diff options
Diffstat (limited to '')
-rw-r--r-- | RELEASE_NOTES-2.1 | 581 | ||||
-rw-r--r-- | RELEASE_NOTES-2.10 | 268 | ||||
-rw-r--r-- | RELEASE_NOTES-2.11 | 280 |
3 files changed, 1129 insertions, 0 deletions
diff --git a/RELEASE_NOTES-2.1 b/RELEASE_NOTES-2.1 new file mode 100644 index 0000000..c25b28b --- /dev/null +++ b/RELEASE_NOTES-2.1 @@ -0,0 +1,581 @@ +In the text below, incompatible changes are labeled with the Postfix +snapshot that introduced the change. If you upgrade from a later +Postfix version, then you do not have to worry about that particular +incompatibility. + +The official Postfix release is called 2.1.x where 2=major release +number, 1=minor release number, x=patchlevel. Snapshot releases +are called 2.2-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). The mail_release_date configuration parameter +contains the release date (both for official release and snapshot +release). Patches are issued for the official release and change +the patchlevel and the release date. Patches are never issued for +snapshot releases. + +Major changes - critical +------------------------ + +If you run Postfix 2.0 or earlier then you must stop Postfix before +upgrading. The master-child protocols have changed between Postfix +1.1 and 2.0, and version 2.1 sometimes writes queue files that the +2.0 and earlier queue managers complain about. If this happens move +the files from the corrupt directory to the maildrop directory and +give them another chance. + +[Incompat 20021119] The Postfix upgrade procedure will add two new +services to your master.cf file: "trace" and "verify". These servers +can run inside a chroot jail, have no interaction with users, and +don't talk to the network. If Postfix complains that "trace" and +"verify" are not found, you made the error of copying your old +Postfix configuration files over the new ones. Execute "postfix +upgrade-configuration" to repair the Postfix configuration files. + +[Incompat 20040331] Support for the non-standard Errors-To: message +header is removed. This also helps to stop potential attacks that +rely on bouncing mail to a destination that is not directly reachable +by the attacker. Specify "enable_errors_to = yes" to get the old +behavior. + +Queue files written by Postfix 2.1 may contain information that +is incompatible with older Postfix versions: + +[Incompat 20040120] Queue files creates with "sendmail -v" are no +longer compatible with Postfix versions 2.0 and earlier. A new +record type, "killed", was introduced in order to avoid repeated +mail delivery reports from mail that could not be delivered due to +a temporary error condition. + +[Incompat 20030125] This release adds a new queue file record type +for the address specified in "REDIRECT user@domain" actions in +access maps or header/body_checks. Queue files with these records +will be rejected by older Postfix versions. + +[Feature 20040120] The new queue manager nqmgr has become the +default qmgr queue manager. For a limited time the old queue manager +remains available under the name oqmgr. The name nqmgr still works +but will cause a warning to be logged. + +[Incompat 20040413] The Postfix SMTP server no longer accepts mail +from or to an address ending in "@", including address forms that +rewrite into an address that ends in "@"). Specify "resolve_null_domain += yes" to get the old behavior. + +[Incompat 20031226] Postfix no longer allows mail addresses with +bare numeric IP addresses (user@1.2.3.4). This is not configurable. +The form user@[ipaddress] is still allowed. + +[Incompat 20031226] Bounce messages now have a separate queue life +time. This is controlled by the bounce_queue_lifetime parameter. + +[Incompat 20031019] The authorized_verp_clients parameter was +renamed to smtpd_authorized_verp_clients, and the default value +was changed to disable this feature. You now have to turn it on +explicitly. + +Major changes - build environment +--------------------------------- + +[Incompat 20030112] The Postfix build procedure now uses the +pcre-config utility (part of PCRE version 3) to find out the +pathnames of the PCRE include file and object library, instead of +probing /usr/include and/or /usr/lib. To build with PCRE version +2 support you will have to specify pathnames as described in +PCRE_README. To build without PCRE support, specify: make Makefiles +CCARGS="-DNO_PRCE". + +Major changes - documentation +----------------------------- + +[Feature 20040331] Complete documentation rewrite. All parameters +are now described in postconf(5), and all commands and daemons are +shown in their proper context in the OVERVIEW document. +- All documents come as HTML and ASCII text. +- All HTML documents have hyperlinks for every parameter name, + for every Postfix manual page, and for every README file. +- All documents specify what feature is available in what release. +- The sample-*.cf configuration files no longer exist. The information + is now available in HTML documents, README files and UNIX man pages). +- The mumble_table example configuration files no longer exist. + +[Incompat 20040413] The LMTP, Cyrus and Qmail related README files will +not be included in the Postfix version 2.1 distribution. They will +be made available via http://www.postfix.org/, and in Postfix 2.2 +snapshots. + +[Feature 20040413] You can install documentation in HTML format +besides the README files. Installation of README files is now +optional. + +Major changes - access control +------------------------------ + +[Feature 20031215] Easier debugging of SMTPD access restrictions. +The SMTP command "xclient name=xxx addr=yyy" changes Postfix's idea +of the remote client name and address, so that you can pretend to +connect from anywhere on the Internet. Use of this command is +restricted to clients that match the list of names or addresses +specified with the smtpd_authorized_xclient_hosts parameter. By +default, XCLIENT is not accepted from anywhere. More details are +in the XCLIENT_README file. + +[Feature 20030715] Support