From 5e61585d76ae77fd5e9e96ebabb57afa4d74880d Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 14:06:34 +0200 Subject: Adding upstream version 3.5.24. Signed-off-by: Daniel Baumann --- HISTORY | 25435 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 25435 insertions(+) create mode 100644 HISTORY (limited to 'HISTORY') diff --git a/HISTORY b/HISTORY new file mode 100644 index 0000000..715ba3c --- /dev/null +++ b/HISTORY @@ -0,0 +1,25435 @@ +In addition to the names listed below, the following people provided +useful inputs on many occasions: Paul D. Robertson, Simon J. Mudd. +Apologies for any names omitted. + +19980105 + + The compiled-in default value for resolve_smtp_sender was + wrong (from the days that it was a boolean), causing smtpd + to dump core when the variable was not set in main.cf. + + The INSTALL instructions now have separate sections for + the three basic ways of running vmailer. + + The INSTALL instructions now have discusses how to deal + with chrooted processes. + + Ported to RedHat 5.0. My, these people have re-organized + their include files quite a bit, haven't they. + +19980106 + + On RedHat Linux 4.2/5.0, when a FIFO listener opens the + FIFO with mode O_RDONLY, the FIFO remains forever readable + after the writer has closed it. Workaround: open the FIFO + mode O_RDWR. + + Test program: util/fifo_rdonly_bug.c + + Unfortunately, the above fix triggers a bug on BSD/OS 3.1 + where opening the FIFO mode O_RDWR causes select() to claim + that the FIFO is readable even before any data is written + to it, causing read() to block or to fail. + + Test program: util/fifo_rdwr_bug.c + + printfck (check arguments of printf-like function calls) + found a missing argument in local/command.c + + Miscellaneous Makefile cleanups that I didn't finish before + the first alpha release. + +19980107 + + Sometimes the DNS will claim that a domain does not exist, + when in fact it does. Thus, it is a bad idea to reject mail + from apparently non-existent domains. I have changed the + smtpd so that it produces a soft error responses when a + resolve_smtp_sender test fails with HOST_NOT_FOUND. Note: + by default, this test is still disabled. + + The DB and DBM read routines will now automagically figure + out if (key, value) pairs were written including a terminating + null byte or not. The DB and DBM write routines will use + this result to determine how to write, and will fall back + to per-system defaults otherwise. + + Renamed the README to MUSINGS, and wrote up a README that + reflects the current status of the software. + + Added -d (don't disconnect) and -c (show running counter) + option to te smtp-source test program. These tools are + great torture tests for the mail software, and for the + system that it runs on. + + Turned down the process_limit parameter (# of parallel smtp + clients or servers) to avoid unpleasant surprises. You can + crank up the process_limit parameter in main.cf. + +19980111 + + Feature: when run by the superuser, mailq now shows the + mail queue even when the mail system is down. To this end, + mailq (sendmail -bp) runs the showq program directly instead + of connecting to the UNIX-domain service socket, and drops + privileges etc. as usual. + +19980119 + + Bugfix: Edwin Kremer spotted an oversight in the negated + host matching code (for name or address patterns prefixed + by !). + + Bugfix: upon receipt of a SIGHUP signal, the master now + disconnects from its child processes, so that the current + generation of child processes commits suicide, and so that + the next generation of child processes will use the new + configuration settings. + + Bugfix: the smtp server now skips the sender DNS domain + lookup test for foo@[address] + + Bugfix: don't append the local domain to foo@[address] + +19980120 + + Bugfix: old low-priority bug in some list walk code that + caused the master to drop core when a service was turned + off in master.cf. + + Robustness: the mail system should be able to start up and + to accept local postings even while the naming service is + down. For this reason, the mail system no longer uses + gethostbyname() to look up its own machine name. Sites + that use short hostnames will have to specify their FQDN + in main.cf (this will eventually be done by the system + installation/configuration procedure). Should the config + language support backticks so one can say `domainname`? + What about $name stuff between the backtics? + + Security: the master now creates FIFOs and UNIX-domain + sockets as the mail owner instead of as root, for better + protection against subverted mail systems. chmod() is + susceptible to race conditions. fchmod(), although safer, + often does not work on sockets. + + Portability: anticipate that all major UNIXes will create + UNIX-domain sockets with permissions modified by the process + umask (required by POSIX). For this reason, we always + chmod() UNIX-domain sockets, unless the system allows us + to use the safer fchmod() instead. + + Portability: the semi-resident servers now properly handle + EWOULDBLOCK returns from accept() in addition to EGAIN + (on some systems, EAGAIN and EWOULDBLOCK have different + values). + + Bugfix: the semi-resident servers now properly handle EINTR + returns From accept(). + + Bugfix: Edwin Kremer found that mynetworks() would compute + (32 - mask) instead of mask. + +19980121 + + Feature: /etc/vmailer/relocated is used by the local delivery + program and specifies what mail should be bounced with a + "user has moved to XXX" message. The main.cf configuration + parameter is "relocated_maps". Just like the "virtual_maps" + config parameter, this feature is off by default, and the + parameter can have values such as "files" or "files, nis" + (on hosts equipped with NIS). + +19980123 + + Cleanup: virtual domain support moved from the queue manager + to the resolve service, where it belongs. + + Feature: /etc/vmailer/canonical is used by the rewrite + service for all addresses, and maps a canonical address + (user@domain) to another address. Typical use is to generate + Firstname.Lastname@domain addresses, or to clean up dirty + addresses from non-RFC 822 mail systems. The main.cf + configuration parameter is "canonical_maps". Just like + the "virtual_maps" config parameter, this feature is off + by default, and the parameter can have values such as + "files" or "files, nis" (on hosts equipped with NIS). + +19980124 + + HPUX10 port and many little fixes from Pieter Schoenmakers. + + Bugfix: isolated an old mysterious bug that could make the + master deaf for new connections while no child process was + running. A typical result was that no pickup daemon would + be started after the previous one had terminated voluntarily. + + Bugfix: the NIS lookup code did not mystrdup() the NIS map + name and would access free()d memory. + +19980125 + + Bugfix: the vstream routines would sometimes ignore flushing + errors. The error would still be reported by vstream_fclose() + and vstream_ferror(). + + Feature: time limit on delivery to shell commands. Config + parameter: command_time_limit. Default value: 100 sec. The + idea is to prevent one bad .forward file or alias file + entry from slowly using up all local delivery process slots. + +19980126 + + Code cleanup: in preparation for SMTP extensions such as + SIZE, allow an extended SMTP command to have a variable + number of options. + +19980127 + + Bugfix: moved canonical map lookups away from the rewriting + module to the cleanup service, so that canonical map lookups + do not interfere with address rewriting on behalf of other + programs. Back to an older trivial-rewrite program version. + + Bugfix: moved virtual map lookups away from the resolver + back to the queue manager, so that virtual domain lookup + does not interfere with address resolution on behalf of + other programs. Back to an older qmgr program version. + +19980131 + + Feature: integrated and adapted Guido van Rooij's SIZE + option (RFC 1870), carefully avoiding potential problems + due to overflow (by multiplying large numbers) or unsigned + underflow (by subtracting numbers). + + Code cleanup: cleaned up the code that parses the server + response to the HELO/EHLO command, so that we can more + reliably recognize what options a server supports. + +19980201 + + Portability: integrated the IRIX 6 port by Oved Ben-Aroya. + + Portability: the software now figures out by itself if a + server should open its FIFO read-write or read-only, to + avoid getting stuck with a FIFO that stays readable forever. + + Bugfix: the cleanup service would terminate with a fatal + vstream_fseek() error when the queue file was too large. + + Bugfix: the cleanup service could be killed by a signal + when the queue file became too large. + +19980203 + + Portability: some systems have statfs(), some have statvfs(), + and the relevant include files are in a different place on + almost every system. + + Portability: the makedefs script now nukes the -O compiler + flag when building on AIX with IBM's own compiler... + +19980204 + + Portability: HP-UX 9.x support by Pieter Schoenmakers. + + Portability: added SYSV-style ulimit() file size limit + support for HP-UX 9.x. + + Portability: added some #includes that appeared to be + missing according to the Digital UNIX cc compiler. + + Bugfix: sys_defs.h now correctly specifies NIS support for + LINUX2, HPUX9 and HPUX10. + + Security: fixed a file descriptor leak in the local delivery + agent that could give shell commands access to the VMailer + IPC streams. This should not cause a vulnerability, given + the design and implementation of the mailer, but it would + be like asking for trouble. + + Bugfix: the sendmail -B (body type) option did not take a + value. + +19980205 + + Bugfix (SUNOS5): should not have deleted the SVID_GETTOD + definition from util/sys_defs.h. + + Bugfix (HPUX9): forgot to specify whether to use statfs() + or statvfs(). + + Bugfix (HPUX9): don't try to raise the file size ulimit. + + Bugfix (HPUX9): must specify file size limit in 512-blocks. + +19980207 + + Robustness: the master process now raises the file size + limit when it is started with a limit that is less than + VMailer's file size limit. File: util/file_limit.c. + + Security: the dns lookup routines now screen all result + names with valid_hostname(). Bad names are treated as + transient errors. + + Feature: qmail compatibility: when the home_mailbox parameter + is set, mail is delivered to ~/$home_mailbox instead of to + /var[/spool]/mail/username. This hopefully makes it easier + to lure people away from qmail :-) + + Robustness: several testers by accident configured relayhost + the same as myhostname. The programs now explicitly check + for this mistake. + + Bugfix: deliver_request_read() would free unallocated memory + when it received an incomplete delivery request from the + queue manager. + + Robustness: local_destination_concurrency=1 prevents parallel + delivery to the same user (with possibly disastrous effects + when that user has an expensive pipeline in the .forward + or procmail config file). Each transport can have its own + XXX_destination_concurrency parameter, to limit the number + of simultaneous deliveries to the same destination. + +19980208 + + Robustness: added "slow open" mode, to gradually increase + the number of simultaneous connections to the same site as + long as delivery succeeds, and to gradually decrease the + number of connections while delivery fails. Brad Knowles + provided the inspiration to do this. + + This also solves the "thundering herd" problem (making a + bunch of connections to a dead host when it was time to + retry that host). Let's see when other mailers fix this. + + Feature: Added $smtpd_banner and $mail_version, for those + who want to show the world what software version they are + running. + + Bugfix: vmailer-script now properly labels each syslog + entry. + +19980210 + + Portability: merged in NEXTSTEP 3 port from Pieter Schoenmakers + + Bugfix: the local delivery program now checks that a + destination is a regular file before locking it. + +19980211 + + Robustness: the local delivery agent sets HOME, LOGNAME, + and SHELL when delivering to a user shell command. PATH is + always set, and TZ is passed through if it is set. + +19980212 + + Feature: mailq (sendmail -bp) now also lists the maildrop + queue (with mail that hasn't been picked up yet). + +19980213 + + Feature: the smtpd now says: 502 HELP not implemented. This + should impress the heck out of the competition :-) + +19980214 + + Feature: local delivery to configurable system-wide command + (e.g. procmail) avoids the need for per-user ~/.forward + shell commands. Config parameter: mailbox_command. + +19980215 + + Performance: avoid running a shell when a command contains + no shell magic characters or built-in shell commands. This + speeds up delivery to all commands. File: util/exec_command.c. + + Bugfix: the local delivery agent, after reading EOF from + a child process, now sends SIGKILL only when the child does + not terminate within a limited amount of time. This avoids + some problems with procmail. File: util/timed_wait.c. + +19980217 + + Portability: folded in NetInfo support from Pieter + Schoenmakers. + +19980218 + + Feature: new vmlock command to run a command while keeping + an exclusive lock on a mailbox. + + Feature: with "recipient_delimiter = +", mail for local + address "user+foo" is delivered to "foo", with a "Delivered-To: + user+foo@domain" message header. Files: qmgr/qmgr_message.c, + local/recipient.c. This must be the cheapest feature. + +19980219 + + Code cleanup: moved error handling into functions that + should always succeed (non_blocking(), close_on_exec()). + +19980223 + + Bugfix: null pointer bug in the cleanup program after + processing a From: header with no mail address (or with + only a comment). + +19980226 + + Robustness: now detects when getpwnam() returns a name that + differs from the requested name. + + Feature: Added %p support to the vbuf_print formatting + module. + + Code cleanup: revamped the alias/include/.forward loop + detection and duplicate suppression code in the local + delivery agent. This must be the fourth iteration, and + again the code has been simplified. + +19980228 + + Robustness: don't treat anything starting with whitespace + as a header record. Instead, explicitly test for leading + whitespace where we permit it. Files: global/is_header.c, + bounce/bounce_flush_service.c, local/delivered.c. + +19980301 + + Compatibility: the sendmail program now accepts the -N + command-line option (delivery status notification) but + ignores it entirely, just like many other sendmail options. + + Bugfix: dns_lookup.c was too conservative with buffer sizes + and would incorrectly report "malformed name server reply". + +19980302 + + Bugfix: the local delivery agent was not null-byte clean. + +19980307 + + Feature: integrated Pieter Schoenmaker's code for transport + lookup tables that list (transport, nexthop) by destination. + +19980309 + + Bugfix: delivery agents no longer rename corrupt queue + files, because programs might fall over each other doing + so. Instead, when a delivery agent detects queue file + corruption, it chmods the queue file, simulates a soft + error, and lets the queue manager take care of the problem. + + Bugfix: the SMTP server implemented VRFY incorrectly. + + Feature: first shot at a pipe mailer, which can be used to + extend VMailer with external mail transports such as UUCP + (provided that the remote site understands domain addressing, + because VMailer version 1 does not rewrite addresses). + + Cleanup: extended the master/child interface so that the + service name (from master.cf) is passed on to the child. + The pipe mailer needs the service name so it can look up + service-specific configuration parameters (privilege level, + recipient limit, time limit, and so on). + +19980310-12 + + Cleanup: factored out the pipe_command() code, so it can + be shared between pipe mailer and local delivery agent. + +19980314 + + Compatibility: the sendmail program now parses each + command-line recipient as if it were an RFC 822 message + header; some MUAs specify comma-separated recipients in a + command-line argument; and some MUAs even specify "word + word
" forms as command-line arguments. + +19980315 + + Bugfix: VMailer's queue processing randomization wasn't + adequate for unloaded systems with small backlogs. + + Bugfix: smtpd now uses double-buffered stream I/O to prevent + loss of input sent ahead of responses. + +19980316 + + Bugfix: the smtpd anti-relay code didn't treat all hosts + listed in $mydestinations as local, so it would accept mail + only for hosts listed in $relay_domains (default: my own + domain). + + Bugfix: smtpd now replies with 502 when given an unknown + command. + +19980318 + + Cleanup: resolve/rewrite clients now automatically disconnect + after a configurable amount of idle time (ipc_idle). + +19980322 + + Tolerance: VRFY now permits user@domain, even though the + RFC requires that special characters such as @ be escaped. + +19980325 + + Bugfix: a recipient delimiter of "-" could interfere with + special addresses such as owner-xxx or double-bounce. + + Tolerance: the SMTP client now permits blank lines in SMTP + server responses. + + Tolerance: the SMTP client now falls back to SMTP when it + apparently mistook an SMTP server as ESMTP capable. + + Bugfix: eliminated strtok() calls in favor of mystrtok(). + Symptom: master.cf parsing would break if $inet_interfaces + was more than one word. + +19980328 + + Bugfix: user->addr patterns in canonical and virtual tables + matched only $myorigin, not hosts listed in $mydestination + or addresses listed in $inet_interfaces. The man pages + were wrong too. File: global/addr_match.c. + +19980401 + + Robustness: FIFO file permissions now default to 0622. On + some systems, opening a FIFO read-only could deafen the + pickup daemon. Only the listener end (which is opened as + root) needs read access anyway, so there should not be a + loss of functionality by making FIFOs non-readable for + non-mail processes. + +19980402 + + Compatibility: sendmail -I and -c options added. + +19980403 + + Feature: virtual lookups are now recursive. File: + qmgr/qmgr_message.c + +19980405 + + Implemented sendmail -bs (stand-alone) mode. This mode runs + as the user and therefore deposits into the maildrop queue. + +19980406 + + The pickup service now removes malformed maildrop files. + +19980407 + + The pickup service now guards against maildrop files with + time stamps dated into the future. + +19980408 + + Bugfix: in the canonical and virtual maps, foo->address + would match foo@$myorigin only. This has been fixed to also + match hosts listed in main.cf:$mydestination and the + addresses listed in main.cf:$inet_interfaces. + + Bugfix: added double buffering support to the VMailer SMTP + server. This makes the SMTP server robust against SMTP + clients that talk ahead of time, and should have been in + there from day one. + +19980409 + + Bugfix: the VMailer SMTP client now recognizes its own + hostname in the SMTP greeting banner only when that name + appears as the first word on the first line. + +19980410 + + Feature: smtpd now logs the local queue ID along with the + client name/address, and pickup now logs the local queue + ID along with the message owner. + + Bugfix: still didn't do virtual/canonical lookups right + (code used the non-case-folded key instead of the case + folded one). + +19980418 + + Bugfix: the SMTP server did not flush the "250 OK queued + as XXXX" message from the SMTP conversation history. + +19980419 + + Bugfix: qmgr would not notice that a malformed message has + multiple senders, and would leak memory (Tom Ptacek). + +19980421 + + Portability: in the mantools scripts, the expr pattern no + longer has ^ at the beginning, and the scripts now use the + expand program instead of my own detab utility. + +19980425 + + NetBSD 1.x patch by Soren S. Jorvang. + +19980511 + + Feature: the SMTP server now logs the protocol (SMTP or + ESMTP) as part of the Received: header. + + Feature: smtpd now logs the last command when a session is + aborted due to timeout, unexpected EOF, or too many client + errors. + +19980514 + + Bugfix: the queue manager did not update the counter for + in-core message structures, so the in-core message limit + had no effect. This can be bad when you have a large backlog + with many messages eligible for delivery. + + Robustness: the queue manager now also limits the total + number of in-core recipient structures, so that it won't + use excessive amounts of memory on sites that have large + mailing lists. + +19980518 + + Bugfix: the SMTP client did not notice that the DNS client + received a truncated response. As a result, a backup MX + host could incorrectly claim that it was the best MX host + and declare a mailer loop. + + Added start_msg/stop_msg entries to the vmailer startup + script, for easy installation. + + Cleanup: VMailer databases are now explicitly specified as + type:name, for example, hash:/etc/aliases or nis:mail.aliases, + instead of implicitly as "files", "nis" and so on. Test + program: util/dict_open. This change allowed me to + eliminate a lot of redundant code from mkmap_xxx.c, and + from everything that does map lookups. + +19980525 + + Bugfix: local/dotforward.c compared the result of opening + a user's ~/.forward against the wrong error value. + +19980526 + + Bugfix: the smtpd VRFY command could look at free()d memory. + + Robustness: the smtpd program had a fixed limit on the + number of token structures. The code now dynamically + allocates token structures. + + Bugfix: the queue manager still used the deprecated parameter + name xxx_deliver_concurrency for concurrency control, but + the documentation talks about the preferred parameter name + xxx_destination_concurrency. Fix: try xxx_destination_concurrency + first, then fall back to xxx_deliver_concurrency. + +19980621-19980702 + + Cleanup: the string read routines now report the last + character read or VSTREAM_EOF. This change is necessary + for the implementation of the long SMTP line bugfix. + + Bugfix: the smtp server exited the DATA command prematurely + when the client sent long lines. Reason: the smtp server + did not remember that it broke long lines, so that '.' + could appear to be the first character on a line when in + fact it wasn't. + + Bugfix: the queue manager made lots of stupid errors while + reading $qmgr_message_recipient_limit chunks of recipients + from a queue file. This code has been restructured. + +19980706 + + Performance: the cleanup program now always adds return-receipt + and errors-to records to a queue file, so that the queue + manager does not have to plow through huge lists of + recipients. + + Robustness: the initial destination concurrency now defaults + to 2, so that one bad message or one bad connection does + not stop all mail to a site. The configuration parameter + is called initial_destination_concurrency. + + Performance: the per-message recipient limit is now enforced + by the queue manager instead of by the transport. Thus, a + large list of recipients for the same site is now mapped + onto several delivery requests which can be handled in + parallel, instead of being mapped onto one delivery request + that is sent to limited numbers of recipients, one group + after the other. + +19980707 + + Cleanup: the queue manager now does an additional recipient + sort after the recipients have been resolved, so that the + code can do better aggregation of recipients by next hop + destination. + + Feature: lines in the master.cf file can now be continued + in the same manner as lines in the main.cf file, i.e. by + starting the next line with whitespace. + + Feature: the smtp client now warns that a message may be + delivered multiple times when the response to "." is not + received (the problem described in RFC 1047). + + Cleanup: when the queue manager changes its little mind + after contacting a delivery agent (for example, it decides + to skip the host because a transport or host goes bad), + the delivery agent no longer complains about premature EOF. + File: global/deliver_request.c + +19980709 + + Bugfix: when breaking long lines, the SMTP client did not + escape leading dots in secondary etc. line fragments. Fix: + don't break lines. This change makes VMailer line-length + transparent. Files: global/smtp_stream.c, smtp/smtp_proto.c. + +19980712 + + Cleanup: the queue manager to deliver agent protocol now + distinguishes between domain-specific soft errors and + recipient-specific soft errors. Result: many soft errors + with SMTP delivery no longer affect other mail the same + domain. + +19980713 + + Feature: the file modification time stamp of deferred queue + files is set to the nearest wakeup time of their recipient + hosts, or if delivery was deferred due to a non-host problem, + the time stamp is set into the future by the configurable + minimal backoff time. + + Bugfix: the SMTP client and the MAILQ command would report + as message size the total queue file size. That would + grossly overestimate the size of a message with many + recipients. + + Bugfix: the 19980709 fix screwed up locally-posted mail + that didn't end in newline. + +19980714 + + Robustness: the makedefs script now defaults to no optimization + when compiling for purify. + +19980715 + + Robustness: the makedefs script now defaults to no optimization + when compiling with gcc 2.8, until this compiler is known + to be OK. + + Workaround: when sending multiple messages over the same + SMTP connection, some SMTP servers need an RSET command + before the second etc. MAIL FROM command. The VMailer SMTP + client now sends a redundant RSET command just in case. + + The queue manager now logs explicitly when delivery is + deferred because of a "dead" message transport. + +19980716 + + Feature: mailq and mail bounces now finally report why mail + was deferred (the reason was logged to the syslog file + only). Changes were made to the bounce service (generalized + to be usable for defer logs), showq service (to show reasons) + and the queue manager. + + As a result the defer directory (with one log per deferred + message) may contain many files; also, this directory is + accessed each time a message is let into the active queue, + in order to delete its old defer log. This means that hashed + directories are now a must. + +19980718-20 + + Feature: configurable timeout for establishing smtp + connections. Parameter: smtp_connect_timeout (default 0, + which means use the timeout as wired into the kernel). + Inspired by code from Lamont Jones. For a clean but far + from trivial implementation, see util/timed_connect.c + + Cleaned up the interfaces that implement read/write deadlines. + Instead of returning -2, the routines now set errno to + ETIMEDOUT; the readable/writable tests are now separate. + +19980722 + + Feature: the default indexed file type (hash, btree, dbm) + is now configurable with the "database_type" parameter. + The default value for this parameter is system specific. + + Feature: selectively turn on verbose logging for hosts that + match the patterns specified via the "debug_peer_list" + config parameter. Syntax is like the "bad_smtp_clients" + parameter (see global/peer_list.c). The verbose logging + level is specified with "debug_peer_level" (default 2). + + Security: the local delivery agent no longer delivers to + files that have execute permission enabled. + +19980723 + + Workarounds for Solaris 2.x UNIX-domain sockets: they lose + data when you close them immediately after writing to them. + This could screw up the delivery agent to queue manager + protocol. + +19980724 + + Cleanup: spent most of the day cleaning up queue manager + code that defers mail when a site or transport dies, and + fixed a few obscure problems in the process. + +19980726 + + Feature: the admin can now configure what classes of problems + result in mail to the postmaster. Configuration parameter: + "notify_classes". Default is backwards compatible: bounce, + policy, protocol, resource, and software. + +19980726-28 + + Feature: the admin can now configure what smtp server access + control restrictions must be applied, and in what order. + Configuration parameters: smtpd_client_restrictions, + smtpd_helo_restrictions, smtpd_mail_restrictions and + smtpd_rcpt_restrictions. Defaults are intended to be + backwards compatible. The bad_senders and bad_clients lists + are gone and have become db (dbm, nis, etc) maps. Files: + smtpd/smtpd_check.c, config/main.cf. + +19980729-31 + + Feature: hashed queues. Rewrote parts of the mail queue + API. Configuration parameters: "hash_queue_names" specifies + what queue directories will be hashed (default: the defer + log directory), "hash_queue_depth" specifies the number of + subdirectories used for hashing (default 2). + +19980802 + + Bugfix: the pipe mailer should expand command-line arguments + with $recipient once for every recipient (producing one + command-line argument per recipient), instead of replacing + $recipient by of all recipients (i.e. producing only one + command-line argument). This is required for compatibility + with programs that expect to be run from sendmail, such as + uux. Thanks to Ollivier Robert for helping me to get this + right. + + Code cleanup: for the above, cleaned up the macro expansion + code in dict.c and factored out the parsing into a separate + module, mac_parse.c. + +19980803 + + "|command" and /file/name destinations in alias databases + are now executed with the privileges of the database owner + (unless root or vmailer). Thus, with: "alias_maps = + hash:/etc/aliases, hash:/home/majordomo/aliases", and with + /home/majordomo/aliases* owned by the majordomo account, + you no longer need the majordomo set-uid wrapper program, + and you no longer need root privileges in order to install + a new mailing list. + +19980804 + + Added support for the real-time blackhole list. Example: + "client_restrictions = permit_mynetworks, reject_maps_rbl" + + All SMTP server "reject" status codes are now configurable: + unknown_client_reject_code, mynetworks_reject_code, + invalid_hostname_reject_code, unknown_hostname_reject_code, + unknown_address_reject_code, relay_domains_reject_code, + access_map_reject_code, maps_rbl_reject_code. Default values + are documented in the smtpd/smtpd_check.c man page. + +19980806-8 + + Code cleanup: after eye balling line-by line diffs, started + deleting code that duplicated functionality because it was + at the wrong abstraction level (smtp_trouble.c), moved + functionality that was in the wrong place (dictionary + reference counts in maps.c instead of dict.c), simplified + code that was too complex (password-file structure cache) + and fixed some code that was just wrong. + +19980808 + + Robustness: the number of queue manager in-core structures + for dead hosts is limited; the limit scales with the limit + on the number of in-core recipient structures. The idea is + to not run out of memory under conditions of stress. + +19980809 + + Feature: mail to files and commands can now be restricted + by class: alias, forward file or include file. The default + restrictions are: "allow_mail_to_files = alias, forward" + and allow_mail_to_commands = alias, forward". The idea is + to protect against buggy mailing list managers that allow + intruders to subscribe /file/name or "|command". + +19980810-12 + + Cleanup: deleted a couple hundred lines of code from the + local delivery agent. It will never be a great program; + sendmail compatibility is asking a severe toll. + +19980814 + + Cleanup: made the program shut up about some benign error + conditions that were reported by Daniel Eisenbud. + +19980814-7 + + Documentation: made a start of HTML docs that describe all + configuration parameters. + + Feature: while documenting things, added smtpd_helo_required. + +19980817 + + Bugfix: at startup the queue manager now updates the time + stamps of active queue files some time into the future. + This eliminates duplicate deliveries after "vmailer reload". + + Bugfix: the local delivery agent now applies the recipient + delimiter after looking in the alias database, instead of + before. + + Documentation bugfixes by Matt Shibla, Tom Limoncelli, + Eilon Gishri. + +19980819 + + GLIBC fixes from Myrdraal. + + Bugfix: applied showq buffer reallocation workaround in + the wrong place. + + Bugfix: can't use shorts in varargs lists. SunOS 4 has + short uid_t and gid_t. pipe_command() would complain. + + Bugfix: can't use signed char in ctype macros. All ctype + arguments are now casted to unsigned char. Thanks, Casper + Dik. + +19980820 + + Bugfix: save the alias lookup result before looking up the + owner. The previous alpha release did this right. + + Cleanup: mail_trigger() no longer complains when the trigger + FIFO or socket is unavailable. This change is necessary to + shut up the sendmail mail posting program, so that it can + be used on mail clients that mount their maildrop via NFS. + + Experiment: pickup and pipe now run as vmailer most of the + time, and switch to user privileges only temporarily. + Files: util/set_eugid.c global/pipe_command.c pipe/pipe.c + pickup/pickup.c. Is this more secure/ What about someone + manipulating such a process while not root? It still has + ruid == 0. + +19980822 + + Portability: with GNU make, commands such as "(false;true)" + and "while :; do false; done" don't fail. Workaround: use + "set -e" all over the place. Problem found by Jeff Wolfe. + + Feature: "check_XXX_access maptype:mapname" (XXX = client, + helo, sender, recipient). Now you can make recipient and + other SPAM restrictions dependent on client or sender access + tables lookup results. + +19980823 + + Bugfix: smtpd access table lookup keys were case sensitive. + + Added "permit" and "reject" operators. These are useful at + the end of SPAM restriction lists (smtpd_XXX_restrictions). + + Added a first implementation of the permit_mx_backup SPAM + restriction. This permits mail relaying to any domain that + lists this mail system as an MX host (including mail for + the local machine). Thanks to Ollivier Robert for useful + discussions. + +19980824 + + Bugfix: transport table lookup keys were case sensitive. + +19980825 + + Portability: sa_len is some ugly #define on some SGI systems, + so we must rename identifiers (file util/connect.c). + + Bugfix: uucp delivery errors are now sent to the sender. + Thanks, Mark Delany. + + Bugfix: the pipe delivery agent now replaces empty sender + by the mailer daemon address. Mark Delany, again. + + Portability: GNU getopt looks at all command-line arguments. + Fix: insert -- into the pipe/uucp definition in master.cf. + + Bugfix: the smtp server command tokenizer silently discarded + the [] around [text], so that HELO [x.x.x.x] was read as + if the client had sent: HELO x.x.x.x. Thanks, Peter Bivesand. + + Bugfix: the HELO unknown hostname/bad hostname restrictions + would have treated [text] as a domain name anyway. + + Bugfix: the $local_duplicate_filter_limit value was not + picked up by the local delivery agent. This means the local + delivery agent could run out of memory on large mailing + list deliveries. + +19980826 + + Performance: mkmap/mkalias now run with the same speed as + sendmail. VMailer now uses a 4096-entry cache with 1 Mbyte + of memory for DB lookups. File: util/dict_db.c. + +19980902 + + Robustness: the reject_unknown_hostname restriction for + HELO/EHLO hostnames will now permit names that have an MX + record instead of an A record. + +19980903 + + Feature: appending @$myorigin to an unqualified address is + configurable with the boolean append_at_myorigin parameter + (default: yes). + + Feature: appending .