Adding upstream version 3.8.5.upstream/3.8.5

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 243 insertions, 0 deletions

diff --git a/RELEASE_NOTES b/RELEASE_NOTES
new file mode 100644
index 0000000..0a23bf8
--- /dev/null
+++ b/RELEASE_NOTES
@@ -0,0 +1,243 @@
+This is the Postfix 3.8 stable release.
+
+The stable Postfix release is called postfix-3.8.x where 3=major
+release number, 8=minor release number, x=patchlevel. The stable
+release never changes except for patches that address bugs or
+emergencies. Patches change the patchlevel and the release date.
+
+New features are developed in snapshot releases. These are called
+postfix-3.9-yyyymmdd where yyyymmdd is the release date (yyyy=year,
+mm=month, dd=day). Patches are never issued for snapshot releases;
+instead, a new snapshot is released.
+
+The mail_release_date configuration parameter (format: yyyymmdd)
+specifies the release date of a stable release or snapshot release.
+
+If you upgrade from Postfix 3.6 or earlier, please read RELEASE_NOTES-3.7
+before proceeding.
+
+Dual license
+------------
+
+As of Postfix 3.2.5 this software is distributed with a dual license:
+in addition to the historical IBM Public License (IPL) 1.0, it is
+now also distributed with the more recent Eclipse Public License
+(EPL) 2.0. Recipients can choose to take the software under the
+license of their choice. Those who are more comfortable with the
+IPL can continue with that license.
+
+Incompatibility with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+==============================================================
+
+Improvements for outbound SMTP smuggling defense:
+
+- With "cleanup_replace_stray_cr_lf = yes" (the default), the cleanup
+  daemon replaces each stray <CR> or <LF> character in message
+  content with a space character. The replacement happens before
+  any other content management (header/body_checks, Milters, etc).
+
+  This prevents outbound SMTP smuggling, where an attacker uses
+  Postfix to send email containing a non-standard End-of-DATA
+  sequence, to exploit inbound SMTP smuggling at a vulnerable remote
+  SMTP server.
+
+  This also improves the remote evaluation of Postfix-added DKIM
+  and other signatures, as the evaluation result will not depend
+  on how a remote email server handles stray <CR> or <LF> characters.
+
+This feature applies to all email that Postfix locally or remotely
+sends out. It is not allowlisted based on client identity.
+
+Major changes with Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24
+============================================================
+
+Improvements for inbound SMTP smuggling defense:
+
+- Better compatibility: the recommended setting "smtpd_forbid_bare_newline
+  = normalize" requires the standard End-of-DATA sequence
+  <CR><LF>.<CR><LF>, but allows bare newlines from SMTP clients,
+  maintaining more compatibility with existing infrastructure.
+
+- Improved logging for rejected input (it now includes queue ID,
+  helo, mail, and rcpt, if available).
+
+- The setting "smtpd_forbid_bare_newline = reject" requires
+  that input lines end in <CR><LF>, requires the standard End-of-DATA
+  sequence <CR><LF>.<CR><LF>, and rejects a command or message that
+  contains a bare newline. To disconnect the client, specify
+  "smtpd_forbid_bare_newline_reject_code = 521".
+
+- The Postfix SMTP server no longer strips extra <CR> as in
+  <CR><LF>.<CR><CR><LF>, to silence false alarms from test tools
+  that send attack sequences that real mail servers cannot send.
+  Details at https://www.postfix.org/false-smuggling-claims.html
+
+- The old setting "yes" has become an alias for "normalize".
+
+- The old setting "no" has not changed, and allows SMTP smuggling.
+
+The recommended settings are now:
+
+    # Require the standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+    # Otherwise, allow bare <LF> and process it as if the client sent
+    # <CR><LF>.
+    #
+    # This maintains compatibility with many legitimate SMTP client
+    # applications that send a mix of standard and non-standard line
+    # endings, but will fail to receive email from client implementations
+    # that do not terminate DATA content with the standard End-of-DATA
+    # sequence <CR><LF>.<CR><LF>.
+    #
+    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+    # The example below allowlists SMTP clients in trusted networks.
+    #
+    smtpd_forbid_bare_newline = normalize
+    smtpd_forbid_bare_newline_exclusions = $mynetworks
+
+Alternative settings:
+
+    # Reject input lines that contain <LF> and log a "bare <LF> received"
+    # error. Require that input lines end in <CR><LF>, and require the
+    # standard End-of-DATA sequence <CR><LF>.<CR><LF>.
+    #
+    # This will reject email from SMTP clients that send any non-standard
+    # line endings such as web applications, netcat, or load balancer
+    # health checks.
+    #
+    # This will also reject email from services that use BDAT to send
+    # MIME text containing a bare newline (RFC 3030 Section 3 requires
+    # canonical MIME format for text message types, defined in RFC 2045
+    # Sections 2.7 and 2.8).
+    #
+    # Such clients can be allowlisted with smtpd_forbid_bare_newline_exclusions.
+    # The example below allowlists SMTP clients in trusted networks.