for multi-valued RBL lookup results. +For example, specify "reject_rbl_client foo.bar.tld=127.0.0.3" to +reject clients that are listed with a "127.0.0.3" address record. +More information is in the postconf(5) manual page. + +[Feature 20030917] New "check_{helo,sender,recipient}_{ns,mx}_access +type:table" restrictions that apply the specified access table to +the NS or MX hosts of the host/domain given in HELO, EHLO, MAIL +FROM or RCPT TO commands. More information is in the postconf(5) +manual page. + +This can be used to block mail from so-called spammer havens (all +domains that are served by the same DNS server, all domains that +resolve to the same MX host), from sender addresses that resolve +to Verisign's wild-card mail responder, or from domains that claim +to have mail servers in reserved networks such as 127.0.0.1. + +Note: OK actions are not allowed for security reasons. Instead of +OK, use DUNNO in order to exclude specific hosts from blacklists. +If an OK result is found for an NS or MX host, Postfix rejects the +SMTP command with "451 Server configuration error". + +[Feature 20040413] Support for a "WARN text..." feature in SMTPD +access tables, just like the WARN feature in header/body_checks. + +[Feature 20040122] New "PREPEND headername: headervalue" action in +Postfix access maps. Primarily intended for tagging mail by for +example, an external SMTPD policy server. See access(5). + +[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks +maps. This action prepends a header or body line immediately before +the line that triggers the action. See header_checks(5) for details. + +[Feature 20030125] New "REDIRECT user@domain" action for access +maps and header/body_checks that overrides all the originally +specified recipients of a message. Wietse would never recommend +that people use this to redirect (bounced) SPAM to the beneficiaries +of an advertisement campaign. See access(5) and header_checks(5). + +[Feature 20031215] The reject_sender_login_mismatch feature (used +with SASL authenticated logins) is now implemented in terms of more +basic restrictions: reject_unauth_sender_login_mismatch (reject +mail when $sender_login_maps lists an owner for the sender address +but the SMTP client is not SASL authenticated) and +reject_auth_sender_login_mismatch (reject mail when the sender +address is not owned by the SASL authenticated user). The +sender_login_maps now support multiple owners per sender address. +See postconf(5) for details. + +Major changes - address verification +------------------------------------ + +[Feature 20021119] Address verification blocks mail from or to +addresses that are not deliverable. This is turned on with the +reject_unverified_sender UCE restriction. Addresses are verified +by probing, that is, by sending mail that is not actually delivered +(SMTP interruptus). Detailed information is in the +ADDRESS_VERIFICATION_README file. + +Address verification can follow a different route than ordinary +mail, typically to avoid sending probes to a relay host. To make +this possible, the address resolver supports multiple personalities. +For more detail see the ADDRESS_VERIFICATION_README file. + +New "sendmail -bv" option. Postfix probes the specified recipient +addresses without actually delivering mail, and sends back an email +delivery report. This is useful for testing address rewriting and +address routing, and shows the final envelope and header addresses. +This feature currently does not access or update the sender address +verification database. + +Major changes - content inspection +---------------------------------- + +[Feature 20030704] The Postfix SMTP server can be configured to +send all mail into a real-time content filter that inspects mail +BEFORE it is queued. See the SMTPD_PROXY_README file for details. + +[Feature 20031022] Improved logging by Postfix daemons behind an +SMTP-based proxy filter. The logging now shows the remote client +name and address, instead of localhost[127.0.0.1]. This uses the +new SMTP command "XFORWARD addr=client-address name=client-hostname", +which specifies remote client information for logging purposes. +This command is restricted to clients that match the list of names +or addresses specified with the smtpd_authorized_xforward_hosts +parameter. By default, XFORWARD is not accepted from anywhere. +For an example, see the SMTPD_PROXY_README file. + +[Feature 20030706] New receive_override_options parameter that +eliminates the need for different cleanup service instances before +and after an external content filter. One parameter controls what +happens before or after the content filter: rejecting unknown +recipients, canonical mapping, virtual alias expansion, masquerading, +automatic BCC recipients and header/body checks. See postconf(5) +for the fine details. + +[Feature 20040124] New "PREPEND text" action in Postfix header/body_checks +maps. This action prepends a header or body line immediately before +the line that triggers the action. See header_checks(5) for details. + +[Feature 20030125] New "REDIRECT user@domain" action for access maps +and header/body_checks that overrides all the originally specified +recipients of a message. Wietse would never recommend that people +use this to redirect (bounced) SPAM to the beneficiaries of an +advertisement campaign. See header_checks(5) and access(5). + +[Incompat 20030915] In header/body_checks actions, the OK action +is being phased out, and the DUNNO action is being phased in. Both +actions still work and do the same thing, but hopefully DUNNO causes +less confusion. See header_checks(5) for details. + +Major changes - policy delegation +--------------------------------- + +[Feature 20030715] Support for SMTP access policy delegation to an +external server. Greylisting and SPF are provided as examples. +See the SMTPD_POLICY_README file for further information. + +Major changes - client rate limiting +------------------------------------ + +Note: this feature is not included with