$mydomain to user@host is configurable + with the boolean append_dot_mydomain parameter (default: + yes). + + Feature: site!user is rewritten to user@site, under control + of the boolean parameter swap_bangpath (default: yes). + + Feature: permit a naked IP address in HELO commands (i.e. + an address without the enclosing [] as required by the + RFC), by specifying "permit_naked_ip_address" as one of + the restrictions in the "smtpd_helo_restrictions" config + parameter. + +19980904 + + Code cleanup: when an SMTP client aborts a session after + sending MAIL FROM, the cleanup service no longer warns that + it is "skipping further client input". Files: cleanup/*.c. + Thanks, Daniel Eisenbud, for prodding. + + Code cleanup: when an SMTP server disconnects in the middle + of a session, don't try to send QUIT over the non-existing + connection. Files: global/smtp_stream.c, smtp/smtp.c. + Thanks, Daniel Eisenbud, for prodding, again. + + Code cleanup: the VMailer version number has moved from + mail_params.h (which is included by lots of modules) to a + separate file global/mail_version.h, so that a version + change no longer results in massive recompilation. + + Bugfix: Errors-To was flagged as a sender address, so the + address never was picked up. + + Code cleanup: support for Errors-To: headers completed. + +19980905 + + Feature: per-message exponential delivery backoff, by + looking at the amount of time a message has been queued. + Thanks, Mark Delany. + +19980906 + + Code cleanup: ripped out the per-host exponential backoff + code. It was broken by 19980818. It was probably a bad idea + anyway, because it required per-host, in-core, state kept + by the queue manager. All we do now is to keep state for + $minimal_backoff_time seconds, but only for a limited number + of hosts. Daniel Eisenbud spotted the problem. + + Lost feature: the SMTP session transcripts now show who + said what. This feature was inadvertently dropped during + development. Thanks, Daniel Eisenbud, for reminding. + + Documentation: the hard-coded rewriting process of the + trivial-rewrite program is described in html/rewrite.html. + + Feature: the local delivery agent now does alias lookups + before and after chopping off the recipient subaddress. + This allows you to forward user-anything to another user, + without losing the ability to redirect specific user-foo + addresses. + +19980909 + + Feature: the smtp client now logs a warning that a server + sends a greeting banner with the client's hostname, which + could imply a mailer loop. + +19980910 + + Feature: separate canonical maps for sender and recipient + address rewriting, so that you can rewrite an ugly sender + address and still forward mail to that same ugly address + without creating a mailer loop. Files: cleanup_envelope.c, + cleanup_message.c, cleanup_rewrite.c. + +19980911 + + Feature: virtual maps now support multiple addresses on + the right-hand side. In the case of virtual domains this + can eliminate the need for address expansion via local + aliases, making virtual domains much easier to administer. + This required that I moved the virtual table lookups from + the queue manager to the cleanup service, so that every + recipient has an on-disk status record. Files: qmgr.c, + qmgr_message.c, cleanup_envelope.c, cleanup_rewrite.c, + cleanup_virtual.c. + + Feature: sendmail/mailq/newaliases pass on the -v flag to + the program that they end up running, to make debugging a + little easier. + +19980914 + + Bugfix: some anti-spam measures didn't recognize some + addresses as local and would do too much work. File: + smtpd_check.c. + + Bugfix: the smtp sender/recipient table lookup restriction + destroyed global data, so that other restrictions could + break. File: smtpd_check.c. + + Bugfix: after vmailer reload, single-threaded servers could + exit before flushing unwritten data to the client. Example: + cleanup would exit before acking success to pickup, so the + message would be delivered twice. Bug reported by Brian + Candler. + + Cleanup: removed spurious error output from vmailer-script. + Reported by Brian Candler. + + Tolerance: ignore non-numeric SMTP server responses. There's + lot of brain damage out there on the net. + +19980915 + + Feature: the smtp-sink benchmark tool now announces itself + with a neutral name so that it can be run on the same + machine as VMailer, without causing Postfix to complain + about a mailer loop. + + Robustness: on LINUX, vmailer-script now does chattr +S to + force synchronous directory updates. Fix developed with + Chris Wedgwood. + +19980916 + + Bugfix: when transforming an RFC 822 address to external + form, there is no need to quote " characters in comments. + This didn't break anything, it just looked ugly. File: + global/tok822_parse.c + +19980917 + + Workaround: with deliveries to /file/name, use fsync() and + ftruncate() only on regular files. File: local/file.c + + Workaround: the plumbing code in master_spawn.c didn't + check if it was dup2()/close()ing a descriptor to itself + then closing it. Will have to redo the plumbing later. + +19980918 + + Workaround: on multiprocessor Solaris machines, one-second + rollover appears to happen on different CPUs at slightly + different times. Made the queue manager more tolerant for + such things. Problem reported by Daniel Eisenbud. + + Workaround: in preparation for deployment with a network-shared + maildrop directory. make pickup more tolerant against clock + drift between clients and servers. + +19980921 + + New vstream_popen() module that opens a two-way channel + across a socketpair-based pipe. This module isn't being + used yet; it is here only to complete the vstream code. + +19980922 + + Code cleanup: the xxx_server_main() interface for master + child processes now uses a name-value argument list instead + of an ugly and inflexible data structure. + + Bugfix: moved the test if a non-interactive process is run + by hand, so that the "don't do this" error message can be + printed to stderr before any significant processing. + + Bugfix: smtpd now can talk to unix-domain sockets without + bailing out on a peer lookup problem. Files: smtpd/smtpd.c, + util/peer_name.c. + + Safety: by default, the postmaster is no longer informed + of protocol problems, policy violations or bounces. + + Safety: the SMTP server now sleeps before sending a [45]xx + error response, in order to prevent clients from hammering + the server with a connect/error/disconnect loop. Parameter: + smtpd_error_sleep_time (default: 5). + + Feature: the logging facility is compile-time configurable + (e.g., make makefiles "CCARGS=-DLOG_FACILITY=LOG_LOCAL1"). + +19980923 + + Bugfix: changed virtual/canonical map search order from + (user@domain, @domain, user) to (user@domain, user, @domain) + so the search order is most specific to least specific. + File: global/addr_map.c, lots of documentation. + + Bugfix: after the change of 19980910, cleanup_message + extracted recipients from Reply-To: etc. headers. Found + by Lamont Jones. + +19980925 + + Bugfix: the change in virtual/canonical map search order + broke @domain entries; they would never be looked up if + the address matched $myorigin or $mydestinations. Found by + Chip Christian who now regrets asking for the change. + + Bugfix: cleanup initialized an error mask incorrectly, so + that it would keep writing to a file larger than the queue + file size limit, and so it would treat the error as a + recoverable one instead of sending a bounce. Thanks, Pieter + Schoenmakers. + + Bugfix: the "queue file cleanup on fatal error" action was + no longer enabled in the sendmail mail posting agent. + + Feature: the sendmail mail posting program now returns + EX_UNAVAILABLE when the size of the input exceeds the queue + file size limit. NB THIS CHANGE HAS BEEN WITHDRAWN. + +19980926 + + Code cleanup: the dotlock file locking routine is no longer + derived from Eric Allman's 4.3BSD port of mail.local. + + Code cleanup: the retry strategy of the file locking routines + dot_lockfile() and deliver_flock() is now configurable + (deliver_flock_attempts, deliver_flock_delay, deliver_flock_stale). + + Code cleanup: the master.pid lock file is now created with + symlink paranoia, and is properly locked so that PID rollover + will not cause false matches. + + Bugfix: the vbuf_print() formatting engine did not know + about the '+' format specifier. + + Cleanup: replaced unnecessary instances of stdio calls by + vstream ones. + +19980929-19981002 + + Compatibility: added support for "sendmail -q". This required + a change to the queue manager trigger protocol, and a code + reorganization of the way queue scans were done. The queue + manager socket now has become public. + +19981002 + + SMTPD now logs "lost connection after end-of-message" + instead of "lost connection after DATA". + +19981005 + + More bullet proofing: timeouts on all triggers. + +19981006 + + Bugfix: make the number of cleanup processes unlimited, in + order to avoid deadlock. The number of instances needed is + one per smtp/pickup process, and an indeterminate number + per local delivery agent. Thanks, Thanks, David Miller and + Terry Lorrah for cleueing me in. + + Bugfix: "sendmail -t" extracted recipients weren't subjected + to virtual mapping. Daniel Eisenbud strikes again. + +19981007 + + Compatibility: if the first input line ends in CRLF, the + sendmail posting agent will treat all CRLF as LF. Otherwise, + CRLF is left alone. This is a compromise between sendmail + compatibility (all lines end in CRLF) and binary transparency + (some, but not all, lines contain CRLF). + +19981008 + + Robustness: stop recursive virtual expansion when the + left-hand side appears in its own expansion. + +19981009 + + Portability: trigger servers such as pickup and qmgr can + now use either FIFOs or UNIX-domain sockets; hopefully at + least one of them works properly. Trigger clients were + already capable of using either form of local IPC. + +19981011 + + Feature: masquerading. Strip subdomains from domains listed + in $masquerade_domains. Exception: envelope recipients are + left alone, in order to not screw up routing. + +19981015 + + Code cleanup: moved the recipient duplicate filter from + the user-level sendmail posting agent to the semi-resident + cleanup service, so that the filter operates on the output + from address canonicalization and of virtual expansion, + instead of operating on their inputs. + +19981016 + + Bugfix: after kill()ing a bunch of child processes, wait() + sometimes fails before all children have been reaped, and + must be called again, or the master will SIGSEGV later. + Problem reported by Scott Cotton. + + Workaround: don't log a complaint when an SMTP client goes + away without sending QUIT. + +19981018 + + Workaround: Solaris 2.5 ioctl SIOCGIFCONF returns a hard + error (EINVAL) when the result buffer is not large enough. + This can happen on systems with many real or virtual + interfaces. File: util/inet_addr_local.c. Problem reported + by Scott Cotton. + + Workaround: the optional HELO/EHLO hostname syntax check + now allows a single trailing dot. + + Workaround: with UNIX-domain sockets, LINUX connect() blocks + until the server calls accept(). File: qmgr/qmgr_transport.c. + Terry Lorrah and Scott Cotton provided the necessary + evidence. + +19981020 + + Robustness: recursive canonical mapping terminates when + the result stops changing. + + Code cleanup: reorganized the address rewriting and mapping + code in the cleanup service, to make it easier to implement + the previous enhancement. + +19981022 + + Code cleanup: more general queue scanning programming + interface, in preparation for hashed queues. File: + qmgr/qmgr_scan.c. + + Bugfix: a non-FIFO server with a process limit of 1 has a + too short listen queue. Until now this was not a problem + because only FIFO servers had a process limit of 1, and + FIFOs have no listen queue. Fix: always configure a listen + queue of proc_limit or more. File: master/master_listen.c. + +19981023 + + Feature: by popular request, mail delay is logged when + delivering, bouncing or deferring mail. + +19981024 + + Cleanup: double-bounce mail is now absorbed by the queue + manager, instead of the local delivery agent, so that the + mail system will not go mad when no local delivery agent + is configured. + +19981025 + + Cleanup: moved the relocated table from the local delivery + agent to the queue manager, so that the table can also be + used for virtual addresses. + + Code reorg: in order for the queue manager to absorb + recipients, the queue file has to stay open until all + recipients have been assigned to a destination queue. + +19981026 + + vmlogger command, so that vmailer-script logging becomes + consistent with the rest of the VMailer system. + + Code reorg: logger interface now can handle multiple output + handlers (e.g. syslog and stderr stream). + + Bugfix: a first line starting with whitespace is no longer + treated as an extension of our own Received: header. Files: + smtpd/smtpd.c, pickup/pickup.c. + +19981027 + + Bugfix: the bang-path swapping code went into a loop on an + address consisting of just a single !. Eilon Gishri had + the privilege of finding this one. + + Workaround: the non-blocking UNIX-domain socket connect is + now enabled only on systems that need it. It may cause + kernel trouble on Solaris 2.x. + + Bugfix: the resolver didn't implement bangpath swapping, + so that mail for site!user@mydomain would be delivered to + a local user named "site!user". + +19981028 + + Cleanup: a VSTREAM can now use different file descriptors + for reading and writing. This was necessary to prevent + "sendmail -bs" and showq from writing to stdin. Eilon Gishri + observed the problem. + +19981029 + + The RFC 822 address manipulation routines no longer give + special attention to 8-bit data. Files: global/tok822_parse.c, + global/quote_822_local.c. + + Bugfix: host:port and other non-domain stuff is no longer + allowed in mail addresses. File: qmgr/qmgr_message.c. + + Workaround: LINUX accept() wakes up before the three-way + handshake is complete, so it can fail with ECONNRESET. + Files: master/single_server.c, master/multi_server.c. + + Feature: when delivering to user+foo, try ~user/.forward+foo + before trying ~user/.forward. + + Bugfix: smtpd in "sendmail -bs" (stand-alone) mode didn't + clean up when terminated by a signal. + + Bugfix: smtpd in "sendmail -bs" (stand-alone) mode should + not try to enforce spam controls because it cannot access + the address rewriting machinery. + + Cleanup: the percent hack (user%domain -> user@domain) is + now configurable (allow_percent_hack, default: yes). + + Bugfix: daemons in -S (stand-alone) mode didn't change + directory to the queue. This was no problem with daemons + run by the sendmail compatibility program. + +19981030 + + Feature: when virtual/canonical/relocated lookup fails for + an address that contains the optional recipient delimiter + (e.g., user+foo@domain), the search is done again with the + unextended address (e.g., user@domain). File: global/addr_find.c. + + Code reorg: the address searching is now implemented by a + separate module global/addr_find.c, so that the same code + can be used for both (non-mapping) relocated table lookups + and for canonical and virtual mapping. The actual mapping + is still done in the global/addr_map.c module. + + Robustness: the SMTP client now skips hosts that don't send + greeting banner text. File: smtp/smtp_connect.c + + Feature: preliminary support to disable delivered-to. This + is desirable for mailing list managers that don't want to + advertise internal aliases. + + Generic support: when the recipient_feature_delimiter + configuration parameter is set, the local delivery agent + uses it to split the recipient localpart into fields. Any + field that has a known name such as "nodelivered" enables + the corresponding delivery feature. + +19981031 + + Code reorg: address splitting on recipient delimiter is + now centralized in global/split_addr.c, which knows about + all reserved names that should never be split. + + Robustness: when a request for an internal service cannot + be satisfied because the master has terminated, terminate + instead of trying to reach the service every 30 seconds. + + Safety: the local delivery agent now runs as vmailer most + of the time, just like pickup and pipe. Files: local/local.c, + local/mailbox.c + +19981101 + + Compatibility: the tokenizer for alias/forward/etc. + expansion now updates an optional counter with the number + of destinations found; If no destinations is found in a + .forward file, deliver to the mailbox instead. Thanks, + Daniel Eisenbud, for showing the way to go. + + Robustness: the pickup daemon should always include a + posting-time record, even when the sendmail posting agent + didn't. However, just like before, user-provided posting + times will be ignored. Ollivier Robert found this one. + + Robustness: duplicate entries in aliases or maps now cause + a warning instead of a fatal error (and an incomplete file). + + Robustness: mkmap now prints a warning when an entry is in + "key: value" format, which is the format expected for alias + databases, not for maps. + + Portability: on LINUX, prepend "+" to the getopt() options + string so that getopt() will stop at the first non-option + argument. Suggestion by Marco d'Itri. + +19981103 + + Cleaned up the set_eugid() and open_as() implementations, + and added stat_as() and fstat_as() so that the local delivery + agent would look up include files and .forward files with + the right privileges. + +19981104 + + Bugfix: the :include: routine now stat()s/open()s files + included by root-owned aliases as root, not as nobody. + + Bugfix: the master crashed when a service with wakeup timer + was disabled or renamed. Fix: eliminate some pathological + coupling between process management and wakeup management. + + Feature: partial implementation of ETRN (causes a full + deferred queue scan). Thanks Lamont Jones for reminding me + that things can be useful already before they are perfect. + + Cleanup: simplified the SMTPD tokenizer. + + Bugfix: sendmail -bs didn't properly notify the mail system + of new mail. + + Compatibility: the MAIL FROM and RCPT TO commands now accept + the most common address forms without enclosing <>. The <> + is still needed for addresses that contain a "string", an + [address], or a colon (:). + +19981105 + + Bugfix: "master -t" would claim that the master runs when + in fact the pid directory does not exist, causing trouble + with first time startup (reported by several). + + Portability: added a sane_accept() module that maps all + beneficial accept() error results to EAGAIN. According to + private communication with Alan Cox, Linux 2.0.x accept() + can return a variety of error conditions, so we play safe + and allow for any error that may happen because SYN+ACK + could not be sent. + + Portability: NETBSD1 uses dotlock files (Perry Metzger). + + Bugfix: the local delivery agent did not canonicalize + owner-foo sender addresses, so that local users would see + owner-foo instead of owner-foo@$myorigin (Perry Metzger). + + OPENSTEP4 support, similar to NEXTSTEP3 (Gerben Wierda). + +19981106 + + Portability: the master startup would take a long time on + AIX because AIX has a very large per-process open file + limit. Fix is to check the status of only the first couple + hundred file descriptors instead. File: master/master.c. + + Bugfix: mail to user@[net.work.addr.ess] was broken because + of a reversed test. File: qmgr/qmgr_message.c. + +19981107 + + Compatibility: don't clobber the envelope sender address + when an alias has no owner-foo alias (problem diagnosed by + Christophe Kalt). + + Bugfix: mail to local users in include files would be + delivered directly if the alias didn't have an owner-foo + alias, and if the alias database and include file were + owned by root. + + Feature: with user+foo addresses, any +foo address extension + that is not explicitly matched in canonical, virtual or + alias databases is propagated to the table lookup result. + +19981108 + + Bugfix: minor memory leak in the user+foo table lookup + code. + + Configurability: specify virtual.domain in the virtual map, + and mail for unknown@virtual.domain will bounce automatically. + The $relay_domains default value now includes $virtual_maps, + so the SMTP server will accept mail for the domain. Marco + d'Itri put me on the right track. + + Configurability: The mydestinations configuration parameter + now accepts /file/name expressions and type:name lookup + tables. + + Code cleanup: in order to make the previous two enhancements + possible, revised the string/host/address matching engine + so it can handle any mixture of strings, /file/name patterns + and type:name lookup tables. Files: util/match_{list,ops}.c, + global/{domain,namadr,string}_list.c. + +19981110 + + Code cleanup: replaced remaining isxxx() calls by ISXXX(). + +19981111 + + Bugfix: the "bounce unknown virtual user" code was in the + wrong place. Problem tackled with help of Chip Christian. + + Portability: reportedly, Solaris 2.5.1 can hang waiting + for a UNIX-domain connection to be accepted, so it gets + the same workaround that was designed for LINUX. Problem + reported by Scott Cotton. + +19981112 + + Management: "vmailer stop" now allows delivery agents to + finish what they are doing, like "vmailer reload". + + Management; "vmailer abort" causes immediate termination. + + Workaround: zombie processes pile up with HP-UX. Reason: + select() does not return upon SIGCHLD when SA_RESTART is + specified to sigaction(). Workaround: shorten the select() + timer to 10 seconds, #ifdef BRAINDEAD_SELECT_RESTARTS. + Thanks, Lamont Jones. + +19981117 + + Rename: VMailer is now Postfix. Sigh. + +19981118 + + Cleanup: generalized the safe_open() routine so that it is + no longer limited to mailbox files, lock files, etc. + + Bugfix (found during code review): vstream*printf() could + run off the end of a stream buffer after an I/O error, + because vbuf_print() ignored the result from VBUF_SPACE(). + + Bugfix (found during code review): resolve_local() could + clobber its argument, but the docs didn't say so. + +19981121 + + Cleanup: the is_header() routine now allows 8-bit data in + header labels. + +19981123 + + Bugfix (found during code review): the mail_queue_enter() + path argument wasn't optional. File: global/mail_queue.c + +19981124 + + Cleanup: eliminated redundant tests for a zero result from + vstream_fdopen(). Unlike the stdio fdopen() routine, the + vstream_fdopen() routine either succeeds or never returns. + + Bugfix: the queue manager now looks at the clock before + examining a file time stamp, to avoid spurious complaints + about time warps on busy machines. File: qmgr/qmgr_active.c. + +19981125 + + Compatibility: allow trailing dot at the end of user@domain. + Address canonicalization now strips it off. Issue brought + forward by Eilon Gishri. File: trivial-rewrite/rewrite.c. + + Robustness: changed DNS lookup order of MAIL FROM etc. + domains from MX then A to A then MX, just in case the MX + lookup fails with a server error. + + Renamed vmcat, vmlock, vmlogger, vmtrigger to postcat, + postlock, postlog, postkick. Also renamed mkmap and mkalias + to postmap and postalias. + +19981126 + + Workaround: Lamont Jones found a way for HP-UX to terminate + select() after SIGCHLD. The code is #ifdef USE_SIG_RETURN. + Files: util/sys_defs.h, master/master_sig.c. + + Bugfix: the Delivered-To: loop detection code had stopped + working, when long ago the is_header() routine was changed. + File: local/delivered.c. + +19981128 + + Bugfix: postcat opened queue files read-write, where only + read access was needed. File: postcat/postcat.c. + +19981129 + + Safety: added a sleep(1) to all fatal and panic exits. + File: util/msg.c. + +19981201 + + Robustness: postcat now insists that a file starts with a + time record. + + Consistency: added "-c config_dir" command-line options + where appropriate. + +19981202 + + Man pages, on-line version. + +19981203 + + Man pages, html version; overview documentation. + +19981206 + + Sendmail silently accepted the unsupported -qRsite and + -qSsite options. It now prints an error message and + terminates. + + Separated the contributed tree from the IBM code; moved + the LDAP and NEXTSTEP/OPENSTEP code to the contributed + source tree because obviously I didn't write it. + +19981206-9 + + Had to write a postconf configuration utility in order to + reliably find out about all configuration parameters and + their defaults. + + Documentation bugfixes by Matt Shibla, Scott Drassinower, + Greg A. Woods. + +19981209 + + On machines with short hostnames, postconf -d cored while + reporting a fatal error. It should not report that error + in the first place. Thanks, Eilon Gishri. + + Changed the FAQ entry about rejecting mail for *.my.domain + on a firewall. Chip Christian was right, I was wrong. + +19981214 + + Portability: with GNU getopt, optind is not initially 1, + breaking an assumption in sendmail/sendmail.c. Liviu Daia. + + Annoyance: on non-networked systems, don't warn that only + one network interface was found. File: global/inet_addr_local.c. + Reported by several. + + Bugfix: on non-networked systems, the smtp client assumed + that it was running in virtual host mode, and would bind + to the loopback interface. File smtp/smtp_connect.c. Liviu + Daia, again. + +19981220 + + Robustness: when looking up an A or MX record, do not give + up when the A query fails because of a server error. File + dns/dns_lookup.c. Reported by Scott Drassinower. + +19981221 + + Bugfix: "bounce mail for non-existent virtual user" didn't + work when a non-default relay host was configured in main.cf + or in the transport table. File: qmgr/qmgr_message.c. + + Bugfix: the maildrop directory should not be world-readable. + Files: conf/postfix-script, showq/showq.c. + + Documentation: fixed several omissions and errors. + + Documentation: removed references to the broken recipient + feature delimiter configuration parameter. + + Bugfix: write mailbox file as the recipient, so that file + quota work as expected. + + Bugfix: pickup would die when it tried to remove a non-file + in the maildrop directory (Jeff Wolfe). + +19981222 + + Sendmail no longer logs the queue ID when it is unable to + notify the pickup daemon. This is a late addition to the + "unreadable maildrop queue" patch. + + user.lock files are now created as root, so that postfix + needs no group directory write permission. + +19981224 + + Security: allow queue file link counts > 1, to avoid + non-delivery of maildrop files with links to a non-maildrop + directory. Files: global/mail_open_ok.c, and anything + that calls this code (qmgr, pickup, showq). If multiple + hard links are a problem, see the set-gid "postdrop" utility + below. + +19981225 + + Robustness: the queue manager no longer aborts when a queue + file suddenly disappears (e.g. because the file was removed + by hand). + + Feature: when a writable maildrop directory is a problem, + sites can make the new "postdrop" utility set-gid. This + command is never used when the maildrop directory is + world-writable. + + Robustness: make the queue file creation routine more + resistant against denial of service race attack. File: + global/mail_queue.c + +19981226 + + New suid_priv module to enable/disable privileges in a + set-uid/gid program. In the end I decided to not use it. + +19981228 + + Robustness: make the pickup daemon more resistant against + non-file race attack. + + Cleanup: generic mail_stream.c interface for writing queue + file streams to files, daemons or commands. This simplifies + the code in smtpd and in sendmail that must be able to pipe + mail through the postdrop command. The cleanup daemon has + been modified to use the same interface. Result: less code. + + Feature: smtpd now logs the only recipient in Received: + headers. + + Feature: separate command and daemon directories. Both + default to $program_directory. Install conf/postfix-script + if you want to use this feature. + +19981230 + + Patch to avoid conflict with non-writable top-level Makefile + (Lamont Jones). + +19981231 + + Portability: port to UnixWare 7 by Ronald Joe Record, SCO. + +19990104 + + Bugfix: fencepost (Jon Ribbens, Oaktree Internet Solutions + Ltd.) Files: quote_82[12]_local.c. + + Bugfix: wrong default for relay_domains (Juergen Kirschbaum, + Bayerische Landesbank). File: mail_params.h. + + Bugfix: changed 5xx response for "too may recipients" to + 4xx. File: smtpd.c. + +19990106 + + Feature: defer_transports specifies the names of transports + that should be used only when "sendmail -q" (or equivalent) + is issued. For example, "defer_transports = smtp" is useful + for sites that are disconnected most of the time. File: + qmgr_message.c. + +19990107 + + Feature: local_command_shell specifies a non-default shell + for delivery to command by the local delivery agent. For + example, "local_command_shell = /some/where/smrsh -c" + restricts what may appear in "|command" destinations. + File: global/pipe_command.c. + +19990112-16 + + Feature: SMTP command pipelining support based on an initial + version by Jon Ribbens, Oaktree Internet Solutions Ltd. + This one took several days of massaging before I felt + comfortable about it. Files: smtp.c, smtp_proto.c. + + Bugfix: the SMTP server would flush responses one-by-one, + which caused suboptimal performance with pipelined clients. + The vstream routines now flush the write buffer when the + read() routine is called, instead of flushing when the + application changes from writing to reading. Delayed flush + prevents the SMTP server from flushing responses one-by-one + and thus triggering Nagle's algorithm. File: util/vstream.c. + +19990117 + + Bugfixes and enhancements to the smtpstone tools by Drew + Derbyshire, Kendra Electronic Wonderworks: send helo command, + send message headers, format the message content to lines + < 80, work around NT stacks, make "." recognition more + robust. Files: smtp-source.c, smtp-sink.c. + + Strategy: look at the deferred queue only when the incoming + queue is empty; limit the number of recipients read from + a queue file depending on the number of recipients already + in core. Files: qmgr.c, qmgr_message.c. + + Feature: postponed anti-UCE restrictions. The decision to + reject junk mail on the basis of the client name/address, + HELO hostname or sender address can now be postponed until + the RCPT TO command (or HELO or MAIL FROM if you like). + File: smtpd_check.c. + +19990118 + + Feature: incremental updates of alias databases and of + other lookup tables. Both postalias and postmap now take + a -i option for incremental updates from standard input. + Files: global/mkmap_*.c, post{map,alias}/post{map,alias}.c. + + Compatibility: newaliases can now update multiple alias + databases: list them in the "alias_database" parameter in + main.cf. By the same token, postalias can now update multiple + maps in one command. Files: post{map,alias}/post{map,alias}.c + + Feature: mail to <> is now sent to the address specified + with the "empty_address_recipient" configuration parameter + which defaults to MAILER-DAEMON (idea by Lamont Jones, + Hewlett-Packard). File: cleanup/cleanup_envelope.c. + + Compatibility: the transport table now uses .domain.name + to match subdomains, just like sendmail mailer tables (patch + by Lamont Jones, Hewlett-Packard). + + Feature: mailq now ends with a total queue size summary + (Eilon Gishri, Israel Inter University Computation Center). + +19990119 + + Feature: address masquerade exceptions for user names listed + in the "masquerade_exceptions" configuration parameter. + File: cleanup/cleanup_masquerade.c. + + Feature: qmail-style maildir support, based on initial code + by Kevin W. Brown, Quantum Internet Services Inc. + + Workaround: Solaris 2.something connect() fails with + ECONNREFUSED when the system is busy (Chris Cappuccio, + Empire Net). File: global/mail_connect.c. + + Feature: the cleanup service now adds a Return-Path: header + when none is present. This header is needed for some mail + delivery programs (see below). File: cleanup_message.c. + + Feature: the pipe mailer now supports $user, $extension + and $mailbox macros in command-line expansions. This, plus + the Return-Path: header (see above), should be sufficient + to support cyrus IMAP out of the box. Based on initial + code by Joerg Henne, Cogito Informationssysteme GMBH. + File: pipe/pipe.c. + + Bugfix: with address extensions enabled, canonical and + virtual lookups now are done in the proper order: + user+foo@domain, user@domain, user+foo, user, @domain. + File: global/mail_addr_find.c. + +19990119 + + Feature: the local mailer now prepends a Received: message + header with the queue ID to forwarded mail, in order to + make message tracing easier. File: local/forward.c. + + Cleanup: after "postfix reload", no more broken pipe + complaints from resolve/rewrite clients. + +19990121 + + Feature: pickup (again) logs uid and sender address. On + repeated request by Scott Cotton, Internet Consultants + Group, Inc. + + Portability: doze() function for systems without usleep(). + + Cleanup: clients are now consistently logged as host[address]. + +19990122 + + Maildir support changed: specify "home_mailbox = Maildir/". + The magic is the trailing /. Suggested by Daniel Eisenbud, + University of California at Berkeley. + + Maildir support from aliases, :include: and .forward files. + Specify /file/name/ - the trailing / is required. Suggested + by Daniel Eisenbud, University of California at Berkeley. + + Workaround: watchdog timer to prevent the queue manager + from locking up on some systems. + + Bugfix: in Received: headers, the "for " + information was in the wrong place. Pointed out by Jon + Ribbens, Oaktree Internet Solutions Ltd. + +19990124 + + Portability: more workarounds for GNU getopt() by Liviu + Daia, Institute of Mathematics, Romanian Academy. File: + sendmail/sendmail.c. + +19990125 + + Bugfix: Postfix should not masquerade recipient addresses + extracted from message headers. Problem reported by David + Blacka, Network Solutions. File: cleanup/cleanup_message.c. + +19990126 + + Feature: smtpd_etrn_restrictions parameter to restrict who + may use ETRN and what domains may be specified. Example: + "smtpd_etrn_restrictions = permit_mynetworks, reject". + Requested by Jon Ribbens, Oaktree Internet Solutions Ltd. + File: smtpd/smtpd_check.c. + +19990127 + + Bugfix: in an attempt to shave some cycles, the anti junk + mail routines would use the wrong resolved address. This + "optimization" is now turned off. Problem reported by Sam + Eaton, Pavilion Internet Plc. File: smtpd/smtpd_check.c. + + Feature: BIFF notifications. For compatibility reasons + this