+    #
+    smtpd_forbid_bare_newline = reject
+    smtpd_forbid_bare_newline_exclusions = $mynetworks
+    #
+    # Alternatively, in the case of BDAT violations, BDAT can be selectively
+    # disabled with smtpd_discard_ehlo_keyword_address_maps, or globally
+    # disabled with smtpd_discard_ehlo_keywords.
+    #
+    # smtpd_discard_ehlo_keyword_address_maps = cidr:/path/to/file
+    # /path/to/file:
+    #     10.0.0.0/24 chunking, silent-discard
+    # smtpd_discard_ehlo_keywords = chunking, silent-discard
+
+Major changes with Postfix 3.8.1
+================================
+
+Security: the Postfix SMTP server optionally disconnects remote
+SMTP clients that violate RFC 2920 (or 5321) command pipelining
+constraints. The server replies with "554 5.5.0 Error: SMTP protocol
+synchronization" and logs the unexpected remote SMTP client input.
+Specify "smtpd_forbid_unauth_pipelining = yes" to enable. This
+feature is enabled by default in Postfix 3.9 and later.
+
+Workaround to limit collateral damage from OS distributions that
+crank up security to 11, increasing the number of plaintext email
+deliveries. This introduces basic OpenSSL configuration file support,
+with two new parameters "tls_config_file" and "tls_config_name".
+Details are in the postconf(5) manpage under "tls_config_file" and
+"tls_config_name".
+
+Major changes - documentation and code cleanup
+----------------------------------------------
+
+There are numerous small fixes to Postfix documentation, and small
+code-health changes that should not affect documented behavior but
+may improve Postfix behavior for malformed input, or that make
+Postfix easier to maintain. See the HISTORY file for details.
+
+Major changes - SRV support
+---------------------------
+
+[Feature 20230214] Support to look up DNS SRV records in the Postfix
+SMTP/LMTP client, Based on code by Tomas Korbar (Red Hat).
+
+For example, with "use_srv_lookup = submission" and "relayhost =
+example.com:submission", the Postfix SMTP client will look up DNS
+SRV records for _submission._tcp.example.com, and will relay email
+through the hosts and ports that are specified with those records.
+
+See https://www.postfix.org/postconf.5.html#use_srv_lookup for more
+details, including how to selectively use SRV in a configuration
+that connects to multiple ISP accounts.
+
+SRV support may also be useful inside a cloud-based infrastructure
+when Postfix needs to deliver mail to services that run on a
+dynamically-allocated port.
+
+Major changes - TLS support
+---------------------------
+
+[Incompat 20230304] This introduces the following changes:
+
+- Postfix treats the "export" and "low" cipher grade settings as
+  "medium". The  "export" and "low" grades are no longer supported
+  in OpenSSL 1.1.1, the minimum version that Postfix requires.
+
+- Postfix default settings now exclude the following deprecated or
+  unused ciphers (SEED, IDEA, 3DES, RC2, RC4, RC5), digest (MD5),
+  key exchange algorithms (DH, ECDH), and public key algorithm
+  (DSS).
+
+[Feature 20230108] New configuration parameter tls_ffdhe_auto_groups
+for finite-field Diffie-Hellman ephemeral (FFDHE) support in TLS
+1.3 with OpenSSL 3.0.
+
+Major changes - attack resistance
+---------------------------------
+
+[Feature 20240312] the Postfix SMTP server can now aggregate
+smtpd_client_*_rate and smtpd_client_*_count statistics by network
+block, as specified with smtpd_client_ipv4_prefix_length (default
+32, no aggregation) and smtpd_client_ipv6_prefix_length (default
+84, aggregation by /84 network blocks). The latter raises the bar
+for a memory exhaustion attack.
+
+[Feature 20221023] Unconditionally disable a CPU resource attack
+requesting TLS renegotiation. There's no good reason to support
+this in the middle of an SMTP connection.
+
+Major changes - bit rot
+-----------------------
+
+[Incompat 20221228] Postfix documentation and code have been converted
+to use "grep -E" and "grep -F" instead of the historical forms
+"egrep" and "fgrep". To build Postfix on a system that supports
+only the historical forms, run the script auxiliary/fix-grep/fix-grep.sh
+to revert this change.
+
+Major changes - configuration checks
+------------------------------------
+
+[Feature 20240406] The postconf command now warns for #comment in
+or after a Postfix parameter value. Postfix programs do not support
+#comment after other text, and treat that as input.
+
+Major changes - database support
+--------------------------------
+
+[Incompat 20220509] The PostgreSQL client encoding is now configurable
+with the "encoding" Postfix configuration file attribute. The default
+is "UTF8". Previously the encoding was hard-coded as "LATIN1".
+
+Major changes - logging
+-----------------------
+
+[Incompat 20230308] The postfix(1) and postlog(1) commands now
+produce stderr logging even when stderr is not connected to a
+terminal. This eliminates an inconsistency, and makes these programs
+easier to use in some automated procedures. The canonical example
+is to capture output from "postmulti -p status" to figure out which
+instances are or are not running.
+
+Major changes - source code organization
+----------------------------------------
+
+[Incompat 20220507] Most global/mkmap*.[hc] files are moved to the
+util directory; only global/mkmap_proxy.* remains. The old file
+organization was designed before support for dynamically-loadable
+databases was added, and that code suffered from complexity.
+