Postfix 2.1, but it is +documented here so that the information will not be lost. + +[Feature 20031111] Preliminary defense against SMTP clients that +hammer an SMTP server with too many connections. By default, the +number of simultaneous connections per client is limited to half +the default process limit, and no limit is imposed on the number +of successive connections per time unit that a client is allowed +to make. + +The new anvil server maintains the connection statistics, and logs +the maximum connection count and connection rate per client every +anvil_status_update_time seconds (10 minutes), or when it terminates +(when there is no work to be done, or when "postfix reload" was +issued). Once you have an idea what the numbers look like, you can +clamp down the limits for your system. + +The relevant main.cf configuration parameters are: smtpd_client- +connection_count_limit for the number of simultaneous connections +per client, and smtpd_client_connection_rate_limit for the number +of successive connections per unit time and client. The time unit +is specified with the anvil_rate_time_unit parameter, and is one +minute by default. + +When Postfix rejects a client, it sends a 450 status code and +disconnects, and logs a warning with the client name/address and +the service name from master.cf. You can, for example, capture this +information with a logfile watching program that updates a firewall +rule (such a watcher program is not included with Postfix). + +To avoid rejecting authorized hosts, the smtpd_client_connection- +limit_exceptions parameter takes a list of network/netmask expressions, +hostnames or .domain names that are excluded from these restrictions. +By default, all clients in $mynetworks are excluded; you will +probably want to use a more restrictive setting. + +For further information, see: smtpd(8) and anvil(8). + +Major changes - configuration management +---------------------------------------- + +[Feature 20040413] New postfix(1) command features: + +- "postfix set-permissions" corrects Postfix file and directory + permissions and allows you to change mail_owner or setgid_group + settings after Postfix is installed. + +- "postfix upgrade-configuration" fixes Postfix systems after people + copy over their old configuration files after installing a new + Postfix system. + +See postfix(1) for details. + +[Incompat 20040120] The format of the postfix-files file has changed. +There is a new type for hard links. With hard or symbolic link +entries, the first field is now the destination pathname and the +"owner" field is now the origin pathname, while "group" and +"permissions" are ignored. + +Major changes - core functionality +---------------------------------- + +[Feature 20030704] New enable_original_recipient parameter (default: +yes) to control whether Postfix keeps track of original recipient +address information. If this is turned off Postfix produces no +X-Original-To: headers and ignores the original recipient when +eliminating duplicates after virtual alias expansion. Code by Victor +Duchovni. + +[Feature 20030417] Automatic BCC recipients depending on sender or +recipient address. The configuration parameters in question are +"sender_bcc_maps" and "recipient_bcc_maps". See postconf(5). + +[Incompat 20030415] Too many people mess up their net/mask patterns, +causing open mail relay problems. Postfix processes now abort when +given a net/mask pattern with a non-zero host portion (for example, +168.100.189.2/28), and suggest to specify the proper net/mask +pattern instead (for example, 168.100.189.0/28). + +[Feature 20030415] Workaround for file system clock drift that +caused Postfix to ignore new mail (this could happen with file +systems mounted from a server). Postfix now logs a warning and +proceeds with only slightly reduced performance, instead of ignoring +new mail. + +Major changes - database support +-------------------------------- + +Liviu Daia took the lead in a revision of the LDAP, MySQL and +PostgreSQL clients. Credits also go to Victor Duchovni and to +Lamont Jones. + +[Feature 20030915] LDAP parameters can now be defined in external +files. Specify the LDAP maps in main.cf as + ldap:/path/to/ldap.cf +and write the LDAP parameters in /path/to/ldap.cf, without the +"ldapsource_" prefix. This makes it possible to securely store +bind passwords for plain auth outside of main.cf (which must be +world readable). The old syntax still works, for backwards +compatibility. + +[Feature 20030915] Support for LDAP URLs in the LDAP parameter +"server_host", if Postfix is linked against OpenLDAP. LDAP hosts, +ports, and connection protocols to be used as LDAP sources can be +specified as a blank-separated list of LDAP URLs in "server_host". +As with OpenLDAP, specifying a port in a LDAP URL overrides +"server_port". Examples: + server_host = ldap://ldap.itd.umich.edu + server_host = ldaps://ldap.itd.umich.edu:636 + server_host = ldapi://%2Fsome%2Fpath + +[Feature 20030915] The LDAP SSL scheme ldaps:// is available if +OpenLDAP was compiled with SSL support. New parameters "tls_ca_cert_dir", +"tls_ca_cert_file", "tls_cert", "tls_key", "tls_require_cert", +"tls_random_file", "tls_cipher_suite" control the certificates, +source of random numbers, and cipher suites used for SSL connections. +See LDAP_README for further information. + +[Feature 20030915] Support for STARTTLS command in LDAP, if Postfix +is linked against OpenLDAP and OpenLDAP was compiled with SSL +support. STARTTLS is controlled by the "start_tls" parameter. +The above parameters for certificates, source of random numbers, +and cipher suites also apply. See LDAP_README for further information. + +[Incompat 20030704] Support for client side LDAP caching is gone. +OpenLDAP 2.1.13 and later no longer support it, and the feature +never worked well. Postfix now ignores cache controlling parameters +in an LDAP configuration file and logs a warning. + +[Feature 20030415] PostgreSQL table lookups. Specify "pgsql:/file/name" +where "/file/name" defines the database. See "man pgsql_table" for +examples, and the PGSQL_README file for general information. + +Major changes - internals +------------------------- + +[Incompat 20040120] The format of the postfix-files file has changed. +There is a new type for hard links. With hard or symbolic link +entries, the first field is now the destination pathname and the +"owner" field is now the origin pathname, while "group" and +"permissions" are ignored. + +[Incompat 20040120] The LDAP and SQL client source code is moved +to the global directory in order to eliminate reversed dependencies. + +[Feature 20030606] Complete rewrite of the queue file record reading +loops in the pickup, cleanup and in the queue manager daemons. This +code had deteriorated over time. The new code eliminates an old +problem where the queue manager had to read most queue file records +twice in the case of an alias/include file expansion with more than +qmgr_message_recipient_limit recipients. + +[Feature 20030125] Code cleanup up of queue manager internals. +Queue names are no longer mixed up with the next-hop destination, +and the address resolver loop is now easier to understand. + +[Feature 20030104] Multi-server daemons (servers that accept +simultaneous connections from multiple clients) will now stop +accepting new connections after serving $max_use clients. This +allows multi-server daemons to automatically restart even on busy +mail systems. + +[Feature 20030104] Clients of multi-server daemons such as +trivial-rewrite and the new proxymap service now automatically +disconnect after $ipc_ttl seconds of activity (default: 1000s). +This allows multi-server daemons to automatically restart even on +busy mail systems. + +[Incompat 20021119] The file format of bounce/defer logfiles has +changed from the old one-line ad-hoc format to a more structured +multi-line format. For backwards compatibility, Postfix now creates +bounce/defer logfile entries that contain both the old and the new +format, so that you can go back to an older Postfix release without +losing information. Old Postfix versions will warn about malformed +logfile entries, but should work properly. To disable backwards +compatibility specify "backwards_bounce_logfile_compatibility = +no" in main.cf. + +[Feature 20021119] Both "sendmail -bv" and "sendmail -v" use the +new "trace" daemon that is automatically added to master.cf when +you upgrade. + +Major changes - logging +----------------------- + +[Incompat 20040413] The postmap and postalias commands now report +errors to syslogd in addition to reporting them to the standard +error output. This makes logfile analysis easier. + +[Incompat 20031203] Many SMTPD "reject" logfile entries now show +NOQUEUE instead of a queue ID. This is because Postfix no longer +creates a queue file before the SMTP server has received a valid +recipient. + +Major changes - lookup table support +------------------------------------ + +[Feature 20030704] New CIDR-based lookup table, remotely based on +code by Jozsef Kadlecsik. For details and examples, see "man +cidr_table". + +[Feature 20030704] The TCP-based table lookup protocol is finished. +For details and examples, see "man tcp_table". This will allow you +to implement your own greylisting, or to do your own open proxy +tests before accepting mail. This table will not be included with +Postfix 2.1 because the protocol is obsoleted by the policy delegation +(see elsewhere in this document) which does a much better job. + +[Feature 20030704] Support for !/pattern/ (negative matches) in +PCRE lookup tables by Victor Duchovni. See "man pcre_table" and +"man regexp_table" for more. + +Major changes - resource control +-------------------------------- + +[Incompat 20031022] The Postfix SMTP server no longer accepts mail +when the amount of free queue space is less than 1.5 times the +message_size_limit value. + +Major changes - security +------------------------ + +[Incompat 20040413] The Postfix SMTP server no longer accepts mail +from or to an address ending in "@", including address forms that +rewrite into an address that ends in "@"). Specify "resolve_null_domain += yes" to get the old behavior. + +[Incompat 20040331] Support for the non-standard Errors-To: message +header is removed. This also helps to stop potential attacks that +rely on bouncing mail to a destination that is not directly reachable +by the attacker. Specify ""enable_errors_to = yes" to get the old +behavior. + +[Incompat 20040331] Tarpit delays are reduced. The Postfix SMTP +server no longer delays responses until the client has made +$smtpd_soft_error_limit errors, and the delay is fixed at +$smtpd_error_sleep_time seconds. Postfix still disconnects after +$smtpd_hard_error_limit errors. + +[Incompat 20040120] The SMTP server can reject non-existent sender +addresses in a local, virtual or relay domain; specify +"reject_unlisted_sender=yes" in order to require that a sender +address passes the same "user unknown" test as a recipient would +have to pass. This is optional in Postfix 2.1, likely to be turned +on by default in Postfix 2.2. + +[Incompat 20031226] Postfix no longer allows mail addresses with +bare numeric IP addresses (user@1.2.3.4). This is not configurable. +The form user@[ipaddress] is still allowed. + +[Incompat 20030305] Postfix truncates non-address information in message +address headers (comments, etc.) to 250 characters per address, in +order to protect vulnerable Sendmail systems against exploitation +of a remote buffer overflow problem (CERT advisory CA-2003-07). + +[Incompat 20030227] The smtpd_hard_error_limit and smtpd_soft_error_limit +values now behave as documented, that is, smtpd_hard_error_limit=1 +causes Postfix to disconnect upon the first client error. Previously, +there was an off-by-one error causing Postfix to change behavior +after smtpd_hard/soft_error_limit+1 errors. + +Major changes - smtp client +--------------------------- + +[Incompat 20031223] The SMTP client now tries to connect to