feature is on by default. This "protocol" can be a + real performance pig. Specify "biff = no" in main.cf if + your machine has lots of shell users. Feature requested by + Dan Farmer - it's one of the things one does for friends. + Files: local/mailbox.c, local/biff_notify.c. + + Bugfix: another case sensitivity problem, this time with + virtual lookups to recognize unknown@virtual.domain. + Problem reported by Bo Kleve, Linkoping University. File: + qmgr/qmgr_message.c. + +19990128 + + Feature: with "soft_bounce = yes", defer delivery instead + of bouncing mail. This is a safety net for configuration + errors with delivery agents. It has no effect on errors in + virtual maps, canonical maps, or in junk mail restrictions. + Feature requested by Bennett Todd. File: global/bounce.c. + +19990129 + + Compatibility: the qmail maildir.5 documentation prescribes + maildir file names of the form time.pid.hostname, which is + wrong because Postfix processes perform multiple deliveries. + Elsewhere the qmail author has documented how maildir files + should be named under such conditions. Postfix has been + changed to be conformant. File: local/maildir.c. + +19990131 + + Feature: special treatment of owner-foo and foo-request + can be turned off. Specify "owner_request_special = no". + Requested by Matthew Green and others. Files: local/alias.c, + global/split_addr.c. This affects canonical, virtual and + alias lookups. + +19990204 + + Portability: signal handling for HP-UX 9 by Lamont Jones + of Hewlett Packard. File: master/master_sig.c. + + Robustness: disable random walk inside a per-site queue to + avoid message starvation under heavy load. File: qmgr_entry.c. + + Robustness: under some conditions the queue manager could + declare a host dead after just one delivery failure. File: + qmgr_queue.c. + +19990212 + + Feature: skip SMTP servers that greet us with a 4XX status + code. Example: "smtp_skip_4xx_greeting = yes". By default, + the Postfix SMTP client defers delivery when a server + declines talking to us. File: smtp/smtp_connect.c. + + Robustness: upon startup the queue manager now moves active + queue files to the incoming queue instead of the deferred + queue, to avoid anomalous delivery delays on systems that + have a huge incoming queue. Files: qmgr/qmgr.c, + qmgr/qmgr_active.c, global/mail_flush.c, conf/postfix-script* + +19990213 + + Robustness: added watchdog timers to avoid getting stuck + on systems with broken select() socket implementations. + File: qmgr_transport.c, qmgr_deliver.c. + +19990218 + + Feature: NFS-friendly delivery to mailbox by avoiding the + use of root privileges as much as possible. With input by + Mike Muus, Army Research Lab, USA. + + Feature: the smtp-sink test server now supports SMTP command + pipelining. To this end we had to generalize the timer and + vstream support. Poor performance is fixed 19990222. + + Cleanup: timer event routines now have the same interface + as read/write event routines (event type + context). File: + util/events.c. + + Feature: new vstream_peek() routine to tell how much unread + data is left in a VSTREAM buffer. This is the vstream + variant of the peekfd() routine for kernel read buffers. + File: util/vstream.c. + + Feature: directory scanning support for hashed mail queue + directories. So far the results are disappointing: with + depth = 2 (16 directories with 16 subdirectories), mailq + takes 5 seconds with an empty queue unless all directories + happen to be cached in memory. We need a bit map before + hashed queue directories become practical. Depth=1 hashing + doesn't slow down mailq much, but doesn't help much either. + Files: util/scan_dir.c, global/mail_scan_dir.c. + +19990221 + + Workaround: with "ignore_mx_lookup_error = yes", the SMTP + client always performs an A lookup when an MX lookup could + not be completed, rather than treating MX lookup failure + as a temporary error condition. Unfortunately there are + many broken DNS servers on the Internet. File: smtp/smtp_addr.c. + +19990222 + + Performance: rewrote the guts of the smtp-sink test server + so it can do pipelining without losing performance. + +19990223 + + Workaround: hotmail.com sometimes drops the connection + after "." (causing misleading diagnostics to be logged) or + waits minutes after receiving QUIT. Solution: do not wait + for the response to QUIT. File: smtp/smtp_proto.c. This + is turned off with: "smtp_skip_quit_response = no". + +19990224 + + Feature: the pipe mailer accepts user=username:groupname, + based on code submitted by Philip A. Prindeville, Mirapoint, + Inc., USA. File: pipe/pipe.c. + + Workaround: use file locking to prevent multiple processes + from select()ing on the same socket. This causes performance + problems on large BSD systems. Files: master/*_server.c. + +19990225 + + Bugfix: with "inet_interfaces = 127.0.0.1", don't bind to + the loopback interface. Problem reported by Steve Bellovin + of AT&T. File: smtp/smtp_addr.c. + + Feature: "postsuper" command to remove stale queue files + to update queues after changes to the queue structure + parameters (hash_queue_names, hash_queue_depth). This + command is to be run from the postfix-script maintenance + shell script. + +19990301 + + Feature: new postconf -h (suppress `name = ' in output) + option to make the program easier to use in, e.g., shell + scripts. + + Feature: dict_unix module so you can add the UNIX passwd + table to the SMTPD access control list. + +19990302 + + Feature: "luser_relay = destination" captures mail for + non-existent local recipients. This works only when the + local delivery agent does mailbox delivery (including + delivery via mailbox_command), not when mailbox delivery + is delegated to another message transport. + + Feature: new reject_non_fqdn_{hostname,sender,recipient} + restrictions to require fully.qualified.domain forms in + HELO, MAIL FROM and RCPT TO commands (while still allowing + the <> sender address). + +19990304 + + Bugfix: backed out the 19990119 change to always insert + Return-Path: if that header is not present. The pipe and + local agents now are responsible for prepending Return-Path:. + Files: cleanup/cleanup_message.c, global/mail_copy.[hc], + pipe/pipe.c, global/header_opts.c. This causes an incompatible + change to the pipe flags parameter, because Return-Path: + now must be requested explicitly. + +19990305 + + Bugfix: showq (the mailq server) incorrectly assumed that + all recipients of a deferred message are listed in the + corresponding defer logfile. It now lists all recipients. + Files: showq/showq.c, cleanup/cleanup_envelope.c (ensure + that sender records always precede recipient records). + + Cleanup: smtpd HELO restrictions validate [numerical] forms. + Files: util/valid_hostname.c, smtpd/smtpd_check.c. Initial + code by Philip A. Prindeville, Mirapoint, Inc., USA. + +19990306 + + Cleanup: re-vamped the valid_hostname module, and added a + maximal label length (63) requirement. + + Feature: fallback_relay parameter to specify extra backup + hosts in case the regular relay hosts are not found or not + available. Files: smtp/smtp_addr.c. + + Feature: "always_bcc = address" specifies where to send a + copy of each message that enters he system. However, if + that copy bounces, the sender will be informed of the + bounce. Files: smtpd/smtpd.c, pickup/pickup.c + + Compatibility: the transport map will now route on top-level + domains, so you can dump all of .bitnet to a bitnet relay. + +19990307 + + Feature: LDAP lookups, updated by Jon Hensley, Merit Network, + USA. + + Feature: regular expression (PCRE) support by Andrew + McNamara, connect.com.au Pty. Ltd., Australia. In order to + use this code specify pcre:/file/name. You can use this + anywhere you would use a DB or DBM file, NIS or LDAP. See: + PCRE_README for how to enable this code. + + Feature: "delay_warning_time = 4" causes Postfix to send + a "your mail is delayed" notice after approx. 4 hours. + Daniel Eisenbud, University of California at Berkeley. + Files: qmgr/qmgr_active.c, qmgr/qmgr_message. Postmaster + notices for delayed mail are disabled by default. In order + to receive postmaster notices, specify "notify_classes = + ... delay ...". + + Cleanup: do not send undeliverable bounced mail to postmaster. + This was causing lots of pain with junk mail from bogus + sender addresses to non-existent recipients. This change + was reversed 19990311. + +19990308 + + Bugfix: the dotforward routine was too eager with throwing + away extension information, so that the Delivered-To: info + would differ for \mailbox and |command. Problem reported + by Rafi Sadowski, Open University, Israel. + + Bugfix: seems I never got around to fix the btree access + method. I finally did. Problem reported by: Matt Smith, + AvTel Communications Inc., USA. + +19990311 + + Back by popular demand: with "notify_classes = 2bounce ..." + Postfix will send undeliverable bounced mail to postmaster. + The default is to not send double bounces. This change + reverses a change made on 19990307. + +19990312 + + Feature: configurable exit handler for server skeletons. + Philip A. Prindeville, Mirapoint, Inc., USA. Files: + master/*server.c. + + Feature: mail_spool_directory configuration parameter to + specify the UNIX mail spool directory. The default setting + is system dependent. + +19990313 + + Cleanup: share file descriptors for resolve and rewrite + client connections. This puts less strain on the trivial-rewrite + service. + + Portability: support for UnixWare 2.1 by Dmitry E. Kiselyov, + Nizhny Novgorod City Health Emergency Station. + + Feature: configurable delays in the smtpstone test programs. + With input by Philip A. Prindeville, Mirapoint, Inc., USA. + Files: smtpstone/*.c. + + Bugfix: a "signal 11" problem in the trivial-rewrite program + that would occasionally happen after "postfix reload". + Reason: some rewrite clients would clobber their input, + and when they had to retransmit the query, the input would + be a zero-length string, which trivial-rewrite isn't supposed + to receive. + +19990314 + + Feature: "mailbox_transport = cyrus" delegates all local + mailbox delivery to a master.cf entry called "cyrus" (the + same trick for procmail), including users not found in the + UNIX passwd database. This gives the flexibility of $name + expansions by the pipe mailer, without losing local aliases + and ~/.forward processing. Result of discussions with Rupa + Schomaker, RS Consulting. + +19990315 + + Feature: the mydestination parameter can now be an empty + string, for hosts that don't receive any mail locally. Be + sure to specify a default route for mail that comes to the + machine or mail will loop. + +19990316 + + Bugfix: the SMTPD check scaffolding didn't apply the same + sanity checks as the production code. Problem reported by + Alain Thivillon, Herve Schauer Consultants, France. File: + smtpd/smtpd_check.c. + + Portability: some systems can have more than 59 seconds in + a minute. Based on a fix by Liviu Daia, Institute of + Mathematics, Romanian Academy. File: global/mail_date.c. + + Enhancement: include the client network address in the + rejected by RBL response. Lamont Jones, Hewlett-Packard. + + Workaround: use fstat() to figure out if the maildrop is + world-writable. access() uses the real uid, which stinks. + + Robustness: don't do partial address lookups (user@, domain, + user, @domain) with regexp-style tables. + + Security: don't allow regexp-style tables to be used for + aliases. It would be too easy to slip in "|command" or + :include: or /file/name. + +19990317 + + Feature: "fallback_transport = cyrus" delegates non-UNIX + recipients to a master.cf entry called "cyrus", allowing + you to have both UNIX and non-UNIX mailboxes side by side. + +19990319 + + Workaround: on 4.4 BSD derivatives, fstat() can return + EBADF on an open file descriptor. Now, that was a surprise. + This caused std{out,err} from cron commands to not be + delivered. + + Bugfix: "local -v" stopped working. + + Workaround: more watchdog timers for postfix-unfriendly + systems. By now every Postfix daemon has one. Call it life + insurance. + + Robustness: increased the maximal time to receive or deliver + mail from $ipc_timeout (default: 3600 seconds) to the more + generous $daemon_timeout (default: 18000 seconds). We don't + want false alarms. + + Portability: IRIX 5.2 does not have usleep(). + +19990320 + + Bugfix: \username was broken. Frank Dziuba was the first + to notice. + +19990321 + + Workaround: from now on, Postfix on Solaris uses stream + pipes instead of UNIX-domain sockets. Despite workarounds, + the latter were causing more trouble than anything else on + all systems combined. + +19990322 + + Portability: the makedefs would mis-identify IRIX 6.5.x as + IRIX 5.x. Fix by Brian Truelsen of Maersk Mc-Kinney Moller + Institute for Production Technology, Denmark. + + Feature: reject_unknown_recipient_domain restriction for + recipient addresses. For the sake of symmetry, we now also + have reject_unknown_sender_domain. This means the old + reject_unknown_address restriction is being phased out. + Suggested by Rask Ingemann Lambertsen, Denmark Technical + University. + + Feature: unknown sender/recipient domain restrictions now + distinguish between soft errors (always: 450) and hard + errors (configurable with the unknown_address_reject_code + parameter, default: 450; use 550 at your own risk). + + Feature: no HELO junk mail restrictions means that no syntax + check will be done on HELO/EHLO hostname arguments. + + Bugfix: the initial Solaris workaround for UNIX-domain + sockets could cause the queue manager to block if Postfix + ran into a delivery agent process limit. After another code + rewrite that problem is eliminated. Thanks to Chris + Cappuccio, Empire Net, for assistance with testing. + +19990323 + + Bugfix: too much forwarding when users list their own name + in their .forward file (e.g. mail to user@localhost would + go through .forward, would be forwarded to user@$myorigin, + and would go through .forward again). Problem reported by + Roman Dolejsi, Prague University of Economics. + +19990324 + + Bugfix: missing map name in check_xxx_access restrictions + could cause a segmentation error. Lamont Jones, Hewlett- + Packard. + + Feature: forward_path configuration parameter (default: + $home/.forward$recipient_delimiter$extension,$home/.forward). + Based on initial code by Philip A. Prindeville, Mirapoint, + Inc., USA. Files: local/dotforward.c. + +19990325 + + Workaround: Solaris NIS alias maps need special entries + (YP_MASTER_NAME, YP_LAST_MODIFIED). What's worse, normal + keys/values include a null byte at the end, but the YP_XXX + ones don't. Problem reported by Walcir Fontanini, state + university of Campinas, Brazil. File: postalias/postalias.c. + + Compatibility: Solaris NIS apparently does include a null + byte at the end of keys and values. File: util/sys_defs.h. + + Feature: library support for config parameters that are + not $name expanded at program start-up. This was needed + for forward_path, and will also be needed to make message + headers customizable. + + Bugfix: pcre didn't handle \\ right. Lamont Jones, Hewlett- + Packard. File: util/dict_pcre.c. + +19990326 + + Compatibility: Postfix now puts two spaces after the sender + in a "From sender date..." header. Found by John A. Martin, + fixed by Lamont Jones, Hewlett-Packard. + + Bugfix: when a recipient appeared multiple times in a local + alias or include expansion, the delivery status could be + left uninitialized, causing the mail to be deferred and + delivered again. File: local/recipient.c. + +19990327 + + Cleanup: the dictionary routines now take an extra flag + argument to control such things as warning about duplicates, + and appending null bytes to key/value. The latter was needed + for a clean implementation of NIS master alias maps support. + + Feature: POSIX regular expressions by Lamont Jones. See + config/sample-regexp.c. Right now, enabled on *BSD and + LINUX only. + +19990328 + + Code cleanup: dictionaries now have flags that say whether + lookup keys are fixed strings or whether keys are subjected + to pattern matching. This is needed to avoid passing partial + addresses to regexp-based lookup tables (user, @domain, + user@, domain). Files: util/dict*.c. + + Bugfix: fixed memory leaks and core dumps in the regexp + and pcre routines (neither handled an empty pattern file). + +19990329 + + Code cleanup: the dictionary I/O routines now do their own + locking depending on dictionary flag settings. This means + that the low-level dict_get() interface can now be used + for safe dictionary lookups. This is needed for 19990328's + partial lookup key support. Files: util/dict*.c. global/maps.c. + + Feature: regular expression matches are no longer limited + to user@domain address forms in access/canonical/virtual + maps, but can also be used for domains in transport maps. + This needed the partial lookup key support to avoid passing + partial addresses to regexp-based lookup tables (user, + @domain, user@, domain). Files: global/maps.c + global/mail_addr_find.c. + + Feature: new dictionary types can be registered with + dict_open_register(). File: util/dict_open.c. + +19990330 + + Bug fix: match_list membership dictionary lookups were case + sensitive when they should not. Patch by Lutz Jaenicke, + BTU Cottbus, Germany. + +19990402 + + Feature: $domain macro support in forward_path. Philip A. + Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c. + + Feature: if an address extension (+foo) is explicitly + matched by the .forward+foo file name, do not propagate + the extension to recipient addresses. This is more consistent + with the way aliases are expanded. File: local/dotforward.c. + +19990404 + + Bugfix: after receiving mail, the SMTP server didn't reset + the cleanup error flag, so that multiple deliveries over + the same SMTP session could fail due to errors with previous + deliveries. Found by Lamont Jones, Hewlett-Packard. + +19990405 + + Feature: MIME-encapsulated bounces. Philip A. Prindeville, + Mirapoint, Inc., USA. File: bounce/bounce_notify_service.c + + Cleanup: vstreams now properly look at the EOF flag before + attempting to read, eliminating the need for typing Ctrl-D + twice to test programs; the EOF flag is reset after each + unget or seek operation. Files: util/vstream.c, util/vbuf.c. + + Feature: in preparation for configurable message headers + the mac_parse() routine now balances the parentheses in + ${name} or $(name). We need this in order to support + conditional expressions such as ${name?text} where `text' + contains other ${name} expressions. + +19990406 + + Cleanup: changed MIME header information to make bounces + more RFC 1892 compliant. + +19990407 + + Feature: "best_mx_transport = local" delivers mail locally + if the local machine is the best mail exchanger (by default, + mail is bounced with a "mail loops back to myself" error). + + Config: in order to make feature tracking easier the source + code distribution now has a copy of the default settings + in conf/main.cf.default. + + Feature: separate configurable postmaster addresses for + single bounces (bounce_notice_recipient), double bounces + (2bounce_notice_recipient), delayed mail (delay_notice_recipient), + and for other mailer errors (error_notice_recipient). The + default for all is "postmaster". + +19990408 + + Workaround: on Solaris 2.x, the master appears to lose its + exclusive lock on the master.pid file, so keep grabbing + the lock each time the master wakes up from select(). + + Robustness: don't flush VSTREAM buffers after I/O error. + This prevents surprises when calling vstream_fclose() after + truncating a mailbox to its original size. + + Portability: on LINUX systems, if exists, don't + look for . + + Workaround: specify "sun_mailtool_compatibility = yes" to + avoid clashes with the mailtool application. This disables + kernel locks on mailbox files. Use only where needed. + + Portability: renamed readline to readlline, to avoid clashes + with mysql. + +19990409 + + Bugfix: ignore temp queue files that aren't old enough. + Problem reported by Vivek Khera, Khera Communications, Inc. + + Bugfix: fixed typo in dict_db.c that caused processes to + not release DB shared locks. + + Feature: auto-detection of changes to DB or DBM lookup + tables. This avoids the need to run "postfix reload" after + change to the smtp access table and other tables. + + Feature: regular expression checks for message headers. + This requires support for POSIX or for PCRE regular + expressions. Specify "header_checks = regexp:/file/name" + or "header_checks = pcre:/file/name", and specify + "/^header-name: badstuff/ REJECT" in the pattern file + (patterns are case-insensitive by default). Code by Lamont + Jones, Hewlett-Packard. It is to be expected that full + content filtering will be delegated to an external command. + +19990410 + + Bugfix: auto-detection of changes to DB or DBM lookup tables + wasn't done for TCP connections. + +19990410 + + Feature: $recipient expansion in forward_path. Philip A. + Prindeville, Mirapoint, Inc., USA. File: local/dotforward.c + + Feature: the smtp client consistently treats a numerical + hostname as an address. File: smtp/smtp_addr.c. + +19990414 + + Compatibility: support comment lines starting with # in + $mydestination include files. This makes Postfix more + compatible with sendmail.cw files. File: util/match_list.c. + + Feature: if your machines have short host names, specify + "mydomain = domain.name", and you no longer have to specify + "myhostname = host.domain.name". Files: global/mail_params.c, + postconf/postconf.c. + +19990420 + + Cleanup: bounce mail when a mailbox goes over file quota, + instead of deferring delivery. File: local/mailbox.c. + +19990421 + + Feature: auto-detection of changes to DB or DBM lookup + tables now includes the case where a file is unlinked. + Philip A. Prindeville, Mirapoint, Inc., USA. File: + util/dict.c. + +19990422 + + Robustness: Lotus mail sends MAIL FROM: <@> instead of <>. + Problem reported by Erik Toubro Nielsen, IFAD, Denmark. + Files: trivial-rewrite/rewrite.c (@ becomes empty address) + and global/rewrite_clnt.c (allow empty response). + + Bugfix: showq could segfault when writing to a broken pipe. + Problem reported by Bryan Fullerton, Canadian Broadcasting + Corporation. Files: util/vbuf_print.c. + + Cleanup: got rid of the "fatal: write error: Broken pipe" + message when mailq output is piped into a program that + terminates early. + + Cleanup: bounce messages are multipart/mixed with the error + report as part of the first message segment, because users + had trouble extracting the delivery error report from the + attachment. + +19990423 + + Cleanup: the default junk mail reject code is now 554 + (service unavailable) rather than 550 (user unknown). + + Folded in the updated dict_ldap.c module by John Hensley, + Merit Network, USA. + + Folded in the vstream_popen.c updates by Philip A. + Prindeville, Mirapoint, Inc., USA. This copies a lot of + code from pipe_command(); the next step is to trim that + module. + +19990425 + + Workaround: renamed config.h to mail_conf.h etc. in order + to avoid name collisions with LINUX (yes, they have a system + include file called config.h). For compatibility with people + who have written software for Postfix, there's a config.h + that aliases the old names to the new ones. That file will + go away eventually. + +19990426 + + Feature: error mailer, in order to easily bounce mail for + specific destinations. In the transport table, specify: + "host.domain error:host.domain is unavailable". Too bad + that the transport table triggers on destination domain + only; it would be nice to bounce specific users as well. + +19990427 + + Cleanup: "disable_dns_lookups = yes" now should disable + all DNS lookups by the SMTP client. + +19990428 + + Bugfix: with DBM files, Postfix was watching the "dir" file + modification time for changes. It should be watching the + "pag" file instead. + +19990429 + + Cleanup: all callbacks in the master to server API now pass + on the service name and the application-specific argument + vector. Files: master/*server.c. + +19990504 + + Feature: conditional macro expansion. ${name?text} expands + to text when name is defined, otherwise the result is empty. + ${name:text} expands to text when name is undefined, + otherwise the result is empty. File: util/mac_expand.c. + + Feature: conditional macro expansion of the forward_path + configuration parameters of $user, $home, $shell, $recipient, + $extension, $domain, $mailbox and $recipient_delimiter. + Files: local/dotforward.c, local/local_expand.c. + +19990506 + + Cleanup: eliminated misleading warnings about unknown HELO + etc. SMTPD restrictions when the HELO etc. information is + not available. File: smtpd/smtpd_check.c. + +19990507 + + Feature: all smtpd reject messages now contain the MAIL + FROM and RCPT TO addresses, if available. + +19990508 + + Feature: conditional macro expansion of the luser_relay + configuration parameter. It is no longer possible to specify + /file/name or "|command" destinations. File: local/unknown.c. + + Cleanup: changed the mac_parse interface so that the + application callback routine can return status information. + Updated the dict_regexp and dict_pcre modules accordingly. + + Cleanup: changed the mac_expand interface so that the caller + provides an attribute lookup routine, instead of having to + provide a copy of all attributes upfront. Files: + util/mac_expand.c, local/local_expand.c. + + Feature: control over how address extensions are propagated + to other addresses. By default, propagation of unmatched + address extensions is now restricted to canonical and + virtual mappings. Specify "propagate_unmatched_extensions + = canonical, virtual, alias, forward, include" to restore + previous behavior. + +19990509 + + Feature: USER, EXTENSION, DOMAIN, RECIPIENT (entire address) + and MAILBOX (address localpart) environment variables are + exported to shell commands (including mailbox_command). + + Feature: new command_expansion_filter parameter to control + what characters may appear in message attributes that are + exported via environment variables. + + Cleanup: SMTPD reject messages are more informative, and + more complete sender/recipient information is logged for + the local sysadmin. + +19990510 + + Bugfix: missing MIME header in postmaster bounce notices. + Found by Samuel Tardieu, Ecole Nationale Superieure des + Telecommunications, France. + + Feature: UCE restrictions are always delayed until RCPT + TO, VRFY or ETRN. To change back to the default specify + "smtpd_delay_reject = no" in /etc/postfix/main.cf. + + Bugfix: missing duplicate filter call. This caused too many + deliveries when a user is listed multiple times in an alias. + Reported by Hideyuki Suzuki, School of Engineering, University + of Tokyo. Backed out on 19990512 because it caused problems. + Fixed 19990513 but needs further study. + + Feature: it is now possible to move queue files back into + the maildrop queue, so that they can benefit from changes + in canonical and virtual mappings. In order to make this + possible, some restrictions on queue file contents were + relaxed. Files: pickup/pickup.c, cleanup/cleanup_extracted.c. + + Feature: made a start with integrating Joerg Henne's + dictionary extensions to remove entries and to iterate over + entries. That code is almost four months old by now. + +19990511 + + Feature: added a "undeliverable postmaster notification + discarded" warning when mail is dropped on the floor. + Requested by Michael Hasenstein, SuSE, Germany. + +19990517 + + Bugfix: reject_non_fqdn_sender/recipient would pass + user@[ip_address] regardless of destination. Eric Cholet + had the honor of suffering from this one. + +19990527 + + More SMTP client logging for easier debugging: the smtp + client now logs hostname[ip.addr], and logs every failed + attempt to reach an MX host, not just the last one. + +19990601 + + Bugfix: emit a blank line before a MIME boundary; the line + is part of the boundary. File: bounce/bounce_notify_service.c. + Wolfgang Segmuller, IBM Research. + +19990610 + + Bugfix: the "is this the loopback interface" test was + broken. Reported by Claus Fischer @microworld.com. File: + smtp/smtp_connect.c. + + Usability: added helpful warnings about restrictions that + are being ignored after check_relay_domains, etc. + + Portability: Reliant Unix support by Gert-Jan Looy, Siemens, + the Netherlands. + +19990611 + + Robustness: the postfix-script start-up procedure now + detects a missing master program, avoiding misleading + warnings that the mail system is already running. Fix + suggested by David E. Smith @technopagan.org. + + Portability: Mac OS X Server Port by Mark Miller @swoon.net. + + Feature: on systems that use dotlock files for mailbox + locking, the local delivery agent now will attempt to use + dotlock files when delivering to user-specified files. + Dotlock files for user-specified destinations are created + with the privileges of the user. For backwards compatibility, + Postfix will attempt to create dotlocks for user-specified + destinations only when the user has parent directory write + permission. + + Feature: specify "expand_owner_alias = yes" in order to + use the right-hand side of an owner- alias, instead of + using the left-hand side address. Needed by Juergen Georgi. + +19990622 + + Bugfix: the local delivery agent did not set user attributes + when delivering to root, so that forward_path did not expand + properly. Found by Jozsef Kadlecsik, KFKI Research Institute + for Particle and Nuclear Physics, Hungary. File: + local/dotforward.c. + + Bugfix: the unix:passwd.byname mechanism is not suitable + for smtpd access control - the user name would have to end + in @, or the access control software would have to be + changed. Removed the example from the RELEASE_NOTES file. + +19990623 + + Bugfix: the smtp server did not reset the error flag after + ".". Found by James Ponder, Oaktree Internet Solutions Ltd. + File: smtpd/smtpd.c. + + Bugfix: fencepost error in the doze() routine (an usleep() + replacement for systems without one). Found by Simon J + Mudd. File: util/doze.c. + +19990624 + + Portability: support for AIX 3.2.5 (!) by Florian Lohoff + @rfc822.org. + + Portability: Ultrix 4.3 support by Christian von Roques + @pond.sub.org. + + Feature: mysql support by Scott Cotton and Joshua Marcus, + Internet Consultants Group, Inc. Files: util/dict_myqsl.