtpd/smtpd.c.
Bugfix (introduced: Postfix 3.0): when receiving a
VRFY...SMTPUTF8 command, enable SMTPUTF8 support while
processing smtpd_recipient_restrictions. File: smtpd/smtpd.c.
20161220
Bugfix (introduced: Postfix 2.1.0): the Postfix SMTP daemon
did not query sender_canonical_maps when rejecting unknown
senders with "smtpd_reject_unlisted_recipient = yes" or
with reject_unlisted_sender. Stephen R. van den Berg (Mr.
procmail). Files: smtpd/smtpd.c, smtpd/smtpd_check.c.
20161217
Enable elliptic curve negotiation with OpenSSL >= 1.0.2.
This changes the default smtpd_tls_eecdh_grade setting to
"auto", and introduces a new parameter tls_eecdh_auto_curves
with the names of curves that may be negotiated. The default
tls_eecdh_auto_curves setting is determined at compile time,
and depends on the Postfix and OpenSSL versions. At runtime,
Postfix will skip curve names that aren't supported by the
OpenSSL library. Viktor Dukhovni. Files: mantools/postlink,
proto/FORWARD_SECRECY_README.html, proto/TLS_README.html,
proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
tls/tls.h, tls/tls_client.c, tls/tls_dh.c, tls/tls_misc.c,
tls/tls_server.c.
Feature: stored-procedure support for MySQL databases.
John Fawcett. Files: global/dict_mysql.c, proto/mysql_table.
20161223
Bugfix (introduced: Postfix 3.2 snapshots): the makedefs
script produced a garbled CCARGS setting when no suitable
ICU library was found. File: makedefs.
20161225
Cleanup: simplified handling of unsupported curve names in
the tls_eecdh_auto_curves parameter value. File: tls/tls_dh.c.
Cleanup: simplified code structure in the MySQL client
support for stored procedures. File: global/dict_mysql.c.
20161226
Cleanup: more MySQL client code simplification, better error
messages, new per-database "require_result_set" parameter
(default: yes) which can be set to "no" to avoid the need
for dummy SELECT statements in stored procedures. Files:
global/dict_mysql.c, proto/mysql_table, postconf/postconf_dbms.c.
Portability: SSL_CTX_set_ecdh_auto() is part of the deprecated
OpenSSL API, so it must be used under #ifdef. Viktor Dukhovni.
File: src/tls/tls_dh.c.
20161227
Safety: the sendmail -C option must specify an authorized
configuration directory: the default configuration directory,
a directory that is listed in the default main.cf file with
alternate_config_directories or multi_instance_directories,
or the command must be invoked with root privileges. This
mitigates a problem with the PHP mail() function. Files:
global/mail_conf.[hc], sendmail/sendmail.c.
20161228
Documentation: moved the "BACKWARDS COMPATIBILITY" sections
to the end of ldap_table, mysql_table, pgsql_table, and
sqlite_table, renamed to "OBSOLETE MAIN.CF PARAMETERS".
20161231
Bugfix (introduced: 20160521): segfault (null pointer) in
cidr, pcre, and regexp table when an input does not match
an ENDIF-less IF operator. Found during code maintenance.
Files: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c.
20170101
Portability: SunOS5 builds broke after moving the sys/types.h
include statement to the top of sys_defs.h.
Portability: declaration after code is GNU dialect. File:
util/vbuf_print.c.
Portability: compatibility macros for SSLv23_client_method()
etc. deprecation. Files: tls/tls.h, tls/tls_client.c,
tls/tls_dane.c, tls_server.c.
201606-20170108
Cleanup: handling of address extensions with email addresses
that contain spaces. The virtual_alias_maps, canonical_maps,
and smtp_generic_maps features now correctly propagate an
address extension from "aa bb+ext"@example.com to "cc
dd+ext"@other.example, instead of producing broken output.
Files updated to support conversion between unquoted and
quoted address forms, as required for addresses that contain
spaces: global/mail_addr_map.*, global/mail_addr_find.* and
global/mail_addr_crunch.*.
Files updated to enable these address conversions to correctly
propagate address extensions: cleanup/cleanup_map11.c
(canonical_maps), cleanup/cleanup_map1n.c (virtual_alias_maps),
and smtp/smtp_generic.c (smtp_generic_maps).
Files updated to rename functions to better reflect their
input and output forms: global/split_addr.*, global/strip_addr.*.
Files updated to support quoted lookup keys: util/dict_inline.c,
util/dict_thash.c, postmap/postmap.c.
Files updated to invoke a backwards-compatible mail_addr_find()
version that disables quoted/unquoted address conversions:
smtp/smtp_sasl_glue.c (smtp_sasl_password_maps),
smtpd/smtpd_check.c (SMTP server address validation),
cleanup/cleanup_addr.c (sender_bcc_maps and recipient_bcc_maps),
virtual/mailbox.c (user-related table lookups),
trivial-rewrite/transport.c (transport_maps),
trivial-rewrite/resolve.c (sender_dependent_mumble_maps,
relocated_maps). These features may be migrated later to
enable quoted-form address lookup keys, for consistency
with other Postfix features.
20170109
Cleanup: reduce the number of modified files relative to
the last regular release, to make a back-port more feasible.
This renames the new mail_addr_find() to mail_addr_find_opt(),
and renames the backwards-compatibility mail_addr_find_noconv()
to its old name mail_addr_find(). Added backwards-compatible
aliases {split,strip}_addr() for {split,strip}_addr_local().
To ensure correctness these edits were done mechanically,
and verified mechanically.
20170111
Documentation: when (smtp|lmtp)_delivery_status_filter is
applied. File: proto/postconf.proto.
20170114
Cleanup: careful handling of local-parts that contain '@',
as they are converted into quoted form. Files:
global/mail_addr_find.*, global/quote_822_local.*,
global/quote_flags.*.
Cleanup: added unit tests for malformed inputs. Files:
util/dict_thash{in,ref}.
Cleanup: minimize the patch size of the quoting fixes, and
a preliminary back-port to Postfix 3.1.4.
20170115
Cleanup: enable "externalized" address lookup by default,
with legacy-style "internalized" lookup for backwards
compatibility, for sender_bcc_maps, recipient_bcc_maps,
smtp_sasl_password_maps, smtpd_sender_login_maps, relocated_maps,
sender_dependent_mumble_maps, virtual_{mailbox,uid,gid}_maps.
File: global/mail_addr_find.c.
Cleanup: enable "externalized" address lookup by default,
with legacy-style "internalized" lookup for backwards
compatibility, for transport_maps. Files: global/mail_addr_find.*,
trivial-rewrite/transport.*.
Cleanup: mail_addr_find_() now has a configurable strategy
for full and partial address lookup, so that it may also
be used for localpart lookup in access maps.
20170116
Cleanup: parent domain matching is now implemented in the
mail_addr_find() engine. Simplified the transport_maps
lookup to just one mail_addr_find_() call. Files:
global/mail_addr_find.*, trivial-rewrite/transport.*.
Cleanup: enabled "externalized" address lookup by default,
with legacy-style "internalized" lookup for backwards
compatibility, for check_sender_access and check_recipient_access.
This now uses 'user@' lookup support in the mail_addr_find()
engine. File: global/mail_addr_find.*, smtpd/smtpd_check.c.
20170122
Cleanup: separated the database query form from the address
form that is input to mail_addr_find_() or mail_addr_map*(),
in an attempt to make the code more obviously correct. Files:
global/mail_addr_find.c, global/mail_addr_map.c.
Abandoned an experiment that used internal-form queries for
all maps, because it would be very difficult to test. The
test inputs would have to compensate for multiple levels
of unquoting by postmap, C compilers, or shell interpreters.
Cleanup: moved the backwards-compatibility lookup strategy
(try the external address form first, then the internal
address form if it is different) inside the loop that
iterates over full and partial address forms. File:
global/mail_addr_find.c.
20170125
Cleanup: mail_addr_find test scripting. Eliminate main.cf
dependencies, and allow all tests to run in one process.
Files: global/mail_addr_find.*
20170127
Cleanup: mail_addr_find and mail_addr_form named constants.
Files: global/mail_addr_form.h, mail_addr_find.h, and
dependents.
20170128
Cleanup: smtp_generic_maps implementation. Reduced the
number of internal<->external form address conversions,
added more rigorous tests, and eliminated the main.cf and
trivial-rewrite dependencies. Files: smtp_map11.*.
20170129
Cleanup: bogus UTC timezone setting for postqueue/mailq
command output, and other environment settings for root and
non-root users in set-gid programs. File: postqueue/postqueue.c
(enforce import_environment name=value overrides for root
users), util/msg_syslog_init.c (don't override non-existent
TZ settings with UTC), util/unsafe.c (exclude uid==0, euid==0
super-user from privilege escalation concerns).
20170131
Cleanup: more complete VALGRIND coverage for test build targets
and scripts. Files: postalias/fail_test.in, postmap/fail_test.in,
postmap/quote_test.in, util/dict_pipe_test.in,
util/dict_union_test.in, util/dict_utf8_test.in.
20170201
Portability: unsetenv() for ancient platforms. File:
makedefs, util/sys_compat.c.
20170205
Cleanup: security checks for config_directory overrides.
File: global/mail_conf.c.
Cleanup: enforce import_environment name=value settings in
command-line utilities, for consistency with Postfix daemons (but
without removing environment variables). This is not enforced
in the postconf command which must be able to process main.cf
files with incomplete settings. Files: postalias/postalias.c,
postcat/postcat.c, postkick/postkick.c, postlock/postlock.c,
postlog/postlog.c, postmap/postmap.c, postsuper/postsuper.c,
posttls-finger/posttls-finger.c, sendmail/sendmail.c,
util/clean_env.[hc].
20170206
Bugfix (introduced: Postfix 3.0): check_mumble_a_access
did not handle [ipaddress], unlike check_mumble_mx_access.
When check_mumble_a_access was introduced, some condition
was not updated. Reported by James (postfix_tracker). File:
smtpd/smtpd_check.c.
20170207
Cleanup: rephrased paranoia precondition. File: global/mail_conf.c.
20170211
Cleanup: rephrased paranoia precondition. File: util/unsafe.c.
20170218
Cleanup: typofixes from klemens. The only change in compiled
code is in one identical mysql error message that also
appears in the pgsql client. Files: about 50.
20170221
Compatibility fix (introduced: Postfix 3.1): some Milter
applications do not recognize macros sent as {name} when macros
have single-character names. Postfix now sends such macros
without {} as it has done historically. Viktor Dukhovni. File:
milter/milter.c.
20170228
Documentation: re-word scary warnings at the top of SASL_README
and TLS_README.
20170402
Bugfix (introduced: Postfix 3.2): restore the SMTP server
receive override options at the end of an SMTP session,
after the options may have been modified by an smtpd_milter_maps
setting of "DISABLE". Problem report by Christian Rößner,
root cause analysis by Viktor Dukhovni. File: smtpd/smtpd.c.
20170430
Safety net: append a null byte to vstring buffers, so that
C-style string operations won't scribble past the end. File:
vstring.[hc].
20170505
Workaround for a current problem where some destination
announces primarily IPv6 MX addresses, the smtp_address_limit
eliminates most or all IPv4 addresses, and the destination
is not reachable over IPv6. This workaround is enabled with
"smtp_balance_mx_inet_protocols = yes", which is the default.
Files: smtp/smtp.c, smtp/smtp_params.c, smtp/smtp_addr.c,
global/mail_params.h, proto/postconf.proto.
20170506
A last-minute cosmetic fix had introduced a bug in
smtp/smtp_addr.c.
20170512
Bugfix (introduced: Postfix 2.0): the MIME nesting level
counter was not initialized (i.e. left at the memory fill
pattern 0xffffffff which equals -1). This broke unit tests
with a different memory allocator. Changing the value to
zero would break backwards compatibility (reject mail that
was previously not rejected). Files: global/mime_state.c.
20170531
Bugfix (introduced: Postfix 3.2): after the table lookup
overhaul, the check_sender_access and check_recipient_access
features ignored the parent_domain_matches_subdomains
setting. Reported by Henrik Larsson. File: smtpd/smtpd_check.c.
Workaround (introduced: Postfix 3.2): mail_addr_find() logs
a warning that it does not support both parent-domain and
dot-parent-domain style lookups in the same call. File:
global/mail_addr_find.c
20170610
Workaround (introduced: Postfix 3.0 20140718): prevent MIME
downgrade of Postfix-generated message/delivery-status.
It's supposed to be 7bit, therefore quoted-printable encoding
is not expected. Problem reported by Griff. File:
bounce/bounce_notify_util.c.
Documentation: indicate that the transport_mumble parameters
are implemented by the queue manager, not by delivery agents.
Files: mantools/postlink, local/local.c, pipe/pipe.c,
*qmgr/qmgr.c, smtp/smtp.c, virtual/virtual.c.
20170611
Security: Berkeley DB 2 and later try to read settings from
a file DB_CONFIG in the current directory. This undocumented
feature may introduce undisclosed vulnerabilities resulting
in privilege escalation with Postfix set-gid programs
(postdrop, postqueue) before they chdir to the Postfix queue
directory, and with the postmap and postalias commands
depending on whether the user's current directory is writable
by other users. This fix does not change Postfix behavior
for Berkeley DB < 3, but reduces file create performance
for Berkeley DB 3 .. 4.6. File: util/dict_db.c.
20170617
Cleanup: the postconf command warns about unknown parameter
names in a database configuration file, specified as an
absolute pathname (for example, ldap:/path/to/file). This
code was mostly written in January 2017, and it still is a
partial implementation. Files: postconf/postconf_dbms.c,
postconf/Makefile.in, postconf/test66.ref.
20170618
Cleanup: added missing "defined(__GLIBC__)" guards for
GLIBC version tests. File: util/sys_defs.h.
20170620
Bugfix (introduced: Postfix 3.2): extension propagation was
broken with "recipient_delimiter = .". This change reverts
a change that was trying to be too clever. Files:
global/mail_addr_crunch.c, global/mail_addr_crunch.ref.
20170704
Typos (introduced: Postfix 2.10): in comments about
IPv4-in-IPv6 addresses, replace :ffff::1.2.3.4 with the
correct form ::ffff:1.2.3.4. Incorrect or misleading comments
are worse than no comments. Files: smtpd/smtpd_haproxy.c,
postscreen/postscreen_haproxy.c.
20170721
Bitrot: updated postconf LDAP database configuration check with
SASL and TLS-related parameters. Reported by Ralf Hildebrandt.
File: postconf/postconf_dbms.c.
20170722
Cleanup: don't log the 'delay_dotcrlf' workaround for CISCO
PIX bugs before the smtp_pix_workaround_threshold_time has
passed. Reported by Ralf Hildebrandt. File: smtp/smtp_proto.c.
20170727
Cleanup: the postconf command now uses mechanically-generated
lists of DBMS parameter names. This eliminates false positives
with mysql databases. Files: postconf/Makefile.in,
postconf/extract_cfg.sh, postconf/postconf_dbms.c.
Cleanup: removed `#if 0/#endif' dead code from dict_ldap.c,
to avoid spurious output from the extract_cfg.sh parameter name
extraction tool.
20170728
Documentation: added warnings that "enable_original_recipient
= no" prevents Postfix <= 3.2 from saving the address
verification result under the original probe destination
address, if it is changed by aliasing or canonical mapping.
Files: proto/ADDRESS_VERIFICATION_README.html,
proto/postconf.proto.
Cleanup: don't store an empty address in the verify cache
(this could happen with "enable_original_recipient = no").
File: global/verify.c.
20170729
Cleanup: the setting "enable_original_recipient = no" no
longer breaks address verification for aliased addresses.
This does not change the behavior of the X-Original-To
header and of recipient deduplication. The fix is to always
store the original recipient in queue files. Some other
changes were needed to move ownership of the var_enable_orcpt
parameter from the cleanup daemon to the global library.
Files: cleanup/cleanup_init.c, cleanup/cleanup_milter.c,
cleanup_out_recipient.c, global/mail_params.c, global/mail_copy.c,
proto/postconf.proto, proto/ADDRESS_VERIFICATION_README.html,
local/local.c, virtual/virtual.c, pipe/pipe.c.
20170730
Bugfix (introduced: yesterday): revert global/verify.c code
to always store the verify result under the original address,
and to conditionally store it under the rewritten address.
File: global/verify.c.
20170827
Safety: in vstream_buf_space(), add a sanity check to reject
negative request sizes, instead of letting the program fail
later. File: util/vstream.c
Bugfix: in tests that enable the VSTRING_FLAG_EXACT flag,
vstring_buf_put_ready() could fail to extend the buffer,
causing infinite recursion in VBUF_PUT(). File: util/vstring.c.
20170830
Bugfix: in vbuf_print(), save the parser-produced format
string before calling msg_panic(), so that the panic message
will not display its own format string. File: util/vbuf_print.c.
20170831
Undefined behavior (introduced Postfix 1.0): after subtracting
a larger unsigned integer from a smaller one, do not assign
the result to a signed integer. File: postqueue/showq_compat.c.
20170910
Safety: restore sanity checks for dynamically-specified
width and precision in format strings (%*, %.*, and %*.*).
These checks were lost with the Postfix 3.2 rewrite of
the vbuf_print formatter. File: vbuf_print.c.
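The kind of check this entry restores, shown in an added example that is not Postfix's vbuf_print() code: a small formatter that validates '*' width and precision arguments before any output space is used. The checked_format() name, the 1024 limit, and rejecting negative values outright are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 1024          /* assumed limit for width and precision */

/*
 * Format into out[outlen]. Supports %%, %s and %d, each with an optional
 * width and precision written as digits or as '*'. Returns the output
 * length, or -1 for an unsupported directive, an out-of-range width or
 * precision, or output that does not fit.
 */
int checked_format(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    size_t  used = 0;
    int     ok = (outlen > 0);

    va_start(ap, fmt);
    while (ok && *fmt) {
        int     field[2] = {0, -1};     /* width, precision (-1: absent) */
        size_t  room = outlen - used;
        int     n;

        if (*fmt != '%' || fmt[1] == '%') {     /* literal text or "%%" */
            if ((ok = (room > 1)) != 0) {
                out[used++] = *fmt;
                fmt += (*fmt == '%') ? 2 : 1;
            }
            continue;
        }
        fmt++;                                  /* skip '%' */
        for (int i = 0; ok && i < 2; i++) {
            if (i == 1) {
                if (*fmt != '.')
                    break;                      /* no precision given */
                fmt++;
            }
            if (*fmt == '*') {                  /* value comes from caller */
                field[i] = va_arg(ap, int);
                fmt++;
            } else {                            /* value is in the format */
                field[i] = 0;
                while (*fmt >= '0' && *fmt <= '9' && field[i] <= MAX_FIELD)
                    field[i] = field[i] * 10 + (*fmt++ - '0');
            }
            /* The sanity check: never pass a negative or huge size on. */
            ok = (field[i] >= 0 && field[i] <= MAX_FIELD);
        }
        if (!ok)
            break;
        if (*fmt == 's') {
            const char *s = va_arg(ap, const char *);
            n = snprintf(out + used, room, "%*.*s", field[0], field[1],
                         s ? s : "(null)");
        } else if (*fmt == 'd') {
            n = snprintf(out + used, room, "%*.*d", field[0], field[1],
                         va_arg(ap, int));
        } else {
            ok = 0;                             /* unsupported conversion */
            break;
        }
        if ((ok = (n >= 0 && (size_t) n < room)) != 0) {
            used += (size_t) n;
            fmt++;
        }
    }
    va_end(ap);
    if (!ok)
        return -1;
    out[used] = '\0';
    return (int) used;
}

int main(void)
{
    char buf[32];

    printf("%d\n", checked_format(buf, sizeof buf, "[%*d]", 5, 42));
    printf("%d\n", checked_format(buf, sizeof buf, "[%*d]", -5, 42));
    return 0;
}
```

Standard printf() treats a negative '*' width as a left-justify flag and a negative '*' precision as absent; this example rejects both instead.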
Bugfix (introduced: postfix-alpha): improve the 'fatal:
invalid option' message to show the optopt value instead of
the getopt() result. Files: master/*server.c.
20170923
Bugfix (introduced: Postfix 3.2): panic in the postqueue
command after output write error while listing the queue.
This change restores a write error check that was lost with
the Postfix 3.2 rewrite of the vbuf_print formatter.
Problem reported by Andreas Schulze. File: util/vbuf_print.c.
20170924
Cleanup: terminate early after output write error. Files:
showq/show_compat.c, showq/show_json.c.
20171009
Bugfix (introduced: Postfix 3.1): DANE support. Postfix
builds with OpenSSL 1.0.0 or 1.0.1 failed to send email to
some sites with "TLSA 2 X X" records associated with an
intermediate CA certificate. Problem report and initial
fix by Erwan Legrand. File: src/tls/tls_dane.c.
20171024
Bugfix (introduced: Postfix 3.0): missing dynamicmaps support
in the Postfix sendmail command broke authorized_submit_users
with a dynamically-loaded map type. File: sendmail/sendmail.c.
20171116
Bugfix (introduced: Postfix 2.1): don't log warnings
that some restriction returns OK, when the access map
DISCARD feature is in effect. File: smtpd/smtpd_check.c.
20171209
Documentation: the effects of owner_request_special and
reset_owner_alias on alias expansion. Files: proto/aliases,
proto/postconf.proto.
20171215
Bugfix (introduced: 20170611): the DB_CONFIG bugfix broke
Berkeley DB configurations with a relative pathname. File:
util/dict_db.c.
20171218
Workaround: reportedly, some res_query(3) implementation
can return -1 with h_errno==0. Instead of terminating with
a panic, the Postfix DNS client now logs a warning and sets
h_errno to TRY_AGAIN. File: dns/dns_lookup.c.
Cleanup: allow XCLIENT before STARTTLS, when TLS is required.
File: smtpd/smtpd.c.
20171219
Feature: preliminary support to run Postfix in the foreground.
This requires that multi-instance support is disabled.
Files: conf/postfix-script, postfix/postfix.c.
20171223
Feature: Milters can now send RET and ENVID arguments in
SMFIR_CHGFROM requests. Files: cleanup/Makefile.in,
cleanup/cleanup.h, cleanup/cleanup_envelope.c,
cleanup/cleanup_milter.c, cleanup/cleanup_milter.in13h,
cleanup/cleanup_milter.in13i, cleanup/cleanup_milter.ref13c,
cleanup/cleanup_milter.ref13d, cleanup/cleanup_milter.ref13f,
cleanup/cleanup_milter.ref13g, cleanup/cleanup_milter.ref13h,
cleanup/cleanup_milter.ref13i, cleanup/cleanup_state.c,
cleanup/test-queue-file13h, cleanup/test-queue-file13i,
oqmgr/qmgr_message.c, qmgr/qmgr_message.c.
20171226
Documentation patches by Sven Neuhaus. Files:
proto/FORWARD_SECRECY_README.html, proto/MILTER_README.html,
proto/SMTPD_ACCESS_README.html.
20171227
Feature: postgresql:// URI support by Magosányi Árpád.
Files: global/dict_pgsql.c, proto/pgsql_table.
Cleanup: added employer attributions for non-trivial changes
after Wietse changed employers.
20180106
Compatibility: with compatibility_level < 1, the SMTP server
now warns for mail that would be blocked by the Postfix
2.10 smtpd_relay_restrictions feature. This extends the
safety net for sites that upgrade from earlier Postfix
versions (questions on the postfix-users list show a steady
trickle). Files: proto/COMPATIBILITY_README.html,
global/mail_params.[hc], smtpd/smtpd_check.c.
Cleanup: reset compatibility_level warnings after 'postfix
reload'. This is relevant primarily for the master daemon.
File: global/mail_params.c.
Cleanup: missing mailbox seek-to-end error check in the
local(8) delivery agent. File: local/mailbox.c.
Cleanup: incorrect mailbox seek-to-end error message in the
virtual(8) delivery agent. File: virtual/mailbox.c.
20180107
Cleanup: Postfix-generated From: headers with 'full name'
information are now formatted as "From: name <address>" by
default. Specify "header_from_format = obsolete" for the
earlier form "From: address (name)". Files: proto/postconf.proto,
cleanup/cleanup.h, cleanup_init.c, cleanup_message.c,
mail_params.h.
20180113
Bugfix: "postconf -M" commands did not warn about unused
name=value settings in master.cf. File: postconf/postconf.c.
Bugfix: "postconf -xM" now expands $process_name using the
daemon file name in master.cf, instead of the "postconf"
command process name. Files: postconf/postconf.h,
postconf/postconf_lookup.c, postconf/postconf_master.c.
Feature: read-only service_name parameter that contains the
master.cf service name. This allows, for example, setting
the syslog_name with "-o syslog_name=postfix/$service_name"
for the "submission" and "smtps" services. Files:
proto/postconf.proto, global/mail_params.h, global/mail_params.c,
master/single_server.c, master/multi_server.c,
master/trigger_server.c, master/event_server.c,
postconf/postconf_master.c, postconf/postconf_builtin.c,
and daemon manpages.
20180114
Paranoia: censor the postqueue process name, similar to the
set-gid postdrop program. File: postqueue/postqueue.c.
Cleanup: the new "service_name" parameter is applicable
only to Postfix daemons configured in master.cf; hyperlink
the parameter name in documentation. Files: proto/postconf.proto,
mantools/postlink, daemon manpages.
Cleanup: allow whitespace between $[{(], parameter name,
and [:?)}]. This allows making complex expressions more
readable with line breaks. File: util/mac_expand.c.
Cleanup: don't initialize the service_name parameter with
the process_name value. Files: postconf/postconf.[hc],
postconf/postconf_builtin.c.
20180121
Bugfix (introduced: 20180106): too many arguments for format
string. File: local/mailbox.c.
20180128
Documentation: the tcp_table(5) manpage now documents the
absence of substring lookups. File: proto/tcp_table.
20180203
Licence: in addition to the historical IBM Public License
1.0, this software is now also distributed with the more
recent Eclipse Public License 2.0. Recipients can choose
to take the software under the license of their choice.
Those who are more comfortable with the IPL can continue
with that license. File: LICENSE.
20180217
Cleanup: added 22 missing *_maps parameters to the default
proxy_read_maps setting. Files: global/mail_params.h,
mantools/missing-proxy-read-maps.
20180218
Cleanup: back-ported the missing-proxy-read-maps script to
older Postfix releases, and added error checks. Undid some
of the 20180217 changes in mail_params.h that are no longer
needed.
Bugfix (introduced: 20120117): postconf should scan only
built-in or service-defined parameters for ldap, *sql, etc.
database names. Problem reported by Christian Rößner. Files:
postconf/postconf_user.c.
20180224
Workaround: postconf build did not abort if the m4 command
is not installed (on a system that does have the make command,
the awk command, the perl command, and the C compiler?!).
File: postconf/extract_cfg.sh.
20180303
Portability: slight differences between MySQL and MariaDB.
Olli Hauer. File: global/dict_mysql.c.
20180306
Bugfix (introduced: 19990302): when luser_relay specifies
a non-existent local address, the luser_relay feature becomes
a black hole. Reported by Jørgen Thomsen. File: local/unknown.c.
Portability: FreeBSD 11 is supported. Files: makedefs,
util/sys_defs.h.
20180403
Containers: "postfix start-fg" will now attempt to run the
master daemon as PID 1, and "postfix stop" will use a
stronger signal if the master does not stop. Files:
conf/postfix-script, master/master.c, master/master_sig.c,
postfix/postfix.c.
20180404
Containers: "postfix start-fg" running as PID=1 will now
properly terminate after "postfix stop". With assistance
from Andreas Schulze and Eray Aslan. Files: master/master.c,
master/master.h, master/master_sig.c.
20180421
Documentation: in the protocol description mention early
on that a policy server must not close the connection unless
there is an error. File: proto/SMTPD_POLICY_README.html.
20180422
Undocumented: when running in PID=1 mode on Linux, a signal
won't be delivered unless the process specifies a handler.
Conveniently, _exit() can be used directly as a signal
handler. This changes the wait status that a parent would
see, but in the case of PID=1 mode on Linux, no-one would
care. Viktor Dukhovni. File: util/killme_after.c.
Bugfix (introduced: Postfix 2.8): missing tls_server_start()
error propagation in tlsproxy(8) resulting in segfault after
TLS handshake error. Found during code maintenance. File:
tlsproxy/tlsproxy.c.
Connection reuse for TLS-encrypted SMTP sessions. This is
work-in-progress, #ifdef USE_TLSPROXY, to avoid contamination
of existing code.
The idea is to have smtp(8) talk plaintext while tlsproxy(8)
converts between local plaintext and remote ciphertext.
Then, smtp(8) can save plaintext connections to the cache,
and scache(8) holds the handles to the tlsproxy(8) processes.
This preliminary implementation does not yet support proxying
of DANE attributes from smtp(8) to tlsproxy(8). tlsproxy(8)
does not have permissions to read private key files that
smtp(8) can read. And the name of a connection cache entry
does not yet depend on whether the cached connection uses
TLS, nor does it depend on DANE information.
Files: global/mail_proto.h, postscreen/postscreen_starttls.c,
posttls-finger/posttls-finger.c, smtp/smtp.c, smtp/smtp.h,
smtp/smtp_params.c, smtp/smtp_proto.c, smtp/smtp_session.c,
smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_proxy.h,
tls/tls_proxy_client_init_print.c,
tls/tls_proxy_client_init_scan.c,
tls/tls_proxy_client_start_print.c,
tls/tls_proxy_client_start_scan.c, tls/tls_proxy_clnt.c,
tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
tls/tls_proxy_server_init_print.c,
tls/tls_proxy_server_init_scan.c,
tls/tls_proxy_server_start_print.c,
tls/tls_proxy_server_start_scan.c, tlsproxy/tlsproxy.c,
tlsproxy/tlsproxy.h, tlsproxy/tlsproxy_state.c, util/argv_attr.h,
util/argv_attr_print.c, util/argv_attr_scan.c.
20180425
Cleanup: dnsblog processes now retire voluntarily after
max_use*max_idle seconds. Files: master/mail_server.h,
master/single_server.c, dnsblog/dnsblog.c.
20180429
Documentation: smtpd_relay_restrictions was incorrectly
listed before smtpd_recipient_restrictions. File:
proto/SMTPD_ACCESS_README.html.
20180509
Bugfix (introduced: 20170617): postconf(1) command segfault
if unable to open a Postfix database configuration file due
to a file permission error. Report by Andreas Hasenack, fix
by Viktor Dukhovni. File: postconf/postconf_dbms.c.
20180519
Documentation: updated descriptions of PID 1 mode in manpages
and source-code comments. Files: postfix/postfix.c,
master/master.c, master/master_sig.c, util/killme_after.c.
Documentation: document non-iterative lookup behavior
in postmap(1) and postalias(1) manpages. Files: postmap/postmap.c,
postalias/postalias.c.
Cleanup: the init-mode change should not forbid the combined
use of -D, -d and -w. File: master/master.c.
20180520
Documentation: add backscatter remediation to the virtual(5)
and canonical(5) manpages. Files: proto/virtual, proto/canonical.
Bugfix (introduced: 20180425): broken implementation of
voluntary dnsblog retirement after max_use*max_idle seconds.
File: master/single_server.c.
20180531
Documentation: bash syntax to eliminate or view default
settings in "postconf -n" output. File: postconf/postconf.c.
Contributed by various postfix-users list members.
20180603
TLS reuse: serializer/deserializer support for TLS_DANE and
related data structures. Files: tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, util/argv_attr.h,
util/argv_attr_print.c, util/argv_attr_scan.c.
TLS reuse: posttls-finger -X test flag for quick tests.
File: posttls-finger/posttls-finger.c.
TLS reuse: smtp_use_tlsproxy boolean parameter. This is a
preliminary implementation that should support override via
smtp_tls_policy_maps. Files: smtp.c, smtp_connect.c,
smtp_params.c, smtp_proto.c, smtp_session.c.
TLS reuse: the SMTP client now includes the requested TLS
security level in the scache(8) key.
TLS reuse: address-based reuse is allowed only for TLS
levels that require no certificate checks. Perhaps it still
makes sense to save such sessions for reuse by less sensitive
deliveries. Files: smtp/smtp.h, smtp/smtp_reuse.c.
20180604
TLS reuse: smtp_tls_connection_reuse boolean parameter, and
corresponding override with "connection_reuse" boolean
attribute in smtp_tls_policy_maps. Files: global/mail_params.h,
smtp.c, smtp.h, smtp_params.c, smtp_proto.c, smtp_session.c,
smtp_tls_policy.c, proto/postconf.proto, mantools/postlink.
20180605
TLS reuse: updated TLS_README and CONNECTION_CACHE_README,
added comments in tlsproxy.c to explain why it works.
20180617
Bugfix (introduced: Postfix 2.11): minor memory leak when
minting issuer certs. This affects a tiny minority of use
cases. Fix by Viktor Dukhovni, based on a fix by Juan
Altmayer Pizzorno for Viktor's ssl_dane library.
Cleanup: support for longer timeouts after the TLS handshake,
so that the tlsproxy server won't time out too soon, while
the SMTP client waits for the end-of-data response. This
tlsproxy timeout is a redundant safety feature for the case
that the SMTP client does not enforce the SMTP-level time
limit. Files: tls/tls_proxy.h, tls/tls_proxy_clnt.c,
tlsproxy/tlsproxy.c, posttls-finger/posttls-finger.c,
postscreen/postscreen_starttls.c, smtp/smtp_proto.c.
Cleanup: earlier purging of unexpected plaintext. Files:
posttls-finger/posttls-finger.c, smtp/smtp_proto.c.
Release: first production snapshot with multiple outbound
deliveries per TLS-encrypted connection.
20180618
Quick tlsproxy workaround: after the remote TLS peer shuts
down TLS, allow unsent inbound plaintext to trickle out
before tearing down the proxied connection. This addresses
a sporadic "lost connection after end-of-data" error in the
Postfix SMTP client, and addresses a sporadic "lost connection
after sending QUIT" error with "posttls-finger -X". File:
tlsproxy/tlsproxy.c.
20180619
Segfault: don't lookup the TLS security level for nexthop-based
connection cache storage keys. The combination of (service,
nexthop, etc.) should be stable enough over the time range
of interest, and the policy is still enforced on an individual
connection to an MX host, before that connection is stored
under a nexthop- or host-based storage key. Files:
smtp/smtp_connect.c, smtp/smtp.h.
20180620
TLS connection reuse: save and restore the TLS level for a
reused connection, so that the reused connection will be
saved under a key that matches the connection's original
TLS level. This was not a problem for destinations that
require certificate verification, because we currently reuse
connections that require certificate checks only if they
are looked up by their nexthop destination. File:
smtp/smtp_session.c.
TLS connection reuse: with TLS level > encrypt, prohibit
sharing of the same connection endpoint under different
nexthops, by making the nexthop part of the endpoint-based
connection cache lookup key. File: smtp/smtp.h.
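The key rules from the 20180603 and 20180620 entries, as an added example that is not Postfix source code: the TLS level is part of every cache key, and the nexthop joins the endpoint-based key only above "encrypt". The enum, the EX_MUST_MATCH() helper, the key layout and the 192.0.2.25, a.example and b.example values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed, simplified TLS level ordering (not Postfix's own enum). */
typedef enum { LEV_NONE, LEV_MAY, LEV_ENCRYPT, LEV_FINGERPRINT,
               LEV_VERIFY, LEV_SECURE } tls_level;

/* Hypothetical helper: levels above "encrypt" check the peer certificate. */
#define EX_MUST_MATCH(lev) ((lev) > LEV_ENCRYPT)
#define KEY_MAX   256
#define CACHE_MAX 8

struct entry { char key[KEY_MAX]; int handle; int in_use; };
static struct entry cache[CACHE_MAX];

/* Append one length-prefixed field so field boundaries stay unambiguous. */
static int add_field(char *key, size_t len, const char *val)
{
    size_t used = strlen(key);
    int n = snprintf(key + used, len - used, "%zu:%s,", strlen(val), val);
    return (n < 0 || (size_t) n >= len - used) ? -1 : 0;
}

/* Shared start of both key types: key type, service, TLS level. */
static int key_prefix(char *key, size_t len, const char *type,
                      const char *service, tls_level lev)
{
    char levbuf[16];
    key[0] = '\0';
    snprintf(levbuf, sizeof levbuf, "%d", (int) lev);
    return (add_field(key, len, type) || add_field(key, len, service)
            || add_field(key, len, levbuf)) ? -1 : 0;
}

/* Key for lookup by destination: the nexthop is always part of it. */
int nexthop_key(char *key, size_t len, const char *service,
                const char *nexthop, tls_level lev)
{
    if (key_prefix(key, len, "nexthop", service, lev) < 0)
        return -1;
    return add_field(key, len, nexthop);
}

/* Key for lookup by server address. The nexthop is added only when the
 * level requires certificate checks, so an authenticated connection is
 * never handed to a delivery for a different nexthop. */
int endpoint_key(char *key, size_t len, const char *service,
                 const char *addr_port, const char *nexthop, tls_level lev)
{
    if (key_prefix(key, len, "endpoint", service, lev) < 0
        || add_field(key, len, addr_port) < 0)
        return -1;
    return add_field(key, len, EX_MUST_MATCH(lev) ? nexthop : "");
}

/* Store a connection handle under a key; -1 when the cache is full. */
int cache_save(const char *key, int handle)
{
    for (int i = 0; i < CACHE_MAX; i++) {
        if (!cache[i].in_use) {
            snprintf(cache[i].key, KEY_MAX, "%s", key);
            cache[i].handle = handle;
            cache[i].in_use = 1;
            return 0;
        }
    }
    return -1;
}

/* Return the cached handle and release the slot, or -1 when not found. */
int cache_find(const char *key)
{
    for (int i = 0; i < CACHE_MAX; i++) {
        if (cache[i].in_use && strcmp(cache[i].key, key) == 0) {
            cache[i].in_use = 0;
            return cache[i].handle;
        }
    }
    return -1;
}

/* Save a connection made for a.example, then look it up by the same
 * server address on behalf of b.example at the same TLS level. */
int reuse_across_nexthops(tls_level lev)
{
    char a[KEY_MAX], b[KEY_MAX];

    memset(cache, 0, sizeof cache);
    if (endpoint_key(a, sizeof a, "smtp", "192.0.2.25:25", "a.example", lev) < 0
        || endpoint_key(b, sizeof b, "smtp", "192.0.2.25:25", "b.example", lev) < 0
        || cache_save(a, 7) < 0)
        return -1;
    return cache_find(b);
}

int main(void)
{
    printf("may:    %d\n", reuse_across_nexthops(LEV_MAY));
    printf("verify: %d\n", reuse_across_nexthops(LEV_VERIFY));
    return 0;
}
```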
20180623
TLS connection reuse: replaced random logic with TLS_MUST_MATCH()
when deciding under what conditions an authenticated
connection may be reused. Files: smtp/smtp_proto.c,
smtp/smtp.h.
TLS connection reuse: a tlsproxy(8) process will retire
after max_idle*max_use, or some sane constant if either is
set to zero. Files: master/event_server.c, tlsproxy/tlsproxy.c.
Documentation: automatic retirement. File: master/single_server.c.
Documentation: the connection caching limitation for SMTP
over TLS is now obsolete. File: proto/CONNECTION_CACHE_README.html.
20180701
Incompatibility: the tlsproxy(8) daemon now requires a zero
process limit in master.cf (this setting is provided with
the default master.cf file). See RELEASE_NOTES for how to
change the tlsproxy process limit. File: tlsproxy/tlsproxy.c.
20180707
Bugfix (introduced: Postfix 3.0): with smtputf8_enable=yes,
table lookups could casefold the search string when searching
a lookup table that does not use fixed-string keys (regexp,
pcre, tcp, etc.). Historically, Postfix would not case-fold
the search string with such tables. File: util/dict_utf8.c.
Cleanup: removed unimplemented VSTRING support to enforce
a buffer size limit (by returning an error of sorts). In
practice, the limit was enforced in smtp_get(). Also made
the VSTRING implementation more VSTREAM-compatible. Files:
util/vstring.[hc], posttls-finger/posttls-finger.c,
smtpstone/smtp-source.c.
Cleanup: unused variable. File: postqueue/postqueue.c.
Feature: VSTREAM support to "open" a VSTRING for read, write
or append mode, enabling the reuse of existing stream-based
code to serialize/deserialize Postfix data structures to/from
memory. File: vstream.[hc].
Cleanup: "make manpages" now generates a makedefs(1) manpage
for publication on the web. Also cleaned up some makedefs(1)
content. Files: man/Makefile.in, man/man1/makedefs.1,
html/Makefile.in, html/makedefs.1.html.
20180708
Cleanup: VSTREAM support to "open" a VSTRING: added
vstream_ftell() support; documented what changes are needed
before this can support vstream_fseek(), without breaking a
VSTRING during vstream_fflush(); added a simple 'allow'
filter for vstream_control() requests; added a unit test.
File: util/vstream.c.
20180812
Feature: smtpd_reject_footer_maps (as well as the postscreen
variant postscreen_reject_footer_maps). This is indexed
with the SMTP server response text, and overrides the footer
specified with smtpd_reject_footer. Files: global/mail_params.h,
mantools/postlink, postscreen/postscreen.c,
postscreen/postscreen_send.c, postscreen/postscreen_smtpd.c,
proto/postconf.proto, smtpd/smtpd.c, smtpd/smtpd_chat.c.
Minor wordsmithing. File: makedefs.
20180823
Bugfix (introduced: 20180812): postscreen_send.c did not
build without warnings. Viktor Dukhovni.
20180824
Cleanup: with SMTPUTF8 turned off, the MySQL and PgSQL maps
accept only well-formed UTF-8 queries, and return NOT FOUND
otherwise. This was introduced in Postfix 3.0 for LDAP
and SQLite, with no complaints coming forth. Files:
global/dict_mysql.c, global/dict_pgsql.c.
20180805-20180825 Chunking support
Cleanup: vbuf_get() now sets the EOF flag, so that reading
from a VSTRING stream works as expected. File: util/vbuf.c.
Cleanup: added an append-mode flag to functions that read
a VSTRING from a stream. The historical APIs are preserved
in the form of aliases. Files: util/vstring_vstream.[hc],
global/smtp_stream.[hc].
SMTP server support for CHUNKING (BDAT) per RFC 3030. The
SMTP server is the only program that knows the difference
between mail received with BDAT or DATA. Both use the same
smtpd_data_restrictions and smtpd_end_of_data_restrictions,
both send one Milter DATA event per mail transaction, and
both send one DATA command ending in <CR><LF>.<CR><LF>
to an smtpd_proxy_filter. Files: global/ehlo_mask.h,
global/smtp_stream.c, global/smtp_stream.h,
postscreen/postscreen_smtpd.c, smtpd/smtpd.c, smtpd/smtpd.h,
smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_state.c.
Cleanup: the postscreen(8) daemon now hangs up after receiving
the DATA command. Justification: it should never receive DATA
from a legitimate client, because 1) postscreen(8) rejects all
recipients, and 2) postscreen(8) does not announce PIPELINING.
This makes postscreen(8) DATA and BDAT behavior more
consistent. File: postscreen/postscreen_smtpd.c.
BDAT final touches: report accurate BDAT byte counts after
timeout or lost connection; send DATA instead of BDAT in
policy delegation protocol. Files: smtpd/smtpd.[hc],
smtpd/smtpd_check.c.
BDAT final touches: if the BDAT EHLO announcement is disabled,
then smtpd(8) and postscreen(8) will not accept BDAT commands.
Files: smtpd/smtpd.c, postscreen/postscreen_smtpd.c.
20180826
Cleanup: with GSSAPI, the Postfix SMTP client's initial
SASL response may be as large as 12288 bytes. When the "AUTH
<mechanism> <initial-response>" command would exceed the SMTP
command length of 512 bytes, send the initial response
during the SASL dialog. Viktor Dukhovni. File:
smtp/smtp_sasl_glue.c.
Cleanup: prepare the Postfix SMTP server to receive
SASL responses that exceed the line_length_limit value.
This introduces a new parameter smtpd_sasl_response_limit
(default: 12288). Viktor Dukhovni. Files: mantools/postlink,
proto/postconf.proto, global/mail_params.h, smtpd/smtpd.c,
smtpd/smtpd_chat.c, smtpd/smtpd_chat.h, smtpd/smtpd_sasl_glue.c.
20180827
Miscellaneous documentation updates, and a correction in
the byte count for sending a large SASL initial response.
20181014
Cleanup: figured out why vstring_get() did not return
VSTREAM_EOF in APPEND mode. File: util/vstring_vstream.c.
20180903
Bugfix (introduced: 20180825): postscreen falsely claimed
that the remote SMTP client was pipelining after sending
BDAT. Found by Ralf Hildebrandt. File:
postscreen/postscreen_smtpd.c.
20180904
Bugfix (introduced: 20180812): parameter name error
(postscreen_reject_footer should have been
postscreen_reject_footer_maps). Noel Jones (finder) and
Viktor Dukhovni (fixer).
20181104
Multiple 'bit rot' fixes for OpenSSL API changes, including
support to disable TLSv1.3, to avoid issuing multiple session
tickets, and to allow OpenSSL >= 1.1.0 run-time micro version
bumps without complaining about library version mismatches.
Viktor Dukhovni. Files: proto/postconf.proto,
proto/TLS_README.html, tls/tls.h, tls/tls_dane.c,
tls/tls_server.c, tls/tls_misc.c
20181105
Feature: "postmap -F" reads a source file with (key, filename)
entries, and creates database records with (key, base64-encoded
filecontent). This feature will be used for SNI lookup
table support, where each key will be a domainname, and
each value will contain a sequence of (private key, certificate
hierarchy) for that domainname. The same 'value is filename'
behavior is implemented in cidr:, inline:, pcre:, randmap:,
regexp:, and static: maps if the application sets the flag
DICT_FLAG_RHS_IS_FILE. In the foreseeable future, this will
be used for specific TLS features. Files: postmap/postmap.c,
util/dict.c, util/dict.h, util/dict_cidr.c, util/dict_file.c,
util/dict_inline.c, util/dict_pcre.c, util/dict_random.c,
util/dict_regexp.c, util/dict_static.c.
20181106
Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could
not disable "SMTPUTF8", because the lookup table was using
"EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c.
Documentation: the postmap(1) manpage no longer refers to
compatibility with Sendmail's makemap command. File:
postmap/postmap.c.
Cleanup: don't use ssize_t for boolean result. File:
global/smtp_stream.c.
Cleanup: memory leak caused by missing dbenv->close() call
after failing to open a Berkeley DB table. File: util/dict_db.c.
20181112
Improved logging of TLS 1.3 summary information, and improved
reporting of the same info in Received: message headers.
Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html,
smtpd/smtpd.c, tls/tls.h, tls/tls_client.c, tls/tls_misc.c,
tls/tls_proxy.h, tls/tls_proxy_context_print.c,
tls/tls_proxy_context_scan.c, tls/tls_server.c.
20181116
Library function to log TLS 1.3 summary information, and
some wordsmithing of TLS context member names. Viktor
Dukhovni. Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
tls/tls_client.c, tls/tls_server.c, smtpd/smtpd.c,
posttls-finger/posttls-finger.c.
Cleanup: vstream_memopen() flags handling. File:
util/vstream.c.
Cleanup: the SMTP client now uses 'attr_print_plain'
serialization and 'attr_scan_plain' deserialization for
connection cache lookup keys, which now contain a serialized
version of the TLS context. File: smtp/smtp_session.c.
20181117
The Postfix SMTP client now logs whether an SMTP-over-TLS
connection is newly established ("TLS connection established")
or whether the connection is reused ("TLS connection reused").
Files: smtp/smtp.h, smtp/smtp_proto.c, smtp/smtp_session.c.
(20181117-nonprod) Unified summary logging in the SMTP
client, SMTP server, and posttls-finger. Viktor Dukhovni.
Files: tls/tls.h, tls/tls_misc.c, tls/tls_proxy.h,
tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
tls/tls_client.c, src/tls/tls_server.c, smtpd/smtpd.c,
posttls-finger/posttls-finger.c.
(20181117-nonprod) Improved logging of TLS 1.3 summary
information. On the server side this also affects the TLS
information optionally recorded in "Received" headers.
Viktor Dukhovni. Files: smtpd/smtpd.c, tls/tls.h,
tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h,
tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c,
tls/tls_server.c.
(20181117-nonprod) FORWARD_SECRECY examples with TLS 1.3
logging. Viktor Dukhovni. File: proto/FORWARD_SECRECY_README.html.
20181118
Cleanup, no behavior change: updated comments concerning
connection reuse, and updated some identifiers to reflect
current reality. Files: smtp_reuse.c, smtp_key.c, smtp_proto.c,
smtp_tls_policy.c, smtp.h, smtp_connect.c.
20181119
Bitrot: makedefs will use "pkg-config" to locate ICU build
information, falling back to "icu-config" if "pkg-config"
is not found. File: makedefs.
20181122
Cleanup: tlsproxy loads the same TLS client configuration
at pre-jail time as the Postfix SMTP client, so that secret
keys can remain read-only for root. This is sufficient for
MTAs that have a fixed TLS client identity. tlsproxy will
log a warning if it is requested to assume a different TLS
client identity, and will log suggestions for a workaround.
The long-term solution is to stop loading certs/keys from
files, and to use the same approach as planned for server-side
SNI support: open a cert/key map at pre-jail time, and read
cert/key information on-the-fly at post-jail time. Files:
proto/postconf.proto, mantools/postlink, global/mail_params.h,
tlsproxy/tlsproxy.c.
20181123
Cleanup: tlsproxy now logs better instructions when a
tls_client_init request specifies an unexpected client
identity, and the test for that condition is now moved to
the right place. File: tlsproxy/tlsproxy.c.
20181124
Documentation: clarified the behavior of whitespace within
"{}". Files: proto/DATABASE_README.html, proto/postconf.proto,
pipe/pipe.c, postconf/postconf.c.
20181125
Cleanup: dict_file_to_xxx() takes a list of file names
separated by CHARS_COMMA_SP. Shoe-horned into the existing
API, make it nicer when there is time. File: util/dict_file.c.
20181127
Cleanup: encapsulated clumsy 'read into VSTRING' code with
easier-to-use vstream_fread_buf() and vstream_fread_app()
primitives. Files: global/memcache_proto.c, global/record.c,
global/smtp_stream.c, global/smtp_stream.h, global/uxtext.c,
global/xtext.c, milter/milter8.c, util/dict_file.c,
util/hex_quote.c, util/netstring.c, util/vstream.c,
util/vstream.h. Verified with "make tests".
Cleanup: simplified the smtp_fread() API (introduced for
BDAT support), and changed the name to smtp_fread_buf().
Files: global/smtp_stream.c, smtpd/smtpd.c. Verified with
~megabyte BDAT commands.
Cleanup: simplified a tlsproxy-internal API. File:
tlsproxy/tlsproxy.c.
20181128
Initial support for key/certificate chain files that will
replace the proliferation of separate parameters for
RSA/DSA/ECC/etc. key and certificate files. Viktor
Dukhovni.
20181201
Cleanup: replaced the remaining unsafe VSTRING_AT_OFFSET()
calls with safe vstring_set_payload_size() calls, in code
that directly writes into VSTRING. Files: tls/tls_session.c,
tlsmgr/tlsmgr.c, util/casefold.c, util/vstring.c, util/vstring.h,
xsasl/xsasl_cyrus_client.c.
Cleanup: postscreen_command_time_limit did not need to be
a 'raw' parameter. This makes "postconf -x" behavior more
consistent. Files: global/mail_params.h, postscreen/postscreen.c.
Documentation: added text that the following parameter
values are not subject to Postfix parameter $name expansion:
default_rbl_reply, command_execution_directory, luser_relay,
smtpd_reject_footer. These have their own documented $name
substitution mechanism. File: proto/postconf.proto.
20181202
Bugfix: posttls-finger reported an error for UNIX-domain
connections, even if they did not fail. Found by Coverity.
File: posttls-finger/posttls-finger.c.
20181208
Documentation: add even more redundancy to the rate-delay
description. File: proto/postconf.proto.
20181210
Cleanup: code deduplication. File: util/dict_file.c.
20181226
Cleanup: code deduplication and better encapsulation with
PSC_DEL_CLIENT_STATE() and PSC_DEL_SERVER_STATE() macros.
Files: postscreen/postscreen.h, postscreen/postscreen_state.c.
Documentation: POSTSCREEN_README did not describe the
postscreen_post_queue_limit, and attributed the wrong reject
message to the postscreen_pre_queue_limit. Problem reported
by Michael Orlitzky. File: proto/POSTSCREEN_README.html.
(20181226-nonprod) Compatibility: removed support for OpenSSL
1.0.1 (not supported since December 31, 2016) and earlier
releases. This eliminated a large number of #ifdefs with
bitrot workarounds. Viktor Dukhovni. Files: global/mail_params.h,
posttls-finger/posttls-finger.c, tls/tls.h, tls/tls_certkey.c,
tls/tls_client.c, tls/tls_dane.c, tls/tls_dh.c, tls/tls_misc.c,
tls/tls_proxy_client_scan.c, tls/tls_rsa.c, tls/tls_server.c,
tls/tls_session.c.
(20181226-nonprod) Use the OpenSSL 1.0.2 and later API for
setting ECDHE curves. Viktor Dukhovni. Files: tls/tls.h,
tls/tls_client.c, tls/tls_dh.c.
(20181226-nonprod) Documentation update for TLS support.
Viktor Dukhovni. Files: mantools/postlink, proto/TLS_README.html,
proto/postconf.proto, src/sendmail/sendmail.c, src/smtpd/smtpd.c.
20181229
Explicit maps_file_find() and dict_file_lookup() methods
that decode base64 content. Decoding content is not built
into the dict->lookup() method, because that would complicate
the implementation of map nesting (inline, thash), map
composition (pipemap, unionmap), and map proxying. For
consistency, decoding base64 file content is also not built
into the maps_find() method. Files: util/dict.h,
util/dict_file.c, global/maps.[hc], postmap/postmap.c.
20190106
Documentation: documented the SRC_RHS_IS_FILE flag in
dict_open.c, and updated the -F description in the postmap
manpage. Files: util/dict_open.c, postmap/postmap.c.
(20190106-nonprod) Feature: support for files that combine
multiple (key, certificate, trust chain) instances in one
file, to avoid separate files for RSA, DSA, Elliptic Curve,
and so on. Viktor Dukhovni. Files: .indent.pro,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/lmtp_params.c, smtp/smtp.c, smtp/smtp_params.c,
smtp/smtp_proto.c, smtpd/smtpd.c, tls/tls.h, tls/tls_certkey.c,
tls/tls_client.c, tls/tls_proxy.h, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy_server_print.c,
tls/tls_proxy_server_scan.c, tls/tls_server.c, tlsproxy/tlsproxy.c.
(20190106-nonprod) Create a second, no-key no-cert, SSL_CTX
for use with SNI. Viktor Dukhovni. Files: src/tls/tls.h,
src/tls/tls_client.c, src/tls/tls_misc.c, src/tls/tls_server.c.
(20190106-nonprod) Server-side SNI support. Viktor Dukhovni.
Files: src/global/mail_params.h, src/smtp/smtp.c,
src/smtpd/smtpd.c, src/tls/tls.h, src/tls/tls_certkey.c,
src/tls/tls_misc.c, src/tlsproxy/tlsproxy.c.
(20190106-nonprod) Configurable client-side SNI signal.
Viktor Dukhovni. Files: global/mail_params.h,
posttls-finger/posttls-finger.c, smtp/lmtp_params.c,
smtp/smtp.c, smtp/smtp.h, smtp/smtp_params.c, smtp/smtp_proto.c,
smtp/smtp_tls_policy.c, tls/tls.h, tls/tls_client.c,
tls/tls_proxy.h, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c.
20190121
Logging: support for internal logging file, without using
syslog (it uses the new postlogd daemon instead). This
solves a usability problem for MacOS, may help getting
around systemd, and solves 99% of the problem for logging
to stdout in a container (hopefully we have 100% soon).
Enable by setting, for example, "maillog_file =
/var/log/postfix.log". This works fine for daemons, and
with some limitations for non-daemon programs. See
RELEASE_NOTES for more details. Files: conf/master.cf,
conf/post-install, conf/postfix-files, conf/postfix-script,
mantools/postlink, proto/master, proto/postconf.proto,
global/mail_params.c, global/mail_params.h, global/mail_proto.h,
global/maillog_client.c, global/maillog_client.h,
master/dgram_server.c, master/event_server.c, master/mail_server.h,
master/master.c, master/master.h, master/master_ent.c,
master/master_listen.c, master/master_proto.h,
master/master_wakeup.c, master/multi_server.c,
master/single_server.c, master/trigger_server.c,
postalias/postalias.c, postconf/postconf_master.c,
postdrop/postdrop.c, postfix/postfix.c, postkick/postkick.c,
postlog/postlog.c, postlogd/postlogd.c, postmap/postmap.c,
postmulti/postmulti.c, postqueue/postqueue.c,
postsuper/postsuper.c, sendmail/sendmail.c, util/connect.h,
util/listen.h, util/logwriter.c, util/logwriter.h,
util/msg_logger.c, util/msg_logger.h, util/msg_output.c,
util/msg_output.h, util/unix_dgram_connect.c,
util/unix_dgram_listen.c.
Cleanup: cert/key/chain loading, plus unit tests to exercise
non-error and error cases. Viktor Dukhovni. Files: tls/*.pem,
tls*.pem.ref, tls/tls_certkey.c.
20190126
Safety: Postfix programs will log to either syslog or postlog
but not both; and postlogd forwards postlog logging to
syslog, when a configuration change removes the maillog_file
pathname, but some programs still use the old configuration.
Files: util/msg_syslog.[hc], util/msg_logger.c,
global/maillog_client.c, postlogd/postlogd.c.
Bugfix (introduced: Postfix 20110109, Postfix 2.10): watchdog
pipe file descriptor leak. This pipe provides one source
of liveness, data from this pipe is discarded, and therefore
this does not enable privilege escalation or DOS. File:
util/watchdog.c.
Feature: stdout logging support; requires "postfix start-fg"
and "maillog_file = /dev/stdout". Files: master/master.c,
conf/postfix-script.
20190127
Safety: when maillog_file is specified, 'postfix check' now
requires that the postlog service is enabled in master.cf.
Otherwise 'postfix start' etc. will log a fatal error. File:
conf/postfix-script.
Documentation: added policy_context example. File:
proto/SMTPD_POLICY_README.html.
20190128
Testing: run libtls tests under Valgrind. File: tls/Makefile.in.
20190129
Safety: require that $maillog_file matches one of the
pathname prefixes specified in $maillog_file_prefixes. The
maillog file is created by root, and the prefixes limit the
damage from a single configuration error. Files:
global/mail_params.[hc], global/maillog_client.c.
20191201
Feature: "postfix logrotate" command with configurable
compression program and datestamp filename suffix. File:
conf/postfix-script.
20190202
Cleanup: log a warning when the client sends a malformed
SNI; log an info message when the client sends a valid SNI
that does not match the SNI lookup tables; update the
FORWARD_SECRECY_README logging examples. Viktor Dukhovni.
Files: proto/FORWARD_SECRECY_README.html, tls/tls.h,
tls/tls_client.c, tls/tls_misc.c.
20190208
Debugging: the master(8) daemon now logs a warning if a
master.cf entry is defined multiple times. File:
src/master/master_conf.c.
20190209
Debugging: tlsproxy(8) now logs more details about unexpected
configuration differences between the Postfix SMTP client
and the tlsproxy(8) daemon.
20190210
Documentation: Postfix 3.4.0 RELEASE NOTES.
Documentation: added BDAT_README.
Documentation: global TLS settings. Files: mantools/postlink,
smtp/smtp.c, tlsproxy/tlsproxy.c.
20190211
Cleanup: removed obsolete parameters: tls_dane_digest_agility,
tls_dane_trust_anchor_digest_enable; removed openssl_path
parameter from configuration difference checks in tlsproxy.
Files: global/mail_params.h, tls/tls_misc.c,
tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
20190212
Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
posttls-finger/posttls-finger.c.
20190217
Cleanup: when the master daemon runs with PID=1 (init mode),
reap orphan processes from non-Postfix code running in the
same container, instead of terminating with a panic. File:
master/master_spawn.c.
20190218
Bugfix: tlsproxy did not enable DANE-style PKI because
libtls seems to have accreted multiple init functions
instead of reusing the tls_client_init() and tls_client_start()
API. And some functions that do initialization don't even
have init in their name! Problem report by Andreas Schulze.
Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.
Workaround: Postfix libtls makes DANE-specific changes to
the shared SSL_CTX. To avoid false sharing, tlsproxy needs
to label the SSL_CTX cache with DANE bits until we can
remove the code that modifies SSL_CTX. File: tlsproxy/tlsproxy.c.
Cleanup: Postfix libtls changed the shared SSL_CTX to
override ciphers, instead of changing the SSL handle. To
avoid false sharing in tlsproxy, the changes are now made
to the SSL handle. Viktor Dukhovni. Files: tls/tls.h,
tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.
20190219
Bugfix: in the Postfix SMTP client, TLS wrappermode was not
tested in tlsproxy mode. It needed some setup for buffering
and timeouts. Problem report by Andreas Schulze. File:
smtp/smtp_proto.c.
20190226
Documentation: postconf(1) and DATABASE_README were out of
sync. Added a note that this should be deduplicated. File:
proto/DATABASE_README.html.
20190227
Documentation: strict_smtputf8 in SMTPUTF8_README.
20190304
Bugfix: a reversed test broke TLS configurations that specify
the same filename for a private key and certificate. Reported
by Mike Kazantsev. Fix by Viktor Dukhovni. Wietse fixed the
test. Files: tls/tls_certkey.c, tls/Makefile.in.
20190310
Bitrot: LINUX5s support, after some sanity checks with a
rawhide prerelease version. Files: makedefs, util/sys_defs.h.
Bugfix (introduced: 20181226): broken DANE trust anchor
file support, caused by left-over debris from the 20181226
TLS library overhaul. By intrigeri. File: tls/tls_dane.c.
Bugfix (introduced: Postfix-1.0.1): null pointer read, while
logging a warning after reading a corrupted bounce log file.
File: global/bounce_log.c.
Bugfix (introduced: Postfix-2.9.0): null pointer read, while
logging a warning after a postscreen_command_filter read
error. File: postscreen/postscreen_smtpd.c.
20190312
Bugfix (introduced: Postfix 2.2): reject_multi_recipient_bounce
has been producing false rejects starting with the Postfix
2.2 smtpd_end_of_data_restrictions, and for the same reasons,
did the same with the Postfix 3.4 BDAT command. The latter
was reported by Andreas Schulze. File: smtpd/smtpd_check.c.
20190319
With message_size_limit=0 (which is NOT DOCUMENTED), BDAT
chunks were always too large. Reported by Thorben Thuermer.
Fix by Viktor Dukhovni. File: src/smtpd/smtpd.c.
20190328
Bugfix (introduced: Postfix 3.0): LMTP connections over
UNIX-domain sockets were cached but not reused, due to a
cache lookup key mismatch. Therefore, idle cached connections
could exhaust LMTP server resources, resulting in two-second
pauses between email deliveries. This problem was investigated
by Juliana Rodrigueiro. File: smtp/smtp_connect.c.
20190331
Documentation: tlsext_padding is not a tls_ssl_options
feature. File: proto/postconf.proto.
20190401
Portability: to avoid a compile-time error on Solaris, added
"#undef sun" to util/unix_dgram_connect.c.
20190403
Bugfix (introduced: Postfix 2.3): a censoring filter broke
multiline Milter responses for header/body events. Problem
report by Andreas Thienemann. Files: util/printable.c,
util/stringops.h, smtpd/smtpd.c.
Bugfix (introduced: Postfix 3.3): "smtp_mx_address_limit = 0"
no longer meant 'unlimited'. Problem report by Luc Pardon.
File: smtp/smtp_addr.c.
20190427
Cleanup: normalize the IP address string forms received with
XCLIENT, XFORWARD, and HaProxy, for consistency with address
information for direct connections to Postfix, and add unit
tests. This casefolds and removes redundant nulls from the
string representation of an IPv6 address, normalizes the
"IPv6:" address prefix of RFC 2821 IPv6 address forms, and
converts IPv4 address octets with leading zeros (octal form)
into decimal form. Files: global/haproxy.c,
global/normalize_mailhost_addr.[hc], smtpd/smtpd.c.
Incompatibility: this may change the appearance of logging,
and the way that check_client_access will match subnets of
an IPv6 address.
20190428
Cleanup: replace "(whatever *) 0" with meaningfully-named
constants. Sheesh. File: smtpd/smtpd.c.
Documentation: BASIC_CONFIGURATION_README example default
setting was not updated after Postfix 3.0 change. File:
proto/BASIC_CONFIGURATION_README.html
20190505
Workaround: uClibc has no res_send. Log a warning if this
code path would be used, and ignore dns_ncache_ttl_fix_enable.
Files: util/sys_defs.h, dns/dns_lookup.c, TODO: makedefs
and INSTALL documentation.
20190516
Initial search order support for check_ccert_access. The
default behavior is backwards-compatible. This is work in
progress; see the RELEASE_NOTES for examples. Files:
global/map_search.[hc], smtpd/smtpd_check.c.
20190517
Bugfix: postconf mis-parsed text starting with "{" such as
"check_ccert_access { inline:{a=b} { search_order=c,d } }".
Fixed by adding another level of recursion. File:
postconf/postconf_dbms.c.
20190525
Infrastructure: reject_deliver_request() to reject an entire
delivery request and bounce or defer all its recipients.
File: global/reject_deliver_request.c.
20190609
Infrastructure: byte_mask() to convert "flags=mumble" into
a byte mask. This is similar to name_mask(). Files:
util/byte_mask.[hc] and tests.
20190615
Dovecot usability: SMTP/LMTP client support for 'D', 'O',
'R', 'X' flags similar to the pipe(8) daemon, to produce
Delivered-To, X-Original-To, and Return-Path headers, and
to indicate final delivery. Files: smtp/smtp.c, smtp/smtp.h,
smtp/smtp_misc.c, smtp/smtp_proto.c, smtp/smtp_rcpt.c.
Workaround for implementations that hang Postfix while
shutting down a TLS session, until Postfix times out. With
"tls_fast_shutdown_enable = yes" (the default), Postfix no
longer waits for the TLS peer to respond to a TLS 'close'
request. This is recommended with TLSv1.0 and later. Files:
global/mail_params.h, tls/tls_session.c, and documentation.
20190618
Documentation: corrected comments about the code change to
not wait for the TLS peer's response after sending a TLS
'close' notification. Viktor Dukhovni. Files: HISTORY,
RELEASE_NOTES, proto/postconf.proto, smtp/smtp.c, smtpd/smtpd.c,
tlsproxy/tlsproxy.c.
20190621
Workaround: don't reuse an SMTP connection after an SMTP
protocol error. This limits the impact of, for example,
pipelining synchronization errors. File: smtp/smtp_trouble.c.
Bugfix (introduced: Postfix 3.0): the code to reset Postfix
SMTP server command counts was not called after a HaProxy
handshake failure, causing stale numbers to be reported.
The command counts are now reset in the function that reports
the counts. Problem report by Joseph Ward. File: smtpd/smtpd.c.
20190719
Bitrot: OpenBSD stopped having /dev/arandom 8 years ago.
Brad Smith. File: util/sys_defs.h.
20190723
Bugfix: the documentation said tls_fast_shutdown_enable,
but the code said tls_fast_shutdown. Viktor Dukhovni. Changed
the code because no-one is expected to override the default.
File: global/mail_params.h.
20190724
Cleanup: proxymap(8) support for table search order syntax.
File: proxymap/proxymap.c.
Safety: vstring_set_payload_size() now checks that the
payload has not overwritten the safety terminator at the
end of the VSTRING buffer. File: util/vstring.c.
20190813
Documentation: access(5) map network address pattern syntax.
File: proto/access.
20190820
Workaround for poor TCP loopback performance on LINUX, where
getsockopt(..., TCP_MAXSEG, ..) reports a TCP maximal segment
size that is 1/2 to 1/3 of the MTU. For example, with kernel
5.1.16-300.fc30.x86_64 the TCP client and server announce
an mss of 65495 in the TCP handshake, but getsockopt()
returns 32741 (less than half). As a matter of principle,
Postfix won't turn on client-side TCP_NODELAY because that
hides application performance bugs, and because that still
suffers from server-side delayed ACKs. Instead, Postfix
avoids sending "small" writes back-to-back, by choosing a
VSTREAM buffer size that is a multiple of the reported MSS.
This workaround bumps the multiplier from 2x to 4x. File:
util/vstream_tweak.c.
20190825
Bugfix (introduced: 20051222): the Dovecot client could
segfault (null pointer read) or cause an SMTP server assertion
to fail when talking to a fake Dovecot server. The client
now logs a proper error instead. Problem reported by Tim
Düsterhus. File: xsasl/xsasl_dovecot_server.c.
20190908
Documentation: updated postconf(5) description of the
tls_server_sni_maps configuration parameter. Viktor Dukhovni.
File: proto/postconf.proto.
20190914
Bugfix (introduced: Postfix 3.4): don't whitewash OpenSSL
error results after a plaintext output error. The code could
loop, and with some OpenSSL error results could flood the
log with error messages (see below for a specific case).
Problem reported by Andreas Schulze. File: tlsproxy/tlsproxy.c.
Bitrot: don't invoke SSL_shutdown() when the SSL engine
thinks it is processing a TLS handshake. The commit at
https://github.com/openssl/openssl/commit/64193c8218540499984cd63cda41f3cd491f3f59
changed the error status, incompatibly, from SSL_ERROR_NONE
into SSL_ERROR_SSL. File: tlsproxy/tlsproxy.c.
20190918
Cleanup: the nbbio(3) library now accepts a sequence of
nbbio_enable_read() calls or a sequence of nbbio_enable_write()
calls. This allows tlsproxy(8) to reset an I/O timer after
each event without having to make an nbbio_disable_readwrite()
call. Files: util/nbbio.c, tlsproxy/tlsproxy.c.
20191013
Cleanup: code pattern ENFORCING_SIZE_LIMIT() for more
consistent enforcement of the 'no size limit' case (it now
requires "> 0" where previous code used "!= 0" or "> 0").
More relevant, this explicit pattern will help finding code
that does not implement the 'no size limit' case with
var_message_limit, etc. Files: cleanup/cleanup_init.c,
local/local.c, postdrop/postdrop.c, postscreen/postscreen_smtpd.c,
sendmail/sendmail.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
util/netstring.c, util/sys_defs.h, virtual/virtual.c.
Cleanup: with message_size_limit>0, local(8) and virtual(8)
mailbox size limit checks would produce a misleading error
message when the mailbox size was unlimited. Files:
local/local.c, virtual/virtual.c.
Cleanup: queue_minfree changed from 'int' to 'long'. File:
global/mail_params.h, src/smtpd/smtpd.c.
Attribution: updated AUTHOR in file headers. Files:
global/bounce_log.c, global/deliver_request.h, smtp/smtp_chat.c,
smtp/smtp_rcpt.c, tls/tls_certkey.c, util/nbbio.c,
util/vstream_tweak.c.
20191014
Bugfix (introduced: Postfix 2.8): don't gratuitously enable
all after-220 tests when only one such test is enabled.
This made selective tests impossible with 'good' clients.
File: postscreen/postscreen_smtpd.c.
Bugfix: the 20180903 postscreen fix for a misleading
"PIPELINING after BDAT" warning looked at the wrong variable.
The warning now says "BDAT without valid RCPT", and the
error is no longer treated as a command PIPELINING error
(but sending BDAT is still a client error, because postscreen
rejects all RCPT commands and does not announce PIPELINING
support). File: postscreen/postscreen_smtpd.c.
20190922
Documentation: replaced the link to "Suite B" cryptography
with a link to web.archive.org. File: proto/postconf.proto.
20191109
Cleanup: Postfix daemon processes now log the from= and to=
addresses in external (quoted) form in non-debug logging
(info, warning, etc.). This is consistent with the address
form that Postfix 3.2 and later prefer for table lookups.
It is therefore the more useful form for non-debug logging.
Files: cleanup/cleanup.c, cleanup/cleanup_message.c,
cleanup/cleanup_milter.c, global/info_log_addr_form.c,
global/info_log_addr_form.h, global/log_adhoc.c,
global/mail_params.c, global/mail_params.h, global/opened.c,
local/local.c, oqmgr/qmgr.c, oqmgr/qmgr_active.c,
pickup/pickup.c, pipe/pipe.c, postscreen/postscreen.c,
postscreen/postscreen_smtpd.c, proto/postconf.proto,
qmgr/qmgr.c, qmgr/qmgr_active.c, smtp/smtp.c, smtpd/smtpd.c,
smtpd/smtpd_check.c, virtual/virtual.c.
Usability: the parser for key/certificate chain files
rejected inputs that contain an EC PARAMETERS object. While
this is technically correct (the documentation says what
types are allowed) this is surprising behavior because the
legacy cert/key parameters will accept such inputs. For
now, the parser skips object types that it does not know
about for usability, and logs a warning because ignoring inputs
is not kosher. Viktor and Wietse. File: tls/tls_certkey.c.
20191201
Compatibility: added '_' to the milter_connect_macros default
value. Reportedly some software produces an ugly warning
message if Postfix does not send the macro, and there is
no harm in sending it. File: global/mail_params.h.
20191214
Bugfix (introduced: Postfix 3.1): support for
smtp_dns_resolver_options was broken while adding support
for negative DNS response caching in postscreen. Postfix
was inadvertently changed to call res_query() instead of
res_search(). Reported by Jaroslav Skarvada. File:
dns/dns_lookup.c.
Bugfix: sanitize server responses before storing them in
the verify database, to avoid Postfix warnings about malformed
UTF8. File: verify/verify.c.
20191215
Future proofing: the Postfix DNS library logs a warning if
the DNS_REQ_FLAG_NCACHE_TTL dns_lookup flag is set and the
RES_DNSRCH or RES_DEFNAMES resolver flags are set, and
disables those resolver flags. File: dns/dns_lookup.c.
20191230
Documentation: added the 'X' flag (final delivery) to the
pipe-based final delivery examples in the default master.cf
file. File: conf/master.cf
20201005
Workaround: postlog clients open the socket before entering
the chroot jail and before dropping privileges. This is needed
on MacOS and would not hurt otherwise. Files: util/msg_logger.[hc],
global/maillog_client.c.
20200108
UI cleanup: SMTP (and LMTP) client support for a list of
nexthop destinations separated by comma or whitespace. These
will be tried in the specified order. The list form can be
specified in relayhost, transport_maps, default_transport,
and sender_dependent_default_transport_maps. Examples:
"relayhost = foo.example, bar.example", and "default_transport
= smtp:foo.example, bar.example". Files: smtp/smtp.c,
smtp/smtp_connect.c, trivial-rewrite/resolve.c, proto/transport,
proto/postconf.proto, global/mail_params.c.
20200112
[initially released as part of postfix-20200101-nonprod]
Refactored the haproxy infrastructure in preparation for
haproxy version 2 support. This is necessary because version
2 introduces a dependency of the reader on the parser.
Additionally, version 2 introduces support for non-proxied
connections (used by health checks). Files: global/haproxy_srvr.c,
smtpd/smtpd_peer.c, smtpd/smtpd_haproxy.c, smtpd/smtpd.h,
postscreen/postscreen.h, postscreen/postscreen_endpt.c,
postscreen/postscreen_haproxy.c, postscreen/postscreen_haproxy.h,
global/haproxy_srvr.h. Initial release 3.5-20200101-nonprod.
[initially released as part of postfix-20200105-nonprod]
Support for the haproxy v2 protocol. The haproxy v2 protocol
support is limited to TCP over IPv4 and TCP over IPv6. It
also supports non-proxied connections (typically used for
heartbeat tests). File: global/haproxy_srvr.c.
[initially released as part of postfix-20200105-nonprod]
Cleanup: after haproxy handshake error, the Postfix SMTP
daemon now logs the proxy connection information instead
of unknown/unknown, and replies with "421 4.3.0 $myhostname
Server local error" instead of just hanging up. Error
details are logged to the maillog file. File: smtpd/smtpd.c.
Cleanup: miscellaneous comments, constants, error checks,
no normal behavior change. Files: global/haproxy_srvr.c,
postscreen/postscreen_haproxy.c.
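The haproxy v2 entries above limit support to TCP over IPv4, TCP over IPv6, and non-proxied (LOCAL) connections. The following parser is an added example, not code from Postfix's global/haproxy_srvr.c: it follows the published PROXY protocol v2 header layout and shows how a receiver can accept only those cases. All function, type and sample names are hypothetical, and the sample headers are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Added example: hypothetical names, not Postfix's haproxy_srvr.c API. */
enum pp2_status { PP2_PROXIED, PP2_LOCAL, PP2_NEED_MORE, PP2_ERROR };

struct pp2_info {
    char src[INET6_ADDRSTRLEN];  /* proxied client address, text form */
    char dst[INET6_ADDRSTRLEN];  /* proxied server address, text form */
    unsigned src_port;
    unsigned dst_port;
    size_t consumed;             /* header bytes to strip before SMTP */
};

#define PP2_SIG 0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, \
                0x0a, 0x51, 0x55, 0x49, 0x54, 0x0a
#define PP2_HDR_LEN 16           /* signature, ver/cmd, fam/proto, length */

static const unsigned char pp2_sig[12] = { PP2_SIG };

/* Constructed sample: PROXY, TCP/IPv4, 192.0.2.10:40000 -> 198.51.100.25:25. */
static const unsigned char sample_tcp4[] = {
    PP2_SIG, 0x21, 0x11, 0x00, 0x0c,
    192, 0, 2, 10, 198, 51, 100, 25, 0x9c, 0x40, 0x00, 0x19
};
/* Constructed sample: LOCAL command (health check), empty address block. */
static const unsigned char sample_local[] = { PP2_SIG, 0x20, 0x00, 0x00, 0x00 };
/* Constructed sample: UDP over IPv4, outside the supported set. */
static const unsigned char sample_udp4[] = {
    PP2_SIG, 0x21, 0x12, 0x00, 0x0c,
    192, 0, 2, 10, 198, 51, 100, 25, 0x9c, 0x40, 0x00, 0x19
};

static unsigned be16(const unsigned char *p)
{
    return ((unsigned) p[0] << 8) | p[1];
}

/* Parse one v2 header from buf; the caller keeps reading on PP2_NEED_MORE. */
enum pp2_status pp2_parse(const unsigned char *buf, size_t len,
                          struct pp2_info *out)
{
    size_t sig_have = len < sizeof(pp2_sig) ? len : sizeof(pp2_sig);
    size_t body_len, addr_len;
    const unsigned char *body;
    int af;

    memset(out, 0, sizeof(*out));
    /* Fail as soon as the bytes seen so far diverge from the signature. */
    if (memcmp(buf, pp2_sig, sig_have) != 0)
        return PP2_ERROR;
    if (len < PP2_HDR_LEN)
        return PP2_NEED_MORE;
    if ((buf[12] >> 4) != 2)                 /* high nibble: version */
        return PP2_ERROR;
    body_len = be16(buf + 14);               /* sender-declared length */
    if (len < PP2_HDR_LEN + body_len)
        return PP2_NEED_MORE;
    body = buf + PP2_HDR_LEN;

    switch (buf[12] & 0x0f) {                /* low nibble: command */
    case 0x0:   /* LOCAL: skip the block, keep the real socket endpoints */
        out->consumed = PP2_HDR_LEN + body_len;
        return PP2_LOCAL;
    case 0x1:   /* PROXY: addresses follow */
        break;
    default:
        return PP2_ERROR;
    }
    switch (buf[13]) {                       /* family << 4 | transport */
    case 0x11: af = AF_INET;  addr_len = 4;  break;
    case 0x21: af = AF_INET6; addr_len = 16; break;
    default:   return PP2_ERROR;             /* UDP, UNIX, UNSPEC */
    }
    /* The declared length must cover both addresses and both ports. */
    if (body_len < 2 * addr_len + 4)
        return PP2_ERROR;
    if (inet_ntop(af, body, out->src, sizeof(out->src)) == NULL
        || inet_ntop(af, body + addr_len, out->dst, sizeof(out->dst)) == NULL)
        return PP2_ERROR;
    out->src_port = be16(body + 2 * addr_len);
    out->dst_port = be16(body + 2 * addr_len + 2);
    /* Any trailing TLVs are inside body_len and are skipped with it. */
    out->consumed = PP2_HDR_LEN + body_len;
    return PP2_PROXIED;
}

int main(void)
{
    struct pp2_info info;

    if (pp2_parse(sample_tcp4, sizeof(sample_tcp4), &info) == PP2_PROXIED)
        printf("proxied %s:%u -> %s:%u, header %zu bytes\n", info.src,
               info.src_port, info.dst, info.dst_port, info.consumed);
    printf("local: %d, udp4: %d\n",
           pp2_parse(sample_local, sizeof(sample_local), &info),
           pp2_parse(sample_udp4, sizeof(sample_udp4), &info));
    return 0;
}
```

On PP2_ERROR the caller should treat the handshake as failed and not use any address from the header for logging or access decisions.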
20200126
Cleanup: missing 'extern' declarations in some header files.
Eray Aslan. Files: global/mail_params.h, postconf/postconf.h,
smtpd/smtpd_expand.h, trivial-rewrite/trivial-rewrite.h
Typos: Viktor Dukhovni. File: HISTORY.
Documentation: haproxy2 support. File: proto/postconf.proto.
20200120
[initially released as part of postfix-20200125-nonprod]
Feature: forced message expiration. The "postsuper -e"
option sets an 'expired' bit on one or more messages selected
by their message ID. The queue manager returns a message
as undeliverable when it moves the message to the active
queue. Messages in the hold queue stay in that queue.
If a force-expired message was deferred, then it is returned
with the reason for the delay. Otherwise, the message is
returned with "message is administratively expired". Design
by Wietse; Viktor suggested using the group execute permission
bit. Files: global/mail_queue.h, *qmgr/qmgr.h, *qmgr/qmgr_active.c,
*qmgr/qmgr_message.c, postsuper/Makefile.in, postsuper/postsuper.c.
20200125
[initially released as part of postfix-20200125-nonprod]
Added support for "postsuper -f" to expire and optionally
release a message. Restructured the postsuper command so
that it will execute actions in the order of the -[defhr]
flags, instead of using an invisible fixed internal order.
The -e and -f options are idempotent (just like -h and -H).
Adjusted the summary at the end to make this more clear.
File: postsuper/postsuper.c.
20200126
[initially released as part of postfix-20200126-nonprod]
Updated the mailq/postqueue commands to make forced message
expiration status available. In ASCII output this is indicated
with "#" appended to the queue file name, and in JSON output
this is indicated with the boolean "force_expired" attribute.
Files: showq/showq.c, postqueue/showq_compat.c,
postqueue/showq_json.c.
[initially released as part of postfix-20200126-nonprod]
Cleanup: minor tweaks to comments and code.
Safety: give maildrop queue files more time (week instead
of day) to reach completion, in case a message is submitted
by a really long-running program. File: postsuper/postsuper.c.
Cleanup: postsuper manpage indentation, word abbreviation.
Files: mantools/postlink, postsuper/postsuper.c.
20200202
Cleanup: nags about strcpy()/sprintf() from naive checkers.
Files: global/mail_conf_int.c, global/mail_conf_long.c,
global/mail_conf_nint.c, global/mail_conf_time.c,
global/maillog_client.c, util/mymalloc.c.
Documentation: rephrased the postconf(5) manual page entry
for milter_default_action. File: proto/postconf.proto.
Bugfix (introduced: Postfix 2.5): Milter SMTP connect event
macros were evaluated before the Postfix-to-Milter connection
had been negotiated. Problem reported by David Bürgin.
Files: milter/milter.h, milter/milter.c, milter/milter8.c
20200308
Cleanup: spellchecks, attributions. Files: HISTORY,
auxiliary/name-addr-test/gethostbyaddr.c,
auxiliary/name-addr-test/getnameinfo.c, proto/postconf.proto,
global/haproxy_srvr.c, global/mail_version.h, global/map_search.c,
global/map_search.h, postsuper/postsuper.c, smtp/smtp.c,
smtp/smtp_misc.c, smtpd/smtpd.c, smtpd/smtpd_check.c,
smtpd/smtpd_expand.h, tls/tls_client.c, tls/tls_server.c,
tlsproxy/tlsproxy.c, trivial-rewrite/trivial-rewrite.h,
util/byte_mask.c, util/vstream_tweak.c.
Cleanup: bitrot in tests. File: cleanup/cleanup_milter.c.
Cleanup: harmless memory leak in postconf. File:
postconf/postconf_master.c.
Bugfix (introduced: Postfix 2.3): panic with Postfix
multi-Milter configuration during MAIL FROM. Milter client
state was not properly reset after one of the Milters failed.
Reported by WeiYu Wu.
20200312
Usability: the Postfix SMTP server now logs a warning when
a configuration requests access control by client certificate,
but "smtpd_tls_ask_ccert = no". Files: proto/postconf.proto,
smtpd/smtpd_check.c.
20200316
Removed the issuer_cn and subject_cn matches from
check_ccert_access. Files: smtpd/smtpd_check.c,
proto/postconf.proto.
20200416
Workaround for broken builds after an incompatible change
in GCC 10. Files: makedefs, Makefile.in.
Workaround for broken DANE support after an incompatible
change in GLIBC 2.31. This avoids the need for new options
in /etc/resolv.conf. Files: dns/dns.h, dns/dns_lookup.c.
20200419
Bugfix: segfault in the tlsproxy client role when the server
role was disabled. This typically happens on systems that
do not receive mail, after configuring connection reuse for
outbound TLS. Found during program maintenance. File:
tlsproxy/tlsproxy.c.
20200420
Noise suppression: shut up a compiler that special-cases
string literals. Viktor Dukhovni. File: milter/milter.c.
20200422
Security: disable DANE support on Alpine Linux because
libc-musl provides no indication whether DNS responses are
authentic. This broke DANE support without a clear explanation.
File: makedefs.
20200505
Noise suppression: shut up a compiler that special-cases
string literals. Viktor Dukhovni. File: smtpd/smtpd_check.c.
20200509
Bugfix (introduced: Postfix 3.5): maillog_file_rotate_suffix
default value used the minute instead of the month. Reported
by Larry Stone. Files: conf/postfix-tls-script,
proto/MAILLOG_README.html, proto/postconf.proto,
global/mail_params.h, postfix/postfix.c.
20200510
Bitrot: avoid U_FILE_ACCESS_ERROR after chroot(), by
initializing the ICU library before making the chroot()
call. Files: util/midna_domain.[hc], global/mail_params.c.
20200511
Noise suppression: avoid "SSL_Shutdown:shutdown while in
init" warnings. File: tls/tls_session.c.
20200515
Bugfix (introduced: Postfix 2.2): a TLS error for a PostgreSQL
client caused a false 'lost connection' error for an SMTP
over TLS session in the same Postfix process. Reported by
Alexander Vasarab, diagnosed by Viktor Dukhovni. File:
tls/tls_bio_ops.c.
Bugfix (introduced: Postfix 2.8): a TLS error for one TLS
session may cause a false 'lost connection' error for a
concurrent TLS session in the same tlsproxy process. File:
tlsproxy/tlsproxy.c.
20200530
Bugfix (introduced: Postfix 3.1): "postfix tls deploy-server-cert"
did not handle a missing optional argument. File:
conf/postfix-tls-script.
20200610
Bugfix (introduced: Postfix 3.4): in the Postfix SMTP server,
the SNI callback reported an error when it was called a
second time. This happened after the server-side TLS engine
sent a TLSv1.3 HelloRetryRequest (HRR) to a remote SMTP
client. Reported by Ján Máté, fixed by Viktor Dukhovni.
File: tls/tls_misc.c.
20200617
Bugfix (introduced: Postfix 3.4): the connection_reuse
attribute in smtp_tls_policy_maps resulted in an "invalid
attribute name" error. Fix by Thorsten Habich. File:
smtp/smtp_tls_policy.c.
20200619
Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
reuse was broken for configurations that use explicit trust
anchors. Reported by Thorsten Habich. Cause: the tlsproxy
client was sending a zero certificate length. File:
tls/tls_proxy_client_print.c.
20200620
Bugfix (introduced: Postfix 3.4): SMTP over TLS connection
reuse was broken for configurations that use explicit trust
anchors. Reported by Thorsten Habich. Fixed by calling DANE
initialization unconditionally (WTF). File: tlsproxy/tlsproxy.c.
20200626
Bugfix (introduced: Postfix 2.11): The Postfix smtp(8)
client did not send the right SNI name when the TLSA base
domain was a secure CNAME expansion of the MX hostname (or
non-MX nexthop domain). Domains with CNAME expanded MX hosts
are not conformant with RFC5321, and so are rare. Even more
rare are MX hosts with TLSA records for their CNAME expansion.
For this to matter, the remote SMTP server would also have
to select its certificate based on the SNI name in such a
way that the original MX host would yield a different
certificate. Among the ~2 million hosts in the DANE survey,
none meet the conditions for returning a different certificate
for the expanded CNAME. Therefore, sending the correct SNI
name should not break existing mail flows. Fixed by Viktor
Dukhovni. File: src/tls/tls_client.c.
20200710
Bugfix (introduced: Postfix 3.0): minor memory leaks in the
Postfix TLS library, found during tests. File: tls/tls_misc.c.
20200712
Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
leak in the Postfix TLS library, found during tests. File:
tls/tls_misc.c.
20200724
Workaround for distros that override Postfix protocol
settings in a system-wide OpenSSL configuration file, causing
interoperability problems after an OS update. File:
tls/tls_client.c, tls/tls_server.c.
20200726
Bugfix (introduced: Postfix 3.5.5): part of a memory leak
fix was backported to the wrong place. File: tls/tls_misc.c.
The Postfix 3.5.5 workaround did not explicitly override
the system-wide OpenSSL configuration of allowed TLS protocol
versions, for sessions where the remote SMTP client sends
SNI. It's better to be safe than sorry. File: tls/tls_server.c.
20200821
Bugfix (introduced: Postfix 3.4, already fixed in Postfix
3.6): tlsproxy(8) was using the wrong DANE macro for
connections with DANE trust anchors or with non-DANE trust
anchors (WTF: Thorsten Habich found this bug in the use
case that has nothing to do with DANE). This resulted in a
global certificate verify function pointer race, between
TLS handshakes that use TLS trust anchors and handshakes
that use PKI. No memory was corrupted in the course of all
this. Viktor Dukhovni. File: tlsproxy/tlsproxy.c.
Cleanup: the posttls-finger '-X' option reported a false
conflict with '-r'. File: posttls-finger/posttls-finger.c.
20200830
Bugfix (introduced: Postfix 2.0): smtp_sasl_mechanism_filter
ignored table lookup errors, treating them as 'not found'.
Found during Postfix 3.6 development. File: smtp/smtp_sasl_proto.c.
20200920
Bugfix (introduced: Postfix 2.3): when deleting a recipient
with a milter, delete the recipient from the duplicate
filter, so that the recipient can be added back. Backported
from Postfix 3.6. Files: global/been_here.[hc],
cleanup/cleanup_milter.c.
20200925
Bugfix (introduced: before Postfix alpha): the code that
looks for Delivered-To: headers ignored headers longer than
$line_length_limit. Backported from Postfix 3.6. File:
global/delivered_hdr.c.
20201011
Bugfix (introduced: Postfix 2.8): save a copy of the
postscreen_dnsbl_reply_map lookup result. This has no effect
when the recommended texthash: lookup table is used, but it
may avoid stale data with other lookup tables. File:
postscreen/postscreen_dnsbl.c.
20201022
Bugfix (introduced: Postfix 2.2): after processing an
XCLIENT command, the smtps service was waiting for a TLS
handshake. Found by Aki Tuomi. File: smtpd/smtpd.c.
20201025
Bugfix (introduced: Postfix 2.3): static maps did not free
their casefolding buffer. File: util/dict_static.c.
20201104
Bugfix (introduced: Postfix 3.5): the Postfix SMTP client
broke message headers longer than $line_length_limit, causing
subsequent header content to become message body content.
Reported by Andreas Weigel, fix by Viktor Dukhovni. File:
smtp/smtp_proto.c.
20210116
Feature: when a Postfix program makes a DNS query that
requests DNSSEC validation (usually for Postfix DANE support)
but the DNS response is not DNSSEC validated, Postfix will
send a DNS query configured with the "dnssec_probe" parameter
to determine if DNSSEC support is available, and logs a
warning if it is not. By default, the probe has type "ns"
and domain name ".". The probe is sent once per process
lifetime. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_sec.c,
test_dns_lookup.c, global/mail_params.[hc], mantools/postlink.
The makedefs script no longer disables DNSSEC when Postfix
is built with libc-musl. Instead Postfix will rely on the
new dnssec_probe feature, and will log a warning when Postfix
requests DNSSEC validation, but the infrastructure does not
validate DNSSEC signatures. File: makedefs.
The default "smtp_tls_dane_insecure_mx_policy = dane" was
causing unnecessary dnssec_probe activity. The default is now
"dane" when smtp_tls_security_level is "dane", otherwise it is
"may". File: global/mail_params.h.
20210411
Missing null pointer checks (introduced: Postfix 3.4) after
an internal I/O error during the smtp(8) to tlsproxy(8)
handshake. Found by Coverity, reported by Jaroslav Skarvada.
Based on fix by Viktor Dukhovni. File: tls/tls_proxy_client_scan.c.
Null pointer bug (introduced: Postfix 3.0) and memory leak
(introduced: Postfix 3.4) after an inline: table syntax
error in main.cf or master.cf. Found by Coverity, reported
by Jaroslav Skarvada. Based on fix by Viktor Dukhovni. File:
util/dict_inline.c.
Incomplete null pointer check (introduced: Postfix 2.10)
after truncated HaProxy version 1 handshake message. Found
by Coverity, reported by Jaroslav Skarvada. Fix by Viktor
Dukhovni. File: global/haproxy_srvr.c.
Missing null pointer check (introduced: Postfix alpha) after
null argv[0] value. File: global/mail_task.c.
20210601
Bugfix (introduced: Postfix 2.11): the command "postmap
lmdb:/file/name" handled duplicate keys ungracefully,
discarding entries stored up to and including the duplicate
key, and causing a double free() call with lmdb versions
0.9.17 and later. Reported by Adi Prasaja; double free()
root cause analysis by Howard Chu. File: util/slmdb.c.
20210609
Typo (introduced: Postfix 3.4): silent_discard should be
silent-discard. File: proto/BDAT_README.html.
20210612
Support for Postfix 3.6 compatibility_level syntax, to avoid
fatal runtime errors when rolling back from Postfix 3.6 to
an earlier supported version, or when sharing Postfix 3.6
configuration files with an earlier supported Postfix
version. File: global/mail_params.c.
20210615
Bugfix (introduced: Postfix 3.4): the texthash: map
implementation did not support "postmap -F" behavior.
Reported by Christopher Gurnee, who also found the missing
code in the postmap source. File: util/dict_thash.c.
20210623
Bugfix (introduced: 1999, Postfix 2.11) latent false "Result too
large" (ERANGE) errors because an strtol() call had no 'errno
= 0' statement before the call. Back-ported from Postfix 3.6.
Files: postscreen/postscreen_tests.c, util/mac_expand.c.
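The strtol() pitfall described above, as an added example (not Postfix source; all function names here are constructed for illustration): strtol() sets errno only on failure and never clears it, so a stale ERANGE from earlier code is misread as overflow unless errno is zeroed before the call.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Simulate earlier code that left ERANGE behind: this strtol() overflows. */
static void leave_stale_erange(void)
{
    (void) strtol("99999999999999999999999999", (char **) 0, 10);
}

/* Latent-bug pattern: errno is inspected without being cleared first. */
static int parse_long_stale(const char *s, long *out)
{
    char   *end;
    long    val = strtol(s, &end, 10);

    if (end == s || *end != '\0')
        return (-1);                    /* not a clean decimal number */
    if (errno == ERANGE)
        return (-2);                    /* may be left over from earlier */
    *out = val;
    return (0);
}

/* Corrected pattern: 'errno = 0' immediately before the call. */
static int parse_long_checked(const char *s, long *out)
{
    char   *end;
    long    val;

    errno = 0;
    val = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return (-1);                    /* not a clean decimal number */
    if (errno == ERANGE)
        return (-2);                    /* genuine overflow/underflow */
    *out = val;
    return (0);
}

int main(void)
{
    long    val = 0;
    int     rc;

    leave_stale_erange();
    rc = parse_long_stale("42", &val);
    printf("stale errno, no reset:   rc=%d\n", rc);

    leave_stale_erange();
    rc = parse_long_checked("42", &val);
    printf("stale errno, with reset: rc=%d val=%ld\n", rc, val);
    return (0);
}
```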
20210705
Bugfix (introduced: Postfix 3.3): "null pointer read" error
in the cleanup daemon when "header_from_format = standard"
(the default as of Postfix 3.3) and email was submitted
with /usr/sbin/sendmail without From: header, and an all-space
full name was specified in 1) the password file, 2) with
"sendmail -F", or 3) with the NAME environment variable.
Found by Renaud Metrich. File: cleanup/cleanup_message.c.
20210708
Bugfix (introduced: 1999): the Postfix SMTP server was
sending all session transcripts to the error_notice_recipient,
instead of sending transcripts of bounced mail to the
bounce_notice_recipient. File: smtpd/smtpd_chat.c.
20210713
Bugfix (introduced: Postfix 2.4): false "too many reverse
jump" warnings in the showq daemon. The loop detection code
was comparing memory addresses instead of queue file names.
It now properly compares strings. Reported by Mehmet Avcioglu.
File: global/record.c.
20210811
Bitrot: OpenSSL 3.x requires const. File: tls/tls_misc.c.
20210925
Bugfix (bug introduced: Postfix 2.10): postconf -x produced
incorrect output, because different functions were implicitly
sharing a buffer for intermediate results. Reported
by raf, root cause analysis by Viktor Dukhovni. File:
postconf/postconf_builtin.c.
20211030
Bugfix (problem introduced: Postfix 2.11): check_ccert_access
worked as expected, but produced a spurious warning when
Postfix was built without SASL support. Fix by Brad Barden.
File: smtpd/smtpd_check.c.
20211105
Bugfix (introduced: Postfix 2.4): queue file corruption
after a Milter (for example, MIMEDefang) made a request to
replace the message body with a copy of that message body
plus additional text (for example, a SpamAssassin report).
The most likely impacts were a) the queue manager reporting
a fatal error resulting in email delivery delays, or b) the
queue manager reporting the corruption and moving the message
to the corrupt queue for damaged messages.
However, a determined adversary could craft an email message
that would trigger the bug, and insert a content filter
destination or a redirect email address into its queue file.
Postfix would then deliver the message headers there, in
most cases without delivering the message body. With enough
experimentation, an attacker could make Postfix deliver
both the message headers and body.
The details of a successful attack depend on the Milter
implementation, and on the Postfix and Milter configuration
details; these can be determined remotely through
experimentation. Failed experiments may be detected when
the queue manager terminates with a fatal error, or when
the queue manager moves damaged files to the "corrupt" queue
as evidence.
Technical details: when Postfix executes a "replace body"
Milter request it will reuse queue file storage that was
used by the existing email message body. If the new body
is larger, Postfix will append body content to the end of
the queue file. The corruption happened when a Milter (for
example, MIMEDefang) made a request to replace the body of
a message with a new body that contained a copy of the
original body plus some new text, and the original body
contained a line longer than $line_length_limit bytes (for
example, an image encoded in base64 without hard or soft
line breaks). In queue files, Postfix stores a long text
line as multiple records with up to $line_length_limit bytes
each. Unfortunately, Postfix's "replace body" support did
not account for the additional queue file space needed to
store the second etc. record headers. And thus, the last
record(s) of a long text line could overwrite one or more
queue file records immediately after the space that was
previously occupied by the original message body.
Problem report by Benoît Panizzon.
20211115
Bugfix (introduced: 20210708): duplicate bounce_notice_recipient
entries in postconf output. The fix to send SMTP session
transcripts to bounce_notice_recipient was incomplete.
Reported by Vincent Lefevre. File: smtpd/smtpd.c.
20211216
Bugfix (introduced: Postfix 3.0): the proxymap daemon did
not automatically authorize proxied maps inside pipemap
(example: pipemap:{proxy:maptype:mapname, ...}) or inside
unionmap. Problem reported by Mirko Vogt. Files:
proxymap/proxymap.c.
20211220
Bugfix (introduced: Postfix 2.5): off-by-one error while
writing a string terminator. This code had passed all memory
corruption tests, presumably because it wrote over an
alignment padding byte, or over an adjacent character byte
that was never read. Reported by Robert Siemer. Files:
*qmgr/qmgr_feedback.c.
20211223
Cleanup: added missing _maps parameter names to the
proxy_read_maps default value, based on output from the
mantools/missing-proxy-read-maps script. File:
global/mail_params.h.
20220120
Bitrot: Glibc 2.34 implements closefrom(). File:
util/sys_defs.h.
20220202
Bitrot: Berkeley DB 18 is like Berkeley DB 6. Yasuhiro
Kimura. File: util/dict_db.c.
20220322
Cleanup: added missing _checks, _reply_footer, _reply_filter,
_command_filter, and _delivery_status_filter parameter names
to the proxy_read_maps default value. Files: global/mail_params.h,
mantools/missing-proxy-read-maps.
20220404
Bugfix: in an internal client module, "host or service not
found" was a fatal error, causing the milter_default_action
setting to be ignored. It is now a non-fatal error. The
same client is used by many Postfix clients (smtpd_proxy,
dovecot auth, tcp_table, memcache, socketmap, and so on).
Problem reported by Christian Degenkolb. File: util/inet_connect.c.
20220415
Cleanup (problem introduced: Postfix 3.0): with dynamic map
loading enabled, an attempt to create a map with "postmap
regexp:path" would result in a bogus error message "Is the
postfix-regexp package installed?" instead of "unsupported
map type for this operation". This happened with all built-in
map types (static, cidr, etc.) that have no 'bulk create'
support. Problem reported by Greg Klanderman. File:
global/dynamicmaps.c.
20220417
Cleanup (problem introduced: Postfix 2.7): milter_header_checks
maps are now opened before the cleanup server enters the
chroot jail. Problem reported by Jesper Dybdal. Files:
cleanup/cleanup.h, cleanup/cleanup_init.c,
cleanup/cleanup_milter.c, cleanup/cleanup_state.c.
20220719
Cleanup: Postfix 3.5.0 introduced debug logging noise in
map_search_create(). Files: global/map_search.c.
20220724
Workaround: in a TLS server disable Postfix's 1-element
internal session cache, to work around an OpenSSL 3.0
regression that broke TLS handshakes. It is rarely useful.
Report by Spil Oss, fix by Viktor Dukhovni. File:
tls/tls_server.c.
20220905
Cleanup: Postfix 3.3.0 introduced an uninitialized
verify_append() request status in case of a null original
recipient address. File: global/verify.c.
20220906
Cleanup: Postfix 3.5.16 introduced a missing msg_panic()
argument (in code that never executes). File:
cleanup/cleanup_milter.c.
20221128
Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client
code mis-parsed the last XFORWARD attribute name in the
SMTP server's EHLO response. The result was that the
smtpd_proxy_client code failed to forward the IDENT attribute.
Fix by Andreas Weigel. File: smtpd/smtpd_proxy.c.
20221201
Portability: LINUX6 support. Files: makedefs, util/sys_defs.h.
20221207
Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
lazily bound handles that may fail to work when one attempts
to use them, because no provider search happens until one
constructs an actual operation context. In sufficiently
hostile configurations, Postfix could mistakenly believe
that an algorithm is available, when in fact it is not. A
similar workaround may be needed for EVP_get_cipherbyname().
Fix by Viktor Dukhovni. Files: tls/tls.h, tls/tls_dane.c,
tls/tls_fprint.c, tls/tls_misc.c.
Bugfix (introduced: Postfix 2.11): the checkok() macro in
tls/tls_fprint.c evaluated its argument unconditionally;
it should evaluate the argument only if there was no prior
error. Found during code review. File: tls/tls_fprint.c.
20221215
Foolproofing: postscreen segfault with postscreen_dnsbl_threshold
< 1. It should reject such input with a fatal error instead.
Discovered by Benny Pedersen. File: postscreen/postscreen.c.
20230103
Bugfix (introduced: Postfix 2.7): the verify daemon logged
a garbled cache name when terminating a cache scan in
progress. Reported by Phil Biggs, fix by Viktor Dukhovni.
File: util/dict_cache.c.
Bitrot: fixes for linker warnings from newer Darwin (MacOS)
versions. Viktor Dukhovni. File: makedefs.
20230115
Workaround: STRREF() macro to shut up compiler warnings for
legitimate string comparison expressions. Back-ported from
Postfix 3.6 and later. Files: util/stringops.h, flush/flush.c.
Workaround for a breaking change in OpenSSL 3: always turn
on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
and missed opportunities for TLS session reuse. This is
safe because the SMTP protocol implements application-level
framing, and is therefore not affected by TLS truncation
attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
tls/tls_server.c.
20230125
Portability: the EVP_get_digestbyname change broke OpenSSL
1.0.2 support. File: tls/tls.h.
20230127
Bugfix (introduced: Postfix 3.4): the posttls-finger command
failed to detect that a connection was resumed in the case
that a server did not return a certificate. Viktor Dukhovni.
File: posttls-finger/posttls-finger.c.
Workaround: OpenSSL 3.x EVP_get_cipherbyname() can return
lazily-bound handles. Postfix now checks that the expected
functionality will be available instead of failing later.
Fix by Viktor Dukhovni. File: tls/tls_server.c.
Portability: MacOS support for the postfix-env.sh test
script.
20230314
Bugfix (introduced: Postfix 3.5): check_ccert_access did
not parse inline map specifications. Report and fix by Sean
Gallagher. File: global/map_search.c.
20230330
Safety: the long form "{ name = value }" in import_environment
or export_environment is not documented, but accepted, and
it was stored in the process environment as the invalid
form "name = value", thus not setting or overriding an entry
for "name". This form is now stored as the expected
"name=value". Found during code maintenance. Also refined
the "missing attribute name" detection. Files: clean_env.c,
split_nameval.c.
20230418
Bugfix (introduced: Postfix 3.2): the MySQL client could
return "not found" instead of "error" during the time that
all MySQL server connections were turned down after error.
Found during code maintenance. File: global/dict_mysql.c.
20230428
Bugfix (defect introduced: Postfix 1.0): the command "postconf
.. name=v1 .. name=v2 .." (multiple instances of the same
parameter name) created multiple name=value entries with
the same parameter name. It now logs a warning and skips
the earlier update. Found during code maintenance. File:
postconf/postconf_edit.c
Bugfix (defect introduced: Postfix 3.3): the command "postconf
-M name1/type1='name2 type2 ...'" died with a segmentation
violation when the request matched multiple master.cf
entries. The master.cf file was not damaged. Problem reported
by SATOH Fumiyasu. File: postconf/postconf_master.c.
20230502
Bugfix (defect introduced: Postfix 2.11): the command
"postconf -M name1/type1='name2 type2 ...'" could add a
service definition to master.cf that conflicted with an
already existing service definition. It now replaces all
existing service definitions that match the service pattern
'name1/type1' or the service name and type in 'name2 type2
...' with a single service definition 'name2 type2 ...'.
Problem reported by SATOH Fumiyasu. File: postconf/postconf_edit.c.
20230519
Bitrot: preliminary support for OpenSSL configuration files,
primarily OpenSSL 1.1.1b and later. This introduces new
parameters "tls_config_file" and "tls_config_name", which
can be used to limit collateral damage from OS distributions
that crank up security to 11, increasing the number of
plaintext email deliveries. Details are in the postconf(5)
manpage under "tls_config_file" and "tls_config_name".
Viktor Dukhovni. Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, posttls-finger/posttls-finger.c,
smtp/smtp.c, smtp/smtp_proto.c, tls/tls_client.c, tls/tls.h,
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
20230523
Cleanup: use TLS_CLIENT_PARAMS to pass the OpenSSL 'init'
configurations. This information is independent from the
client or server TLS context, and therefore does not belong
in tls_*_init() or tls_*_start() calls. The tlsproxy(8)
server uses TLS_CLIENT_PARAMS to report differences between
its own global TLS settings, and those from its clients.
Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.
20230524
Cleanup: reverted cosmetic-only changes to minimize the
patch footprint for OpenSSL INI file support; updated daemon
manpages with the new tls_config_file and tls_config_name
configuration parameters. Files: smtp/smtp.c, smtpd/smtpd.c,
tls/tls_client.c, tls/tls.h, tls/tls_server.c, tlsproxy/tlsproxy.c.
20230529
Cleanup: made OpenSSL 'default' INI file support error
handling consistent with OpenSSL default behavior. Viktor
Dukhovni. Files: proto/postconf.proto, tls/tls_misc.c.
20230602
Backwards compatibility for stable releases that originally
had no OpenSSL INI support. Skip the new OpenSSL INI support
code, unless the Postfix configuration actually specifies
non-default tls_config_xxx settings. File: tls/tls_misc.c.
Cleanup: added a multiple initialization guard in the
tls_library_init() function, and made an initialization
error sticky. File: tls/tls_misc.c.
20230605
Security: new parameter smtpd_forbid_unauth_pipelining
(default: no) to disconnect remote SMTP clients that violate
RFC 2920 (or 5321) command pipelining constraints. Files:
global/mail_params.h, smtpd/smtpd.c, proto/postconf.proto.
20230815
Bugfix (bug introduced: 20140218): when opportunistic TLS fails
during or after the handshake, don't require that a probe
message spent a minimum time-in-queue before falling back to
plaintext. Problem reported by Serg. File: smtp/smtp.h.
20230819
Bugfix (defect introduced: 19980207): the valid_hostname()
check in the Postfix DNS client library was blocking unusual
but legitimate wildcard names (*.name) in some DNS lookup
results and lookup requests. Examples:
name            class/type value
*.one.example   IN CNAME   *.other.example
*.other.example IN A       10.0.0.1
*.other.example IN TLSA    ..certificate info...
Such syntax is blessed in RFC 1034 section 4.3.3.
This problem was reported first in the context of TLSA
record lookups. Files: util/valid_hostname.[hc],
dns/dns_lookup.c.
20230929
Bugfix (defect introduced Postfix 2.5, 20080104): the Postfix
SMTP server was waiting for a client command instead of
replying immediately, after a client certificate verification
error in TLS wrappermode. Reported by Andreas Kinzler. File:
smtpd/smtpd.c.
20231006
Usability: the Postfix SMTP server now attempts to log the
SASL username after authentication failure. In Postfix
logging, this appends ", sasl_username=xxx" after the reason
for SASL authentication failure. The logging replaces an
unavailable reason with "(reason unavailable)", and replaces
an unavailable sasl_username with "(unavailable)". Based
on code by Jozsef Kadlecsik. Files: xsasl/xsasl_server.c,
xsasl/xsasl_cyrus_server.c, smtpd/smtpd_sasl_glue.c.
20231026
Bugfix (defect introduced: Postfix 2.11): in forward_path,
the expression ${recipient_delimiter} would expand to an
empty string when a recipient address had no recipient
delimiter. Fixed by restoring Postfix 2.10 behavior to use
a configured recipient delimiter value. Reported by Tod
A. Sandman. Files: proto/postconf.proto, local/local_expand.c.
20240109
Security (outbound SMTP smuggling): with the default setting
"cleanup_replace_stray_cr_lf = yes" Postfix will replace
stray <CR> or <LF> characters in message content with a
space character. This prevents Postfix from enabling
outbound (remote) SMTP smuggling, and it also makes evaluation
of Postfix-added DKIM etc. signatures independent from how
a remote mail server handles stray <CR> or <LF> characters.
Files: global/mail_params.h, cleanup/cleanup.c,
cleanup/cleanup_message.c, mantools/postlink, proto/postconf.proto.
20240112
Security (inbound SMTP smuggling): with "smtpd_forbid_bare_newline
= normalize" (default "no" for Postfix < 3.9), the Postfix
SMTP server requires the standard End-of-DATA sequence
<CR><LF>.<CR><LF>, and otherwise allows command or message
content lines ending in the non-standard <LF>, processing
them as if the client sent the standard <CR><LF>.
The alternative setting, "smtpd_forbid_bare_newline = reject"
will reject any command or message that contains a bare
<LF>, and is more likely to cause problems with legitimate
clients.
For backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks".
Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c, smtpd/smtpd_check.[hc].
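A state-machine reading of the "normalize" and "reject" rules above, as an added example (not Postfix source): scan_data(), the policy enum and the sample message are constructed for illustration. BARE_LF_LENIENT models a receiver that accepts a bare <LF> as a line ending everywhere, which is an assumption included only for contrast.

```c
#include <stddef.h>
#include <stdio.h>

enum bare_lf_policy { BARE_LF_LENIENT, BARE_LF_NORMALIZE, BARE_LF_REJECT };

#define SCAN_REJECTED   (-1)            /* bare <LF> under "reject" */
#define SCAN_INCOMPLETE (-2)            /* no End-of-DATA in the buffer */

/* Constructed sample: two body lines use a bare <LF>, one of them is ".". */
static const char SAMPLE[] =
"Subject: t\r\n"
"\r\n"
"line one\n"
".\n"
"line two\r\n"
".\r\n";

#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/*
 * Scan SMTP DATA content. Returns the number of content lines that precede
 * End-of-DATA and stores in *consumed the offset just past End-of-DATA.
 */
static int scan_data(const char *buf, size_t len,
                     enum bare_lf_policy policy, size_t *consumed)
{
    size_t  start = 0;                  /* first byte of the current line */
    int     prev_crlf = 1;              /* start of DATA follows <CR><LF> */
    int     lines = 0;
    size_t  i;

    for (i = 0; i < len; i++) {
        int     crlf;
        int     is_dot;
        size_t  text_len;

        if (buf[i] != '\n')
            continue;
        crlf = (i > start && buf[i - 1] == '\r');
        text_len = i - start - (crlf ? 1 : 0);
        is_dot = (text_len == 1 && buf[start] == '.');

        /* "reject": any bare <LF> fails the whole message. */
        if (!crlf && policy == BARE_LF_REJECT)
            return (SCAN_REJECTED);

        if (is_dot) {
            /* Standard End-of-DATA needs <CR><LF> on both sides of ".". */
            if ((crlf && prev_crlf) || policy == BARE_LF_LENIENT) {
                *consumed = i + 1;
                return (lines);
            }
            /* "normalize": a "." framed by a bare <LF> stays content. */
        }
        lines++;
        prev_crlf = crlf;
        start = i + 1;
    }
    return (SCAN_INCOMPLETE);
}

int main(void)
{
    static const char *names[] = {"lenient", "normalize", "reject"};
    int     p;

    for (p = BARE_LF_LENIENT; p <= BARE_LF_REJECT; p++) {
        size_t  consumed = 0;
        int     rc = scan_data(SAMPLE, SAMPLE_LEN,
                               (enum bare_lf_policy) p, &consumed);

        printf("%-9s rc=%d consumed=%lu of %lu\n", names[p], rc,
               (unsigned long) consumed, (unsigned long) SAMPLE_LEN);
    }
    return (0);
}
```

Under the lenient model the message ends early at the bare-<LF> dot line, leaving the remaining bytes to be parsed as whatever comes next; "normalize" consumes the whole buffer as one message, and "reject" refuses it.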
20231102
Bugfix (defect introduced: Postfix 2.3, date 20051222): the
Dovecot auth client did not reset the 'reason' from a
previous Dovecot auth service response, before parsing the
next Dovecot auth server response in the same SMTP session.
Reported by Stephan Bosch. File: xsasl/xsasl_dovecot_server.c.
20231105
Cleanup: Postfix SMTP server response with an empty
authentication failure reason. File: smtpd/smtpd_sasl_glue.c.
20231208
Bugfix (defect introduced: Postfix 3.1, date: 20151128):
"postqueue -j" produced broken JSON when escaping a control
character as \uXXXX. Found during code maintenance. File:
postqueue/showq_json.c.
20231211
Cleanup: posttls-finger certificate match expectations for
all TLS security levels, including warnings for levels that
don't implement certificate matching. Viktor Dukhovni.
File: posttls-finger.c.
20231213
Bugfix (defect introduced: Postfix 2.3): after prepending
a message header with a Postfix access table PREPEND action,
a Milter request to delete or update an existing header
could have no effect, or it could target the wrong instance
of an existing header. Root cause: the fix dated 20141018
for the Postfix Milter client was incomplete. The client
did correctly hide the first, Postfix-generated, Received:
header when sending message header information to a Milter
with the smfi_header() application callback function, but
it was still hiding the first header (instead of the first
Received: header) when handling requests from a Milter to
delete or update an existing header. Problem report by
Carlos Velasco. This change was verified to have no effect
on requests from a Milter to add or insert a header. File:
cleanup/cleanup_milter.c.
20240124
Workaround: tlsmgr logfile spam. Some OS lies under load:
it says that a socket is readable, then it says that the
socket has unread data, and then it says that read returns
EOF, causing Postfix to spam the log with a warning message.
File: tlsmgr/tlsmgr.c.
Bugfix (defect introduced: Postfix 3.4): the SMTP server's
BDAT command handler could be tricked to read $message_size_limit
bytes into memory. Found during code maintenance. File:
smtpd/smtpd.c.
20240209
Performance: eliminate worst-case behavior where the queue
manager defers delivery to all destinations over a specific
delivery transport, after only a single delivery agent
failure. The scheduler now throttles one destination, and
allows deliveries to other destinations to keep making
progress. Files: *qmgr/qmgr_deliver.c.
20240226
Safety: drop and log over-size DNS responses resulting in
more than 100 records. This is 20x larger than the number of
server addresses that the Postfix SMTP client is willing
to consider when delivering mail, and is well below the
number of records that could cause a tail recursion crash
in dns_rr_append() as reported by Toshifumi Sakaguchi. This
also limits the number of DNS requests from check_*_*_access
restrictions. Files: dns/dns.h, dns/dns_lookup.c, dns/dns_rr.c,
dns/test_dns_lookup.c, posttls-finger/posttls-finger.c,
smtp/smtp_addr.c, smtpd/smtpd_check.c.