an +alternate MX address when a delivery attempt fails **after the +initial SMTP handshake**. This includes both broken connections +and 4XX SMTP replies. To get the old behavior, specify +"smtp_mx_session_limit = 1" in main.cf. + +[Feature 20031223] The SMTP client now tries to connect to an +alternate MX address when a delivery attempt fails after the +initial SMTP handshake. This includes both broken connections +and 4XX SMTP replies. + +As a benefit, fallback_relay now works as promised, not just for +sessions that fail during the initial handshake. + +The new SMTP client connection management is controlled by two new +configuration parameters: + +- smtp_mx_address_limit (default unlimited): the number of MX (mail + exchanger) IP addresses that can result from mail exchanger + lookups. + +- smtp_mx_session_limit (default 2): the number of SMTP sessions + per delivery request before giving up or delivering to a fall-back + relay, ignoring IP addresses that fail to complete the SMTP + initial handshake. + +[Incompat 20031022] Postfix no longer retries delivery when no MX +host has a valid A record, for compatibility with many other MTAs. +This change is made in anticipation of a possible Verisign "wild-card +MX record without A record" for unregistered domains. To get the +old behavior, specify "smtp_defer_if_no_mx_address_found = yes". + +[Incompat 20031022] The Postfix SMTP client no longer looks in +/etc/hosts by default. To get the old behavior, specify +"smtp_host_lookup = dns, native". + +[Feature 20030417] Support for sending mail to hosts not in the +DNS, without having to turn off DNS lookups. The "smtp_host_lookup" +parameter controls how the Postfix SMTP client looks up hosts. In +order to use /etc/hosts besides DNS, specify "smtp_host_lookup = +dns, native". The default is to use DNS only. + +Major changes - user interface +------------------------------ + +[Incompat 20040418] The non-delivery report format has changed. +The "sorry" message and the DSN formatted report now include the +original recipient address, when that address is different from +the final recipient address. This makes it easier to diagnose some +mail delivery problems that happen after mail forwarding. + +[Incompat 20031223] In mailq (queue listing) output, there no longer +is space between a short queue ID and the "*" (delivery in progress) +or ! (mail on hold) status indicator. This makes the output easier +to parse. + +[Incompat 20030417] "sendmail -t" no longer complains when recipients +are given on the command line. Instead, it now adds recipients from +headers to the recipients from the command-line. + +[Incompat 20030126] The maildir file naming algorithm has changed +according to an updated version of http://cr.yp.to/proto/maildir.html. +The name is now TIME.VdevIinum.HOST + +[Incompat 20021119] The behavior of "sendmail -v" has changed. One +-v option now produces one email report with the status of each +recipient. Multiple -v options behave as before: turn on verbose +logging in the sendmail and postdrop commands. + +[Feature 20021119] New "sendmail -bv" option. Postfix probes the +specified recipient addresses without actually delivering mail, +and sends back an email delivery report. This is useful for testing +address rewriting and address routing of both envelope and header +addresses. This feature currently does not access or update the +sender address verification database. + diff --git a/RELEASE_NOTES-2.10 b/RELEASE_NOTES-2.10 new file mode 100644 index 0000000..1140ce1 --- /dev/null +++ b/RELEASE_NOTES-2.10 @@ -0,0 +1,268 @@ +The stable Postfix release is called postfix-2.10.x where 2=major +release number, 10=minor release number, x=patchlevel. The stable +release never changes except for patches that address bugs or +emergencies. Patches change the patchlevel and the release date. + +New features are developed in snapshot releases. These are called +postfix-2.11-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). Patches are never issued for snapshot releases; +instead, a new snapshot is released. + +The mail_release_date configuration parameter (format: yyyymmdd) +specifies the release date of a stable release or snapshot release. + +If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9 +before proceeding. + +Major changes - laptop-friendliness +----------------------------------- + +[Incompat 20120924] Postfix no longer uses FIFOs to emulate UNIX-domain +sockets on Solaris 9 (Vintage 2002!) and later. If you install +Postfix for the first time on an older Solaris system, edit the +master.cf file and replace "unix" with "fifo" for the pickup and +qmgr services. + +[Feature 20120924] the default master.cf file now uses "unix" instead +of "fifo" for the pickup and qmgr services. This avoids periodic +disk drive spin-up. + +Major changes - permit logging +------------------------------ + +[Feature 20120303] [Feature 20120303] New control for "permit" +logging in smtpd_mumble_restrictions (by default, the SMTP server +logs "reject" actions but not "permit" actions). Specify +"smtpd_log_access_permit_actions = static:all" to log all "permit"-style +actions, or specify a list of explicit action names. More details +are in the postconf(5) manpage. + +Major changes - postconf +------------------------ + +[Incompat 20121224] The postconf command produces more warnings: + +- An attempt to modify a read-only parameter (process_name, process_id) + in main.cf or master.cf. + +- An undefined $name in a parameter value in main.cf or master.cf + (except for backwards-compatibility parameters such as $virtual_maps). + +[Feature 20121224] The postconf command has been updated to make +trouble-shooting (and support) easier. In summary, use "postconf +-Mxf" and "postconf -nxf" to review master.cf and main.cf parameter +settings with expanded parameter values. + +- "postconf -x" now expands $name in main.cf and master.cf parameter + values. + +- postconf warns about attempts to modify a read-only parameter + (process_name, process_id) in