*. + +19990627 + + Bugfix: Postfix is now distributed under the new IBM Public + License (version 1, dated June 14, 1999). + + Feature: the Delivered-To: header can be turned off for + delivery to command or file/mailbox. The default setting + is: "prepend_delivered_header = command, file, forward". + Turning off the Delivered-To: header when forwarding mail + is not recommended. + +19990628 + + Feature: the postlock command now returns EX_TEMPFAIL when + the destination file is locked by another process. + +19990705 + + Workaround: in the SMTP client, move the "mail loops back + to myself test" from the 220 greeting to the HELO response. + This change does not weaken the test, and makes Postfix + more robust against broken software that greets with the + client hostname. + +19990706 + + Workaround: in the INSTALL file, use `&&' instead of `;' + in (cd path; tar ...) pipelines because some UNIX re-invented + shells don't bail out when cd fails. Matthias Andree + @stud.uni-dortmund.de. + +19990709 + + Bugfix: $user was not set when delivering to a non-user. + Found by Vladimir Ulogov @ rohan.control.att.com when + configuring a luser_relay that contained $user. + +19990714 + + Robustness: add PATH statement to Solaris2 chroot setup + script to avoid running the ucb commands. Problem found by + Panagiotis Astithas @ ece.ntua.gr. + +19990721 + + Bugfix: don't claim a "mail loops to myself" error when + the best MX host was not found in the DNS. Found by Andrew + McNamara, connect.com.au Pty Ltd. File: smtp/smtp_addr.c. + +19990810 + + Feature: added "-c config_dir" support to the postconf + command. This probably means that "-f file" will never be + implemented. + +19990812 + + Bugfix: showq didn't print properly when listing a maildrop + file. Fix by: Andrew McNamara, connect.com.au Pty Ltd. + File: showq/showq.c. + + Feature: added SENDER to the list of parameters exported + to external commands. File: local/command.c. Code by: Lars + Hecking, National Microelectronics Research Centre, Ireland. + +19990813 + + Bugfix: sendmail -t (extract recipients from headers) did + not work when the always_bcc feature was turned on. Reported + by: Denis Shaposhnikov @ neva.vlink.ru. + +19990813 + Bugfix: "sendmail -bd" returns a bogus exit status (the + child process ID). Fix by Lamont Jones of Hewlett-Packard. + File: sendmail/sendmail.c. + +19990824 + + Bugfix: null pointer dereference while rejecting VRFY before + MAIL FROM. Found by Laurent Wacrenier @ fr.clara.net. + +19990826 + + Portability: more MacOS X Server patches; some NEXTSTEP/OPENSTEP + code that had been removed for the first public beta release; + NEXTSTEP/OPENSTEP now defaults to netinfo for the aliases + database. Submitted by Gerben Wierda. + + Portability: workaround for a FreeBSD 3.x active network + interface without IP address by Pierre Beyssac @ enst.fr. + File: inet_addr_local.c. + +19990831 + + Workaround: sendmail now prints a warning when installed + set-uid or when run by a set-uid command. Reportedly, the + linuxconf software turns on the set-uid bit, which could + open up a security loophole. File: sendmail/sendmail.c. + + Bugfix: Postfix daemons now temporarily lock DB/DBM files + while opening them, in order to avoid "invalid argument" + errors because some other process is changing the file. + Files: util/dict_db.c, util/dict_dbm.c. + + Robustness: Postfix locks queue files during delivery, to + prevent duplicate delivery when "postfix reload" is + immediately followed by "sendmail -q". This involves a + change of the deliver_request interface: delivery agents + no longer need to open and close queue files explicitly. + Files: global/deliver_request.c, pipe/pipe.c, smtp/smtp.c, + local/local.c, qmgr/qmgr_active.c, qmgr/qmgr_message.c. + + Feature: reject_unauth_destination SMTP recipient restriction + that rejects destinations not in $relay_domains. By Lamont + Jones of Hewlett-Packard. File: smtpd/smtpd_check.c. + + Security: do not allow weird characters in the expansion + of $names that appear in $forward_path. Just like with + shell commands, replace bad characters in expansions by + underscores. Configuration parameter: forward_expansion_filter. + +19990902 + + Documentation: added a sample postfix alias to the examples + in the INSTALL document and in the conf/aliases file. + Reminded by Simon J. Mudd @ alltrading.com. + +19990903 + + Bugfix: in case of some error conditions the pickup daemon + could leak small amounts of memory. + +19990905 + + Bugfix: no more "skipping further client input" warnings + when a message header is rejected. + + Feature: reject_unauth_pipelining SMTP restriction that + rejects mail from clients that improperly use SMTP command + pipelining. + + Robustness: the LDAP client by default no longer looks up + names containing "*". See the lookup_wildcards feature in + LDAP_README. Update by John Hensley. + + Documentation: address masquerading with exceptions FAQ by + Jim Seymour @ jimsun.LinxNet.com. + + Bugfix: mysql reconnect after disconnect by Scott Cotton + Internet Consultants Group, Inc. File: util/dict_myqsl.c. + + Portability: the Postfix to PCRE interface now expects + version 2.08. Postfix is no longer compatible with PCRE + versions before 2.6. + +19990906 + + Feature: INSTALL.sh script that makes Postfix installation + a bit less painful. This script can be used for installing + and for upgrading Postfix. It replaces files instead of + overwriting them, and leaves existing configuration and + queue files intact. + +19990907 + + Bugfix: reject_non_fqdn_sender used the wrong test to see + if a sender address was given and could dump core. This + must have been broken ever since the UCE tests were moved + to the RCPT TO stage in 19990510. + + Bugfix: check_sender_access was recognized as a valid + restriction name only if a sender had been specified. + +19990908 + + Portability: Unixware has only after sendmail + is installed. Changed postlock.c to use global/sys_exits.h. + +19990909 + + Performance: added one-entry cache to the address rewriting + client and to the address resolving client. This is because + UCE restrictions tend to produce the same query repeatedly. + Files: global/rewrite_clnt.c, global/resolve_clnt.c. + + Feature: the UCE restrictions are now fully recursive so + you can have per-client/helo/sender/recipient restrictions. + Instead of OK, REJECT or [45]xx, you can specify a sequence + of restrictions on the right-hand side of an SMTPD access + table. This means you can no longer use canonical/virtual/alias + maps as SMTPD access tables. But the loss is compensated + for. File: smtpd/smtpd_access.c. + + Feature: restriction classes, essentially a short-hand for + restriction lists. These short hands are useful mostly on + the right-hand side of SMTPD access tables. You must use + restriction classes in order to have lookup tables on the + right-hand side of an SMTPD access table. File: + smtpd/smtpd_access.c. + + Feature: "permit_recipient_map maptype:mapname" permits a + recipient address when it matches the specified table. + Lookups are done just as with canonical/virtual maps. With + this, you can also use passwd/aliases as SMTPD access maps. + File: smtpd/smtpd_access.c. + +19990910 + + Changed "permit_address_map" into "permit_recipient_map" + and added a test for the case that they specify a lookup + table on the right-hand side of an SMTPD access map. File: + smtpd/smtpd_access.c. + + Cleanup: removed spurious sender address checks for <>. + File: smtpd/smtpd_check.c. + + Cleanup: the smtp client now consistently logs host[address] + for all connection attempts. + +19990919 + + Feature: in an SMTPD access map, an all-numeric right-hand + side now means OK, for better cooperation with out-of-band + authentication mechanisms. + +19990922 + + Security: recipient addresses must not start with '-', in + order to protect external commands. The old behavior is + re-instated when main.cf specifies: "allow_min_user = + yes". Credits to Mads Kiilerich @ Kiilerich.com. File: + qmgr/qmgr_message.c. + + Bugfix: after 19990831, the queue manager would throw away + defer logs after deferring mail to known-to-be-dead hosts + or message transports. This means that in some cases, mailq + would not show why mail is delayed, and that delayed mail + could be sent back with recipients missing from the error + report. Reported by Giulio Orsero @ tiscalinet.it. + +19990923 + + Bugfix: the above bugfix broke bounces of mail with bad + address syntax and relocated users. Problem diagnosed by + Dick Porter @ acm.org. + + Documentation: added DO NOT EDIT THIS FILE. EDIT MAIN.CF + INSTEAD notices to the sample-xxx.cf files. + +19991007 + + Compatibility: ignore the sendmail -U (initial user + submission) option. Thomas Quinot @ cuivre.fr.eu.org. + +19991103 + + Code cleanup: don't send postmaster notifications when an + SMTP client sends a DATA command while no recipients were + accepted. This can happen when a pipelined client runs + into an UCE block. File: smtpd/smtpd.c. + +19991104 + + Robustness: do not apply UCE header checks to mail that is + generated by Postfix (bounces, forwarded mail etc.). Files: + smtpd/smtpd.c, pickup/pickup.c, cleanup/cleanup_message.c. + + Robustness: new generic watchdog module that can deal with + clocks that jump occasionally. Files: util/watchdog.c, + master/master.c, master/{single,multi,trigger}_server.c. + This hopefully ends the false watchdog alarms that happen + when clocks are set or when laptops are resumed. + + Code cleanup: BSMTP requires dot quoting as per RFC 821. + Based on code by Florian Lohoff @ rfc822.org. Files: + global/mail_copy.[hc], pipe/pipe.c. + +19991105 + + Bugfix: the crufty code in inet_addr_local() did not find + IP aliases. File: util/inet_addr_local.c. + + Portability: the INSTALL.sh utility did not find users or + groups in NIS or Netinfo tables. The script no longer + searches the /etc/passwd and /etc/group files. Instead it + now queries the unix:passwd.byname and unix:group.byname + maps. For this, a -q (query) option was added to postmap + (and to postalias, for symmetry). Files: util/dict_unix.c, + postalias/postalias.c, postmap/postmap.c, INSTALL.sh. + + Bugfix: LDAP lookup timeout settings were ignored. Patch + by John Hensley. File: util/dict_ldap.c. + +19991108 + + Bugfix: when doing a fresh install, INSTALL.sh didn't set + main.cf:mail_owner properly (Simon J. Mudd). + +19991109 + + Bugfix: when doing a fresh install, INSTALL.sh no longer + worked (missing main.cf file). Fix: add "-c" argument to + the postmap commands (Lars Hecking @ nmrc.ucc.ie). + + Documentation: removed spurious "do not edit" comments from + the sample pcre and regexp configuration files. + +19991110-13 + + Code cleanup: greatly simplified the SMTPD command parser + and somewhat simplified the code that groks RFC 822-style + address syntax in MAIL FROM and RCPT TO commands. + + New parameter: strict_rfc821_envelopes (default: no) to + reject RFC 822 address forms (with comments etc.) in SMTP + envelopes. By default, the Postfix SMTP server only logs + a warning. + +19991113 + + Oops, also updated the SMTP VRFY code in the light of + changes to the SMTPD command parser. + + Cleanup: the local delivery agent now explicitly rejects + recipients with an empty username. + +19991114 + + Workaround: with some gawk versions, postconf/extract.awk + reportedly returns a non-zero exit status upon success. + Added an explicit exit(0) statement. + +19991115 + + Feature: DNS TXT record lookup support, based on initial + code by Simon J Mudd. File: dns/dns_lookup.c. + + Feature: RBL TXT record lookups, based on initial code by + Simon J Mudd. File: smtpd/smtpd_check.c. + + Feature: permit_auth_destination restriction based on code + by Jesper Skriver @ skriver.dk. + + Code cleanup: the transport table now can override all + deliveries, including local ones. + +19991116 + + Code cleanup: a new "local_transports" configuration + parameter explicitly lists all transports that deliver mail + locally. The first name listed there is the default local + transport. This is the end of the "empty next-hop hostname" + hack to indicate that a destination is local. Files: + trivial-rewrite/resolve.c, global/local_transport.[hc] + + Feature: "postconf -m" shows what lookup table types are + available. Code by Scott Cotton, Internet Consultants + Group, Inc. + + Feature: "postconf -e" edits any number of main.cf parameters. + The edit is done on a copy, and the copy is renamed into + the place of the original. File: postconf/postconf.c, + util/readlline.[hc]. + +19991117 + + Portability: SunOS 4 has no SA_RESTART. File: util/watchdog.c. + + Feature: on systems with h_errno, the "reject_unknown_client" + restriction now distinguishes between soft errors (always + reply with 450) and hard errors (use the user-specified + reply code). This should lessen the load by broken mailers + that re-connect once a minute. + + Feature: forward/reverse name/address check for SMTP client + hostnames. This fends off some hypothetical attacks by + spammers who are in control of their own reverse mapping. + + Robustness: postconf no longer aborts when it can't figure + out the local domain name; it prints a warning instead. + This allows you to use "postconf -e" to fix the problem. + +19991118 + + Bugfix: the RFC822 address parser would misparse a leading + \ as an atom all by itself. Problem reported by Keith + Stevenson @ louisville.edu. File: global/tok822_parse.c. + +19991119 + + Bugfix: tiny memory leak in pipe_command() when fork() + fails. File: global/pipe_command.c. + +19991120 + + Bugfix: reversed test for all-numerical results in SMTPD + access maps. File: smtpd/smtpd_check.c. + +19991121 + + Robustness: INSTALL.sh no longer uses postmap for sanity + checks. + + Feature: INSTALL.sh now has an install_root option. + + Bugfix: INSTALL.sh now installs manual pages with proper + permissions and ownership. + + Bugfix: the LDAP client did not properly escape special + characters in lookup keys (patch by John Hensley). File: + util/dict_ldap.c. + +19991122 + + Bugfix: missing absolute path in INSTALL.sh broke fresh + install. + +19991124 + + Bugfix: the local delivery agent's recipient duplicate + filter did not work when configured to use unlimited memory + (which is not a recommended setting). Patrik Rak @raxoft.cz. + +19991125 + + Bugfix: postconf didn't have an umask(022) call at the + beginning (problem experienced by Matthias Andree). + +19991126 + + Bugfix: DNS TXT records now have string lengths before text + (Mark Martinec @ nsc.ijs.si). + +19991127 + + Update: the LDAP client code now supports escapes as per + RFC2254 (John Hensley). + +19991207 + + Performance: one message with many recipients no longer + stops other mail from being delivered. The queue manager + now frees in-memory recipients as soon as a message is + delivered to one destination, rather than waiting until + all in-memory destinations of that message have been tried. + Patch by Patrik Rak @ raxoft.cz. Files: qmgr/qmgr_entry.c, + qmgr/qmgr_message.c. + + Performance: when delivering mail to a huge list of + recipients, the queue manager now reads more recipients + from the queue file before delivery concurrency drops too + low. Files: qmgr/qmgr_entry.c, qmgr/qmgr_message.c. + +19991208 + + Updated LDAP client code by John Hensley with escape + sequences as per RFC 2254. File: util/dict_ldap.c. + + Updated MYSQL client code by Scott Cotton. File: dict_mysql.c. + + Feature: added -N/-n options to include/exclude terminating + nulls in keys and values in postmap/postalias DB or DBM + files. Normally, Postfix uses whatever is appropriate for + the host system. A non-default setting can be necessary + for inter-operability with third-party software. + + Bugfix: the local delivery agent would deliver to the user + instead of the .forward file when the .forward file was + already visited via some non-recursive path. Patch by Patrik + Rak @ raxoft.cz. Files: global/been_here.c, local/dotforward.c. + + Robustness: attempt to deliver all addresses in the expansion + of an alias or .forward file, even when some addresses must + be deferred. File: local/token.c. + +19991211 + + Performance: qmgr_fudge_factor controls what percentage of + delivery resources Postfix will devote to one message. + With 100%, delivery of one message does not begin before + delivery of the previous message is completed. This is good + for list performance, bad for one-to-one mail. With 10%, + response time for one-to-one mail improves much, but list + performance suffers. In the worst case, people near the + start of a mailing list get a burst of postings today, + while people near the end of the list get that same burst + of postings a whole day later. Files: qmgr/qmgr_message.c, + qmgr/qmgr_entry.c. + + Bugfix: address rewriting would panic on a lone \ at the + end of a line where an address was expected. Jason Hoos @ + thwack.net. File: global/rewrite_clnt.c. + +19991215 + + Bugfix: the strict RFC821 envelope address check should + not be applied to VRFY commands. File: smtpd/smtpd.c. + + Cleanup: permit_recipient_maps is gone, because that could + only be used inside UCE restrictions. + +19991216 + + Feature: allow an empty inet_interfaces parameter, just + like an empty mydestination parameter. It's needed for true + null clients and for firewalls that deliver no local mail. + + Feature: "disable_vrfy_command = yes" disables some forms + of address harvesting used by spammers. + + Workaround: added the alias map parameter definition to + the smtpd code. This is a symptom of a general problem + with parameters that have non-empty default values: unless + a program explicitly defines such a parameter, the parameter + defaults to the empty string when used in other parameters. + There's also a problem with evaluation order. + + Feature: the SMTP server rejects mail for unknown users in + virtual domains that are defined by Postfix virtual domain + files. File: smtpd/smtpd_check.c. + + Feature: reject mail for unknown local users at the SMTP + port. The local_recipient_maps configuration parameter + specifies maps with all addresses that are local with + respect to $mydestination or $inet_interfaces. Example: + "local_recipient_maps = $alias_maps unix:passwd.byname". + This feature is disabled by default. You may have to copy + the passwd file into the chroot jail. File: smtpd/smtpd_check.c. + + Feature: the sendmail -f option now understands '' + and even understands address forms with RFC 822-style + comments. + +19991217 + + Cleanup: no more UCE checks for VRFY commands. It still + reports unknown local/virtual users. File: smtpd/smtpd_check.c. + + Robustness: upon Postfix startup, report discrepancies + between system files inside and outside the chroot jail. + Files: conf/postfix-script-nosgid, conf/postfix-script-sgid. + +19991218 + + Cleanup: INSTALL.sh produces relative symlinks, which is + necessary when install_root is not /. + +19991219 + + Documentation: completely reorganized the FAQ and added + many new entries. Rewrote the UCE html documentation. + + Cleanup: INSTALL.sh uses a configurable directory for + scratch files, so that it can install from a file system + that is not writable by the super-user. + + Cleanup: INSTALL.sh gives helpful hints when the "mv" + command is unable to move symlinks across file system + boundaries. + +19991220 + + Cleanup: it is no longer necessary to list $virtual_maps + as part of the relay_domains definition. The SMTP server + now by default accepts mail for destinations that match + $inet_interfaces, $mydestination or $virtual_maps, whether + or not these are specified in relay_domains. We still need + the ugly "virtual.domain whatever" hack in the virtual + maps. Files: smtpd/smtpd_check.c and lots of documentation + and sample config files. + +19991221 + + Removed cyrus -q flag (ignore quotas) from the sample + master.cf file. + +19991223 + + Bugfix: smtpd should not check for unknown users when + running in stand-alone (sendmail -bs) mode. Problem + experienced by Chuck Mead. File: smtpd/smtpd.c. + + Retraction: the "local_transports" configuration parameter + is gone. Adjusted code and documentation accordingly. + Instead, use just one "local_transport" parameter with the + name of the default local transport. Files: smtpd/smtpd_check.c, + qmgr/qmgr_message.c, trivial-rewrite/ resolve.c, local/resolve.c. + + Feature: Postfix SMTPD now insists that the smtpd recipient + restrictions contain at least one restriction that by + default rejects mail. This should make it much more difficult + to change Postfix into an open relay. File: smtpd/smtpd_check.c. + + Retraction: null-length inet_interfaces is too confusing. + +19991224 + + Bugfix: the relative symlink code in INSTALL.sh computed + the ../ prefix from the wrong pathname. + +1999122[5-7] + + Feature: "allow_untrusted_routing = no" (default) prevents + forwarding of source-routed mail from untrusted clients to + destinations that are blessed by the relay_domains parameter + (example: user@domain2@domain1 etc.). This plugs a mail + relay loophole where a backup MX host forwards junk mail + to a primary MX host which forwards the junk to the Internet. + Files: global/quote_822_local.c, smtp/quote_821_local.c, + trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, + smtp/smtpd_check.c. + + In order to make this possible, the Postfix resolver data + structure and protocol has changed, so that all resolver + clients need to be re-compiled. + + Side effect from the above change: from now on, an address + with @ in the recipient localpart no longer bounces with + "user unknown" but instead is rejected with "relay access + denied" or "source-routed relay access denied". + +19991227 + + Workaround: the BSD/OS "mkdir -p" and "cmp -s" commands + misbehave on boundary cases: directory exists or file does + not exist. Those who re-invent... + +19991229 + + Added the no source routing info requirement to addresses + accepted by the permit_mx_backup UCE restriction. + +19991230 + + Added a spawn daemon (not compiled and installed by default) + to enable LMTP delivery over UNIX-domain sockets. The goal + is to simplify the experimental LMTP delivery agent by + ripping out the privileged code that forks the LMTP server. + +20000102 + + Clarified documentation after early feedback on the 19991231 + release by Drew Derbyshire, Ollivier Robert, Khetan Gajjar. + + Sanity check: a common error is to list Postfix virtual + domains in the mydestination parameter. This causes the + new optional local_recipient_maps feature to reject mail + for virtual users. The SMTP server now explicitly tests + for this common error and logs a warning instead of refusing + the mail. File: smtpd/smtpd_check.c. + +20000104 + + Bugfix: a case sensitivity bug had slipped through in the + anti-relaying code, causing mail for USER@VIRTUAL.DOMAIN + to be rejected with "relay access denied". This was found + by Jim Maenpaa @ jmm.com. + + Questionable feature: set "smtp_skip_5xx_greeting = yes" + to make Postfix more sendmail compatible, even though this + is wrong, IMNSHO. File: smtp/smtp_connect.c. + + Portability: Ultrix patch from Simon Burge @ thistledown.com.au. + + Portability: Siemens Pyramid (dcosx) patch by Thomas D. + Knox @ vushta.com. + + Performance: FreeBSD has bidirectional pipes that are faster + than socketpairs. Anticipating on more platform-specific + optimizations, all duplex pipe plumbing is now isolated in + a duplex_pipe.c module that provides a system-independent + interface. + +20000105 + + Cleanup: the INSTALL.sh script now updates the sample files + in /etc/postfix even when main.cf exists. + +20000106 + + Bugfix: the SMTP server should consult the relocated map + for virtual destinations (Denis Shaposhnikov). Files: + smtpd/smtpd.c smtpd/smtpd_check.c. + +20000108 + + Workaround: rename() over NFS can fail with ENOENT even + when the operation succeeds (Graham Orndorff @ WebTV). This + is not news. Any non-idempotent operation can fail over + NFS when the NFS server's acknowledgment is lost and the + NFS client code retries the operation (other examples are: + create, symlink, link, unlink, mkdir, rmdir). Postfix has + workarounds for the cases where this is most likely to + cause trouble. Files: util/sane_{rename,link}.[hc]. If + you want reliable mail system, do not use NFS. + +20000115 + + Workaround: better detection of bad hardware. Added SIGBUS + to the list of signals that the master will log before + exiting. + +20000122 + + Portability: preliminary SCO5 port Christopher Wong @ + csports.com. This still needs to a workaround for "find" + not supporting "-type s" (actually, UNIX-domain sockets + have no unique representation in the file system and show + up as FIFOs). + +20000115-22 + + Bugfix: in case of a too long message header, don't extract + recipients from message headers. With the previous behavior, + Bcc information could be left in the message body, as one + person found out the hard way. Files: cleanup/cleanup.c, + cleanup/cleanup_extracted.c, global/cleanup_user.h. + +20000124 + + Whatever: RFC 1869 amends RFC 821 and specifies that code + 555 is to be used when a MAIL FROM or RCPT TO parameter is + not implemented or not recognized. Russ Allbery @stanford.edu. + This reply code is added to the list of reply codes that + cause the Postfix SMTP client to mail a transcript to the + postmaster. File: smtp/smtp_trouble.c. + +20000126 + + Emergency feature: qmgr_site_hog_factor (default: 90 percent) + limits the amount of resources that Postfix devotes to a + single destination. With less than 100, Postfix defers the + excess mail so that one site with a large backlog does not + block other deliveries. Files: qmgr/qmgr.c, qmgr/qmgr_message.c. + +20000128 + + Cleanup: the queue manager no longer replaces the nexthop + field by the recipient localpart when a destination matches + $mydestination/$inet_interfaces. The price is the introduction + of a new parameter local_destination_recipient_limit which + defaults to 1 in order to maintain backwards compatibility. + Files: qmgr/qmgr.c, qmgr/qmgr_message.c. + +20000129 + + Bugfix: extracted recipients were misfiled when a message + was moved back to the maildrop queue. But they still worked + due to a coincidence. + + Feature: bounce_recip() bounces a recipient immediately + without accessing a bounce logfile. This is necessary for + VERP bounces, for bounces by delivery agents that change + the sender address, and for bounces that for some reason + must not use temporary logfiles. Files: global/bounce.c, + bounce/bounce_recip_service.c. + +20000130 + + Bugfix: the too long header fix of 20000115-22 lost mail + with too long headers that didn't need to extract recipients + from message headers. + + Bugfix: the too long header fix of 20000115-22 lost mail + without (blank line + message body). + + Code rewrite: reorganized the cleanup daemon source code + so that the cleanup service can be called one record at a + time (see cleanup/cleanup_api.c); also got rid of the global + state variables and fixed a couple bugs that were introduced + with 20000115-22. + +20000204 + + Feature: in daemon mode, the MAIL FROM size check can be + postponed until RCPT TO so that Postfix can log sender and + recipient. Simon J Mudd. Files: smtpd/smtpd.c + + Robustness: limit the number of recipient addresses that + can be extracted from message headers. Parameter: + extract_recipient_limit (default: 10240). Files: + cleanup/cleanup_message.c, cleanup/cleanup_extracted.c. + + Cleanup: the message header reject logging now includes + sender and recipient address (if possible), so that the + logging looks more like the other reject logging. File: + cleanup/cleanup_message.c. + + Documentation: added sections on regular expression tables + to the access, canonical, virtual, transport and relocated + man pages, and write new man pages that are specific to + regular expressions: pcre_table.5 and regexp_table.5. + +20000214 + + Bugfix: postconf reported some parameters more than once + because the parameter extracting script didn't recognize + lines that differ in whitespace only. File: postconf/extract.awk. + Reported by Kenn Martin. + +20000221 + + Logging: the SMTP client now logs log host+port when it is + unable to connect to a non-MX host, just like it logs + host+port when unable to connect to an MX host. + +20000226 + + Bugfix: the SMTP server's "User unknown" test didn't notice + LDAP etc. dictionary access errors. The code now reports + a 450 status (try again instead of bounce) if the reply is + not definitive. File: smtp/smtpd_check.c. + + Robustness: the smtp-source program could stall when making + hundreds of parallel connections to a Postfix system with + only one SMTP server process. The fix is to use non-blocking + connect() calls, very carefully. File: smtpstone/smtp-source.c. + +20000303 + + Feature: with smtp_always_send_ehlo the SMTP client will + send EHLO regardless of the content of the SMTP server's + greeting. File: smtp/smtp_proto.c. + +20000304 + + Feature: DICT_FLAG_SYNC_UPDATE flag for synchronous dictionary + updates, if supported by the underlying mechanism. Files: + util/dict.h, util/dict_open.c, util/dict_db.c. + +20000307 + + Cleanup: the manual pages in Postfix configuration files + no longer contain troff formatting codes. The text is now + generated from prototype files in a new "proto" subdirectory. + Requested by Matthias Andree @ stud.uni-dortmund.de. + +20000308 + + Bugfix: the unused db and dbm "delete" routines would + clobber the per-dictionary flags when called before reading + or writing the table. Files: util/dict_dbm.c, util/dict_db.c. + Lutz Jaenicke @ aet.TU-Cottbus.DE. + + Bugfix: the SMTP server would produce a cryptic message + when a queue file write error happened before it had written + any recipients. Keith Stevenson. File: smtpd/smtpd.c. + + Robustness: the db and dbm "delete" routines didn't adjust + to dictionaries with/without one trailing null in lookup + keys and values. Did a complete rewrite of the routines. + Files: util/dict_db.c, util/dict_dbm.c. + + Feature: specify "-d key" to postalias or postmap in order + to remove one key. This still needs to be generalized to + multi-key removal (read stdin?). Files: postmap/postmap.c, + postalias/postalias.c. + + Test: added test targets for the dictionary delete operations. + Files: util/Makefile.in, util/dict_test.{c,in,ref}. + + Feature: added data offset and recipient count fields to + the first queue file record output from the cleanup daemon. + The recipient counts provides an initial estimate for a + more advanced queue manager scheduling algorithm. Files: + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. + +20000311 + + Portability: HP-UX awk can't handle bare { in regexps + (Lamont Jones. HP). File: postconf/extract.awk. + + Compatibility: sendmail now recognizes '.' as end of input. + File: sendmail/sendmail.c. + +20000313 + + Compatibility: dtcm (CDE desktop calendar manager) leaks + a file descriptor into its child process, and requires that + sendmail closes the descriptor, otherwise mail notification + will hang. These GUI programmers never figured out that + the child process must close the writing end of a pipe. + File: sendmail/sendmail.c. + +20000314 + + Feature: SASL authentication in the SMTP server and client. + Based on code contributed by Till Franke, SuSE. Specify: + "smtpd_sasl_auth_enable = yes" and "smtp_sasl_auth_enable + = yes". The "permit_sasl_authenticated" UCE restriction + gives special treatment to authenticated clients. + +20000315 + + Workaround: added -blibpath option for AIX 4.x, to close + hole in case postdrop needs to be set-gid. + +20000320 + + Portability: FreeBSD 5.x added to the list of supported + systems (Mark Huizer). + +20000323 + + Portability: INSTALL.sh looks if sendmail is in /usr/lib + rather than in /usr/sbin. + +20000326 + + Bugfix: settings in one mysql configuration file would act + as the implicit defaults for the next one, which could be + confusing. Patch by Scott Cotton. File: util/dict_mysql.c. + + Robustness: limit the number of "junk" commands that can + be issued in an SMTP session (ex.: NOOP, VRFY, ETRN, RSET). + Problem report by Michael Ju. Tokarev @ tls.msk.ru. Files: + global/mail_params.h, smtpd/smtpd.c. + +20000413 + + Portability: more MacOS X patches by Gerben Wierda. + + Bugfix: RFC 822 requires the presence of at least one + destination message header. The cleanup daemon now generates + a generic "To: undisclosed-recipients:;" message header + when no destination header is present. The header content + is specified with the undisclosed_recipients_header parameter. + Problem pointed out by Geoff Gibbs, UK-Human Genome Mapping + Project-Resource Centre. + +20000416 + + Workaround: allow <(comment)> as SMTP MAIL FROM address. + +20000417 + + The SASL authentication in the SMTP server and client works, + but only on Linux and Solaris, neither of which I wish to + run on my laptop. + +20000418 + + Added LMTP support to the smtp-source and smtp-sink utilities + so that I don't have to install Cyrus IMAP just to test + LMTP. + +20000419 + + Bugfix: removed the () from the tokenized representation + of RFC 822 comments, so that comments with \( or \) can be + unparsed correctly. Problem reported by Bodo Moeller. + +20000423 + + Bugfix: mail_copy() could prepend > or . in the middle of + long lines. Found by code inspection. + +20000427 + + New code: unescape module that translates C escape sequences + into their equivalent character values. File: util/unescape.c. + + Feature: the pipe mailer now has a way to specify the output + record delimiter (for example, eol=\r\n). This is necessary + for transports that require CRLF instead of UNIX-style LF. + +20000502 + + In order to support timeouts more conveniently, VSTREAMs + now have built into them the concept of timeout. Instead + of calling read() and write(), the low-level VSTREAM + interface now by default uses timed_read() and timed_write() + which receive a timeout parameter; vstream_ctl(stream, + VSTREAM_CTL_TIMEOUT...) sets the timeout deadline on a + stream, and vstream_ftimeout(stream) queries a stream for + timeout errors. This change simplified timeout handling + considerably. Files: util/vbuf.h, util/vstream.[hc], + global/smtp_stream.c, global/timed_ipc.c. + +20000504 + + Added application context to VSTREAMs, which is passed on + transparently to application-provided read/write routines. + vstream_ctl(stream, VSTREAM_CTL_CONTEXT...) sets the context. + Files: util/vstream.[hc]. + + Added vstream_setjmp() and vstream_longjmp() support to + make exception handling more convenient. Turn on exception + handling with vstream_ctl(stream, VSTREAM_CTL_EXCEPT...). + Files: util/vstream.[hc]. + + Cleaned up the smtp_stream module further and got rid of + the global state that limited the use of this module to + one stream per process. Files: global/smtp_stream.[hc]. + +20000505 + + Bugfix: the SMTP server now flushes unwritten output before + tarpit delays, to avoid protocol timeouts in pipelined + sessions when a client causes lots of errors. Found by + Lamont Jones, HP. File: smtpd/smtpd_chat.c. + + Finished the LMTP client, which is based on a modified + version of the SMTP client by Philippe Prindeville, Mirapoint, + Inc., later modified by Amos Gouaux, UTDallas, and then + Wietse ripped it all up again. Currently this talks LMTP + over TCP only. + + Feature: override main.cf parameters in master.cf. Specify + "-o parameter=value" after the program name. This allows + you to selectively override myhostname etc. See also the + new smtp_bind_address parameter below. + +20000506 + + Convenience: the LMTP and SMTP clients now append the local + domain to unqualified nexthop destinations. This makes it + more convenient to set up transport maps. Files: + lmtp/lmtp_addr.c, smtp/smtp_addr.c. + + Sendmail compatibility: the Postfix SMTP client now skips + servers that greet the client with a 4xx or 5xx status + code. To disable, set both smtp_skip_4xx_greeting and + smtp_skip_5xx_greeting to "no". + +20000507 + + Portability: NetBSD has migrated to /etc/mail/aliases. We + can expect to see this happen more often when systems start + shipping Sendmail 8.10. File: util/sys_defs.h + + Updated LDAP code by John Hensley, with support for + dereferencing of LDAP aliases, which have nothing to do + with Postfix aliases. + + Feature: "smtp_bind_address=x.x.x.x" specifies the source + IP address for SMTP client connections. Specify in master.cf + as "smtp -o smtp_bind_address=x.x.x.x" in order to give + different delivery agents different source addresses. + +20000510 + + Cleanup: mailbox_transport did not work with the lmtp + delivery agent. This dates back to when Postfix used empty + nexthop information to indicate that a destination was + local. File: global/deliver_pass.c. + + Bugfix: configuration parameters for one mysql dictionary + would become default settings for the next one. File: + dict_mysql.c. This patch was merged into Postfix a while + back but apparently that Postfix version was nuked when + other parts were redesigned. Update by Scott Cotton. + + Bugfix: some Postfix delivery agents would abort on addresses + of the form `stuff@.' which could be generated only locally. + Found by Patrik Rak. File: trivial-rewrite/resolve.c. + + Third-party Berkeley DB support for HP-UX by Lamont Jones. + File: makedefs. + +20000511 + + Bugfix: Postfix would incorrectly reject domain names with + adjacent - characters. File: util/valid_hostname.c. + + Bugfix: the 20000505 pipeline tarpit delay flush was wrong + and caused the client and server to get out of phase. Yuck! + +20000513 + + Feature: VSTREAMs now have the concept of last fill/flush + time, which is needed to prevent timeouts with pipelined + SMTP sessions as detailed in the next item. + + Bugfix: delayed SMTP command/reply flushing to prevent + sender delays from accumulating too much and causing timeouts + with pipelined sessions. For example, client-side delays + happen when a client does DNS lookups to replace hostname + aliases in MAIL FROM or RCPT TO commands; server-side delays + happen when an UCE restriction involves a time-consuming + DNS lookup, or when a server generates tarpit delays. + Files: lmtp/lmtp_proto.c, smtp/smtp_proto.c, smtpd/smtpd_chat.c. + + Portability: define ANAL_CAST for compilation environments + that reject explicit casts between pointers and integral + types. File: util/sys_defs.h, master/*server.c. Upon closer + investigation, this turned out to be the result of someone's + compiler configuration preferences. Therefore the change + is likely to go away after a code cleanup. + +20000514 + + Feature: mysql client support for multi-valued queries + (select email, email2 from aliastbl where username='$local') + By Loic Le Loarer @ m4x.org. File: util/dict_mysql.c. + + Finalized the delayed SMTP command/reply flushing code in + the SMTP and LMTP clients after lots of testing and review. + +20000520 + + Robustness: upon receipt of mail, map the mailer-daemon + sender address back into the magic null string. File: + cleanup/cleanup_envelope.c. + +20000524 + + Bugfix: the code for masquerade_exceptions was case sensitive. + Reported by Eduard Vopicka. File: cleanup/cleanup_masquerade.c. + +20000526 + + Feature: experimental queue manager by Patrik Rak with a + fancy pre-emptive scheduling algorithm that improves delivery + performance of mail with few recipients. This queue manager + is made available as "nqmgr". + +20000528 + + Feature: the SMTP client SASL password file can contain + entries for destination domain names (the address remote + part) not just mail server hostnames. File: smtp_sasl_glue.c. + + Feature: smtpd_sasl_local_domain parameter (default: + $myhostname) to specify the local SASL authentication realm. + File: smtpd_sasl_glue.c. + + Feature: specify "body_checks=regexp:/file/name" for a very + crude one line at a time message body content filter. This + feature uses the same filtering syntax as the header_checks + feature. File: cleanup/cleanup_message.c. See also the + conf/sample-filter.cf file. + +20000530 + + Feature: full content filtering through external software. + This uses existing interfaces for sending mail to the + external content filter and for injecting it back into + Postfix. Details in FILTER_README. Files: pickup/pickup.c, + smtpd/smtpd.c, qmgr/qmgr_message.c. + +20000531 + + More SASL feedback by Liviu Daia, regarding the use of + authentication realms. File smtpd/smtpd_sasl_glue.c. + + Added a simple shell-script based content filtering example + to the FILTER_README file. + + Content filtering support for nqmgr by Patrik Rak. File: + nqmgr/qmgr_message.c. + + Renamed "content inspection" etc. to "content filtering" + in anticipation of a new hook for content inspection that + only inspects mail without re-injecting it into Postfix. + +20000601 + + Feature: limit the size of pipe mailer deliveries with the + size=nnn command-line attribute. Patch by Andrew McNamara. + +20000603 + + Bugfix: don't try to do SASL authentication when running + in stand-alone (sendmail -bs) mode. Fix by Liviu Daia. + + Bug: the unauthorized pipelining test fails with single + recipient mail when smtpd_delay_reject = yes. + +20000617 + + Bugfix: conf/sample-ldap.cf was no longer up to date with + reality. Patch by Lamont Jones, HP. + + Bugfix: the maildir delivery routine left temporary files + lying around after unsuccessful delivery (problem reported + by Brian Laughton @ Corp.Axxent.Ca). + +20000621 + + AIX 4.x had POSIX regular expression support all the time + I was working on Postfix. Better find out late than never. + +20000623 + + Bugfix: the SMTP server did not reset the so-called junk + command counter after successful delivery (Mark Hoffman @ + wallst.com). File: smtpd/smtpd.c. + +20000625 + + Cleanup: remove Content-Length from incoming mail. The + sender has no authority over the format of mail as stored + by the receiving system. File: global/header_opts.h. + + Feature: rewrite Mail-Followup-To: as sender. Files: + global/header_opts.[hc]. + + Cleanup: rewrite Reply-To, Errors-To, Return-Receipt-To as + sender, so that address masquerading works as expected. + Files: global/header_opts.c. + + Feature: specify "require_home_directory = yes" to prevent + mail from being delivered to a user whose home directory + is not mounted. File: local/dotforward.c. + + Cleanup: the pipe deliver agent no longer appends a blank + line when the F flag (prepend From_ line) is specified. + Specify the B flag if you need that blank line. The local + delivery agent no longer appends a blank line to mail that + is delivered to external command. Files: pipe/pipe.c, + global/mail_copy.[hc]. + +20000708 + + Portability: support for NEXT/OPENSTEP requires extra + include file in util/watchdog.c (Masaki Murase). + +20000715 + + Added macros to turn on vstream/vstring/etc. format string + checking by gcc, in addition to the checking that was + already implemented with printfck. File: util/sys_defs.h, + the macros for PRINTFLIKE and SCANFLIKE. Problem - unlike + the printfck tool, gcc finds format argument type mismatches + only in code that isn't #ifdef-ed out. + +20000718 + + Robustness: make_dirs() now continues when a missing + directory is created by another process. + +20000720 + + Feature: the queue manager now logs the number of recipients + when opening a queue file (a zero recipient count is logged + with older queue files). File: global/opened.c. + +20000726 + + Robustness: added watchdog_pat() routine to keep the watchdog + quiet if a client stays connected for a lot of time. Files: + util/watchdog.[hc], smtpd/smtpd.c. + +20000729 + + Robustness: if relayhost is specified but the host does + not exist, defer mail instead of bouncing it (which would + lose the mail if the bounce would have to be delivered to + that same non-existent relayhost). Problem reported by + Chris Cooper @ maths.ox.ac.uk. File: smtp/smtp_connect.c. + +20000821 + + Feature: added -r (replace key+value) option to postalias + and postmap. + + Cleanup: smtpd now replies with 555 when the client sends + unrecognized RCPT TO parameters, as required by RFC 1869 + (problem report by Robert Norris @ its.monash.edu.au). + File: smtpd/smtpd.c. + +20000822 + + Logging: the SMTP server's SASL code logs the authentication + method along with an authentication failure. Suggested by + Ronald F. Guilmette @ monkeys.com. + + Workaround: some systems have file size resource limits + that cannot be represented with the off_t type that is used + by standard functions such as lseek(2). Problem reported + by Blaz Zupan @ amis.net. + +20000823 + + Feature: all this discussion about when to reject mail and + when not made me decide to implement a TCP-based map type + so that it becomes relatively simple to implement dynamic + access controls, for example, hold off mail from an unknown + client or sender until we have completed some investigation, + after which we will either reject or accept. + + However, this code is turned off until it is finished. + +20000905 + + Robustness: the dns client now rejects malformed domain + names rather than depending on the DNS to report that the + name does not exist. Linux returns a rather misleading + server failure code as found out by Patrik Rak. File: + dns/dns_lookup.c. + +20000911 + + Feature: added IGNORE keyword to header_checks and body_checks + to pretend that certain data does not exist. File: + cleanup/cleanup_message.c. + +20000911 + + Bugfix: the SASL code did not allow MAIL FROM... AUTH=sender + without prior authentication. The RFC allows this, although + one wonders what the reasoning behind this is. File: + smtpd/smtpd_sasl_proto.c. + +20000913 + + Bugfix: the rmail script did not handle remote UUCP systems + that send a from_ line with unqualified envelope sender. + Reported by Luciano Mannucci. + + Compatibility: don't insert Sender: header lines. Sendmail + has not done so for at least 10 years, if it ever did. + Problem reported by Brad Knowles. File: cleanup/cleanup_message.c. + +20000916 + + Bugfix: when propagating an address extension in a virtual + or canonical mapping, cleanup accesses memory that is no + longer allocated. This can happen when the result address + length is more than 100 characters. Problem reported by + Adi Prasaja @ satunet.com. File: global/mail_addr_crunch.c. + + Bugfix: fixed a misleading error message when the cleanup + server reaches the queue file size limit. Fix by Robby + Griffin @ MIT.EDU. File: cleanup/cleanup_extracted.c. + +20000917 + + Bugfix: postalias -i would complain about duplicate entries + for the Sendmail-compatible @ entry and for the NIS-compatible + YP_LAST_MODIFIED and YP_MASTER_NAME entries. + +20000918 + + Gross hack: prevent looping on a bad recipient by always + forwarding recipients in :include: files to a new mail + delivery request, even when owner-listname is not set. + File: local/recipient.c. + +20000919 + + Convenience: INSTALL.sh now imports default settings from + the process environment, in order to make scripting easier. + + Robustness: INSTALL.sh now systematically skips over CVS, + RCS and SCCS cruft. + + Portability: another fix for NEXTSTEP (Masaki MURASE). + File: util/spawn_command.h. + +20000920 + + Cleanup: in a transport table entry, do not ignore port + numbers specified as [host]:port. In fact, this is now + becoming the preferred form, in order to avoid parsing + problems with IPV6 addresses. Postfix supports both forms, + but future versions will print a warning for the old form. + Problem reported by Claus Fischer @ werhats.at + + Bugfix: missing initialization for state->sasl_method can + cause permit_sasl_authenticated to always succeed. Report + and fix by Lutz Jaenicke @ aet.TU-Cottbus.DE. + + FAQ: added notes about how to delete, copy or restore queue + files in a safe manner. + +20000921 + + File reorganization. No code change except Makefiles. All + sources are pushed down by one directory level to keep file + listings usable. Released as 20000922, so that I have a + reference to run "diff -cr against. + + Bugfix: the spawn service was installed without man pages. + + Portability: MacOSX hints and tips by Joe Block, University + of Central Florida School of Optics/CREOL + + Portability: The MacOSX gcc compiler does not understand + the new printf_like/scanf_like attributes. File: util/sys_defs.h. + +20000922 + + nqmgr update from Patrik Rak for the changed queue manager + to delivery agent protocol. + + Lame feature: syslog_facility parameter to control where + syslogd sends Postfix logging (default: syslog_facility = + mail). However, errors during command-line parsing are + still logged with the default syslog facility, as are errors + while processing the main.cf file (surprise). Based on + code by Andrew McNamara. + +20000923 + + Cleanup: new bounce logfile API so that Postfix can change + to an extensible bounce logfile format with per-recipient + sender addresses (needed for VERP and for reporting local + list delivery problems to the list owner) and other + attributes. File: global/bounce_log.[hc]. + + Cleanup: replaced the ad-hoc logfile parsing code in showq + by something that uses the generic bounce logfile API. + +20000924 + + Feature: Postfix bounced mail and delayed mail notifications + now have the standard RFC 1894 form (DSN). The bounce + service now uses the generic bounce logfile API. File: + bounce/bounce_notify_service.c, bounce/bounce_notify_util.c. + + Cleanup: deleted the per-recipient bounce protocol. Future + bounce logfiles will support per-recipient bounce addresses. + Files: global/bounce.c, bounce/bounce_recip_service. + +20000925 + + Workaround: sendmail allows MAIL FROM and RCPT TO envelope + addresses like > so we will never get + rid of them. To disallow, specify "strict_rfc821_envelopes + = yes". File: smtpd/smtpd.c. + +20000926-20001003 + + Feature: a "flush" server that keeps per-destination records + of deferred mail. It is the basis of a faster ETRN and + "sendmail -qRsite" implementation. This code was rewritten + half a dozen times. + +20000928 + + Bugfix: the stricter dns_lookup() argument checks revealed + that Postfix was doing DNS lookups for domain literals + ([ip.address]) when expanding aliases in MAIL FROM and RCPT + TO address parameters. Reported by Jim Littlefield. File: + smtp/smtp_unalias.c. + + Documentation: added text on the biff=yes/no parameter to + conf/sample-local.cf (text provided by Paul Wagland, + relational-consultancy.com. + + Robustness? Log errors from SASL library code as warnings + not as fatal errors. Files: smtp*/*glue.c. + +20001001 + + Feature: in master.cf, specify ? after wakeup time to avoid + waking up services that aren't being used. + +20001003 + + Feature: the fast flush refresh and purge time interval + parameters can now be specified in user-specified units by + providing an appropriate suffix: s (seconds), m (minutes), + h (hours), d (days), w (weeks). unit. This was needed so + that I could test the flush server code in a reasonable + way (its timeouts are normally specified in days or hours, + and I don't have that much time for testing). Other Postfix + time interval parameters will be migrated as time permits. + Files: conf/sample-flush.cf, global/mail_conf_time.c, + postconf/postconf.c. + + Unfeature: qmgr_hog_factor is now disabled by default. It + was just too confusing. If you don't know what this means, + do not worry. + +20001005 + + Cleanup: after "postfix reload" do not penalize mail that + was in the active queue, but make it ready for immediate + delivery so that ETRN etc. works as intended. Files: + *qmgr/qmgr.c, *qmgr/qmgr_active.c. + + Portability: Redhat 7 library interfaces have changed + incompatibly, which breaks existing software. File makedefs. + + Consistency: the fallback_relay parameter did not understand + the [] or host:port syntax, and there was no way to suppress + MX record lookups. Files: smtp/smtp_addr.c, smtp/smtp_connect.c. + + Convenience: you can now specify multiple SMTP destinations + in the relayhost or fallback_relay configuration parameters. + The specified destinations will be tried in the specified + order. File: smtp/smtp_connect.c. + + Many typographical corrections by Matthias Andree. + +20001024 + + Documentation: the canonical, virtual etc. manual pages + did not document the effect of leading whitespace. + +20001025 + + Bugfix: virtual map expansion stopped too early with + self-referential aliases. Reported by Michael Douglass @ + datafoundry.net. File: cleanup/cleanup_map1n.c. + +20001026 + + Horror: postmap and postalias (newaliases) silently lose + the file lock while building a lookup table with Berkeley + DB 2.x and later on Solaris, HP-UX, IRIX, and UNIXWARE. + The result is that table lookups fail while the table is + being built, so that mail is lost. In order to avoid this + misbehavior one has to use an undocumented feature that is + NOT available with the DB1.85 compatibility interface. + Therefore, Postfix now supports three Berkeley DB programming + interfaces of increasing complexity. File: util/dict_db.c. + + Bugfix: some character manipulations were not portable for + signed/unsigned characters. Files: global/quote_821_local.c, + global/quote_822_local.c. + + Workaround: apparently, some software sends SMTP mail that + begins with "From sender time-stamp". Sendmail silently + ignores such RFC violating garbage, and therefore Postfix + needs to jump another hoop. File: smtpd/smtpd.c. + +20001028 + + Bugfix: the flush server tried to access config files after + going to the chroot jail. Found by Lutz Jaenicke, TU-Cottbus.DE. + File: flush/flush.c. + + Update: revised LDAP module from primary maintainer John + Hensley, with contributions from many other people. Files: + util/dict_ldap.c, LDAP_README. + + Update: LINUX2 chroot setup script by Matthias Andree, + uni-dortmund.de. + + Feature: specify unix:/path/name for LMTP connections over + UNIX-domain sockets, and specify inet:host or inet:host:port + for IPV4. If no unix: or inet: is specified, IPV4 is assumed. + File: lmtp/lmtp_connect.c. + + Feature: added UNIX-domain support to the smtpstone test + programs in order to test the LMTP client UNIX-domain + support. + +20001030 + + Bugfix: further testing in preparation for 19991231-pl10 + revealed that the DB map code was now broken for every + platform. + +20001031 + + Performance: the slow start (gradually increase number of + parallel connections to the same site) was too gentle and + Postfix would back off too quickly. Files: qmgr/qmgr_queue.c + and nqmgr/qmgr_queue.c. + +20001101 + + FAQ update by Ralph Hildebrandt. + +20001104 + + Portability: RedHat Linux has changed incompatibly, again. + Fixed with the help of Matthias Andree. File: makedefs. + +20001109 + + Cleanup: changed prototype of internal function that did + not return a useful result. File: src/util/vstream_popen.c. + +20001110 + + Workaround: the Debian post install script passes an open + file descriptor into the master server and waits forever. + Reported by Lamont Jones. File: master/master.c. + +20001114 + + Compatibility: added sendmail -G (gateway submission) option + for compatibility with the sendmail rmail command. Requested + by David Gilbert, Velocet Communications. + +20001116 + + Documentation: added MAILER-DAEMON to the list of sample + masquerade_exceptions settings in conf/sample-rewrite.cf. + Suggested by Karl O. Pinc, pop.artic.edu. + + Performance: the slow start (gradually increase number of + parallel connections to the same site) was too gentle and + Postfix would back off too quickly. Files: qmgr/qmgr_queue.c + and nqmgr/qmgr_queue.c. Yup, changed the same code, again. + We now allow for a margin above the actual concurrency, + with the size of the initial destination concurrency. + Final solution by Patrik Rak. + + Bugfix: the recipient home directory test broke mailbox_transport + support for non-UNIX recipients. File: local/recipient.c. + +20001117 + + Robustness: additional integrity tests for the nqmgr by + Patrik Rak. File: nqmgr/qmgr_message.c. + +20001118 + + Bugfix: the new LDAP client code did not work properly if + the new ldap_domain parameter was not specified. LaMont + Jones, HP. File: util/dict_ldap.c. + + Feature: the soft_bounce safety net is extended to the SMTP + server. With "soft_bounce = yes", The SMTP server changes + all 5xx (reject) replies into 4xx (try again) replies. + + Documentation: the virtual(5) man page now documents both + Postfix-style virtual domains and Sendmail-style virtual + domains, including their interaction with local usernames, + aliases and mailing lists. Hopefully, this ends some of + the confusion surrounding virtual domain support. Updated + several FAQ entries concerning virtual domain support. + + Documentation: added FAQ entry for the biff service. + +20001119 + + Bugfix: per-destination queue names were case sensitive so + that the same site could have multiple queues. Reported + by Patrik Rak. Files: *qmgr/qmgr_message.c. + +20001120 + + Bugfix: per-destination deferred mail logfiles were case + sensitive so that the same site could have multiple deferred + mail logfiles, so that not all mail would be flushed with + ETRN. Reported by Ralph Hildebrandt. Files: flush/flush.c. + + Portability: added (int) casts to printf-like arguments + that specify the width of %*letter conversions. On some + systems, sizeof and pointer difference expressions are + wider than an int. Reported by Valentin Nechayev @ lucky.net. + +20001121: + + Compatibility: Postfix now retries delivery when an external + command is killed by a signal, because people expect such + behavior from Sendmail. File: global/pipe_command.c. + +20001123-30 + + Feature: mailbox locking is now configurable. The configuration + parameter name is "mailbox_delivery_lock". Depending on + the operating system one can specify one or more of "flock", + "fcntl" and "dotlock". Use "postconf -l" to find out what + locking methods Postfix supports. The default setting is + system dependent. All mailbox file opens are now done by + one central mbox_open() routine. This affects the operation + of the postlock command, and of local delivery to mailbox + or /file/name. Files: util/safe_open.c, util/myflock.c, + global/deliver_flock.c, global/mbox_conf.c, global/mbox_open.c. + local/mailbox.c, local/file.c, postlock/postlock.c. + + Compatibility: the old sun_mailtool_compatibility parameter + is being phased out. It still works (by turning off + flock/fcntl locks), but logs a warning as a reminder that + it will go away. + + Compatibility: when delivering to /file/name, the local + delivery agent now logs a warning when it is unable to + create a /file/name.lock file, and then delivers the mail + (older Postfix versions would silently deliver). + +20001202 + + Feature: specify "smtp_never_send_ehlo = no" to disable + ESMTP. Someone asked for this long ago. Files: smtp/smtp.c, + smtp/smtp_proto.c. + + Feature? Bugfix? The smtp client now skips server replies + that do not start with "CODE SPACE" or with "CODE HYPHEN", + and flags them as protocol errors. Older versions silently + treat "CODE TEXT" as "CODE SPACE TEXT". File: smtp/smtp_chat.c. + +20001203 + + Documentation: postmap(1) and postalias(1) did not document + the process exit status for "-q key". + +20001204 + + Bugfix: the Postfix master daemon no longer imported + MAIL_CONF and some other necessary environment parameters. + Postfix now has explicit "import_environment" and + "export_environment" configuration parameters that control + what environment parameters are shared with non-Postfix + processes. Files: util/clean_env.c, util/spawn_command.c, + util/vstream_popen.c, global/pipe_command.c, and everything + that invokes this code. + +20001208 + + Bugfix: while processing massive amounts of one-recipient + mail, qmgr could deadlock for 10 seconds while sending a + bounce message. All queue manager bounce send requests are + now implemented asynchronously. Files: global/abounce.[hc] + (asynchronous bounce client), qmgr/qmgr_active.c. Problem + reported by El Bunzo (webpower.nl) and Tiger Technologies + (tigertech.com). + +20001209 + + Feature: mailbox_transport and fallback_transport can now + have the form transport:nexthop, with suitable defaults + when either transport or nexthop are omitted, just like in + the Postfix transport map. This allows you to specify for + example, "mailbox_transport = lmtp:unix:/file/name". File: + global/deliver_pass.c. + +20001210 + + Bugfix: the local_destination_concurrency_limit paramater + no longer worked as per-user concurrency limit but instead + worked as per-domain limit, so that the limit of "2" in + the default main.cf files resulted in poor local delivery + performance. Files: qmgr/qmgr_message.c, qmgr/qmgr_deliver.c. + Problem reported by David Schweikert (ee.ethz.ch) and Dallas + Wisehaupt (cynicism.com). + +20001210 + + Feature: support for MYSQL connections over UNIX-domain + sockets by Piotr Klaban. Files: util/dict_mysql.c, + MYSQL_README. + +20001211 + + Small dirt: postconf -m produced too much output due to a + missing "else", and the optional SASL code needed a fix + for the changed name_mask API. + +20001212 + + Workaround: due to an error, record type L for "filter + transport name" was the same as that for the already existing + record type L for "record not ending in newline", causing + the pickup daemon to discard all records not ending in + newline. The code cannot be changed without breaking + compatibility with queued mail, so the pickup server is + changed to discard type L records only from the message + envelope, not from the content. File: pickup/pickup.c. + +20001213 + + Bugfix: dict_ldap did not properly initialize a handle + after connection timeout. Problem reported by Alain Thivillon. + File: util/dict_ldap.c. + +20001214 + + Feature: local_transport and default_transport now also + understand the transport[:destination] notation, so that + all transport config parameters are similar again. File: + trivial-rewrite/resolve.c, trivial-rewrite/transport.c. + + Code cleanup: mailbox_transport and fallback_transport no + longer allow the user to omit the transport part of a + transport:destination specification. That just did not make + any sense at all. The :destination part is still optional. + File: global/deliver_pass.c. + + Feature: most time-related configuration parameters take + a one-letter suffix that specifies the time unit: s + (second), m (minutes), h (hours), d (days), w (weeks). + "postconf -d" output includes the default time unit. Files: + many. + + Code cleanup: in a CONFIG_TIME_TABLE, the default time unit + is now always the last character of a default time value. + It is no longer necessary to specify the default time unit + separately. This change means that it will not be possible + to specify default values in the form of function calls, + but that was unused anyway. Files: global/mail_conf_time.c, + and user code. + +20001217 + + Bugfix: reorganized some code in the MYSQL client to end + a number of memory allocation/deallocation problems. This + code needs more work. File: dict_mysql.c. + +20001218 + + Bugfix: the MYSQL client did not provide function pointers + for unimplemented operations, causing "postmap -d" to dump + core instead if issuing an error message. This is what I + get for accepting code that I cannot test myself. + +20001221 + + Code cleanup: configuration parameters that are $name + expanded at run-time now have their own data type hierarchy + instead of being piggy-backed on top of strings that are + $name expanded at program initialization time. Files: + global/mail_conf.h, global/mail_conf_raw.c, and code that + calls it. + +20001230 + + Update: replaced the default rbl.maps.vix.com setting by + the current blackholes.mail-abuse.org. + +20010102 + + Code cleanup: the queue manager is a bit greedier with + allocating a delivery agent. Problem pointed out by Patrik + Rak. All bugs in the solution are mine. Files: + *qmgr/qmgr_active.c. + +20010105 + + Bugfix: the FILTER_README shell script example did not + correctly pass exit status to the parent. + + Bugfix: soft errors in client hostname lookups would be + treated as hard errors. Fix by Michael Herrmann + (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c. + +20010110 + + Bugfix: the mkdir() EEXIST race condition workaround was + not complete. Matthias Andree, Daniel Roesen. Files: + global/mail_queue.c, util/make_dirs.c. + +20010111 + + Portability: IRIX 6.5.10 defines sa_len as a macro, causing + a name collision with a variable used by Postfix. Roberto + Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c. + +20010116 + + Bugfix: REJECT by header/body_checks was flagged in smtpd + as a bounce, should be policy, in order to make postmaster + notifications more consistent. File: smtpd/smtpd.c. + + Merged updated chroot setup procedure by Matthias Andree. + Files: examples/chroot-setup/LINUX2. + +20010117 + + Formatting: changed the seconds and days formats in the + "your mail is delayed" text so that it does not switch to + scientific notation. File: bounce/bounce_notify_util.c. + +20010119 + + Feature: SASL support for the LMTP client. Recent CYRUS + software requires this for Postfix over TCP sockets. + +20010120 + + Bugfix: the 20001005 revised fallback_relay support caused + Postfix to send mail to the fallback even when the local + machine was an MX host for the final destination. Result: + mailer loop. Found by Laurent Wacrenier (teaser.fr). Files: + smtp/smtp_connect.c, smtp/smtp_addr.c. + +20010121 + + Workaround: specify "broken_sasl_auth_clients = yes" in + order to support old Microsoft clients that implement a + non-standard version of RFC 2554 (AUTH command). + + Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies + to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c. + +20010125 + + Code cleanup: wrote creator/destructor for dictionary + objects that provides default methods that trap all attempts + to perform an unimplemented operation. Based on an ansatz + by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc]. + + Code cleanup: INSTALL.sh does not ask questions when stdin + is not connected to a tty (as in: make install instances across line boundaries. + sed(1) is an amazing tool. File: mantools/postlink. + +20010204 + + Laid the ground work for logging of table accesses. This + will give more insight into how Postfix uses its lookup + tables. User interface comes later. File: util/dict_debug.c. + +20010216 + + Bugfix: the pipe delivery agent expanded $size as if it + were a recipient, instead of expanding it as $nexthop or + as $sender. Reported by Michael Tokarev. File: pipe/pipe.c. + +20010221 + + Bugfix: poor LMTP performance for domains that are listed + in $mydestination, because Postfix would send one recipient + at a time, with multiple deliveries of recipients of the + same message in parallel; a similar problem could exist + with virus scanning and with firewall relay hosts that + forward mail for $mydestination to an inside machine. This + behavior is now changed to depend on the transport-specific + xxx_destination_recipient_limit parameter. This also means + that you can now get qmail behavior for SMTP deliveries by + setting smtp_destination_recipient_limit=1. File: + {qmgr,nqmgr}/qmgr_message.c. + + Workaround: Solaris socketpair() can fail with EINTR. Added + a sane_socketpair.c module that joins the ranks of the + other sane_whatever workarounds. Reported by Andrew McNamara. + File: util/sane_socketpair.[hc] + +20010222 + + Documentation: the default main.cf file has a prominent + warning that mynetworks should be properly configured in + order to reject unauthorized mail relay requests from + strangers. + + Documentation: the INSTALL document, section "mandatory + configuration file edits" has a section that explains that + mynetworks should be properly configured in order to reject + unauthorized mail relay requests from strangers. + +20010223 + + Documentation: the basic.html document has a section that + explains that mynetworks should be properly configured in + order to reject unauthorized mail relay requests from + strangers. + + Feature: new "mynetworks_style" parameter that controls + how mynetworks (trusted networks) is derived from the + inet_interfaces (machine interfaces) setting. Specify + "class" for entire class A, B, C networks; "subnet" for + the local subnets only; or "host" for maximal privacy. + Files: util/inet_addr_local.[hc], global/own_inet_addr.[hc], + global/mynetworks.[hc], postconf/postconf.c. + + Portability: MACOSX patches by Gerben Wierda. + + Portability: Solaris /dev/null is a symlink, which tripped + up the code to safely open a file before local delivery. + We now grudgingly allow symlinks owned by root. File: + util/safe_open.c. + +20010224 + + Bugfix: "postconf mynetworks" ignored the inet_interfaces + setting. That was a very old one. File: postconf/postconf.c. + + INCOMPATIBLE CHANGE: POSTFIX NO LONGER RELAYS MAIL FOR + CLIENTS IN THE ENTIRE CLASS A/B/C NETWORK. POSTFIX BY + DEFAULT RELAYS MAIL FOR CLIENTS IN THE LOCAL SUBNETWORK. + Specify "mynetworks_style = class" to get the old behavior. + +20010225 + + Portability: master sigchld handler based on writing to a + pipe, so that the master wakes up from select(). Based on + code by Erik Forsberg, Linkoping University, Sweden. File: + master/master_sig.c. Disabled until after the major release. + + Code cleanup: Postfix should now run with no alias database. + + Code cleanup: local_destination_recipient_limit and + local_destination_concurrency_limit have become first-class + configuration parameters. Files: global/mail_params.h, + *qmgr/qmgr.c, postconf/postconf.c. + +20010226 + + Documentation suggestions by Lars Hecking and Richard + Huxton, Matthias Andree and many others. + + Code cleanup: some queue/transport operations need to be + moved, after the code cleanup of the recipient/concurrency + limit handling. Patrik Rak. Files: *qmgr/qmgr_message.c. + +20010301 + + Feature: configurable name in syslog output (default: + "syslog_name = postfix") so that different Postfix instances + can be recognized by their logging. File: global/mail_task.c. + +20010313 + + Workaround for logic mismatch in nqmgr that was exposed + with the introduction of the asynchronous bounce client. + Patrik Rak. + +20010313 + + Bugfix: the RFC 822 untokenizer quoted newlines inside + comments. File: global/tok822_parse.c. + +20010316 + + Cleanup: removed an extraneous warning when a queue file + write error happened. + +20010321 + + Workaround: LMTP connection caching never worked for + destinations starting with unix: or inet:. File: + lmtp/lmtp_connect.c. + +20010322 + + Portability: Solaris <2.6 does not have srandom() and + random() in libc. File: util/rand_sleep.c. It does not have + to be cryptographically strong. + + Bugfix: the fast ETRN flush server could not handle [ipaddr] + or domain names with one-character hostname part. This + fix changes the destination to logfile name mapping, so + that you need to populate the new files with "sendmail -q". + The old files go away automatically. File: flush/flush.c. + +20010327 + + Speed up mailq (sendmail -bp) display by flushing output + after each file. File: showq/showq.c. + + Portability: missing string.h includes, %p wants (void *), + Lamont Jones, HP. + +20010328 + + Bugfix: swapped logic caused cleanup to stall when the + queue file size exceeded the file size limit by less than + one the VSTREAM buffer size, so that the "file too big" + was detected after flushing the last queue file record. + File: cleanup/cleanup.c. + +20010329 + + Portability: workaround for missing prototype problem in + dict_ldap.c. This module should move to the global directory, + because it depends on Postfix main.cf parameter information. + + Workaround: after sending a trigger message over a socket, + do not immediately close the client side, but close it from + a background thread that waits until the server closes the + socket first. This avoids trouble with socket implementations + that destroy a socket when the client closes a socket before + the server has received the client's data. Files: + util/{inet,unix,stream}_trigger.c, util/events.c, + master/master_trigger.c, postkick/postkick.c. + +20010403 + + Workaround: the mysql library can return null pointers + rather than zero-length strings. File: util/dict_mysql.c. + +20010404 + + Ergonomics: log additional information about the reason + why "mail for XXX loops back to myself" when the local + machine is the best MX host. File: smtp/smtp_addr.c. + +20010406 + + Changed some noisy LDAP client warnings into optional + logging. LaMont Jones, util/dict_ldap.c. + +20010411 + + Bugfix: the SMTP server now replies with 550 instead of + 503 when it receives the DATA command without having received + a valid recipient address. This is needed for the Sendmail + client-side pipelining implementation. Problem reported by + Lutz Jaenicke. File: smtpd/smtpd.c. + + Cleanup: shut up if chattr fails on Reiserfs and other file + systems that do not support the respective attributes. + Files: conf/postfix-script-{no,}sgid. + +20010413 + + Ergonomics: Postfix applications now warn when a DB or DBM + file is out of date, and recommend to rebuild the table. + Files: util/dict_db.c, util/dict_dbm.c. + +20010414 + + Feature: specify a key of "-" to the postmap or postalias + -q or -d option, and the keys will be read from standard + input, one key per line. Files: postmap/postmap.c, + postalias/postalias.c. + + Bugfix: with a non-default inet_interfaces setting, the + master ignored host information in master.cf host:port + settings. Fix by Jun-ichiro itojun Hagino @ iijlab.net. + Files: master/master.h, master/master_ent.c. + +20010426 + + Bugfix: the SMTP server did not parse invalid MAIL FROM or + RCPT TO addresses such as > the + way it was supposed to do. I thought this was taken care + of years ago. File: smtpd/smtpd.c. + +20010427 + + Bugfix: smtpd would reject mail instead of replying with + a 4xx temporary error code when, for example, an LDAP or + mysql server was unavailable. Remotely based on a fix by + Robert Kiessling @ de.easynet.net. File: smtpd/smtpd_check.c. + +20010429 + + Feature: the Postfix SMTP client now by default randomly + shuffles destination IP addresses of equal preference. + Specify "smtp_randomize_addresses = no" to disable. + Shuffling code by Elias Levy @ SecurityFocus.com Files: + dns/dns_rr.c, smtp/smtp_addr.c. + +20010501 + + Bugfix: The SMTP server's 550 in reply to DATA should be + a 554 response. And it wasn't Sendmail. Claus Assman. + + Bugfix: the INSTALL.sh test for non-interactive upgrade + broke rooted installations that specify settings via the + environment. Simon Mudd. + + Bugfix: mailq output is now really flushed one message at + a time. File: sendmail/sendmail.c. + + Feature: "postsuper -d queueID" deletes one message queue + file; "postsuper -d -" reads zero or more queue IDs from + standard input, and deletes one instance of each file. + File: postsuper/postsuper.c. + + Code cleanup: in order to make postsuper -d safe with a + running Postfix mail system, some routines had to be made + tolerant for sudden queue file disappearances. Files: + global/deliver_request.c, *qmgr/qmgr_move.c. + + Code cleanup: in order to make postsuper -d more usable, + the showq command was extended to safely list the possibly + world-writable maildrop directory. File: showq/showq.c. + +20010504 + + Feature: postsuper -d will also delete defer and bounce + logfiles when the named queue file is found. + +20010505 + + RFC 2821 feature: an SMTP server must reset all buffers + upon receipt of EHLO. File: smtpd/smtpd_check.c. + + RFC 2821 feature: an SMTP server must accept a recipient + address of "postmaster" without domain name. File: + smtpd/smtpd_check.c. + + RFC 2821 recommendation: reply with 503 to commands sent + after 554 greeting. File: smtpd/smtpd.c. + + RFC 2821 recommendation: if VRFY is enabled, list it in + the EHLO response. File: smtpd/smtpd.c. + + RFC 2821 recommendation: SMTP clients should use EHLO. + The default setting of smtp_always_send_ehlo has changed + from 0 (send EHLO if server greets with ESMTP) to 1 (always + send EHLO). In all cases, Postfix falls back to HELO if + the server does not support EHLO. File: smtp/smtp_proto.c. + +20010507 + + Bugfix: with soft_bounce=yes, the SMTP server would log + 5xx replies even though it would send 4xx replies to the + client (Phil Howard, ipal.net). File: smtpd/smtpd_check.c. + +20010515 + + Compatibility: Microsoft sends "AUTH=MBS_BASIC LOGIN". + Updated the parsing code in smtp/smtp_proto.c. Problem + reported by Ralf Tessmann, Godot GmbH. + +20010520 + + Standard: deleted the non-standard "via" portion from + Received: headers generated by Postfix bounce or other + notification processes. File: global/post_mail.c. + + Robustness: eliminated stack-based recursion from the RFC + 822 address parser. File: global/tok822_parse.c. + + Standard: annotated the source code with comments based on + RFC 2821 and 2822. Not all the RFC changes make sense. + + RFC 2821 recommendation: treat a RCPT 552 reply as if the + server sent 452. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. + + Cleanup: moved ownership of the debug_peer parameters from + the applications to the library, so that a Postfix shared + library does not suffer from undefined references. Files: + smtp/smtp.c, lmtp/lmtp.c, smtpd/smtpd.c, global/mail_params.c. + LaMont Jones, for Debian. + +20010522 + + Feature: "postsuper -r queueID" re-queues a message, and + "postsuper -r ALL" re-queues all mail. The message is moved + to the maildrop queue so that the pickup daemon will copy + it to a new queue file, and so that address rewriting will + be done again. This is useful after changes of address + rewriting or virtual mappings. + + Feature: "postsuper -d ALL [queue-name]" deletes a bunch + of mail. + +20010523 + + Feature: "postsuper -s" (which is done by default) renames + queue files whose name (queue ID) does not match the message + file inode number. + + Bugfix: memory leak in the LDAP client module. Alain + Thivillon, France Teaser - Groupe Firstream. + +20010525 + + Portability: gcc 2.6.3 does not have __attribute__ (Clive + Jones, dgw.co.uk). File: util/sys_defs.h. + + Bugfix: the SMTP and LMTP clients claimed that a queue file + needed to be delivered again (even when all recipients were + erased from the queue file) when no QUIT or RSET reply was + received (by default, this does not happen with SMTP mail + because the SMTP client does not wait for QUIT replies and + does not send RSET to deliver mail). As a result of the + same bug the LMTP client followed a dangling pointer when + sending QUIT after process idle timeout while the LMTP + server had disconnected. Files: smtp/smtp_proto.c, + lmtp/lmtp_proto.c. + +20010526 + + newaliases no longer complains when an empty list is + specified with the alias_database configuration parameter. + File: sendmail/sendmail.c. + +20010529 + + Workaround: old PIX firewall code messes up when the final + "." at the end of DATA spans a packet boundary. + When Postfix detects PIX SMTP fixup mode, Postfix flushes + the output buffers before sending the final ".". + File: smtp/smtp_proto.c. + +20010530 + + Portability: updated code for Mac OS X, accounting for the + post-Beta changes. Code by Joe Block, UCF School of + Optics/CREOL. + +20010601 + + Safety: postdrop turns off interrupts when cleaning up + after interrupt. The additional safety does not hurt anyone. + File: src/postdrop/postdrop.c. + +20010607 + + Safety: dropped the RFC 2821 compliant code that treats + 552 RCPT TO replies as 452. It created more problems than + it solved. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. + + Logging: the SMTP server now logs a warning if RBL lookups + have problems other than "not found". file: smtpd/smtpd_check.c. + +20010610 + + Feature: address quoting and case folding flags for the + pipe(8) mailer. + +20010611 + + Workaround: some MTAs fall on their face when they receive + unexpectedly long lines. From now on, Postfix defaults to + breaking long lines at 2048 (like Sendmail so it has got + to be right). To get the old, content preserving, behavior + specify "smtp_truncate_lines = no". File: smtp/smtp_proto.c. + +20010614 + + Bugfix: did not really undo 2821 552->452 mapping. + +20010628 + + Bugfix: postfix-script used a hard-coded maildrop group + owner instead of using the install-time specified name + stored in /etc/postfix/install.cf. Problem reported by + David Terrell @ meat.net. + +20010701 + + Feature: mail_spool_directory ending in / causes maildir + style delivery. + + Bugfix: the FreeBSD kernel parameters kern.ipc.nmbclusters + and kern.ipc.maxsockets cannot be set with sysctl commands. + File: html/faq.html. Len Conrad @ Go2France.com. + + Cleanup: the virtual delivery agent was poorly integrated + so that the SMTP server and queue manager did not reject + mail for unknown users. Files: smtpd/smtpd_check.c. + +20010705 + + Feature: QMQP server, compatible with qmail and the ezmlm + list manager. Files: util/netstring.[hc], qmqpd/qmqpd*.c. + +20010706 + + Feature: QMQP stress test message generator program. Files: + smtpstone/qmqp-source.c, smtpstone/qmqp-sink.c. + +20010708 + + Bugfix: with disable_dns=yes, the SMTP client treated all + host lookup errors as permanent. File: smtp/smtp_addr.c. + +20010709 + + Feature: VERP support, based on a patch by Peng Yong, and + with the missing parts filled in so that the Postfix bounce + daemon can send one VERP bounce per undeliverable recipient. + Files: , sendmail/sendmail.c, smtpd/smtpd.c, qmgr/qmgr_deliver.c, + bounce/bounce_notify_verp.c, qmqpd/qmqpd.c, plus a couple + support routines in the global library. + + Cleanup: with recipient_delimiter=+ (or any character other + than -) Postfix will now recognize address extensions even + with owner-foo+extension addresses. This is necessary to + make VERP work for mailing lists. + +20010710 + + Bugfix: potential memory leak in the queue managers with + the new VERP delimiter record. Fix by Patrik Rak. + +20010711 + + Cleanup: you can now specify the VERP delimiter characters + on the sendmail(1) command line, but they are still optional. + + Safety: with maildir style delivery and with hashed mailboxes + the system mail spool directory must not be world writable. + +20010713 + + Safety: the verp_delimiter_filter parameter (default: -=+) + limits what characters Postfix accepts as VERP delimiter + characters. + +20010714 + + Logging: the queue manager now logs a "status=expired" + record when it returns a message that is too old. Files: + *qmgr/qmgr_active.c. + +20010719 + + Feature: stiffer coupling between mail receiving rates and + mail delivery rates, using a trivial token-based scheme, + implemented by reading and writing an in-memory pipe. The + queue manager produces one token when it retrieves mail + from the incoming queue. The cleanup daemon consumes one + token when it adds mail to the incoming queue. If no token + is available the cleanup server pauses for $in_flow_delay + seconds and proceeds anyway. The delay allows mail sending + process to catch up and access the disk while not blocking + inbound mail. Valid delays are 0..10 seconds. + +20010727 + + Bugfix: updated LDAP client module from LaMont Jones, HP. + This also introduces new LDAP query filter patterns: %u + (address localpart) and %d (domain part). Files: + conf/sample-ldap.cf, util/dict_ldap.c. + +20010729 + + Bugfix: recursive smtpd_whatever_restrictions clobbered + intermediate results when switching between sender and + recipient address restrictions. Problem found by Victor + Duchovni, morganstanley.com. In order to fix, introduced + address resolver result caching, which should also help to + speed up sender/recipient address restriction processing. + + Bugfix: the not yet announced DUNNO access table lookup + result did not prevent lookups with substrings of the same + lookup key. Found by Victor Duchovni, morganstanley.com. + +20010730 + + Robustness: trim trailing whitespace from regexp and pcre + right-hand sides, for consistency with DB/DBM tables. + Files: util/dict_pcre.c, util/dict_regexp.c. + +20010731 + + Robustness: eliminate duplicate IP addresses after expansion + of hostnames in $inet_interfaces, so that Postfix does not + suddenly refuse to start up after someone changes the DNS. + Files: util/inet_addr_list.c global/own_inet_addr.c. + + Feature: specify "disable_verp_bounces = yes" to have + Postfix send one RFC-standard, non-VERP, bounce report for + multi-recipient mail, even when VERP style delivery was + requested. + +20010801 + + Bugfix: postconf was using unexpanded values internally + for myhostname, inet_interfaces, and mynetworks_style. + This broke the "postconf -d" mynetworks computation. File: + postconf/postconf.c. + +20010803 + + Feature: masquerade_classes parameter for fine control of + address masquerading. The default setting is backwards + compatible: envelope_sender header_sender header_recipient. + Files: cleanup/whatever.c. + +20010822 + + Code cleanup: the bounce daemon complained about data that + it was not going to send back anyway. Fix: stop reading + the original message when the bounce message reaches the + bounce message size limit. File: bounce/bounce_notify_util.c. + +20010826 + + Logging: postsuper now logs the queue ID when it requeues + a message, or when it deletes a message from the mail queue. + File: postsuper/postsuper.c. + +20010830 + + Safety: the SMTP server now sends a 4xx (try again later) + response when an UCE restriction is misconfigured, instead + of ignoring the bad restriction and possibly accepting mail + that it should not accept. File: smtpd/smtpd_check.c. + +20010907 + + Workaround: the Postfix qmqp-source program produced mail + not ending in newline. qmail-qmqpd accepts such mail, but + qmail-remote is unable to deliver it. Matthias Andree, + uni-dortmund.de. File: smtpstone/qmqp-source.c. + +20010910 + + Bugfix: the smtp-sink stress test program broke when RCPT + TO commands crossed network packet boundaries. Problem + reported by Matthias Andree, uni-dortmund.de. File: + smtpstone/smtp-sink.c. + +20010917 + + Code cleanup: permit_mx_backup implements the old behavior + (accept mail if the local MTA is MX relay), and allows an + additional restriction via the permit_mx_backup_networks + parameter (accept mail only if the primary MX hosts match + the specified list of network blocks). This second restriction + is now entirely optional, for backwards compatibility. + + Bugfix: an address extension could be appended multiple + times to the result of a canonical or virtual map lookup. + File: global/mail_addr_map.c. Fix by Victor Duchovni, + Morgan Stanley. + + Bugfix: split_addr() would split an address even when there + was no data before the recipient delimiter. In combination + with the above bug, this could cause an address to grow + exponentially in size. Problem reported by Victor Duchovni, + Morgan Stanley. File: global/split_addr.c. + +20010918 + + Bugfix: the mail_addr_map() fix was almost but not quite + right. It took two clever people and several iterations of + email to really fix the mail_addr_map() problem. Thanks + to Victor Duchovni and Liviu Daia. + +20011006 + + Cleanup: Postfix no longer flushes the whole deferred queue + after an ETRN request for a random domain name (i.e. a + domain name not matched by $fast_flush_domains); the SMTP + server instead replies with "459 service unavailable". + Files: smtpd/smtpd.c, global/flush_clnt.c, flush/flush.c. + +20011008 + + Bugfix: there was a minute memory leak when an smtpd access + restriction was misconfigured. File: smtpd/smtpd_check.c. + +20011010 + + Code cleanup: Postfix daemons now print the name of the + UNIX-domain socket (instead of "unknown stream") in case + of a malformed client request. Files: master/*server.c. + +20011010-14 + + Code cleanup: replaced the ugly mail_print() and mail-scan() + protocols by (name,value) attribute lists. This gives better + error detection when we make changes to internal protocols, + and allows new attributes to be introduced without breaking + everything immediately. Files: util/attr_print.c util/attr_scan.c + global/mail_command_server.c global/mail_command_client.c + as wel as most Postfix applications and daemons. + +20011015 + + Put base 64 encoding into place on the replaced internal + protocols. Files: util/base64_code.[hc]. + + Feature: header/body REJECT rules can now provide text that + is sent to the originator. Files: cleanup/cleanup.c, + cleanup/cleanup_message.c, conf/sample-filter.cf. + +20011016 + + Bugfix: As of 20000625, Errors-To: was broken, because the + code to extract the address was not moved from recipient + address rewriting to sender address rewriting. Problem + reported by Roelof Osinga @ nisser.com. File: + cleanup/cleanup_message.c. + +20011029 + + Bugfix: virtual map expansion terminated early because the + detection of self-referential entries was flawed. File: + cleanup/cleanup_map1n.c. + +20011031 + + Bugfix: mail_date() mis-formatted negative time zone offsets + with fractional hours (-03-30 instead of -0330). Fix by + Chad House, greyfirst.ca. File: global/mail_date.c. + +20011102 + + Feature: new -f option to postmap and postalias (do not + lowercase the lookup key while creating a table). Files: + util/dict.h postmap/postmap.c postalias/postalias.c. + + Code cleanup: simplified the attribute print/scan routines, + and removed the never-used support for sending and receiving + integer arrays and string arrays. Files: util/attr_print.c, + util/attr_scan.c. + + Bugfix: qmqpd could read past the end of a string while + looking for qmail's VERP magic token in the envelope sender + address. File: qmqpd/qmqpd.c. + + Code cleanup: finished testing the new internal protocols. + The only bug was with the flush server, which still needs + to support the old (string + null byte) protocol for triggers + from the Postfix master daemon. + +20011103 + + Bugfix: Postfix would log the wrong error text when locally + submitted mail was deferred due to "soft_bounce = yes". + + Bugfix: The LDAP client dropped any entries that don't have + the result_attribute, but errored out when a DN didn't + exist. The behavior is now consistent: treat non-existant + DN's in a special result attribute expansion the same as + DN's with no attribute. LaMont Jones, HP. + +20011104 + + Bugfix: the new smtp-sink -n option (terminate after the + specified number of deliveries) wasn't optional. + + Portability: updated Mac OS X documentation and install + scripts by Gerben Wierda. + +20011105 + + Bugfix: missing terminator in new attribute-based function + call caused signal 11. File: src/cleanup/cleanup.c. + + Lame workaround for ESTALE errors with mail delivery over + NFS. Additional bandages were added to the local delivery + agent. However, Wietse maintains that Postfix offers no + guarantee for reliable delivery over NFS. + + Feature: put "warn_if_reject" before an smtpd restriction, + and that restriction logs warnings without rejecting mail. + This makes it easier to test configurations "live" without + having to lose mail. File: smtpd/smtpd_check.c. + +20011107 + + Workaround: in order to get mail past PIX firewall bugs, + the Postfix SMTP client now blocks until the socket send + buffer is empty before sending the final ".". Files: + util/sock_empty_wait.c, smtp/smtp_proto.c. Changed into + sleep(10) on 20011119. Sleep suggested by Hobbit. + +20011108 + + Feature: added string-null encoding for internal protocols. + Files: util/attr_print0.c, util/attr_scan0.c. + + Feature: configurable parent domain matching for domain + and hostname/address match lists: either .domain or the + domain name itself. Files: util/match_ops.c util/match_list.c + + Feature: added pretend-to-be-behind-PIX mode to the smtp-sink + test program, in order to stress test some PIX bug workaround + code. + +20011109 + + Workaround: Linux and Solaris systems have no reasonable + way to block until a socket drains. On these systems Postfix + simply waits for 10 seconds, in order to work around PIX + "." bugs. File: util/sock_empty_wait.c. + +20011114 + + Bugfix: reset the smtpd command transaction log between + deliveries. File: smtpd/smtpd.c. + +20011115 + + Feature: mailbox_command_maps no longer requires that every + user has an entry. If the user does not have a command + entry, the local delivery agent tries the other delivery + methods (mailbox_command, home_mailbox). File: local/mailbox.c. + + Bugfix: reset the smtpd command transaction log between + non-deliveries. File: smtpd/smtpd.c. + +20011116 + + Bugfix: consolidated all the command transaction log resets + and eliminated one missing reset (Victor Duchovni, Morgan + Stanley). File: smtpd/smtpd.c. + +20011118 + + Cleanup: replaced unnecessary match_list wrapper code by + macros. Files: global/{string,domain,namadr}_list.[hc]. + +20011119 + + Feature: configurable parent domain matching strategy for + transport map lookups. File: trivial-rewrite/transport.c. + + New parent_domain_matches_subdomains parameter. This lists + all the Postfix features where a domain name matches itself + and all its subdomains (instead of requiring ".domain.name" + for subdomain matches). Planning for future backwards + compatibility :-) File: global/match_parent_style.c. + + Workaround: simplified the PIX "." bug to always + sleep for 10 seconds. File: smtp/smtp_proto.c. + +20011120 + + Workaround: disable attribute string length restriction so + that trivial-rewrite does not refuse to rewrite broken mail + headers. Files: util/attr_scan*.c. + +20011121 + + Bugfix: missing long integer support in the new IPC protocols. + Files: util/attr_scan*.c, util/attr_print*.c. + + Portability: AIX5 (Adrian P. van Bloois), MAC OS X 10.1.1 + (Gerben Wierda). + +20011125 + + Bugfix: spurious postmaster notifications because some flag + was not reset. + + Feature: new parameter smtpd_sender_login_maps that specifies + the (SASL) login name that owns a MAIL FROM address. + Specify a regexp table in order to require a simple one-to-one + mapping. This is used in the reject_sender_login_mismatch + sender anti-spoofing feature. + + Feature: restriction reject_sender_login_mismatch refuses + a MAIL FROM address when $smtpd_sender_login_maps specifies + an owner but the client is not (SASL) logged in as the MAIL + FROM address owner, or when a client is (SASL) logged in + but the client login name does not own the MAIL FROM address + according to $smtpd_sender_login_maps. File: smtpd/smpd_check.c. + + Documentation: added some redundancy to the LMTP_README + file so people can keep track of the difference between + the Postfix LMTP client and the non-Postfix LMTP server. + +20011126 + + Feature: smtpd_noop_commands specifies a list of commands + that are treated as NOOP (no operation) commands, without + syntax check or state change. File: smtpd/smtpd.c. + + Bugfix: the "mark queue file as corrupt" code did not work + because it was never used. Files: global/mark_corrupt.c, + global/mail_copy.c, global/pipe_command.c, *qmgr/qmgr_active.c, + local/maildir.c, local/mailbox.c, local/command.c, pipe/pipe.c, + virtual/mailbox.c, virtual/maildir.c. + + Bugfix: the bounce daemon broke in the unlikely case of a + non-existing queue file. File: bounce/bounce_notify_util.c. + +20011127 + + Feature: added WARN command to header/body_checks files as + proposed by Michael Tokarev. File: cleanup/cleanup_message.c. + + Bugfix: the postdrop program was broken after the change + of Postfix internal protocols. This broke "sendmail -bs" + mail submissions with "secure" maildrop directory. Reported + by Craig Loomis, apo.nmsu.edu. File: postdrop/postdrop.c. + + Feature: a first start at fault injection for testing + unlikely error scenarios (such as corrupt queue files). + Parameter: fault_injection_code, must be left at zero for + production use. + +20011128 + + Robustness: add a file size limit to the sendmail and + postdrop submission programs to stop run-away process + accidents. This is not a defense against DOS attack. Files: + sendmail/sendmail.c, postdrop/postdrop.c. + + That resulted in a considerable amount of work to properly + propagate "file too large" conditions back to the sendmail + mail posting user interface. Took the opportunity to express + other mail submission fatal exits with the + exit status codes. Files: sendmail/sendmail.c, + postdrop/postdrop.c. + +20011129 + + Maintenance: dict_ldap.c wasn't updated after the revision + of the string matching routines. File: util/dict_ldap.c. + +20011208 + + Maintenance: LDAP module and documentation from LaMont + Jones. This version adds verbose logging for LDAP library + routines. Files: src/util/dict_ldap.[hc], LDAP_README, + conf/sample-ldap.cf + + Portability: made memory alignment restrictions configurable. + File: util/mymalloc.c. + + Bugfix? Avoid surprises with source routed destinations + and OK entries in SMTPD access maps. File: smtpd/smtpd_access.c. + + Security: "postfix check" looks for damage by well-intended + but misguided use of "chown -R postfix /var/spool/postfix". + That would make chrooted Postfix less secure than non-chrooted + Postfix. These extra tests may cause complaints with + third-party patches such as TLS that introduce their own + files into the jail. + + Feature: static map type that always returns the map name + as lookup value, regardless of lookup key value. Contributed + Jeff Miller (jeffm at ghostgun.com) + + Feature: turn off the PIX . workaround for + the first mail delivery attempt, i.e. when mail is queued + for less than $smtp_pix_workaround_threshold_time (default: + 500) seconds. New parameter $smtp_pix_workaround_delay_time + to control the delay before sending . (default: 10 + seconds) when doing the PIX . workaround. + +20011210 + + Bugfix: the 20011128 change in sendmail and postdrop did + not handle the case of message_size_limit=0. Fix by Will + Day, Georgia Tech. + +20011212 + + Compatibility: The SMTP server now accepts as + if the client sent . Reportedly, some badly written + windows software produces such garbage, and some badly + written windows anti-VIRUS software cannot handle such + garbage. File: global/smtp_stream.c. + +20011214 + + Bugfix: postmap/postalias queries ignored the -f flag. + Reported by Hamish Marson. + +20011217 + + Compatibility: Sendmail now has a -L option to set the + syslogging label. Postfix sendmail uses syslog_name instead, + and ignores the -L option. + + Security: subtle hardening of the Postfix chroot jail, + Postfix queue file permissions and access methods, in case + someone compromises the postfix account. Michael Tokarev, + who received the insights from Solar Designer, who tested + Postfix with a kernel module that is paranoid about open() + calls. Files: master/master_wakeup.c, util/fifo_trigger.c, + postfix-script. + + Convenience: issue a warning instead of aborting when the + local machine name is not in fully-qualified domain form. + This would otherwise break initial postfix installation + which needs the postconf command. File: global/mail_params.c. + +20011220 + + Added more garbage detection to postconf -e input processing. + +20011221 + + Feature: SMTPD access map lookups of null sender addresses. + If your access maps cannot store or look up null string + key values, specify "smtpd_null_access_lookup_key = <>" + and the null sender address will be looked up as <> instead. + File: smtpd/smtpd_access.c. + +20011223 + + Safety: configuration file comments no longer span multiple + lines when the next line begins with whitespace; multi-line + input is no longer terminated by a comment line, by an all + white space line, or by an empty line. Michael Tokarev made + the crucial suggestion to simplify the readline routine. + Files: util/readlline.c, postconf/postconf.c. + + Cleanup: proper detection of big number overflow in EHLO + and MAIL FROM size announcements, with input from Victor + Duchovni, Morgan Stanley. Files: global/off_cvt.c, + smtpd/smtpd.c, smtp/smtp_proto.c, util/alldig.c. + + Forward compatibility: added queue file record types for + original recipient and for generic named attributes. + + Cleanup: safe_open() now returns sensible errno values so + that the fifo_trigger() external interface is restored. + +20011225 + + Upgrade: PCRE_README now describes PCRE version 3.x. + + Cleanup: flush SMTPD command history upon receipt of EHLO, + RSET, and upon DATA completion, only if it exceeds + $smtpd_history_flush_threshold lines (default: 100). + Distant derivative of code by Michael Tokarev. File: + smtpd/smtpd.c. + +20011228 + + Bugfix: a readlline() error message showed less text than + intended. Christian von Roques. + + Cleanup: postfix now installs with group-writable maildrop + directory and with a set-gid postdrop mail submission + command. The pickup service is now unprivileged. The + world-writable maildrop directory no longer exists. + + The cleanup service is now public, in preparation for local + sendmail/postdrop mail submission that avoids the maildrop + queue directory while Postfix is up. + + Cleanup: moved the main.cf/master.cf file editing from the + postfix-script file to the INSTALL.sh file. + + Cleanup: INSTALL.sh no longer accepts "no" as the destination + of Postfix manual pages. + +20011230 + + Cleanup: the code for "mailq", "sendmail -q", and for + "sendmail -qRsite" was moved from the sendmail command to + a new set-gid postqueue command. The pickup and qmgr FIFOs + are no longer world writable. Files: sendmail/sendmail.c, + postqueue/postqueue.c. + +20020101 + + Security: new alternate_config_directories parameter that + specifies what directories a set-gid command will accept + as its configuration directory. The list must be specified + in the default main.cf file. File: global/mail_conf.c. + + Cleanup: "sendmail -qRsite" is no longer implemented by + connecting to the SMTP port. It is now implemented by + talking to the fast flush service. File: postqueue/postqueue.c. + +20020203 + + Cleanup: INSTALL.sh now records all installation information + in the main.cf file. The now obsolete install.cf file is + used only when upgrading from an older Postfix release. + + Cleanup: INSTALL.sh now takes name=value settings on the + command line, and has a new "-upgrade" command line option + to turn on non-interactive installation. + + Security: additional run-time checks to discourage sharing + of Postfix user/group ID values with other accounts. + +20020105 + + Cleanup: SMTPD access maps now return DUNNO (undetermined) + instead of OK when a recipient address contains multiple + domains (user@dom1@dom2, etcetera). Victor Duchovni, Morgan + Stanley. File: smtpd/smtpd_check.c. + +20020106 + + Bugfix: SMTPD access maps did not handle address extensions. + File: smtpd/smtpd_check.c. + +20020107 + + Bugfix: postfix-script, when creating a missing maildrop + queue directory, still referenced install.cf when setting + maildrop directory group ownership; and the postfix command + did not export the setgid_group parameter to the postfix-script + shell script. Victor Duchovni. + + Bugfix: postfix-script, when creating a missing public + queue directory, did not set group ownership of the public + directory. + +20020109 + + Cleanup: rewrote the Postfix installation procedure again. + It is now separated into 1) a primary installation script + (postfix-install) that installs files locally or that builds + a package for distribution and that stores file owner and + permission information in /etc/postfix/post-files, and 2) + a post-installation script (/etc/postfix/post-install) that + creates missing directories, that sets file/directory + ownership and permissions, and that upgrades existing + configuration files if necessary. + +20020110 + + Workaround: AIX null read() return on an empty but open + non-blocking pipe. File: master/master_flow.c. Report: + Hamish Marson. + +20020111 + + Feedback: feedback, bugfixes, and brain-dead shell workarounds + for the install scripts by Victor Duchovni and Simon Mudd. + +20020113 + + Rewrote postfix-install. The postfix-files file now controls + what is installed. Refined the semantics of many post-install + operations. post-install now auto-saves settings that + override main.cf. + +20020114 + + Bugfix: alternate_config_directories did not take comma or + whitespace as separators. File: global/mail_conf.c. Victor + Duchovni, Morgan Stanley. + + Bugfix: the rewritten postfix-install script did not chattr + +S the Postfix queue. + +20020115 + + Cleanup: added sample_directory and readme_directory + installation parameters for sample configuration files and + for README files. Files: postconf.c, postfix-install, + conf/postfix-files, conf/post-install. + + Robustness: the postfix command now exports all installation + parameter settings, and input filters the environment, so + that the startup shell scripts produce a consistent result. + Files: postconf.c. + +20020117 + + Portability: patch from LaMont Jones for compiling dict_ldap.c + with the Netscape SDK. + + Feature: added "r" (recursive chown/chgrp) flag to the + postfix-files database, for more convenient change of + Postfix queue ownership. Files: conf/postfix-files, + conf/post-install. + +20020122 + + Documentation: lots of little fixes. + + Documentation: updates for the VIRTUAL_README file by Victor + Duchovni, Morgan Stanley. + + Bugfix: postqueue -s dereferenced a null pointer when given + a numerical domain argument. LaMont Jones, HP. + + Cleanup: smtpd now logs a warning when permit_sasl_authenticated + is used while SASL authentication is disabled, instead of + simply ignoring the restriction. LaMont Jones, HP. File: + smtpd/smtpd.c. + + Safety: when postmap creates a non-existent file, the new + file inherits group/other read permissions from the source + file. Based on code by LaMont Jones, HP. File: + postmap/postmap.c. + +20020123 + + Portability: some Linux systems install libnsl.so without + libnsl.a file, causing an yp_match undefined reference + problem. File: makedefs. + +20020124 + + Portability: post-install now requests that command_directory + is given on the command line when the postconf command is + in an unusual place. + + Safety: extra code to detect and report Berkeley DB version + mismatches between compile time and run time. This test + is limited to mismatches in the major version number only. + File: util/dict_db.c. Based on code by Lawrence Greenfield, + Carnegie-Mellon university. + + Safety: the postfix command and the master daemon abort if + they are running set-uid. + + Documentation: the postmap manual page described an out of + date input file format. + +20020129 + + Workaround: SCO version 3.2 can't ioctl(FIONREAD) a pipe. + Therefore, input mail flow control is disabled by default. + Files: makedefs, global/mail_params.h, conf/main.cf. + Problem reported by Kurt Andersen, Agilent. + +20020201 + + Workaround: changed the default smtpd_null_access_lookup_key + setting to <>, because some Bezerkeloid DB implementations + can't handle null-length lookup keys. File: global/mail_params.h. + + Bugfix: backed out a null-length address panic call by + ignoring the problem, like Postfix did in the past. File: + global/resolve_local.c. + + Safety: "postfix check" will now warn if /usr/lib/sendmail + and /usr/sbin/sendmail differ, and will propose to replace + one by a symlink to the other. File: conf/postfix-script. + +20020204 + + Sanity: additional permission checks for "postfix check" + that warn for setgid_group group ownership mismatches. by + Matthias Andree, uni-dortmund.de. File: conf/postfix-script. + + Bugfix: "postfix check" used a too simplistic way to + recognize file ownership (grepping ls output). It now uses + the recently discovered "find -prune". Peter Bieringer, + Matthias Andree. File: conf/postfix-script. + +20020218 + + Workaround: log a warning and disconnect when an SMTP client + ignores our negative replies and starts sending message + content without permission. File: smtpd/smtpd.c. + +20020220 + + Bugfix: mismatch in the file being locked by dict_dbm and + the file being locked by postmap, so that locks did not + work correctly. Victor Duchovni, Morgan Stanley. + +20020222 + + Workaround: Solaris bug 4380626: strcasecmp() and strncasecmp() + produce incorrect results with 8-bit characters. For example, + non-ASCII characters could compare equal to ASCII characters, + and that could result in any number of security problems. + Files: util/strcasecmp.c, COPYRIGHT (the BSD license). + + Bugfix: off-by-one error, causing a null byte to be written + outside dynamically allocated memory in the queue manager + with addresses of exactly 100 bytes long, resulting in + SIGSEGV on systems with an "exact fit" malloc routine. + Experienced by Ralf Hildebrandt; diagnosed by Victor + Duchovni. Files: *qmgr/qmgr_message.c. This is not a + security problem. + + Bugfix: make all recipient comparisons transitive, because + Solaris qsort() causes SIGSEGV errors otherwise. Victor + Duchovni, Morgan Stanley. File: *qmgr/qmgr_message.c. + +20020302 + + Bugfix: don't strip source route (@domain...:) when the + result would be an empty address. This avoids problems when + append_at_myorigin is set to "no" (which is not supported). + Problem reported by Charles McColgan, Big Fish Communications. + File: trivial-rewrite/rewrite.c. + +20020304 + + Cleanup: postqueue should not not complain when output + fails with "broken pipe". + +20020308 + + Bugfix? reply with 550 not 552 when content is rejected. + 552 is reserved for "too much mail". + + Documentation: add note to sendmail manual page that running + "sendmail -bs" as $mail_owner enables SMTP server UCE and + access control checks. This is meant for use from inetd + etc. Matthias Andree. + +20020311 + + Bugfix: DBM maps should use different files for locking + and for change detection. Problem reported by Victor + Duchovni, Morgan Stanley. Files: util/dict.h util/dict.c + util/dict_db.c util/dict_dbm.c global/mkmap.c local/alias.c. + +20020313 + + Bugfix: mailq could show addresses with unusual characters + twice. Problem reported by Victor Duchovni, Morgan Stanley. + File: showq/showq.c. + + Bugfix: null recipients weren't properly recorded in + bounce/defer logfiles. Such recipient addresses are not + accepted in SMTP mail, but they could appear within locally + submitted mail. File: bounce/bounce_append_service.c. + +20020318 + + Workaround: Berkeley DB can't handle null key lookups, + which happen with HELO names ending in ".". Victor Duchovni, + Morgan Stanley. File: smtpd/smtpd_check.c. + + Logging: log a hint when mail is deferred because the + soft_bounce parameter is set. People sometimes forget to + turn it off. File: global/bounce.c. + +20020319 + + Cleanup: add a msg_warn() call when fork() fails in + pipe_command(), to make problems easier to investigate. + Chris Wedgwood. File: global/pipe_command.c. + +20020320 + + Feature: smtp_helo_name parameter to specify the hostname + or [ip.address] in HELO or EHLO commands. Files: smtp/smtp.c + smtp/smtp_proto.c. + +20020324 + + Cleanup: more graceful handling of long physical message + header lines upon input. Physical header lines can now + extend up to $header_size_limit characters. When a logical + message header is too long, the excess text is discarded + and Postfix no longer switches to body mode, to avoid + breaking MIME encapsulation. Based on code by Victor + Duchovni, Morgan Stanley. Files: cleanup/cleanup_out.c, + cleanup/cleanup_message.c. + + Cleanup: more graceful handling of long physical message + header or body lines upon output by the SMTP client. The + SMTP client output line length is controlled by a new + parameter smtp_line_length_limit (default: 990; specify 0 + to disable the limit). Long lines are folded by inserting + , to avoid breaking MIME encapsulation. + Based on code by Victor Duchovni, Morgan Stanley. File: + smtp/smtp_proto.c. + +20020325 + + Cleanup: allow additional text after a WARN command in a + header/body_checks pattern file, so that one can change + REJECT+text into WARN+text and vice versa. Based on code + by Fredrik Thulin, Stockholm University. + + Cleanup: log a warning when an unknown command is found in + a header/body_checks pattern file, or when additional text + is found after a command that does not expect additional + text. Based on code by Fredrik Thulin, Stockholm University. + + Bugfix: sendmail should not recognize "." as the end of + input when the current read operation started in the middle + of a line. Victor Duchovni, Morgan Stanley. File: + sendmail/sendmail.c. + +20020328 + + Portability fix for OPENSTEP and NEXTSTEP by Gerben Wierda. + File: util/sys_defs.h. + +20020329 + + Bugfix: defer_transports broke because the flush server + triggered mail delivery (as if ETRN was sent) while doing + some internal housekeeping of per-destination logfiles. + Problem experienced by LaMont Jones, HP. File: flush/flush.c. + + Bugfix: virtual mapping broke for addresses with embedded + whitespace. Fix by Victor Duchovni, Morgan Stanley. File: + cleanup/cleanup_map1n.c. + + Feature: configurable service name for the internal services: + bounce, cleanup, defer, error, flush, pickup, queue, rewrite, + showq. This allows you to specify, for example, a non-default + cleanup service (smtpd -o cleanup_service_name=alt_cleanup). + Files: global/mail_params.