main.cf or master.cf. + +- postconf warns about an undefined $name in a parameter value in + main.cf or master.cf (except for backwards-compatibility parameters + such as $virtual_maps). + +[Feature 20121227] + +- "postconf -o name=value" overrides main.cf parameter settings. + This can be used, for example, to examine stress-dependent settings + with "postconf -x -o stress=yes". + +Major changes - postscreen +-------------------------- + +[Incompat 20121123] The postscreen deep protocol tests now log the +last command before a protocol error ("UNIMPLEMENTED" when the last +command is not implemented, "CONNECT" when there was no prior +command). The changed logfile messages are: + +NON-SMTP COMMAND from [address]:port after command: text +BARE NEWLINE from [address]:port after command +COMMAND TIME LIMIT from [address]:port after command +COMMAND COUNT LIMIT from [address]:port after command +COMMAND LENGTH LIMIT from [address]:port after command + +Major changes - load-balancer support +------------------------------------- + +[Incompat 20120625] The postscreen(8)-to-smtpd(8) protocol has +changed. To avoid "cannot receive connection attributes" warnings +and dropped connections, execute the command "postfix reload". No +mail will be lost as long as the remote SMTP client tries again +later. + +[Feature 20120625] Support for upstream proxy agent in the postscreen(8) +and smtpd(8) daemons. To enable the haproxy protocol, specify one +of the following: + + postscreen_upstream_proxy_protocol = haproxy + smtpd_upstream_proxy_protocol = haproxy + +Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes +that are behind postscreen. Configure postscreen_upstream_proxy_protocol +instead. + +Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT +protocol with smtpd_authorized_xclient_hosts. This supports SASL +authentication in the proxy agent (Postfix 2.9 and later). + +Major changes - relay safety +---------------------------- + +[Incompat 20130613] New smtpd_relay_restrictions parameter built-in +default settings: + + smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + defer_unauth_destination + +This safety net prevents open relay problems due to mistakes +with spam filter rules in smtpd_recipient_restrictions. + +If your site has a complex mail relay policy configured under +smtpd_recipient_restrictions, this safety net may defer mail that +Postfix should accept. + +To fix this safety net, take one of the following actions: + +- Set smtpd_relay_restrictions empty, and keep using the existing + mail relay authorization policy in smtpd_recipient_restrictions. + +- Copy the existing mail relay authorization policy from + smtpd_recipient_restrictions to smtpd_relay_restrictions. + +There is no need to change the value of smtpd_recipient_restrictions. + +[Feature 20130613] This version introduces the smtpd_relay_restrictions +feature for mail relay control. The new built-in default settings +are: + + smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + defer_unauth_destination + + smtpd_recipient_restrictions = + ( optional spam blocking rules would go here ) + +For comparison, this is the Postfix before 2.10 default: + + smtpd_recipient_restrictions = + permit_mynetworks + reject_unauth_destination + ( optional spam blocking rules would go here ) + +With Postfix versions before 2.10, the mail relay policy and spam +blocking policy were combined under smtpd_recipient_restrictions, +resulting in error-prone configuration. + +As of Postfix 2.10, the mail relay policy is preferably implemented +with smtpd_relay_restrictions, so that a permissive spam blocking +policy under smtpd_recipient_restrictions will not unexpectedly +result in a permissive mail relay policy. + +As of Postfix 2.10.0 the smtpd_relay_restrictions parameter built-in +default settings are: + + smtpd_relay_restrictions = + permit_mynetworks + permit_sasl_authenticated + defer_unauth_destination + +If your site has a complex mail relay policy configured under +smtpd_recipient_restrictions, this safety net may defer mail that +Postfix should accept. + +To migrate from an earlier Postfix release with the least amount +of pain: + +- Set smtpd_relay_restrictions empty, and keep using the existing + mail relay authorization policy in smtpd_recipient_restrictions. + +- There is no need to change the value of smtpd_recipient_restrictions. + +To take advantage of the new smtpd_relay_restrictions feature: + +- Copy the existing mail relay authorization policy from + smtpd_recipient_restrictions to smtpd_relay_restrictions. + +- There is no need to change the value of smtpd_recipient_restrictions. + +Major changes - start-up +------------------------ + +[Feature 20120306] New master "-w" option, to wait for master daemon +process initialization to complete. This feature returns an error +exit status if master daemon initialization fails, or if it does +not complete in a reasonable amount of time. The exit status is +used by "postfix start" to provide more accurate information to +system start-up scripts. + +Major changes - tls +------------------- + +[Incompat 20130203] Thanks to OpenSSL documentation, the Postfix +2.9.0..2.9.5 SMTP client and server server used an incorrect procedure +to compute TLS certificate PUBLIC-KEY fingerprints (these may be +used in the check_ccert_access and in smtp_tls_policy_maps features). +Support for certificate PUBLIC-KEY finger prints was introduced +with Postfix 2.9; there is no known problem with the certificate +fingerprint algorithms available since Postfix 2.2. + +Certificate PUBLIC-KEY finger prints may be used in the Postfix +SMTP server (with "check_ccert_access") and in the Postfix SMTP +client (with the "fingerprint" security level). + +Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. + +To compute the correct PUBLIC-KEY finger prints: + +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | \ + openssl pkey -pubin -outform DER | \ + openssl dgst -sha1 -c + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | \ + openssl