[hc]. + + Feature: SASL version 2 support by Jason Hoos. Files: + */*_sasl_glue.c, SASL_README, conf/sample-auth.cf. + +20020330 + + Bugfix: postqueue did not pass on non-default configuration + directory settings when running showq while the mail system + is down. The super-user is now exempted from environment + stripping in postqueue/postqueue.c. Problem reported by + Victor Duchovni, Morgan Stanley. + +20020402 + + Workaround: recognize more headers that are sent instead + of SMTP commands. File: smtpd/smtpd.c. + +20020413 + + Feature: new pipe delivery agent "D" flag to prepend a + Delivered-To: message header. This requires single recipient + deliveries. Based on code by Matthias Andree. File: + pipe/pipe.c. + +20020414 + + Portability: Postfix will no longer attempt to build with + gdbm support, because gdbm is broken. File: makedefs. + +20020415 + + Cleanup: the attribute list IPC code did not distinguish + between "disconnect" and "timeout" while reading an attribute + list, making trouble shooting more difficult than necessary. + Files: util/attr_scan0.c, util/attr_scan64.c. + + Cleanup: install parameter defaults can now be overruled + from makedefs: sendmail_path, mailq_path, newaliases_path, + command_directory, daemon_directory. Based on code by Victor + Duchovni, Morgan Stanley. File: util/sys_defs.h. + +20020411 + + Cleanup: Use more robust quoting passing makedefs/Makefile + settings. This also simplifies the seven backslashes example + in the INSTALL file. Victor Duchovni, Morgan Stanley. + Files: makedefs, INSTALL. + +20020417 + + Bugfix: the post-install script failed to upgrade master.cf + settings from private to public if the service was explicitly + configured as private. + +20020418 + + Documentation: added CPU saving patterns for quickly skipping + base 64 encoded text in message bodies. Liviu Daia. Files: + {proto,conf}/pcre_table, {proto,conf}/regexp_table, + conf/sample_{regexp,pcre}_body.cf. + +20020426 + + Bugfix: the SMTP client forgot to quote whitespace etc. + in a sender/recipient address when DNS lookup was turned + off (disable_dns_lookups = yes). Problem experienced by + Chip Paswater. Files: smtp/smtp_proto.c. + +20020501 + + Feature: wildcard lookup in transport maps (lookup key + "*"). Code developed with Lamont Jones, HP. + + Feature: a null transport:destination transport map entry + means proceed as if the transport map lookup failed. Code + developed with Lamont Jones, HP. + + Feature: more efficient use of cache memory when a process + opens multiple Berkeley DB tables; and faster performance + creating large tables by using more buffer memory. Files: + util/dict_db.[hc], global/mkmap_db.c. Victor Duchovni, + Morgan Stanley. + +20020503 + + Cleanup: postqueue silently ignored command-line arguments + following -p or -f options, instead of complaining; postqueue + produced an incorrect error message (mail system down) when + the command was installed with incorrect privileges. File: + postqueue/postqueue.c. + + Bugfix: while reporting a domain name or IP address syntax + error, postqueue could dereference a dangling pointer with + some getopt() implementations. LaMont Jones, HP. File: + postqueue/postqueue.c. + + Safety: postalias and postmap now drop root privileges + while processing a non-root input file. Thus, the result + should be writable to the source file owner. Specify the + -o option if this is a problem. Files: postmap/postmap.c, + postalias/postalias.c. + + Consistency: just like postmap, postalias now copies file + permissions from the source file when it creates a new + table for the first time. File: postalias/postalias.c. + +20020504 + + Portability: run-time test to avoid GDBM trouble. File: + util/dict_dbm.c. + +20020505 + + Cleanup: revised and simplified the transport map semantics. + Null transport or nexhop fields now mean: "do not change": + use what would be used if the transport map did not exist. + This change eliminated a lot of code. The incompatibility + is that a null transport field no longer defaults to + $default_transport, but to $local_transport or $default_transport + depending on the destination, and that a transport map only + overrides relayhost when the table specifies explicit + nexthop information. Files: trivial-rewrite/transport.c, + trivial-rewrite/resolve.c. + + Cleanup: revised the user interface for controlling the + Berkeley DB create and read buffer size controls. Files: + util/dict_db.[hc], global/mail_params.[hc], global/mkmap_db.c. + +20020507 + + Cleanup: simplified the hash/btree cache management code. + The caches are now per table instead of shared, and the + default read cache size is reduced to 128 kBytes. File: + util/dict_db.c. + +20020508 + + Bugfix: close user@domain@postfix-style.virtual.domain + source routing relaying loophole involving postfix-style + virtual domains with @virtual.domain catch-all patterns. + Problem reported by Victor Duchovni. File: smtpd/smtpd_check.c. + + Bugfix: mail_addr_map() used the "wrong" @ character in + addresses with multiple @. Victor Duchovni. File: + global/mail_addr_map.c. + + Bugfix: for address localpart quoting, now quote @ as a + special character everywhere, except when resolving addresses. + Previously, the @ was nowhere quoted as a special character, + not even in SMTP commands. Files: global/quote_82[12]_local.c + and clients. + +20020509 + + Safety: don't allow an OK access rule lookup result for + user@domain@postfix-style.virtual.domain. Suggested by + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + Bugfix: quote unquoted address localparts that need quoting. + Files: global/tok822_parse.c, global/quote_82[12]_local.c. + + Documentation: simplified the advanced content filtering + example, and included a more advanced example for those + who want to squeeze out more performance without running + multiple Postfix instances. Text by Victor Duchovni, Morgan + Stanley. File: README_FILES/FILTER_README. + +20020510 + + Feature: header/body filters now log the origin of the + message that is being rejected. Files: smtpd/smtpd.c, + qmqpd/qmqpd.c, pickup/pickup.c, cleanup/cleanup_envelope.c, + cleanup/cleanup_message.c. Requested by Craig Sanders, if + I remember correctly. + + Feature: the Postfix SMTP client now passes on MIME body + type information (8bit, 7bit) received via SMTP, via MIME + headers, or via the sendmail command line. Files: + global/deliver_request.c, smtpd/smtpd.c, sendmail/sendmail.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_message.c, + cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c, + *qmgr/qmgr_deliver.c, smtp/smtp_proto.c, lmtp/lmtp_proto.c. + +20020511 + + Feature: bounces now specify the proper MIME encoding (8bit, + 7bit), depending on the MIME body type information received + via SMTP, via MIME headers, or via the sendmail command + line. Files: global/bounce.c, global/defer.c, global/abounce.c, + bounce/bounce_service.c, bounce/bounce_notify_util.c. + +20020512 + + Cleanup: the SMTP client logged and bounced the CNAME + expanded recipient address, and thereby complicated trouble + shooting. File: smtp/smtp_proto.c. + + Bugfix: the SMTP and LMTP clients bounced the quoted + recipient address, resulting in too much quoting in bounce + reports. Files: smtp/smtp_proto.c, lmtp/lmtp_proto.c. + +20020513 + + Bugfix: the LDAP client used the "wrong" @ character in + addresses with multiple @. LaMont Jones, HP. File: + util/dict_ldap.c. + + Feature: lots of new LDAP stuff: result_filter (filter to + expand results from queries), chase_referrals, LaMont Jones, + HP. The LDAP bind timeout now works thanks to Victor + Duchovni, Morgan Stanley. File: util/dict_ldap.c. + + Cleanup: specify "resolve_dequoted_address = no" to prevent + Postfix from looking inside quotes for extra @ etc. characters + when resolving an address. This behavior is technically + more correct, but it opens a mail relay loophole with "user + @domain"@domain when relaying mail to a Sendmail system. + +20020514 + + Bugfix: the new code for header address quoting sometimes + did not null terminate strings so that arbitrary garbage + could appear at the end of message headers. Reported by + Ralf Hildebrandt. File: global/tok822_parse.c. + + Safety: user@domain@domain is no longer accepted by the + permit_mx_backup uce restriction (unless Postfix is configured + with "resolve_dequoted_address = no"). Victor Duchovni, + Morgan Stanley. File: smtpd/smtpd_check.c. + +20020515 + + Workaround: flush the SMTP client output buffer when no + output has happened for 10+ seconds. This prevents the + socket from timing out, in case DNS CNAME expansion is + slow. Problem experienced by Alex Erdelyi, peregrine.com. + File: smtp/smtp_chat.c. We did the same thing for the SMTP + server years ago, and one wonders why the coin didn't drop + at the time that the SMTP client could suffer from a similar + problem. + +20020516 + + Updated the FILTER_README file to turn off DNS lookups in + the SMTP client that feeds mail into a content filter. + +20020517 + + Cleanup: Mailbox-Line: message header labels should be + X-Mailbox-Line: labels. Files: smtpd/smtpd.c, qmqpd/qmqpd.c. + +20020515-21 + + Feature: new MIME parser, written from scratch, that + recognizes the structure of MIME encapsulated mail. Influenced + by comments from Victor Duchovni. This code can detect but + will not decode obscure MIME formats or obscure character + string encoding that Liviu Daia expresses concern about. + + MIME header scanning now happens in header_checks, and is + faster than body_checks could ever be. This also eliminates + the problem with multi-line MIME headers being matched one + line at a time. Files: global/mime_state.[hc], + cleanup/cleanup_message.c. + +20020521-22 + + Feature: 8-bit to quoted-printable conversion. First use + in the Postfix SMTP client. File: smtp/smtp_proto.c. + + Logging: the Postfix SMTP and LMTP clients now report the + the protocol stage when they report a server reply. File: + smtp/smtp_proto.c, lmtp/lmtp_proto.c. + + Bugfix: the SMTP server warned about ignored client attributes + (these were introduced 20020510) in mail that was submitted + with "sendmail -bs". File: smtpd/smtpd.c. + +20020525 + + Feature: separation of header checks into header_checks + (all primary headers except MIME related headers), + mime_header_checks (all MIME headers including MIME headers + at the start of messages) and nested_header_checks (headers + of attached messages, except MIME related headers). + + Cleanup: broke out the header value parser from the MIME + processor so that the code can be reused elsewhere. File: + global/header_token.c. + + Compatibility: Postfix now recognizes "name :" as a valid + message header, but normalizes it to "name:" form or else + lots of things would break all over the place. Files: + global/is_header.c, global/mime_state.c. + +20020526 + + Bugfix: the SMTP server now disallows RCPT TO:<"">, just + like it disallows RCPT TO:<>. File: smtpd/smtpd.c. + + Feature: disable_mime_input_processing=yes/no controls + whether Postfix recognizes (and optionally enforces) MIME + formats while receiving mail. Default is NO. + + Feature: disable_mime_output_conversion=yes/no controls + whether Postfix will convert 8BITMIME to 7BIT mail when + delivering mail to an SMTP server that does not announce + 8BITMIME support. Default is NO. + + Feature: strict_8bitmime=yes/no controls whether Postfix + rejects 8-bit characters in headers and 7-bit body parts. + This blocks mail from poorly written software, including + majordomo approval requests that contain a valid 8BITMIME + email message, as well as mail that is piped into ancient + /bin/mail implementations that do not MIME format 8-bit + content. Default is NO. + + Feature: strict_mime_encoding_domain=yes/no controls whether + Postfix rejects illegal content transfer encodings for + multipart/* and message/*. This blocks mail from poorly + written software. Default is NO. + +20020527 + + Feature: "FILTER transport:nexthop" in header/body checks. + After the message is queued, the message is sent through + a content filter. This requires different cleanup servers + before and after the filter, with header/body checks turned + off in the second cleanup server. + +20020528 + + Feature: strict_7bit_headers and strict_8bitmime_body are + now separately available. To to turn on both, use + strict_8bitmime. + + Cleanup: abandon the use of isspace(3) in the parsing of + RFC822 message headers. Files: global/lex_822.h and lots + of little places. + + Documentation: replace domain.name by domain.tld in the + example config files. The domain exists. They were getting + mail from poorly configured Postfix boxes. + + Bugfix: The Postfix sendmail command did not export the + MAIL_CONFIG environment setting to the postdrop command. + File: global/mail_config.h. + + Incompatibility: by default, turn on the PCRE_DOTALL flag, + so that PCRE patterns will match multi-line message headers + without causing pain. Suggested by Michael Tokarev. Also + documented all those darned undocumented PCRE flags in the + pcre_table(5) manual page. Files: util/dict_pcre.c, + proto/pcre_table. + +20020529 + + Bugfix: mail rejected due to MIME errors was rejected + without proper logging. Files: global/mime_state.c, + cleanup/cleanup_message.c. + +20020531 + + Bugfix: the SMTP client code that prepends '.' to lines + starting with '.' had to be moved from its old place to + after the MIME output conversion. Problem found by Mark + Martinec. File: smtp/smtp_proto.c. + +20020601 + + Bugfix: the deliver_pass() routine needed updating for the + extra MIME encoding attribute that was introduced 20020510. + Patch by Sebastian Schaffert @ wastl.net. File: + global/deliver_pass.c. + +20020604 + + Workaround: Solaris non-blocking read() can fail on a socket + with unread data according to ioctl FIONREAD. Incredible. + Diagnosis by Max Pashkov. File: smtp/smtp-sink.c. + + Weird feature: sender-based routing. This will become more + useful once per-address transport map entries are done. + File: src/*qmgr/qmgr_message.c. + +20020605 + + Safety: header_address_token_limit limits the amount of + memory and CPU that we're willing to spend while parsing + addresses in message headers. The limit is expressed as a + number of tokens. File: global/tok822_parse.c + +20020608 + + Feature: user@domain transport map lookup, based on code + by Scott Cotton, from several years ago. Adding this code + now was much less painful than it was in the past. Files: + global/strip_addr.c, trivial-rewrite/transport.c. + +20020610 + + Cleanup: making user@domain transport map lookups work with + sender-based routing was a bit tricky, because the null + address must be handled sensibly. Files: global/resolve_clnt.c, + trivial-rewrite/resolve.c. It ain't perfect yet, but close. + +20020613 + + Bugfix: postsuper -r was broken as of 20020510. The cleanup + daemon would discard mail with MIME type information. Moved + a bunch of sanity checks from the cleanup daemon to the + pickup daemon, so the checks are in one place. Problem + experienced by Pavol Luptak. Files: pickup/pickup.c, + cleanup/cleanup_extracted.c. + +20020705 + + Safety: log a warning when a domain is listed in mydestination + and (virtual_maps or virtual_mailbox_maps). This configuration + error causes the Postfix SMTP server to reject recipients + when the local_recipient_maps feature is enabled. File: + smtpd/smtpd_check.c. + +200207011 + + Portability: in the master daemon, the default now is to + enable the signal handler code that writes a byte into a + pipe, instead of the signal handler code that sets a global + flag and hopes that select() will somehow wake up. File: + master/master_sig.c. This is needed for some IRIX and + UnixWare versions, but it should also produce a robust + result on all other supported systems. + + Performance: the default SMTP connection establishment + timeout is now 30 seconds, instead of the system default + which can be atrociously large. + +20020712 + + When DNS lookup fails while delivering mail, report not + only the domain name but also the DNS record type. This + should clue in people who ask why Postfix can't find a + domain while nslookup can. File: dns/dns_lookup.c. + +20020713 + + Bugfix: undo change made at 20020610 that causes the trivial + resolver client to loop when an address consists entirely + of @ and . characters. File: trivial-rewrite/resolve.c. + + Cleanup: Postfix no longer strips multiple '.' at the end + of a domain name. One '.' is silently tolerated. Files: + trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, + global/resolve_local.c. This policy is too distributed. + +20020715 + + Feature: @domain.tld catch-all map entries for the virtual + mail delivery agent. Files: global/virtual8_maps_find.c, + virtual/mailbox.c, smtpd/smtpd_check.c. + + Feature: the virtual mail delivery agent now accepts address + extensions (user+foo@domain.tld), ignores them when looking + up users in its tables, but displays them in Delivered-To: + message headers. File: global/virtual8_maps_find.c. + +20020716 + + Feature: domain names in a masquerade_domains list can now + be prefixed with !, in order to disable masquerading for + that domain name and for its subdomains. File: + cleanup/cleanup_masquerade.c. + +20020717 + + Bugfix: Mac OS X niscript (Netinfo) update by Gerben Wierda. + File: auxiliary/MacOSX/niscript. + + Feature: The SMTP server reject_unknown_whatever restrictions + now also attempt to look up AAAA (IPV6 address) records. + Jun-ichiro itojun Hagino, IIJ labs. Files: smtpd/smtpd_check.c, + dns/dns_lookup.c. + +20020718 + + Bugfix: unnecessary lookups for extended addresses by the + virtual8_maps_find() routine. Victor Duchovni. His patch + did not work, nor did my own, but the present version should + be OK. File: global/virtual8_maps_find.c. + +20020719 + + Workaround: log a warning when an SMTP client name->address + lookup results in a numeric IP address, and set the client + hostname to "unknown". Some gethostbyname() implementations + will actually accept such garbage and thereby allow sites + to defeat the "reject_unknown_client" restriction. Problem + reported by Wolfgang Rupprecht, fix based on analysis (but + not code) by Victor Duchovni. + + Bugfix: memory leaks in the LDAP client by Victor Duchovni. + File: util/dict_ldap.c. + + Bugfix: garbage in verbose "flush" server logging. Victor + Duchovni. File: flush/flush.c. + +20020723 + + Incompatibility: smtpd_sasl_local_domain now defaults to + the null string. File: smtpd/smtpd.c, smtpd/smtpd_sasl_glue.c. + +20020726 + + Documentation: added GDB debugging instructions for sites + that do not have X installed on the Postfix machine. Henrik + Larsson, spambox.dk. + +20020729 + + Weird: installed RedHat 3.03 inside VMware, and no change + was needed to build Postfix, except to recognize the Linux + version. + + Bugfix: some mailers will announce ESMTP features in their + HELO (not EHLO) response. Postfix did not ignore them. + File: smtp/smtp_proto.c. + +20020731 + + Cleanup: permit_naked_ip_address is unsafe (especially when + used with smtpd_recipient_restrictions) and will go away. + Postfix now logs a warning. File: smtpd/smtpd_check.c. + +20020801 + + Cleanup: the warning message for matched header/body content + was misleading. File: cleanup/cleanup_message.c. + + Safety: moved the "postsuper -r ALL" operation after the + "postsuper -s" check that makes queue file names match + inode numbers. This avoids loss of mail in the unlikely + case that someone runs "postsuper -sr ALL" on a queue that + was copied from another place. + + Feature: "postsuper -h" to put mail "on hold" and "postsuper + -H" to release mail that was placed "on hold". This involves + a new queue, which is appropriately named "hold". Files: + postsuper/postsuper.c, showq/showq.c. + +20020803 + + Feature: when a Delivered-To: mail delivery loop is detected, + send the bounce to the mailing list owner. This required + changes to the local delivery agent, a new bounce client + stub, and a new bounce server stub and support routines + for one recipient bouncing. Files: local/recipient.c, + global/bounce_log.c, global/bounce.c, bounce/bounce.c, + bounce/bounce_notify_util.c, bounce/bounce_one_service.c. + +20020809 + + Bugfix: the 20020531 bugfix could prepend '.' to lines when + it shouldn't (but only when converting 8-bit mail to 7-bit). + Problem experienced by Ralf Hildebrandt. File: + smtp/smtp_proto.c. + + Bugfix: smtpd_sender_login_maps did not do the @domain etc. + wild-card lookups that were promised. Problem experienced + by Sven Michels. File: smtpd/smtpd_check.c. + +20020810 + + Feature: new smtp-sink command-line options to specify the + SMTP hostname, to disable ESMTP protocol support, to disable + 8BITMIME support, and to syslog selected commands. File: + smtpstone/smtp-sink.c. + +20020814 + + Feature: the queue manager now warns when mail for some + destination is piling up in the active queue, and suggests + a variety of remedies. The qmgr_clog_warn_time parameter + controls the time between warnings, mainly so that I could + test the code. To disable these warnings, specify + "qmgr_clog_warn_time = 0". Files: *qmgr/qmgr_entry.c. + +20020815 + + Paranoia: truncate the DNS response length result value in + case it is larger than the result buffer length (the resolver + documentation is vague about this). File: dns/dns_lookup.c. + +20020816 + + Cleanup: "postqueue -f" now also triggers delivery of mail + in the maildrop directory. This is needed when the master + does not frequently wake up the pickup service. Files: + global/mail_flush.c, postqueue/postqueue.c. + +20020818 + + Cleanup: the qmgr_site_hog_factor feature is gone (defer + mail if a site uses up too much space in the active queue). + Instead, the qmgr_clog_warn_time feature provides better + solutions. File: qmgr/qmgr_message.c. + +20020819 + + Feature: new header/body_checks HOLD pattern that causes + mail to be placed on the "hold" queue for manual inspection. + Files: global/hold_message.[hc], cleanup/cleanup_message.c. + +20020820 + + Bugfix: yesterday's HOLD pattern code did not update the + cleanup server's idea of the queue file name for error + recovery and for error reporting purposes, so that incomplete + or content rejected mail would not be deleted from the + queue, and so that the bouncer would not find the queue + file. + + Bugfix: the #ifdef that detects too old LDAP libraries was + in the wrong place. Victor Duchovni. File: util/dict_ldap.c. + + Feature: new header/body_checks DISCARD pattern that causes + mail to be silently discarded. Files: global/cleanup_user.h, + cleanup/cleanup_message.c, cleanup/cleanup_api.c. + + Bugfix: the local delivery agent's mailbox duplicate delivery + eliminator was not updated in the days that address extensions + were added to Postfix. The other local duplicate eliminators + probably need revision as well. File: local/mailbox.c. + +20020821 + + Feature: HOLD and DISCARD actions in SMTPD access tables. + These requests are propagated to the cleanup daemon. Files: + cleanup/cleanup_envelope.c smtpd/smtpd_check.c. + + Cleanup: eliminate unnecessary references to the obsolete + program_directory configuration parameter (but keep the + parameter so as to not break existing installations). + Matthias Andree, many little changes in documentation. + +20020822 + + Bit Rot: OpenLDAP incompatible change with URL parsing. + Patches by Will Day, Georgia Tech, and Carsten Hoeger, + SUSE. File: util/dict_ldap.c. + +20020823 + + Bugfix: added a missing memset() call to wipe the lookup + key in dict_db_delete(). This is needed by some Berkeley + DB implementations. Patch by Katsu Yamamoto, Fujitsu. + + Bugfix: when permit_mx_backup is unable to make a decision + due to DNS problems, set the "defer if reject" flag so that + other restrictions will not cause mail to be rejected. + File: smtpd/smtpd_check.c. + + Feature: instead of giving up immediately after DNS failure, + turn on the "defer_if_permit" flag when reject_unknown_hostname, + reject_unknown_sender_domain or reject_unknown_recipient_domain + are unable to make a decision, and see if any subsequent + restrictions would still cause the mail to be rejected. + File: smtpd/smtpd_check.c. + + Feature: "FILTER transport:nexthop" is now also available + in SMTPD access tables. + +20020826 + + Workaround: HP-UX 11 accept() fails with ENOBUFS when the + client disconnects early. File: sane_accept.c. + +20020901 + + Cleanup: postfix-install no longer installs all the manual + pages under $POSTFIXSOURCE/man, so we can generate manual + pages for smtp-sink etc. File: man/Makefile.in. + +20020903 + + Bugfix: the rmail script should have been updated when + Postfix sendmail was changed to recognize `.' as the end + of input. Problem fix by Christian Kratzer, cksoft.de. + File: auxiliary/rmail/rmail. + + Feature: specify "maximal_queue_lifetime = 0" for mail that + should be returned immediately after the first unsuccessful + delivery attempt. Files: qmgr/qmgr.c, nqmgr/nqmgr.c. + +20020904 + + Bugfix: qmail compatibility: qmqpd should support any + character at the end of the VERP prefix in prefix@host-@[]. + Based on a patch by LaMont Jones, HP. + +20020905 + + Feature: "smtpd_data_restrictions = reject_unauth_pipelining" + blocks mail from SMTP clients that send message content + before Postfix has replied to the DATA command. File: + smtpd/smtpd.c, smtpd/smtpd_check.c. + + Bugfix: the LDAP client dumped core in verbose mode. + Reported by Will Day and others. File: util/dict_ldap.c. + +20020906 + + Cleanup: dict_regexp module speedups by avoiding unnecessary + substring overhead while matching strings. Based on a + suggestion by Liviu Daia. This involved major rewriting of + the regexp map code. File: util/dict_regexp.c. + +20020907 + + Feature: IF..ENDIF support based on code by Bert Driehuis. + This involved a further rewrite of the regexp map code. + File: util/dict_regexp.c. + +200209010 + + Bugfix: the SMTP client produced suprious warnings about + trouble with fallback_relay hosts. File: smtp/smtp_connect.c. + + Robustness: don't wait with detecting broken SMTP connections + until reading input. Leandro Santi. File: smtpd/smtpd_chat.c. + +200209011 + + Workaround: IRIX 6 can't do ioctl FIONREAD on pipes. This + breaks the in_flow_delay feature. File: util/sys_defs.h. + +20020912 + + Bugfix: canonical/virtual mapping core dump with a null + right-hand side address. Report by Jussi Silvennoinen. + File: global/mail-addr_crunch.c. + + Feature: IF..ENDIF support based on code by Bert Driehuis. + This involved a rewrite of the pcre map code similar to + the regexp map code. File: util/dict_pcre.c. + +20020917 + + Feature: on Linux, support for PCRE lookup tables is now + compiled in if the PCRE library code is found under + /usr/include and /usr/lib. File: makedefs. + +20020918 + + Documentation: postsuper(1) did not document the -c option. + + Bugfix: possible longjump() before setjmp(). File: + smtpd/smtpd.c. + + Bugfix: pickup should not preserve INSPECT or FILTER records + from "postsuper -r". File: pickup/pickup.c. + +20020919 + + Feature: "reject_rbl " for client address blacklisting + by LaMont Jones, including $name expansion for per-domain + customized response messages. The obsolete reject_maps_rbl + is now a wrapper that uses the new code. + +20020921 + + Internal: added caching and factored out common code that + will be used for both reject_rbl and for the upcoming + reject_rhsbl restriction. + +20020922 + + Feature: "reject_rhsbl " for sender domain + blacklisting. Provides the same per-domain customized + response message mechanisms with $name expansion as + reject_rbl. + + Safety: the smtpd_expansion_filter parameter controls what + characters are allowed in the expansion of $name macros in + template RBL responses. + + Cleanup. In order to make sensible warnings possible when + expanding a non-existent $name in RBL reply templates, + mac_expand() had to be changed so that an empty string + result (i.e. the name does exist) will no longer cause + ${name?text} to succeed. File: util/mac_expand.c. + +20020923 + + Cleanup. Renamed the RBL features according to a scheme + that was suggested by Liviu Daia in October 2001. The names + are reject_rbl_client and reject_rhsbl_sender, respectively. + Added domain name based reject_rhsbl_client and + reject_rhsbl_recipient restrictions for completeness. The + reject_rbl restriction name is still recognized for + compatibility with systems maintained by LaMont Jones. + +20020924 + + Bugfix: reject_rhsbl_ was broken when was + unavailable, causing the restrictions parser to get out if + sync. Spotted by Ralf Hildebrandt. File: smtpd/smtpd_check.c. + +20020928 + + Bugfix: missing %s in the 20020923 RBL code. This was not + exploitable because Postfix implements only a safe subset + of all printf format operators and because memory for the + result is dynamically allocated. Victor Duchovni. File: + smtpd/smtpd_check.c. + +20020929 + + Updated MacOSX support scripts from Gerben Wierda. Files: + auxiliary/MacOSX/*. + +20021009 + + Bugfix: SIZE errors should be reported at MAIL FROM time, + and should not be postponed (with smtpd_delay_reject = yes) + until RCPT TO time. Reported by Jeroen Scheerder, Utrecht + University. Files: smtpd/smtpd.c smtpd/smtpd_check.c. + +20021013 + + When Postfix development started, Linux mail delivery + software such as procmail did not use kernel locks, and + Postfix picked one that seemed plausible, namely, flock(). + In the mean time, Linux mail delivery software seems to + have standardized on fcntl() locks. File: util/sys_defs.h. + + Feature: body_checks_size_limit parameter to specify how + much of a message body segment (or attachment, if you prefer + to use that term) is subjected to body_checks inspection. + Default limit: 50 kbytes. Files: global/mime_state.c, + cleanup/cleanup_message.c. + +20021015 + + Bugfix: the code for missing postmaster/mailer-daemon + aliases had to be moved after the code that implements the + luser_relay feature. Files: local/alias.c, local/unknown.c. + + Weird? The LMTP client lowercased the MAIL FROM and RCPT + TO addresses. Some remnant of code that someone put in + there long ago. File: lmtp/lmtp_proto.c. + +20021024 + + Feature: proxy_interfaces parameter. Specify your NAT or + other proxy addresses here to avoid mail delivery loops. + Files: global/mail_params.[hc] global/own_inet_addr.[hc] + global/resolve_local.c smtp/smtp_addr.c smtpd/smtpd_check.c. + + Paranoia: defend against a very unlikely false alarm in + safe_open(). + +20021025 + + Feature: X-Original-To: message headers with the raw original + envelope recipient. + + Logging: status=sent/deferred/bounced/ logging now includes + the original recipient address if it differs from the final + address. + +20021026 + + Logging: SMTP UCE reject/warn/hold/discard logging now + includes queue ID. This will break some logfile analyzers. + + Logging: SMTP UCE reject/warn/hold/discard logging now + includes the protocol name and, if available, the hostname + given in the SMTP HELO or EHLO command. + + Logging: header/body_checks reject/warn/hold/discard logging + now includes the protocol name and, if available, the + hostname given in the SMTP HELO or EHLO command. + +20021028 + + Bugfix: don't reset state after rejected EHLO. Reset state + after HELO. Reported by Karthikeyan Bhargavan, upenn.edu. + Files: smtpd/smtpd.c. + +20021029 + + Bugfix: local(8) did not prepend an X-Original-To: message + header while delivering to command, and local(8) did not + document the X-Original-To: message header. + + Workaround: DJBDNS produces a bogus A record when given a + numerical hostname. File: dns/dns_lookup.c. + +20021030 + + Portability: support for Berkeley DB version 4.0 but not + for Berkeley DB version 4.1 (yes, the API is different). + Postfix is now going to be paranoid about the minor version + number, too. File: util/dict_db.c. + + Documentation: updated LMTP_README file by Amos Gouaux. + +20021031 + + Bugfix: (bug introduced 20021026) log NOQUEUE when rejecting + ETRN, instead of trying to log a non-existent queue ID. + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + Cleanup: allow optional text after commands in SMTPD access + maps. Based on initial effort by Victor Duchovni, Morgan + Stanley. File: smtpd/smtpd_check.c. + + Portability: support for Berkeley DB version 4.1. This + version refuses to open zero-length files. This complicates + lock management and requires extra code to remove broken + files. Files: util/dict_db.c, global/mkmap*.[hc]. + +20021101 + + Bugfix: don't complain about out-of-order original recipient + records for finished recipients. Files: *qmgr/qmgr_message.c, + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. + + Cleanup: further simplified the mkmap wrapper (used by + postmap and postalias only) to remove some hurdles for + Michael Tokarev's CDB support. Files: global/mkmap*.[hc]. + +20021105 + + Postalias now produces YP_LAST_MODIFIED and YP_MASTER_NAME + records only when NIS support is compiled in. File: + postalias.c. + +20021106 + + Postalias now puts $myhostname in the YP_MASTER_NAME record, + instead of the possibly bogus gethostname() result. File: + postalias.c. + + The PCRE map code did not reject non-numeric replacement + indices in replacement text, and silently treated $text as + $0. Found by Michael Tokarev. File: dict_pcre.c. + +20021108 + + Cleanup: the behavior of the SMTP server's defer_if_permit + flag was changed, in order to maximize the opportunity to + permanently reject mail without opening opportunities for + losing legitimate mail. This was done in cooperation with + Victor Duchovni, Morgan Stanley. File: smtpd/smtpd_check.c. + + The defer_if_permit flag is still set when an UCE reject + restriction fails due to a temporary (e.g., DNS) problem, + to prevent unwanted mail from slipping through. However, + the flag is no longer tested at the end of client, helo or + sender restrictions. Instead, the flag is now tested at + the end of the ETRN and recipient restrictions only. + + The behavior of the warn_if_reject restriction has changed. + It no longer activates any already made defer_if_permit or + defer_if_reject decisions (the defer_if_reject flag is set + when some UCE permit restriction fails due to a temporary + (DNS) problem, to avoid loss of legitimate mail). + + Bugfix: instead of setting the defer_if_permit flag, a + failing reject restriction after warn_if_reject now merely + logs that it would have caused mail to be deferred. + + A failing permit restriction after warn_if_reject still + raises the defer_if_reject flag, to avoid loss of legitimate + mail. + +20021109 + + Bugfix: a misguided change to the .forward macro expansion + filter broke .forward file lookup. + + Bugfix: missing defer_if_permit test in smtpd_data_restrictions. + Victor Duchovni. File: smtpd/smtpd_check.c. + +20021112 + + Robustness: increase the mime_nesting_limit from 20 to 100, + so that bounces can't loop. Each bounces increases the MIME + nesting level by one. Ralf Hildebrandt and Victor Duchovni. + +20021113 + + Robustness: reinstated SMTP client command flushing to + avoid pipeline stalls. File: smtp/smtp_chat.c. + +20021114 + + Robustness: distinguish between timeout and "lost connection" + when the SMTP server is unable to send a reply to the remote + client. File: smtpd/smtpd_chat.c. + +20021115 + + Bugfix: initialization error with "*" transport table + lookup, reported by LaMont Jones. The transport map lookup + code had grown into a monster and needed to be replaced. + trivial-rewrite/transport.c. + +20021115 + + Start implementing recipient verification. For now this is + done by adding trace flags to queue files. In case of a + verification request, a delivery agent does not deliver, + deliver, it just records what would happen. + + This required instrumenting the bounce/defer/sent logging + routines to send their data to the right place depending + on the type of delivery request. + +20021116 + + New trace service. This is used for reporting if a recipient + is deliverable (sendmail -bv) and for producing a record + of delivery attempts (sendmail -v). The report is sent via + email, using the bounce daemon. Files: global/trace.[hc]. + + This required replacing the bounce/defer logfile format by + an extensible name=value format. Files: global/bounce_log.c, + bounce/bounce_append_service.c. + +20021117 + + New address verification service with simple expiration + and refresh policy. Storage can be in-core or in permanent + table. The daemon is appropriately called "verify". Files: + global/verify_clnt.[hc], verify/verify.c. + +20021118 + + Cleaning up the code for tracing and verification. Files: + global/{log_adhoc,bounce,defer,trace,verify}.[hc]. + +20021119 + + New address_verification_negative_cache = yes/no parameter + controls whether Postfix stores the result of negatieve + address verification probes. This reduces cache pollution + but causes Postfix to send a probe for each address + verification service query. File: verify/verify.c. + + Added optimistic caching to the verify daemon, so that one + failed probe will not clobber a known to be good address. + As long as some probes succeeed, a good address will stay + cached as OK. + + Cleaning up of the bounce daemon's code for bounce, delayed + mail warning and trace notification. Files: bounce/*.[hc], + global/bounce_log.c. + +20021120 + + Changed the probe's sender address to "postmaster" so that + we get better information about the address we're testing. + File: verify/verify.c. + + Added some paranoia to the routine that reads data from + the address verification cache. Ignore data that is obviously + bogus. File: verify/verify.c. + +20021121 + + Bugfix: garbage in "user@garbage"@domain address forms may + cause the SMTP or LMTP client to terminate with a fatal + error exit because garbage/tcp is not an existing service. + This cannot be abused to cause the SMTP or LMTP client to + send data into unauthorized ports. Files: *qmgr/qmgr_message.c, + trivial-rewrite/resolve.c. + +20021124 + + Bugfix: don't use same VSTRING buffer for reading and + writing. File: verify/verify.c. + +20021128 + + Feature: hashed hold queue support, with hashing turned on + by default. Omission spotted by Victor Duchovni, Morgan + Stanley. Files: global/hold_message.c, global/mail_params.h. + + Bugfix: the LMTP client lost the port(service) information + when parsing host:port information. Victor Duchovni, Morgan + Stanley. Fix is to have a new host_port(3) module that does + the parsing for the SMTP and LMTP clients. + + Cleanup: host_port() routine that parses host/port information + more consistently than the existing code in the LMTP and + SMTP clients. Files: smtp/smtp_connect.c, lmtp/lmtp_connect.c, + util/host_port.[hc]. + +20021130 + + Cleanup: defer mail when recipient verification takes too + long. File: smtpd/smtpd_proto.c. + + Feature: new reject_multi_recipient_bounce restriction, to + reject "MAIL FROM: <>" with multiple recipients. File: + smtpd/smtpd_check.c. + +20021201 + + Compatibility: ignore the new Sendmail -A option. File: + sendmail/sendmail.c. + + Workaround: sendmail -v now produces no output. You need + to specify -v -v instead. This is to avoid problems when + people request verbose mail delivery in their mail.rc file. + File: sendmail/sendmail.c. + +20021202 + + Cleanup: hash_queue_depth now defaults to 1 level of + subdirectories. This makes "mailq" faster on most systems, + but will result in poorer worst-case performance when lots + of mail is queued. + + The check_relay_domains restriction is going away. The SMTP + server logs a warning and suggests using reject_unauth_destination + instead. + + Cleanup: the local(8) and virtual(8) delivery agents did + not prepend X-Original-To: addresses to maildir files. + Omission spotted by Matthias Andree. + + Specify "address_verify_sender=" or "address_verify_sender=<>" + to use a null sender address while doing address verification + probes. Beware, doing so may trigger false negatives + because some sites reject mail from the null sender, even + though this is required by RFC standards. + + Bugfix: too many levels of dereferencing while testing for + missing reject_rbl_mumble domain names. Patrik Rak. File: + smtpd/smtpd_check.c. + +20021203 + + Bugfix: the FILTER access table action included the FILTER + command in the filter request, where only the transport+destination + were expected. Noel Jones. File smtpd/smtpd_check.c. + + Cleanup: virtual_maps is now called virtual_alias_maps, in + order to better distinguish it from virtual_mailbox_maps. + The default value is $virtual_maps for backwards compatibility. + + New parameters virtual_alias_domains and virtual_mailbox_domains + for the "domain.tld whatever" lookups. These use the same + syntax as the mydestination parameter. Default settings + are backwards compatible with Postfix 1.1. + + Concept: just like $mydestination+$inet_interfaces control + what routes to $local_transport, $virtual_mailbox_domains + now controls what routes to $virtual_transport (default + transport: virtual), and $relay_domains now controls what + routes to $relay_transport (default transport: relay, a + clone of the smtp transport). Everything else routes to + $default_transport as before. This eliminates the need + for transport map entries for every virtual(8) domain, and + avoids performance problems with inbound relay mail. This + was improvement was suggested by Victor Duchovni. File: + trivial-rewrite/resolve.c. + +20021206 + + Cleanup: do allow regexps in aliases, virtual mailbox maps + but do not allow regular expression substitutions. Files: + util/dict.h, util/dict_regexp.c, util/dict_pcre.c. + +20021207 + + Cleanup: deleted the description of sendmail-style virtual + domains from the virtual(5) manual page. This part of + Postfix was too confusing. + + Performance: RFC 2821 blesses the use of CNAME domain names + in MAIL FROM and RCPT TO. Not having to expand CNAME domain + names speeds things up a bit. File: smtp/smtp_proto.c. + + Workaround: exclude error mailer destinations from transport + mapping lookups :-(. File: trivial-rewrite/resolve.c. + + Cleanup: relocated_maps lookups are now moved to the + trivial-rewrite server. As of now, the queue manager no + longer does any map lookups, so it won't restart when maps + change. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. + + Robustness: because the trivial-rewrite server now does + many more table lookups, some of which are often LDAP or + SQL based, trivial-rewrite clients must be be prepared for + the case that the resolver reports a failure while processing + a request (when it was unable to access a lookup table). + Files: trivial-rewrite/resolve.c, local/resolve.c, + smtpd/smtpd_check.c. + + Robustness: moving possible LDAP or SQL table lookups into + the trivial-rewrite server also required that trivial-rewrite + be running as multiple processes to reduce lookup latencies. + Files: master/multi-server.c. + + Workaround: don't discard all the DNS lookup results when + only one of the results has a malformed name or address. + File: dns/dns_lookup.c. + +20021208 + + Cleanup: with the preliminary address domain classification + concept as implemented by the trivial-rewrite address + resolver, a lot of table lookups could be eliminated from + the SMTP server. Files: smtpd/smtpd_check.c. + + Feature: new relay_recipient_maps parameter, for optional + maps with all the recipients in the domains that match + $relay_domains (so you can reject mail for unknown relay + recipients). This is for consistency with virtual_xx_maps + and virtual_xx_domains, and with local_recipient_maps and + the local delivery agent. File: smtpd/smtpd_check.c. + + Cleanup: removed support for obsolete #number domain forms. + File: smtpd/smtpd_check.c. + +20021209 + + The Postfix installation procedure no longer sets the + "chattr +S" bit on Linux queue directories. Wietse has + gotten too annoyed with naive reviewers who complain about + performance without having a clue of what they are comparing. + + "Security": local_recipient_maps is now turned on by default, + to reject mail for non-existent users at the SMTP port. + See conf/main.cf for instructions, section REJECTING UNKNOWN + LOCAL USERS. + + Safety: detection of missing or inaccessible passwd file + database, to prevent massive complaints from people who + suddenly lose all their mail because local_recipient_maps + is now turned on by default. + +20021210 + + Feature: recipient address verification, using the code + that already implements sender address verification. Based + on suggestion by Matthias Andree. Files: src/smtpd/smtpd.c, + src/smtpd/smtpd_check.c. + +20021211 + + Performance: doubled the default process limit (50->100) + and default queue manager active queue message/recipient + limits (10k->20k). File: global/mail_params.h. + + Bugfix: the change that begot us multiple trivial-rewrite + processes (good) also gave us multiple verify daemons (bad). + File: conf/post-install. + +20021212 + + Cleanup: allow transport map lookups to override error + mailer results (to avoid breaking existing installations), + and do transport map lookups before relocated map lookups. + Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. + + Shortened the verify server's negative cache refresh time + from 12 hours to 2 hours. File: global/mail_params.h. + + Admin friendliness: the SMTP server now reports "User + unknown in {local recipient | virtual alias | virtual + mailbox | relay recipient} table". This will make trouble + shooting a little easier. Files: smtpd/smtpd_check.c, + trivial-rewrite/resolve.c. + +20021213 + + Cleanup: transport map entries with null nexthop ignored + relayhost settings. Making the code simpler also made it + more correct. Files: trivial-rewrite/resolve.c, + trivial-rewrite/transport.c. + + Feature: "helpful_warnings" (default: yes) that can be + turned off if you really know what you're doing and want + to eliminate some unnecessary work. + + Feature: enforcement of master.cf process limits for + processes such as qmgr and pickup that must run alone, and + processes such as cleanup and bounce that must run without + explicit process count limit. If an incorrect process limit + is specified in master.cf the service aborts. + +20021214 + + Cleanup: it looks like we finally get it right with transport + lookup table entries that either override or specify an + error transport without updating the nexthop information. + File: trivial-rewrite/resolve.c. + + Robustness: don't probe the sender address when probed for + our own address verification probe sender address. File: + smtpd/smtpd_check.c. + + Performance: don't do UCE checks (which may result in 4xx + SMTP reply codes, and thus, repeated delivery attempts) + when we already know that the recipient does not exist. + Files: smtpd/smtpd.c, smtpd/smtpd_check.c. + +20021215 + + Cleanup: further simplification of transport map handling + after some really fine hair splitting with Victor Duchovni. + Files: trivial-rewrite/resolve.c, trivial-rewrite/transport.c. + +20021216 + + Workaround: transform the address local-part into unquoted + form only when the address domain is local and the local-part + contains routing operators. Otherwise, we may damage the + address local-part by inserting space between non-operator + tokens. Some people use weird addresses and expect them to + be handled without damage. File: trivial-rewrite/resolve.c. + + Robustness: scan the resolved recipient address for routing + operators in the address local-part, even when the local + MTA does not recognize ! and % as valid operators. File: + trivial-rewrite/resolve.c. + + Cleanup: the address rewriting code no longer tries to + rewrite broken user@ or user@. address forms into even more + broken forms. bother. File: trivial-rewrite/rewrite.c. + + Cleanup: the address resolver code now treates forms ending + in @ in a more rational manner (because the address rewriting + code no longer messes up by appending .my.domain). + + Bugfix: a null address local-part before @domain now is + properly quoted just like the null address. File: + global/quote_82[12]_local.c. + +20021217 + + Cleanup: more work on the trivial-rewrite address rewriting + and address resolving code. New regression tests for address + rewriting and resolving that make some assumptions about + main.cf settings. Files: global/Makefile.in (assumptions), + global/rewrite_clnt.in, global/rewrite_clnt.ref, + global/resolve_clnt.in, global/resolve_clnt.ref. + + Safety: configurable SMTPD reject codes for recipients not + in {local,relay}_recipient,virtual_{alias,mailbox}}_maps, + aptly named unknown_mumble_reject_code. Postfix installs + with unknown_local_recipient_reject_code=450, unless the + site already ran Postfix with local_recipient_maps enabled. + Files: smtpd/smtpd.c, smtpd/smtpd_check.c, conf/post-install. + +20021218 + + Feature: specify unverified_recipient_reject_code=250 or + unverified_sender_reject_code=250 to accept mail for an + address that is known to bounce. File: smtpd/smtpd_check.c. + +20021219 + + Bugfix: longjmp() while sending "go away" without setjmp() + in the QMQP server. Patrik Rak. File: qmqpd/qmqpd.c. + + Safety: the XVERP extension is restricted to clients listed + in the authorized_verp_clients list (default: $mynetworks). + File: smtpd/smtpd.c. + + Workaround: preliminary IPV6 support in valid_hostliteral(). + File: util/valid_hostname.c. + +20021220 + + Bugfix: the reject_multi_recipient_bounce restriction had + an off-by-one error when used in smtpd_data_restrictions. + File: smtpd/smtpd_check.c. + + Feature: new check_recipient_maps restriction that gives + finer control over when unknown recipients are rejected. + As with Postfix 1.1, the default is to do this at the end + of the recipient restrictions. Sites that want to improve + performance can put check_recipient_maps at the start of + the smtpd_client_restrictions list and avoid doing unnecessary + RBL lookups etc. File: smtpd/smtpd_check.c. + + Feature: new show_user_unknown_recipient_table parameter + controls whether or not to reveal the lookup table name in + "User unknown" responses. The extra detail makes trouble + shooting easier but also reveals information that is nobody + elses business. + +20021221 + + Workaround: don't allow the transport map to override the + virtual alias class (error:User unknown) result. File: + trivial-rewrite/transport.c. + +20030101 + + Documentation update: new-style virtual domains broke the + advanced content filtering example. Files: FILTER_README, + RELEASE_NOTES-2.0. + +20030102 + + Cleanup: use different client instances when the same map + is opened with different flags. File: global/maps.c. + + Feature: proxymap server for Postfix table lookups. This + helps to consolidate the number of open lookup tables (such + as MYSQL or LDAP), or to overcome chroot restrictions + (example: specify proxy:unix:passwd.byname to avoid the + need for a copy of the UNIX passwd file in chroot jails). + Files: global/dict_proxy.[hc], proxymap/proxymap.c + + Cleanup: multiservers such as trivial-rewrite and the new + proxymap server now enforce the max_use total client number + limit more agressively, by not accepting new connections + after the limit is reached. Based on a patch by Victor + Duchovni, Morgan Stanley. File: master/multi_server.c. + +20030103 + + Cleanup: client stream endpoints not only have an idle time + limit ($ipc_idle) before a connection is closed, they now + also have a time to live ($ipc_ttl) to prevent connections + from becoming too persistent. This allows multi-servers + such as trivial-rewrite or the proxymap server to refresh + more frequently on busy systems. File: global/clnt_stream.c. + +20030104 + + Cleanup: avoid warnings about flag mismatches when the same + lookup table is listed under both virtual_alias_maps and + virtual_mailbox_maps. Files: global/virtual8.h, virtual/virtual.c. + + Bugfix: an obscure memory leak that puzzled me for more + than a year until I found out how to reproduce it. File: + util/vstream.c. + +20030105 + + Cleanup: removed the address syntax check from the queue + manager, since a better test was implemented recently in + the trivial-rewrite server. Files: *qmgr/qmgr_message.c. + + Bugfix: redirect bounce/defer to the address verification + service where appropriate. Files: *qmgr/qmgr_bounce.c, + *qmgr/qmgr_defer.c. + + Bugfix: "no such file or directory" warnings after "postfix + reload" when a chrooted smtpd reconnects to the proxy + service. Fix: use "private/proxymap" if possible, otherwise + use "$queue_dir/private/proxymap". File: global/dict_proxy.c. + + Robustness: daemons now chdir() to the queue directory + before running the pre-jail initialization code, so that + daemons running in stand-alone mode produce more consistent + results. Files: master/single_server.c, master/multi_server.c. + master/trigger_server.c. + + Bugfix: "sendmail -bs" tried to access the proxymap service. + It should not try to open any user/domain/uce related tables + at all. File: smtpd/smtpd.c. + +20030106 + + Bugfix: bouncing to owner-alias was broken, i.e. the mail + kept being deferred, and when that was fixed, another buglet + came to light. File: bounce/bounce.c. + + Robustness: the master no longer aborts with "address + already in use" when inet_interfaces specifies the same IP + address multiple times, or when a TCP service in master.cf + specifies a hostname for which the same IP address is listed + multiple times. File: master/master_ent.c. + +20030107 + + Robustness: check that FILTER actions in SMTPD access maps + or cleanup header/body_checks have plausible syntax. Files: + smtpd/smtpd_check.c, cleanup/cleanup_message.c. + +20030109 + + Cleanup: unnecessary "premature end of file on xxx while + reading yyy" warnings became exposed after some code + simplification. Files" global/*_clnt.c, global/dict_proxy.c + + Robustness: undo the change that causes a multi-server + process to stop accepting new connections while it still + services existing clients for an extended amount of time. + We need a better process retirement strategy. File: + master/multi_server.c. + +20030110 + + Cleanup: the virtual_mailbox_maps parameter is now optional + even when virtual_mailbox_domains is. This makes virtual + mailbox domains more like relay domains and the local + domain. + + Portability: the makedefs script now uses the pcre-config + utility to find out where things are installed. + + Bugfix: the SMTP server did not recognize the local built-in + double bounce address as local. Reported by Matthias Andree. + For safety sake, threw in the local postmaster address as + well. File: smtpd/smtpd_check.c. + +20030113 + + Added MAILER-DAEMON to the list of always recognized local + addresses, since it is generated by Postfix bounces. File: + smtpd/smtpd_check.c. + +20030114 + + Bugfix: transport_errno was not reset upon successful + transport map wildcard lookup after an earlier failure. + Reported by Victor Duchovni. File: trivial-rewrite/transport.c. + + Cleanup: unnecessary warnings from the proxymap client + after proxymap server disconnect. File: global/dict_proxy.c. + + Cleanup: Patrik Rak found a few more chattr invocations + that were missed 20021209. Files: postfix-install, + conf/post-install. + + Cleanup: the pcre-config command can produce null outputs. + Matthias Andree. File: makedefs. + + Bugfix: the virtual(8) Makefile included $(AUXLIBS) in the + dependencies. + +20030118 + + Typos: some hyperlinks referred to flushd, which is the + name that was used before the flush service was released. + Reported by Victor Duchovni. + + Cleanup: smtpd no longer needed to open relocated_maps. + +20030119 + + Cleanup: bounce messages used "X-Postfix" even when mail_name + was set to something other than the default "Postfix" name. + File: bounce/bounce-notify_util.c. + +20030120 + + Bugfix: wrong FILTER_README instructions for disabling + virtual alias mapping in the cleanup server before the + content filter. + + Bugfix: wrong FILTER_README instructions for destination-dependent + filtering, because relay_domains was specified incorrectly. + +20030122 + + Bugfix: 20021207 (move relocated table lookup from queue + manager to trivial-rewrite server) broke relocated table + lookup results with mail not rejected at the SMTP port. + Files: *qmgr/qmgr_deliver.c, *qmgr/qmgr_message.c. + +20030123 + + Bugfix: a widely used maildir filename algorithm was broken. + Postfix now uses TIME.DEVICE_INODE.HOST. Files: local/maildir.c, + virtual/maildir.c. + +20030124 + + Cleanup: queue structures no longer overload queue name + and nexthop destination. Files: *qmgr/qmgr_message.c, + *qmgr/qmgr_queue.c, *qmgr/qmgr_deliver.c. + +20030125 + + Feature: "REDIRECT user@domain" action in access maps or + in header/body_checks causes mail to be sent to the specified + address instead of the intended recipient(s). I would never + recommend that people use this to redirect (bounced) SPAM + to the beneficiaries of an advertisement campaign. Files: + smtpd/smtpd_check.c, cleanup/cleanup_message.c, + *qmgr/qmgr_message.c. + +20030126 + + Update: maildir filename algorithm updated according to + today's version of http://cr.yp.to/proto/maildir.html. + +20030127 + + Cleanup: use separate error messages for separate problems + with computing the list of SASL authentication mechanisms. + File: smtpd/smtpd_sasl_glue.c. + +20030130 + + Bugfix: allow $name in default time values. File: + global/mail_conf_time.c. + +20030205 + + Feature: allow !, /file/name and map:name in masquerade_exceptions. + By Liviu Daia. Files:cleanup_init.c, cleanup.h, + cleanup_masquerade.c. + +20030219 + + Bugfix: the local pickup daemon skipped unterminated records, + since they happened to have the same record type code as + content filtering instructions. Victor Duchovni. Files: + global/rec_type.h, pickup/pickup.c. + + Portability: Postfix could block, and thus not enforce + command execution time limits, while delivering mail to + command. File: global/pipe_command.c. + + Bugfix: command execution time limits were not enforced + because the child process killing code in pipe_command() + was running with the wrong privileges. Problem reported by + Ben Rosengart, Panix. File: global/pipe_command.c. + + Bugfix: duplicate recipient filtering in the cleanup server + did not eliminate virtual expansion duplicates with the + same original recipient. File: cleanup/cleanup_out_recipient.c. + +20030223 + + Cleanup: added postmap/postalias -p option (do not inherit + the source file permissions when creating a new file), for + completeness. A feature that can't be turned off is a bug. + Files: postmap/postmap.c, postalias/postalias.c. + + Bugfix: smtpd_hard/soft_error_limit off-by-one error, so + that the real limit was one larger than the configured + value. File: smtpd/smtpd.c, smtpd/smtpd_chat.c. + +20030226 + + Safety: proxymap server defense against potential deadlock + when some library routine wants to open a proxied table. + Instead, proxymap opens the requested table directly. File: + proxymap/proxymap.c. + + Portability: updated AIX 5.x system dependent definitions. + File: util/sys_defs.h. + +20030227 + + Bugfix: added mynetworks to the list of proxy_read_maps + parameter settings that are pre-authorized to use proxied + table lookups. File: global/mail_params.h. + + Cleanup: daemons now log what table has changed before + restarting. Files: dict.c, and anything that invoked + dict_changed(). + + Cleanup: more consistency in the naming of lookup table + handles as generated by maps(3) and by match_list(3). + +20030305 + + Workaround: Postfix removes too long non-address text from + message headers in order to protect vulnerable Sendmail + systems against exploitation of the remote buffer overflow + vulnerability described in CERT advisory CA-2003-07. + +20030311-19 + + Bugfix: the access map actions HOLD, DISCARD, FILTER and + REDIRECT were broken with smtpd_delay_reject=no and with + ETRN. This required re-architecting of the actions code. + Files: smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c. + +20030315 + + Bugfix: the postsuper manual page documented support for + the -c command line option, but it was not implemented. + File: postsuper/postsuper.c. + + Bugfix: the Postfix 2.0 recipient map checking code broke + the VRFY command, causing it to reply with status code 252 + for non-existent addresses. This required re-architecting + the recipient table lookup code. File: smtpd/smtpd_check.c. + +20030319 + + Feature: configurable limit on virtual alias expansion size + and nesting depth, via the virtual_alias_expansion_limit + and virtual_alias_recursion_limit parameters. The default + limits are compatible with past Postfix versions. Victor + Duchovni, Morgan Stanley. Files: /sample-resource.cf, + html/resource.html, cleanup/cleanup.c, cleanup/cleanup_init.c, + cleanup/cleanup_map1n.c. + + Feature: the installation procedure records build information + (by default: in /etc/postfix/makedefs.out). + +20030324 + + Bugfix: smtp-source flushed too often, causing suboptimal + performance with smtp-source sending directly into smtp-sink. + Files: smtpstone/smtp-source.c. + +20030410 + + Safety: log a fatal error when a net/mask pattern has a + non-zero host part, so that mail delivery is deferred. + File: util/match_ops.c. + +20030411 + + Bugfix: extraneous warning about out-of-order original + recipient records by Patrik Rak. Files: *qmgr/qmgr_message.c. + +20030412 + + Workaround: log a warning and reset the queue file time + stamps when the file system clock is ahead of the local + clock. File: global/mail_stream.c. + +20030414 + + Feature: PostgreSQL client module, adopted by LaMont Jones. + Files: README_FILES/PGSQL_README, util/dict_pgsql.c, + util/dict_pgsql.h, conf/sample-pgsql-aliases.cf. + + Cleanup: the generic smtp client/server code in smtp_stream.c + now has an explicit flush operation, and the smtp-source/sink + programs are updated to take advantage of this. + + Cleanup: the file system clock drift detection code now + runs only once per process instance, to minimize the + performance impact. File: global/mail_stream.c. + + Robustness: avoid TIME_WAIT state with smtp/qmqp-source + client sockets. This puts less strain on local system + resources. + +20030415 + + Cleanup: the file system clock drift detection code now + runs only for incoming mail. File: global/mail_stream.c. + +20030416 + + Bugfix: missing partial last line when 1) someone submits + 8-bit mail not ending in newline via /usr/sbin/sendmail + and 2) MIME input processing is turned off, and 3) MIME + 8bit->7bit conversion is requested upon delivery via SMTP. + + Cleanup: auto-bcc recipients are now added in one place + (the cleanup server) instead of by individual front-end + servers (pickup, smtpd, qmqpd). This makes it easier to + add auto-bcc features that trigger on sender or recipient + addresses. + + Cleanup: "sendmail -t" (recipients from headers) is now + implemented by the sendmail command instead of by the + cleanup server. This means that the extract_recipient_limit + configuration parameter is no longer needed. Files: + sendmail/sendmail.c, cleanup/cleanup_message.c, + cleanup/cleanup_extracted.c. + + Compatibility: "sendmail -t" (recipients from headers) now + accepts command-line recipients instead of complaining. + The extracted header recipients are added to the command-line + recipients. + + Feature: sender/recipient_bcc_maps. These are indexed by + sender/recipient address and are examined when mail enters + from outside of Postfix. Files: cleanup/cleanup_addr.c. + cleanup/cleanup_envelope.c cleanup/cleanup_extracted.c. + +20030417 + + Feature: the SMTP client now falls back to native name + service lookups (including /etc/hosts) when a host cannot + be found in the DNS. This is controlled by a new parameter + smtp_host_lookup (default: dns, native). Files: smtp/smtp.c, + smtp/smtp_addr.c. + +20030418 + + Bugfix: "sendmail -t" broke with unrecognized message + headers. + +20030419 + + Feature: "postcat -q" searches the queue for the named + file. + + Cleanup: made postcat "record names" output more consistent. + +20030421 + + Debugging: added some extra detailed error logging to the + pipe-to-command delivery, to help folks with bizarre file + truncation problems. File: global/pipe_command.c. + +20030424 + + Cleanup: readlline() did not terminate the result before + complaining about lines starting with whitespace. + + Cleanup: eliminated valid_hostname warning for invalid + queue file names. File: global/mail_queue.c. + + Bugfix: lost three lines of code when readying the postcat + command for release, which broke postcat -q. File: + postcat/postcat.c. + + Bugfix: the Postfix sendmail command applied the message + size limit when running as newaliases. The limiting code + is now moved to the message enqueuing branch of the code. + File: sendmail/sendmail.c. + + Documentation: start of documentation for the algorithm of + Patrik Rak's clever queue manager scheduler (nqmgr). Files: + conf/sample-scheduler.cf, README_FILES/SCHEDULER_README. + +20030429 + + Bugfix: while verifying an address, the LMTP client entered + a forbidden "next" sender state after the last recipient. + Fix by Vladimir Davydoff. File: lmtp/lmtp_proto.c. + + Bugfix: "," was not recognized in proxy_read_maps settings. + Fix by Leandro Santi. File: proxymap/proxymap.c. + +20030502 + + Bugfix: defer delivery after .forward etc. file read error. + File: local/token.c. Problem reported by Ben Rosengart, + Panix. + +20030503 + + Bugfix: the Postfix LMTP client used the wrong service + name, causing trouble with SASL 2.1.13. Daniel Schales, + Louisiana Tech. File: lmtp/lmtp_sasl_glue.c. + +20030518 + + Workaround: IRIX select() reports that a non-blocking file + descriptor is writable while write() transfers zero bytes. + File: util/vstream.c. Superseded by change 20030523. + +20030520 + + Cleanup: future time stamps in Received: headers and negative + delays in delivery agent logging after "postdrop -r", + because deferred queue files had future file modification + times. File: src/postsuper/postsuper.c. + +20030521 + + Cleanup: nqmgr warnings about "recipient count mismatch" + after "postdrop -r", because the cleanup server did not + count the "already done" recipients. Problem reported by + Richard Stockton, Gramma Software. Files: + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c. + +20030523 + + Workaround: IRIX select() reports that a non-blocking file + descriptor is writable while write() transfers zero bytes. + File: global/pipe_command.c. + +20030523-20030605 + + Cleanup: rewrote the queue file record processing loops in + pickup, cleanup and in [n]qmgr. This code had deteriorated + a lot as the result of small changes over the years. This + change brings the code closer to "obviously correct". Files: + cleanup/cleanup_envelope.c, cleanup/cleanup_extracted.c, + *qmgr/qmgr_message.c. + + Cleanup: Postfix no longer produces queue files with + backwards compatibility data for Postfix versions < 1.0 + (a.k.a. 20010228). Files: cleanup/cleanup_extracted.c, + showq/showq.c. + + Performance: the queue manager no longer has to examine + every queue file record before it can start deliveries. + This helps to avoid thrashing with very large mailing lists. + Postfix queue files have an extra field in the size record + with queue manager processing hints. This change is backward + and forward compatible. Files: cleanup/cleanup_envelope.c, + cleanup/cleanup_extracted.c, *qmgr/qmgr_message.c. + +20030528 + + Compatibility: "sendmail -q