rsa -pubin -outform DER | \ + openssl dgst -md5 -c + +[Feature 20120422] This release adds support to turn off the TLSv1.1 +and TLSv1.2 protocols. Introduced with OpenSSL version 1.0.1, these +are known to cause inter-operability problems with for example +hotmail. + +The radical workaround is to temporarily turn off problematic +protocols globally: + +/etc/postfix/main.cf: + smtp_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + smtp_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + + smtpd_tls_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + smtpd_tls_mandatory_protocols = !SSLv2, !TLSv1.1, !TLSv1.2 + +However, it may be better to temporarily turn off problematic +protocols for broken sites only: + +/etc/postfix/main.cf: + smtp_tls_policy_maps = hash:/etc/postfix/tls_policy + +/etc/postfix/tls_policy: + example.com may protocols=!SSLv2:!TLSv1.1:!TLSv1.2 + +Important: + +- Note the use of ":" instead of comma or space. Also, note that + there is NO space around the "=" in "protocols=". + +- The smtp_tls_policy_maps lookup key must match the "next-hop" + destination that is given to the Postfix SMTP client. If you + override the next-hop destination with transport_maps, relayhost, + sender_dependent_relayhost_maps, or otherwise, you need to specify + the same destination for the smtp_tls_policy_maps lookup key. diff --git a/RELEASE_NOTES-2.11 b/RELEASE_NOTES-2.11 new file mode 100644 index 0000000..2cf3939 --- /dev/null +++ b/RELEASE_NOTES-2.11 @@ -0,0 +1,280 @@ +The stable Postfix release is called postfix-2.11.x where 2=major +release number, 11=minor release number, x=patchlevel. The stable +release never changes except for patches that address bugs or +emergencies. Patches change the patchlevel and the release date. + +New features are developed in snapshot releases. These are called +postfix-2.12-yyyymmdd where yyyymmdd is the release date (yyyy=year, +mm=month, dd=day). Patches are never issued for snapshot releases; +instead, a new snapshot is released. + +The mail_release_date configuration parameter (format: yyyymmdd) +specifies the release date of a stable release or snapshot release. + +If you upgrade from Postfix 2.9 or earlier, read RELEASE_NOTES-2.10 +before proceeding. + +Major changes - tls +------------------- + +[Documentation 20131218] The new FORWARD_SECRECY_README document +conveniently presents all information about Postfix "perfect" forward +secrecy support in one place: what forward secrecy is, how to tweak +settings, and what you can expect to see when Postfix uses ciphers +with forward secrecy. + +[Feature 20130602] Support for PKI-less TLS server certificate +verification, where the CA public key or the server certificate is +identified via DNSSEC lookup. + +This feature introduces new TLS security levels called "dane" and +"dane-only" (DNS-based Authentication of Named Entities) that use +DNSSEC to look up CA or server certificate information. The details +of DANE core protocols are still evolving, as are the details of +how DANE should be used in the context of SMTP. Postfix implements +what appears to be a "rational" subset of the DANE profiles that +is suitable for SMTP. + +The problem with conventional PKI is that there are literally +hundreds of organizations world-wide that can provide a certificate +in anyone's name. There have been widely-published incidents in +recent history where a certificate authority gave out an inappropriate +certificate (e.g., a certificate in the name of Microsoft to someone +who did not represent Microsoft), where a CA was compromised (e.g., +DigiNotar, Comodo), or where a CA made operational mistakes (e.g., +TURKTRUST). Another concern is that a legitimate CA might be coerced +to provide a certificate that allows its government to play +man-in-the-middle on TLS traffic and observe the plaintext. + +Major changes - LMDB database support +------------------------------------- + +LMDB is a memory-mapped database that was originally developed as +part of OpenLDAP. The Postfix LMDB driver was originally contributed +by Howard Chu, LMDB's creator. + +LMDB can be used for all Postfix lookup tables and caches. It is +the first persistent Postfix database that can be shared among +multiple writers such as postscreen daemons (Postfix already supported +shared non-persistent memcached caches). See lmdb_table(5) and +LMDB_README for further information, including how to access Postfix +LMDB databases with non-Postfix programs. + +Postfix currently requires LMDB version 0.9.11 or later. The minimum +version may change over time in the light of deployment experience. + +Major changes - postscreen whitelisting +--------------------------------------- + +[Feature 20130512] Allow a remote SMTP client to skip postscreen(8) +tests based on its postscreen_dnsbl_sites score. + +Specify a negative "postscreen_dnsbl_whitelist_threshold" value to +enable this feature. When a client passes the threshold value +without having failed other tests, all pending or disabled tests +are flagged as completed. + +This feature can mitigate the email delays due to "after 220 greeting" +protocol tests, which otherwise require that a client reconnects +before it can deliver mail. Some providers such as Google don't +retry from the same IP address. This can result in large email +delivery delays. + +Major changes - recipient_delimiter +----------------------------------- + +[Feature 20130405] The recipient_delimiter parameter can now specify +a set of characters. A user name is now separated from its address +extension by the first character that matches the recipient_delimiter +set. + +For example, specify "recipient_delimiter = +-" to support both the +Postfix-style "+" and the qmail-style "-" extension delimiter. + +As before, this implementation recognizes one delimiter character +per email address, and one address extension per email address. + +Major changes - smtpd access control +------------------------------------ + +[Feature 20131031] The check_sasl_access feature can be used to +block hijacked logins. Like other check_mumble_access features it +queries a lookup table (in this case with the SASL login name), and +it supports the same actions as any Postfix access(5) table. + +[Feature 20130924] The reject_known_sender_login_mismatch feature +applies reject_sender_login_mismatch only to MAIL FROM addresses +that are known in $smtpd_sender_login_maps. + +Major changes - MacOS X +----------------------- + +[Feature 20130325] Full support for kqueue() event handling which +scales better with large numbers of file handles, plus a workaround +for timeout handling on file handles (such as /dev/urandom) that +still do not correctly support poll(). + +Major changes - master +---------------------- + +[Incompat 20131217] The master_service_disable parameter value +syntax has changed: use "service/type" instead of "service.type". +The new form is consistent with postconf(1) namespaces for master.cf. +The old form is still supported to avoid breaking existing +configurations. + +Major changes - milter +---------------------- + +[Feature 20131126] Support for ESMTP parameters "NOTIFY" and "ORCPT" +in the SMFIR_ADDRCPT_PAR (add recipient with parameters) request. +Credits: Andrew Ayer. + +Major changes - mysql +--------------------- + +[Feature 20131117] MySQL client support for option_file, option_group, +tls_cert_file, tls_key_file, tls_CAfile, tls_CApath, tls_verify_cert. +Credits: Gareth Palmer. + +Major changes - postconf +------------------------ + +[Feature 20131217] Support for advanced master.cf query and update +operations. This was implemented primarily to support automated +system management tools. + +The goal is to make all Postfix master.cf details accessible as +lists of "name=value" pairs, where the names are organized into +structured name spaces. This allows other programs to query +information or request updates, without having to worry about the +exact layout of master.cf files. + +Managing master.cf service attributes +------------------------------------- + +First, an example that shows the smtp/inet service in the traditional +form: + + $ postconf -M smtp/inet + smtp inet n - n - - smtpd + +Different variants of this command show different amounts of output. +For example, "postconf -M smtp" enumerates all services that have +a name "smtp" and any service type ("inet", "unix", etc.), and +"postconf -M" enumerates all master.cf services. + +General rule: each name component that is not present becomes a "*" +wildcard. + +Coming back to the above example, the postconf -F option can now +enumerate the smtp/inet service fields as follows: + + $ postconf -F smtp/inet + smtp/inet/service = smtp + smtp/inet/type = inet + smtp/inet/private = n + smtp/inet/unprivileged = - + smtp/inet/chroot = n + smtp/inet/wakeup = - + smtp/inet/process_limit = - + smtp/inet/command = smtpd + +This form makes it very easy to change one field in master.cf. +For example to turn on chroot on the smtp/inet service you use: + + $ postconf -F smtp/inet/chroot=y + $ postfix reload + +Moreover, with "-F" you can specify "*" for service name or service +type to get a wild-card match. For example, to turn off chroot on +all Postfix daemons, use this: + + $ postconf -F '*/*/chroot=n' + $ postfix reload + +Managing master.cf service "-o parameter=value" settings +-------------------------------------------------------- + +For a second example, let's look at the submission service. This +service typically has multiple "-o parameter=value" overrides. First +the traditional view: + + $ postconf -Mf submission + submission inet n - n - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + ... + +The postconf -P option can now enumerate these parameters as follows: + + $ postconf -P submission + submission/inet/smtpd_sasl_auth_enable = yes + submission/inet/smtpd_tls_security_level = encrypt + ... + +Again, this form makes it very easy to modify one parameter +setting. For example, to change the smtpd_tls_security_level setting +for the submission/inet service: + + $ postconf -P 'submission/inet/smtpd_tls_security_level=may' + +You can create or remove a parametername=parametervalue setting: + +Create: + $ postconf -P 'submission/inet/parametername=parametervalue' + +Remove: + $ postconf -PX submission/inet/parametername + +Finally, always execute "postfix reload" after updating master.cf. + +Managing master.cf service entries +---------------------------------- + +Finally, adding master.cf entries is possible, but currently this +does not yet have "advanced" support. It can only be done at the +level of the traditional master.cf file format. + +Suppose that you need to configure a Postfix SMTP client that will +handle slow email deliveries. To implement this you need to clone +the smtp/unix service settings and create a new delay/unix service. + +First, you would enumerate the smtp/unix service like this: + + $ postconf -M smtp/unix + smtp unix - - n - - smtp + +Then you would copy those fields (except the first field) by hand +to create the delay/unix service: + + $ postconf -M delay/unix="delay unix - - n - - smtp" + +To combine the above steps in one command: + + $ postconf -M delay/unix="`postconf -M smtp/unix|awk '{$1 = "delay"}'`" + +This is perhaps not super-convenient for manual cloning, but it +should be sufficient for programmatic configuration management. + +Again, always execute "postfix reload" after updating master.cf. + +Deleting or commenting out master.cf entries +-------------------------------------------- + +The -X (delete entry) and -# (comment out entry) options already +exist for main.cf, and they now also work work for entire master.cf +entries: + +Remove main.cf or master.cf entry: + $ postconf -X parametername + $ postconf -MX delay/unix + +Comment out main.cf or master.cf entry: + $ postconf -# parametername + $ postconf -M# delay/unix + +As with main.cf, there is no support to "undo" master.cf changes +that are made with -X or -#. + +Again, always execute "postfix reload" after updating master.cf. |